CompTIA Security+ (SY0-701) FAQ

Current SY0-701 Security+ FAQ covering exam format, PBQs, study strategy, zero trust, IAM, crypto, incident response, and GRC.

Security+ is easiest when you treat each question as a control-design decision: what reduces risk, preserves evidence, respects least privilege, and still fits the operational constraint in the prompt.

PBQ: Performance-based question that asks you to analyze, configure, sequence, or troubleshoot rather than only pick a definition.

IAM: Identity and access management, which covers authentication, authorization, privilege control, and account lifecycle.

GRC: Governance, risk, and compliance work that ties policy, oversight, risk handling, and evidence together.

Fast exam facts

As of March 28, 2026, CompTIA lists:

  • Series code: SY0-701
  • Exam version: V7
  • Question count: up to 90
  • Duration: 90 minutes
  • Question types: multiple-choice and performance-based questions
  • Passing score: 750 on a 100-900 scale

What does SY0-701 actually cover?

CompTIA’s current Security+ page breaks SY0-701 into five domains:

  • General Security Concepts: 12%
  • Threats, Vulnerabilities, and Mitigations: 22%
  • Security Architecture: 18%
  • Security Operations: 28%
  • Security Program Management and Oversight: 20%

This guide follows that structure directly, with one chapter page per official domain and one lesson page per major objective group.

Who should take Security+?

Security+ is a strong baseline for help desk and support professionals moving into security, junior analysts, system administrators who want a recognized security credential, and career-switchers who already have solid IT fundamentals.

Are there prerequisites?

There are no formal prerequisite exams. As of March 28, 2026, CompTIA recommends Network+ and two years of experience working in a security or systems administrator job role.

What is the current exam format?

CompTIA currently lists:

  • Exam version: V7
  • Series code: SY0-701
  • Launch date: November 7, 2023
  • Question count: maximum of 90
  • Exam style: multiple-choice and performance-based questions
  • Duration: 90 minutes
  • Passing score: 750 on a 100-900 scale
  • Languages: English, Japanese, Portuguese, Spanish, and Thai

CompTIA also says retirement is usually three years after launch, which is why the guide is structured in smaller modular pages instead of one giant Security+ book page.

Are PBQs included?

Yes. Security+ includes performance-based questions as part of the exam. They usually test workflow thinking rather than obscure detail: picking the right control, interpreting logs, ordering incident-response steps, reading a network or certificate problem, or selecting the strongest mitigation.

If a PBQ is time-consuming, mark it and return after your first pass through the easier questions.

How is this guide organized?

Use the guide in this order:

  1. Study Plan if you want pacing.
  2. The five chapter pages for domain-level routing.
  3. The 28 lesson pages for the actual learning work.
  4. Cheat Sheet, Glossary, and Resources for final review and scope checking.

What is the best way to study?

A realistic plan for most candidates is a daily cadence like this:

  • 45-60 minutes of reading
  • page quiz immediately after the lesson
  • one small lab or workflow drill
  • a short miss log with the rule you missed

How should I practice PBQs?

Practice workflows, not isolated trivia:

  • choose the strongest least-privilege access model for a scenario
  • read a short log set and identify the next step
  • order containment, eradication, and recovery correctly
  • inspect a certificate or mail-authentication scenario and identify the weak point
  • simulate vulnerability triage: critical asset, public exposure, limited patch window, compensating control

What should I do when two answers both sound secure?

Use this order:

  1. eliminate the answer that breaks the stated business or operational constraint
  2. prefer the answer that preserves least privilege and evidence handling
  3. if one answer is more targeted and the other is broader but vaguer, the targeted answer is usually stronger

Security+ usually rewards the control that fits the scenario cleanly, not the one that sounds biggest or most expensive.

What is Zero Trust in practical terms?

Zero Trust means:

  • verify explicitly
  • apply least privilege
  • assume breach
  • enforce policy close to the resource

Security+ usually rewards answers that reduce implicit trust, narrow access, and improve telemetry rather than answers that rely on a broad trusted internal network.

What IAM distinctions should I know cold?

  • Authentication vs authorization vs accounting
  • RBAC vs ABAC vs DAC vs MAC
  • SAML vs OAuth 2.0 vs OIDC
  • MFA factor categories
  • privileged access controls, including vaulting, session control, and narrow admin access

If these still blur together, use the glossary before doing more mixed practice.

What crypto and PKI topics matter most?

Know the difference between:

  • hashing and encryption
  • encryption and digital signatures
  • encoding and encryption
  • certificate issuance and certificate validation
  • expiration and revocation

You should also be comfortable with PKI chain logic, OCSP and CRL concepts, and the idea that key access matters as much as the algorithm choice.
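The issuance-versus-validation and expiration-versus-revocation distinctions above, shown as an added example that is not part of the original FAQ: it builds a constructed two-level PKI offline with the openssl CLI (assumed to be installed; all names and files are made up) and then runs chain and expiry checks as separate questions.

```shell
#!/bin/sh
# Added example (not from the FAQ): a tiny offline PKI built with openssl
# to show issuance, chain validation, and expiry as separate checks.
# Assumes the openssl CLI is installed; CA/leaf names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Issuance step 1: a self-signed root CA acts as the trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout ca.key -out ca.pem -subj "/CN=Demo Root CA" >/dev/null 2>&1

# Issuance step 2: the leaf makes its own key and a CSR; only the CA signs.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout leaf.key -out leaf.csr -subj "/CN=demo.example" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 7 -sha256 -out leaf.pem >/dev/null 2>&1

# An unrelated CA: a well-formed cert from the wrong issuer must still fail.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout other.key -out other.pem -subj "/CN=Other Root CA" >/dev/null 2>&1

# Validation check 1: does the chain terminate at a trusted anchor?
verify_chain() {  # $1 = trusted CA file, $2 = certificate under test
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Validation check 2: is the cert still inside its validity window
# $2 seconds from now? (-checkend exits non-zero if it will have expired.)
not_expired() {  # $1 = certificate file, $2 = seconds ahead
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Expiry and revocation are different questions: an unexpired cert can
# still be revoked, which only a CRL or OCSP lookup against the issuer
# reveals; neither check above answers that question.

if verify_chain ca.pem leaf.pem; then echo "leaf chains to Demo Root CA"; fi
if ! verify_chain other.pem leaf.pem; then echo "leaf rejected by Other Root CA"; fi
if not_expired leaf.pem 0; then echo "leaf is valid right now"; fi
if ! not_expired leaf.pem $((8 * 86400)); then echo "leaf expires within 8 days"; fi
```

Run it as a script; the four echo lines show that trust anchor and validity window are evaluated independently, which is the distinction the exam probes.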

What should I memorize for incident response?

  • Preparation -> Identification -> Containment -> Eradication -> Recovery -> Lessons learned
  • order of volatility
  • chain of custody
  • the difference between incident response, threat hunting, and root cause analysis

During a live incident, Security+ usually favors containment before eradication.

What GRC topics matter most?

Know how to separate:

  • policy, standard, procedure, and guideline
  • risk appetite and risk tolerance
  • internal and external audits
  • privacy duties and broader security duties
  • compliance status and true control effectiveness

What tools should I recognize by name?

Nmap, Wireshark, tcpdump, Zeek, Nessus or OpenVAS, Burp or ZAP, Metasploit, Sysinternals tools, Volatility, Autopsy, OpenSSL, and common SIEM or logging terminology. The exam is vendor-neutral, so focus on the role the tool plays, not only on the brand.

Do I need to memorize every tool flag or command?

No. Security+ is more interested in whether you understand what the tool is for and when it fits the scenario. You should recognize what tools like Wireshark, Nmap, Zeek, Volatility, or OpenSSL are used to do, but the exam is not mainly a command-syntax test.

How long should I study before scheduling?

As a working default:

  • strong IT background: 4-5 weeks
  • moderate IT background, newer to security: 5-6 weeks
  • lighter background: 6-8 weeks with more lab time

Aim for consistent mixed-practice performance and solid chapter-level understanding before booking.

What should a tiny home lab include?

  • one Windows VM
  • one Linux VM
  • packet capture or simple IDS visibility
  • one small web app or container
  • certificate inspection with openssl
  • at least one workflow drill around logs, IAM, and incident triage

After Security+, what next?

Common next steps:

  • CySA+ for blue-team and detection-heavy work
  • PenTest+ for offensive security direction
  • cloud-security or admin tracks if you want platform-specific work
  • governance and audit study if you lean toward risk and oversight

Quick readiness checklist

  • I can classify controls correctly and explain why the control fits the scenario.
  • I can distinguish vector, vulnerability, malicious activity, and mitigation.
  • I understand zero trust, access models, and MFA in scenario form.
  • I can work through PKI, certificate validation, and crypto-purpose questions.
  • I know the IR phases and why evidence handling matters.
  • I can separate governance, risk, compliance, and audit language without guessing.
