CompTIA · Updated May 14, 2026

CompTIA Security+ Exam Objectives (SY0-701): Domain-by-Domain Breakdown

The SY0-701 exam tests 5 domains across 90 questions. Two domains carry 50% of the weight. Here's what each domain actually covers.

By NerdExam Editorial Team · Published May 14, 2026

The CompTIA Security+ SY0-701 exam tests five domains across 90 questions in 90 minutes. CompTIA updated the domain weights when they retired SY0-601 in mid-2024. Two domains, Security Operations (28%) and Threats/Vulnerabilities/Mitigations (22%), carry exactly half the exam weight. The other three domains share the rest. If you study the official objectives PDF without understanding the weights, you'll waste 30 to 40 hours on the lower-weight domains and run out of time on the high-impact ones.

The 90-second answer

Study the high-weight domains first. Security Operations (28%) and Threats/Vulnerabilities/Mitigations (22%) together account for 50% of the exam. If you can answer 90% of questions in these two domains, you're already at 45 points out of a passing 750. Combined with average performance elsewhere, that's the path to a pass.

The traps: General Security Concepts (12%) feels easy because it covers vocabulary, so candidates skip it during review. Then 5 to 7 questions that hinge on precise definitions, such as "compensating control" or "deterrent vs preventive", cost them the exam. Security Program Management (20%) feels boring (policies, governance, audit), so candidates skim it. Both are deceptively trap-heavy.

The good news: every SY0-701 question maps to one of these five domains, and the official objectives PDF lists every sub-objective. There are no surprises if you actually read it.

What does Domain 1 (General Security Concepts) cover?

Domain 1 covers the foundational vocabulary every security question relies on, weighted at 12%. Roughly 11 questions on a 90-question exam. The CIA triad, AAA (authentication, authorization, accounting), non-repudiation, security controls classifications, change management, zero trust principles, and basic cryptography fall here.

Specific objectives you'll see on the exam:

| Topic | What's tested |
|---|---|
| CIA triad | Distinguishing confidentiality, integrity, availability concerns in scenario questions |
| Security control types | Technical vs administrative vs physical; preventive vs detective vs corrective vs compensating vs deterrent |
| Change management | The PMBOK-style process of impact assessment, approval, testing, documentation |
| Cryptographic solutions | PKI, symmetric vs asymmetric, hashing (SHA-256, SHA-3), digital signatures, certificates |
| Zero trust principles | Adaptive identity, threat scope reduction, policy-driven access, control plane vs data plane |

This domain is mostly vocabulary memorization. The fastest study approach is watching Professor Messer's 1.1 through 1.4 videos at 1.5x speed, then making a one-page summary in your own words. Most candidates rate this the easiest domain after taking it.

What does Domain 2 (Threats, Vulnerabilities, and Mitigations) cover?

Domain 2 weighs 22% and covers everything attackers do plus how defenders respond. Roughly 20 questions per exam. Threat actors, attack surfaces, malware classifications, social engineering, network attacks, application attacks, vulnerability classifications, indicators of compromise, and mitigation techniques all fall here.

The sub-objectives that show up most often:

  • Threat actor motivations and capabilities: nation-state vs organized crime vs hacktivist vs insider; you need to map a scenario description to the right threat actor type
  • Attack vectors and attack surfaces: differentiating attack vectors (how) from attack surfaces (where)
  • Malware classifications: virus vs worm vs trojan vs ransomware vs rootkit vs spyware vs keylogger vs logic bomb. Several questions per exam.
  • Social engineering: phishing variants (spear, whaling, vishing, smishing), pretexting, watering hole attacks, business email compromise
  • Network attacks: DDoS variants (volumetric, protocol, application layer), MITM, DNS attacks, wireless attacks, replay attacks
  • Application attacks: SQL injection, XSS (stored vs reflected vs DOM-based), CSRF, directory traversal, buffer overflow, race conditions, malicious code injection
  • Indicators of compromise (IoC): account lockouts, concurrent session usage, blocked content, impossible travel, resource consumption, OOM errors, missing logs
  • Mitigation techniques: segmentation, access control, monitoring, least privilege, defense in depth, hardening

Most candidates lose points here on the indicator-of-compromise questions and the social engineering variants. The fix is doing 50 to 80 practice questions in this domain specifically before exam day.

What does Domain 3 (Security Architecture) cover?

Domain 3 weighs 18% and covers architectural design choices that shape security posture. Roughly 16 questions per exam. Network, infrastructure, application, and cloud security architecture; resilience and recovery patterns; and secure data classification all fall here.

The sub-objectives that show up most:

  • Network security architecture: firewall placement, DMZ design, network segmentation, VLANs, micro-segmentation, screened subnets, east-west vs north-south traffic
  • Cloud security architecture: shared responsibility model (specifically AWS / Azure / GCP variations), serverless vs containers, SaaS-specific concerns, IaC security, hybrid cloud
  • Application security architecture: secure coding practices, input validation, output encoding, parameterized queries, secure defaults, secure libraries
  • Resilience and recovery: high availability designs, fault tolerance, redundancy, backup strategies (3-2-1 rule), RTO/RPO calculations, hot/warm/cold sites
  • Data classification and protection: sensitive data identification, encryption at rest, encryption in transit, DLP, tokenization, data masking, secure data disposal

This domain often surprises candidates because it overlaps with the CompTIA Cloud+ exam content. If you've done any cloud work, expect to score higher here than you'd guess. If you haven't, this is the domain where simulated labs help most.
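The application security architecture objectives above (input validation, parameterized queries) are the kind of thing the exam tests as a concept rather than as code, but seeing the defect next to the fix makes the scenario questions much easier to reason about. The following is an added example written for this page, not code from CompTIA or NerdExam; it uses Python's standard sqlite3 module with a constructed in-memory users table, and the function and table names are assumptions made for illustration.

```python
import re
import sqlite3

def build_db():
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, username):
    """Deliberately vulnerable: concatenating input lets it change the query's structure."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_user_parameterized(conn, username):
    """Hardened: the '?' placeholder binds the value; the SQL structure is fixed."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# Allow-list validation: lowercase letter, then 2-31 of [a-z0-9_]. An assumption for
# this example; real systems derive the rule from their own account policy.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def validate_username(username):
    """Input validation as a second layer, independent of how the query is built."""
    return USERNAME_RE.fullmatch(username) is not None

def lookup_user_hardened(conn, username):
    """Defense in depth: validate the input, then use the parameterized query."""
    if not validate_username(username):
        raise ValueError("username fails allow-list validation")
    return lookup_user_parameterized(conn, username)

if __name__ == "__main__":
    db = build_db()
    tautology = "x' OR '1'='1"          # classic textbook injection string
    print(lookup_user_vulnerable(db, tautology))     # every row leaks
    print(lookup_user_parameterized(db, tautology))  # no match: treated as a literal name
    print(lookup_user_hardened(db, "alice"))
```

The point to take into the exam: parameterized queries fix the structural problem (data can no longer become SQL), while input validation is a separate control that also narrows what reaches the database. The objectives list both because a well-designed application uses both, not one as a substitute for the other.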

What does Domain 4 (Security Operations) cover?

Domain 4 weighs 28%, the highest of any domain. About 25 questions per exam. Hardening, asset management, vulnerability management, monitoring, incident response, digital forensics, and identity management all fall here.

The sub-objectives that show up most:

  • Hardening techniques: secure baselines, configuration management, disabling unnecessary services, default credential changes, patch management, endpoint hardening
  • Vulnerability management: scanning (authenticated vs unauthenticated, internal vs external), CVSS scoring, prioritization by risk, remediation strategies
  • Monitoring and SIEM: log aggregation, correlation rules, alert tuning, dashboards, retention policies, common SIEM platforms (Splunk, Sentinel, Elastic, QRadar)
  • Incident response: NIST 800-61 lifecycle (preparation, detection, containment, eradication, recovery, lessons learned), playbooks, chain of custody, tabletop exercises
  • Digital forensics: evidence preservation, chain of custody, volatile vs non-volatile data, timeline analysis, hash verification, legal holds
  • Identity and access management: SSO, MFA, federation, just-in-time access, privileged access management, identity proofing, account lifecycle
  • Automation and orchestration: SOAR platforms, scripted responses, ticket integration, API-driven workflows

This domain has the most performance-based questions (PBQs). Expect 2 to 3 PBQs that drop you into a simulated SIEM dashboard or ask you to drag IR phases into the right order. The home-lab investment from the Security+ study guide pays off most here.
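Two of the lists above meet in the SIEM: the Domain 2 indicators of compromise (account lockouts, impossible travel) are exactly what the Domain 4 correlation rules are written to surface. The following is an added example written for this page, not code from any SIEM vendor, CompTIA or NerdExam. It parses a handful of constructed authentication log lines (invented for this example, in an assumed `timestamp key=value ...` layout) and runs two simple correlation rules over them: repeated failures for one account inside a short window, and two successful logins for one account from different countries too close together to be physical travel. Thresholds and field names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). ISO-8601 timestamp, then key=value fields.
SAMPLE_LOG = """\
2026-05-14T09:00:01Z user=alice src=203.0.113.10 geo=US result=OK
2026-05-14T09:00:05Z user=bob src=198.51.100.7 geo=DE result=FAIL
2026-05-14T09:00:09Z user=bob src=198.51.100.7 geo=DE result=FAIL
2026-05-14T09:00:14Z user=bob src=198.51.100.7 geo=DE result=FAIL
2026-05-14T09:00:20Z user=bob src=198.51.100.7 geo=DE result=FAIL
2026-05-14T09:00:25Z user=bob src=198.51.100.7 geo=DE result=FAIL
2026-05-14T09:12:40Z user=alice src=192.0.2.44 geo=JP result=OK
2026-05-14T10:30:00Z user=carol src=203.0.113.99 geo=US result=OK
"""

def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def detect_lockout_candidates(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 1 (account lockout / brute force): `threshold` failures for one user inside `window`.

    Fires once, when the sliding count first reaches the threshold.
    """
    alerts = []
    recent_failures = defaultdict(list)
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        q = recent_failures[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures that aged out of the window
            q.pop(0)
        if len(q) == threshold:
            alerts.append(("brute_force", ev["user"], ev["src"]))
    return alerts

def detect_impossible_travel(events, min_gap=timedelta(hours=1)):
    """Rule 2 (impossible travel): consecutive successful logins for one user from
    different countries less than `min_gap` apart."""
    alerts = []
    last_ok = {}
    for ev in events:
        if ev["result"] != "OK":
            continue
        prev = last_ok.get(ev["user"])
        if prev and prev["geo"] != ev["geo"] and ev["ts"] - prev["ts"] < min_gap:
            alerts.append(("impossible_travel", ev["user"], prev["geo"], ev["geo"]))
        last_ok[ev["user"]] = ev
    return alerts

def run_rules(text):
    """Run both correlation rules over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_lockout_candidates(events) + detect_impossible_travel(events)

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Running it on the sample yields one brute-force alert for bob and one impossible-travel alert for alice; carol, with a single login, triggers nothing. The design mirrors what the "alert tuning" sub-objective is about: the threshold, the window and the travel gap are the knobs an analyst adjusts to trade false positives against missed detections, and each rule keys on the user rather than the source address so that a distributed attempt is still counted against the account.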

What does Domain 5 (Security Program Management) cover?

Domain 5 weighs 20%, the second-largest after Operations. About 18 questions per exam. Risk management, governance, audit, vendor risk management, security awareness, and compliance frameworks all fall here.

The sub-objectives that show up most:

  • Risk management: risk identification, assessment (qualitative vs quantitative), treatment (accept, avoid, mitigate, transfer), monitoring, risk appetite vs tolerance, risk register
  • Governance: policies, standards, procedures, guidelines, centralized vs decentralized governance, governance structures
  • Compliance frameworks: NIST CSF v2.0, ISO 27001, PCI DSS, GDPR, HIPAA, SOX, CCPA, regional data sovereignty rules
  • Vendor risk management: due diligence, contracts and SLAs, third-party assessments, supply chain attacks, fourth-party risk
  • Audit and assessment: internal vs external audit, attestation reports (SOC 1, SOC 2 Type I vs II, ISO certifications), gap analysis, control testing
  • Security awareness: training programs, phishing simulations, password policies, acceptable use policies, role-based training
  • Privacy considerations: data subject rights, consent management, privacy impact assessments, breach notification timelines

This domain trips technical candidates because it asks process questions, not technical ones. The framework-mapping questions (NIST CSF function to a specific control) are where most points get lost. Spend at least 8 hours on this domain even though it feels "boring" to technical readers.

How do the domain weights compare to SY0-601?

CompTIA shifted weight toward Security Operations and Security Program Management when they updated to SY0-701 in mid-2024. The old SY0-601 breakdown was:

| Domain | SY0-601 weight | SY0-701 weight | Change |
|---|---|---|---|
| Attacks, Threats, Vulnerabilities | 24% | 22% | -2% (now "Threats, Vulnerabilities, Mitigations") |
| Architecture and Design | 21% | 18% | -3% (now "Security Architecture") |
| Implementation | 25% | merged into Architecture + Operations | removed as standalone |
| Operations and Incident Response | 16% | 28% | +12% (now "Security Operations") |
| Governance, Risk, Compliance | 14% | 20% | +6% (now "Security Program Management") |

The big shift is Security Operations going from 16% to 28%. If you're using older study material that pre-dates SY0-701, you'll under-prepare on the most important domain. Verify your course version covers SY0-701 explicitly before you spend study time on it.

How do I use the domain weights to plan study time?

Allocate study hours proportional to domain weights, with a 1.2x multiplier for domains where you have weaker hands-on experience. A realistic 80-hour study budget breaks down like this:

| Domain | Weight | Base hours | Adjusted hours (for typical IT admin) |
|---|---|---|---|
| Security Operations | 28% | 22 | 24-28 (most candidates need extra lab time) |
| Threats, Vulnerabilities, Mitigations | 22% | 18 | 18-20 |
| Security Program Management | 20% | 16 | 18-20 (process-heavy, often skipped) |
| Security Architecture | 18% | 14 | 14-16 |
| General Security Concepts | 12% | 10 | 8-10 (vocabulary, fast to learn) |

If you're a process-oriented person (project manager, GRC analyst), flip the multiplier: spend MORE time on Architecture and Operations, less on Program Management.

The candidates who pass on the first try track their per-domain practice-question accuracy weekly. Practice tools like NerdExam break their question banks by domain, so you can see where you're at 85% and where you're at 60%, then allocate the next week's study time accordingly.

For practice questions filtered by domain, NerdExam has 1,056 enriched SY0-701 questions with full explanations. Start practicing Security+ questions to see the question style before you commit to a study plan.

What's NOT on the SY0-701 exam?

CompTIA explicitly excludes several topics that show up in study forums but never appear on the real exam:

  • Specific vendor product configuration (no exam questions on "configure Cisco ASA firewall syntax")
  • Programming syntax (you might see PowerShell or Bash pseudo-code in a PBQ but never write code)
  • Deep cryptography math (you need to know SHA-256 exists, not implement it)
  • Specific CVE numbers (you need to know what CVSS is, not memorize CVE-2024-1234)
  • Detailed legal case law (you need to know HIPAA exists and its general scope, not memorize which exception applies in subsection 164.512)
  • Specific tool keyboard shortcuts or menu paths
  • Vendor-specific cloud service names (you need "object storage", not "S3 vs Azure Blob vs GCS")

If a YouTube prep video spends 20 minutes on any of these, switch videos. The exam doesn't reward that level of detail.

Ready to start? Practice with 1,056 real Security+ SY0-701 questions on NerdExam or browse the free per-question explanations. CompTIA's free exam objectives PDF is also worth downloading first if you haven't: CompTIA Security+ exam objectives.

Adjacent reading: CompTIA Security+ Study Guide: 10-Week Plan, Where to actually buy a Security+ voucher, What is MFA, What is a CVE, What is Zero Trust.