# CompTIA Security+ Study Guide
## Overview
CompTIA Security+ is the most widely held entry-level cybersecurity certification in the industry. It is vendor-neutral, broadly recognized by employers across sectors, and accepted by the Department of Defense as meeting the baseline certification requirement for multiple IAT and IAM roles under DoD 8570/8140.
Security+ occupies a specific position in the certification landscape: it is not an advanced credential, and it should not be treated as one. Its value is as a foundational signal, demonstrating to employers that a candidate has working knowledge of security concepts across the full breadth of the field. It answers the question "does this person understand security at all?" in the affirmative. The deeper specialization comes after.
The current version is SY0-701, released in November 2023. CompTIA typically retires exam versions approximately three years after release, so SY0-701 is expected to be the active version through approximately late 2026. Candidates should confirm the current active version before purchasing study materials or registering.
Security+ maps directly and completely to the Planetary Defense Model's six domains. This is not a coincidence: the security knowledge the exam covers is the security knowledge the PDM addresses. Understanding Security+ deeply is understanding the conceptual foundation of the full PDM model.
## Role Description
Security+ is a certification, not a job role, but it targets a specific career stage: practitioners entering the security field either from adjacent IT backgrounds (networking, systems administration, help desk) or from career changes without prior IT experience.
The credential signals readiness for entry-level positions including SOC analyst (Tier 1), security analyst, security administrator, systems administrator with security responsibilities, and information security specialist roles. It is frequently listed as a required or preferred credential for these positions.
For practitioners already working in IT, Security+ validates and formalizes knowledge they may have acquired informally across years of operational experience. For career changers, it provides the structured curriculum needed to develop foundational security knowledge from the ground up.
The DoD 8570/8140 framework makes Security+ particularly valuable for anyone pursuing federal government or defense contractor positions. Many contracts specify Security+ as the minimum credential for personnel in security-relevant roles, which creates significant employer demand for the certification beyond the private sector.
## Required Skills and Knowledge
The SY0-701 exam covers five domains with approximately the following weightings:
Domain 1: General Security Concepts (12%) covers foundational terminology and concepts: security control categories (preventive, detective, corrective, deterrent, compensating), cryptographic fundamentals (symmetric and asymmetric encryption, hashing, PKI, certificate management), authentication factors, and basic security principles (confidentiality, integrity, availability). This domain rewards candidates who understand the conceptual framework rather than just the vocabulary.
Domain 2: Threats, Vulnerabilities, and Mitigations (22%) is the largest domain and covers attack types and their defenses: social engineering (phishing, vishing, smishing, pretexting, baiting), malware categories (ransomware, spyware, adware, rootkits, worms, trojans), application vulnerabilities (injection attacks, XSS, CSRF, buffer overflow, race conditions), network attacks (man-in-the-middle, denial of service, ARP poisoning, DNS attacks), and physical attacks. This domain is where understanding how attacks actually work pays dividends over simple memorization.
Domain 3: Security Architecture (18%) covers how security is designed into systems and networks: cloud security concepts, network segmentation (VLANs, DMZ, air-gapped networks), virtualization security, zero trust architecture principles, secure network design (firewalls, IDS/IPS, proxies, load balancers), and infrastructure as code security considerations.
Domain 4: Security Operations (28%) is the most heavily weighted domain and covers the operational security functions: endpoint security (EDR, host-based firewalls, data loss prevention), identity and access management (MFA, PAM, directory services, federation), monitoring and log analysis, incident response procedures, digital forensics fundamentals, vulnerability scanning, and patch management. This domain rewards practical exposure to security tools and processes.
Domain 5: Security Program Management and Oversight (20%) covers the governance dimension: data privacy regulations (GDPR, CCPA, HIPAA, PCI DSS), risk management frameworks (NIST CSF, ISO 27001, RMF), security policies and standards, third-party risk management, business continuity and disaster recovery planning, and security awareness training programs.
## Career Path
Security+ is not a destination credential: it is a launchpad. The career trajectories from Security+ are:
The analyst track progresses from Security+ to CompTIA CySA+ (the SOC analyst and security analyst credential), then potentially to GIAC analyst credentials (GCIH, GCFA) or platform-specific certifications (Microsoft SC-200, Splunk Core Power User) as the practitioner deepens into a specialty area. This path is best suited for practitioners entering SOC analyst or security analyst positions who want to build formal credentials aligned to their daily work.
The practitioner track progresses from Security+ to a domain-specific credential: CCNA Security or a cloud provider associate certification (AWS Security Specialty, AZ-500) for infrastructure practitioners, application security certifications (GWEB, CSSLP) for developers, or identity-focused certifications for IAM practitioners. The distinguishing factor here is specialization: the practitioner has identified their primary domain and pursues depth rather than continued breadth.
The advanced generalist track progresses from Security+ to CompTIA CASP+ (the advanced practitioner credential, covering enterprise security architecture at a depth well beyond Security+), which is appropriate for practitioners who want to maintain breadth rather than specializing. CASP+ is vendor-neutral, DoD-approved for senior IAT roles, and covers the kind of architectural security thinking that prepares practitioners for architect and senior engineering roles.
The management track progresses from Security+ toward CISM or CISSP as the practitioner accumulates the required experience and takes on broader program responsibilities. Security+ is the starting point for this path, but CISSP requires five years of qualifying experience, so the management track is a long-game strategy.
The offensive track uses Security+ as the foundational certification and pivots toward eJPT (entry-level practical pentesting), then TCM Security's PNPT, and eventually OSCP. Security+ provides the conceptual framework; the offensive certifications build the operational skills.
The material Security+ covers typically takes six months to two years of practical experience to feel solid. Candidates who attempt Security+ as their first exposure to security content without a prior IT background should plan for the longer study timeline and supplement certification study with hands-on learning on platforms like TryHackMe (particularly the "Pre-Security" and "SOC Level 1" paths). The certification is valuable as a signal but earns its full value when the holder has enough practical context to apply the concepts operationally.
## Certifications and Education
Study timeline: 8 to 12 weeks is realistic for career changers with no security background but with basic IT literacy. 4 to 6 weeks is appropriate for IT professionals (network administrators, systems administrators, help desk professionals) with at least one year of hands-on IT experience. Experienced security practitioners who are simply formalizing existing knowledge may prepare in two to four weeks of targeted review.
Professor Messer's Security+ Course: Free video course available at professormesser.com. Professor Messer is widely regarded as the best free Security+ resource. His video explanations are clear, thorough, and structured around the exam objectives. The paid practice exams are reasonably priced and provide good coverage of the exam style. For candidates on a budget, Professor Messer plus free practice questions from ExamCompass covers the material adequately.
CompTIA CertMaster Learn: The official CompTIA self-paced learning platform. It is thorough and directly aligned to exam objectives but significantly more expensive than alternatives. Best suited for candidates who want the official resource and have employer tuition reimbursement.
Textbooks: Mike Chapple and David Seidl's "CompTIA Security+ Study Guide" (Sybex) and Darril Gibson's Security+ guide are both well-regarded. Textbook study works best for candidates who process information better through reading than video.
Practice exams: Jason Dion's Security+ practice exams on Udemy are widely considered the most realistic simulation of actual exam difficulty. Candidates who consistently score 85%+ on Dion's practice exams are well-prepared for the actual exam. Passing a practice exam set immediately before the real exam is an effective final preparation strategy.
Performance-Based Questions (PBQs): PBQs are simulation-based questions that require configuring a firewall, analyzing a packet capture, interpreting a log file, or completing a similar hands-on task within the exam interface. They appear at the beginning of the exam and can be time-intensive. The standard strategy: flag them at the start, complete all multiple-choice questions first, then return to PBQs with remaining time. Specific PBQ preparation is valuable: Professor Messer and CompTIA's official resources include PBQ practice scenarios.
Performance-Based Question types to practice: Firewall rule configuration (given a scenario, set rules to allow or block specific traffic), packet capture analysis (identify the attack type from a Wireshark screenshot), log file interpretation (identify suspicious entries in Windows event logs or authentication logs), and cryptography application (select the appropriate algorithm and key length for a described use case). Each of these question types requires understanding the underlying concept, not just recognizing the tool name.
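The firewall-rule PBQ turns on two concepts that simple tool recognition does not cover: rules are evaluated top-down with the first match winning, and traffic that matches no rule falls through to an implicit deny. The following is an added example (not from CompTIA, Professor Messer, or any other resource named on this page) that evaluates a constructed rule set the way a first-match firewall does and flags rules that an earlier rule shadows, which is the mistake a misordered PBQ answer typically makes. The rule fields, addresses and packets are all constructed for illustration.

```python
"""First-match firewall rule evaluation with an implicit deny.

Added example for the firewall-rule PBQ type; the Rule layout, sample rules
and sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", or "any"
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # None means any destination port


def _cidr_match(cidr: str, ip: str) -> bool:
    """True when the address falls inside the rule's CIDR ("any" matches all)."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((rule.proto == "any" or rule.proto == proto)
            and _cidr_match(rule.src, src)
            and _cidr_match(rule.dst, dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, rule_index) for the first matching rule.

    Traffic that matches nothing hits the implicit deny: ("deny", None).
    """
    for index, rule in enumerate(rules):
        if _rule_matches(rule, proto, src, dst, dport):
            return rule.action, index
    return "deny", None


def _covers(earlier: str, later: str) -> bool:
    """True when the earlier rule's CIDR contains every address of the later one."""
    if earlier == "any":
        return True
    if later == "any":
        return False
    return ipaddress.ip_network(earlier, strict=False).supernet_of(
        ipaddress.ip_network(later, strict=False))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule fully covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if ((earlier.proto == "any" or earlier.proto == later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(i)
                break
    return shadowed


# Constructed scenario: a DMZ web server must accept HTTPS from anywhere,
# only the admin subnet may SSH into the DMZ, and all other SSH is blocked.
SCENARIO_RULES = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),
    Rule("allow", "tcp", "10.10.50.0/24", "203.0.113.0/24", 22),
    Rule("deny", "tcp", "any", "203.0.113.0/24", 22),
]

# The same rules with the deny placed above the admin allow: the admin rule
# is now shadowed and the scenario's SSH requirement is silently broken.
MISORDERED_RULES = [SCENARIO_RULES[0], SCENARIO_RULES[2], SCENARIO_RULES[1]]


if __name__ == "__main__":
    for proto, src, dst, dport in [
        ("tcp", "198.51.100.7", "203.0.113.10", 443),   # internet -> web
        ("tcp", "10.10.50.4", "203.0.113.10", 22),      # admin -> SSH
        ("tcp", "198.51.100.7", "203.0.113.10", 22),    # internet -> SSH
        ("udp", "198.51.100.7", "203.0.113.10", 53),    # nothing matches
    ]:
        print(proto, src, dst, dport, "->", evaluate(SCENARIO_RULES, proto, src, dst, dport))
    print("shadowed in correct order:", shadowed_rules(SCENARIO_RULES))
    print("shadowed in misordered set:", shadowed_rules(MISORDERED_RULES))
```

The last packet (UDP 53) matches no rule and is denied with index `None`, which is the implicit deny the exam expects candidates to account for; the misordered set reports rule index 2 as shadowed, the signature of an answer that lists the right rules in the wrong order.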
Test-taking strategy for multiple choice: Eliminate obvious wrong answers first, reducing four choices to two. Then apply the Security+ test philosophy: the correct answer usually involves the most risk-aware, policy-grounded, or defense-in-depth approach rather than the most technically sophisticated implementation. Questions with qualifiers like "first," "best," and "most" almost always reward the answer that addresses governance or risk before diving into technical implementation. Double negatives in answers ("which of the following would NOT prevent an attacker from accessing the system by exploiting a lack of authentication?") require careful parsing: identify what the question is actually asking before eliminating answers.
Exam logistics: Register through CompTIA's official portal. The exam can be taken in-person at a testing center or online through Pearson OnVUE proctoring. Online testing is convenient but requires a quiet, monitored environment with no second monitors, a clean desk, and the ability to show the room via webcam to the proctor. The exam fee is $392 USD (subject to change). Retake fees apply if a second attempt is needed; CompTIA offers a retake policy with a mandatory waiting period between attempts. CompTIA vouchers purchased through authorized training providers are sometimes discounted, and employer tuition reimbursement programs frequently cover the exam fee.
## CDA Perspective
Security+ is the natural foundation certification for the CDA.Institute Domain Zero curriculum. Domain Zero prepares students for the conceptual frameworks they will use throughout the CDA ecosystem, and Security+ covers those frameworks at exactly the right level of abstraction for foundational preparation.
The alignment between Security+ domains and PDM domains is close enough to use as a direct mapping tool. Domain 2 (Threats, Vulnerabilities, and Mitigations) corresponds to TID and VSD. Domain 3 (Security Architecture) spans SPH, IAT, and DPS. Domain 4 (Security Operations) maps primarily to TID with elements of SPH and IAT. Domain 5 (Security Program Management and Oversight) is RGA territory. Using the PDM model as a mental organizing framework while studying Security+ helps candidates retain material by connecting it to a coherent structural model rather than memorizing disconnected facts.
For CDA community members pursuing Security+, the progression is: Security+ (foundational across all six domains) to CySA+ (TID operational depth) or a domain-specific credential aligned to their primary practice area. The certification path should follow the PDM domain where the practitioner intends to specialize.
## Key Takeaways
- CompTIA Security+ SY0-701 is the leading entry-level security certification, covering five domains: General Security Concepts (12%), Threats, Vulnerabilities, and Mitigations (22%), Security Architecture (18%), Security Operations (28%), and Security Program Management and Oversight (20%).
- The exam has 90 questions maximum, runs 90 minutes, requires a passing score of 750 out of 900, and costs $392 USD. No prerequisite certifications are required.
- Realistic study timelines: 8 to 12 weeks for career changers with basic IT literacy; 4 to 6 weeks for IT professionals with hands-on experience.
- The best free resource is Professor Messer's Security+ course. Jason Dion's practice exams on Udemy are the most realistic exam simulation. For those who prefer textbooks, the Chapple and Seidl Sybex guide is the standard reference.
- Performance-Based Questions (PBQs) appear at the start of the exam and require hands-on simulation tasks. Flag them, complete multiple-choice questions first, and return to PBQs with remaining time.
- Security+ maps directly to all six PDM domains, making it an ideal foundational study for practitioners entering the CDA ecosystem.
- After Security+, the recommended path is CySA+ for analyst roles, CASP+ for advanced practitioner development, or domain-specific certifications aligned to the PDM domain the practitioner intends to specialize in.