CompTIA Security+ SY0-701 Exam Domains Explained: What You Need to Know

A complete breakdown of all 5 CompTIA Security+ SY0-701 exam domains — what's covered, how they're weighted, key topics to master, and where to focus your study time.

A lot of people start Security+ prep by opening whatever chapter of their book looks interesting — usually malware, sometimes cryptography — and get three months in before they realize they haven't touched half the exam. Knowing how the CompTIA Security+ exam domains actually break down is what keeps that from happening to you.

The SY0-701 version has five domains. They're not weighted equally, and they don't cost the same amount of study effort per percentage point. One of them is worth almost a third of the exam and is also where the most people fail. Another is only 12% of the exam but everything else builds on it. If you treat them all the same, you'll study wrong.

Here's what's actually on the exam, and where your time matters most.

The five domains, at a glance

Domain                                          Weight
1. General Security Concepts                    12%
2. Threats, Vulnerabilities, and Mitigations    22%
3. Security Architecture                        18%
4. Security Operations                          28%
5. Security Program Management and Oversight    20%

Domain 4 jumps out. At 28%, it's more than a quarter of the exam on its own, and the content inside it — cryptography, IAM, incident response — is where most test-takers lose points. If you come away from this guide with one thing, let it be that Domain 4 deserves disproportionate study time.

Domain 1: General Security Concepts (12%)

This domain is small and it's tempting to rush through it. Don't. Almost every other domain pulls vocabulary from here. If you're shaky on the CIA triad, control types, and the zero trust model, you'll read Domain 4 questions and won't even understand what they're asking.

The content itself is straightforward: the CIA triad and its inverse (DAD), security control categories (technical, operational, managerial, physical), control types (preventive, detective, corrective, compensating), data protection fundamentals, and zero trust. None of it is individually hard.

What trips people up is control categorization. Security+ loves to ask you whether a firewall is technical/preventive or operational/detective, whether security awareness training is operational/preventive or managerial/preventive, whether an audit is detective or compensating. These aren't trick questions — they have correct answers — but you need to think about them enough times that the categorization becomes automatic. Flashcards work well for this. So does writing out 20 example controls and classifying each one two ways (category + type) until it feels obvious.

Spend a week or two here and move on.

Domain 2: Threats, Vulnerabilities, and Mitigations (22%)

This is the domain that feels the most like "security" in the pop-culture sense. Threat actors, malware families, social engineering, password attacks, vulnerability scanning, pen testing phases. It's also where candidates tend to over-invest, because the material is interesting and easy to read.

The trap is memorizing names without understanding what each attack targets. A useful exercise: for every malware type you study, write down what it primarily attacks from the CIA triad.

  • Ransomware attacks availability (and, depending on the variant, confidentiality when data is exfiltrated before encryption).
  • Spyware attacks confidentiality.
  • Rootkits attack integrity — the OS itself is lying to you about what's running.
  • Worms attack availability through propagation and resource consumption.
  • Botnets are infrastructure, not really a payload — they get used for DDoS, spam, or crypto mining.

Social engineering is the other big chunk. The exam will give you a scenario and ask which specific variant it is. Phishing is untargeted mass email. Spear phishing is targeted to a specific person or group. Whaling is spear phishing where the target is an executive. Business Email Compromise mimics a real business email thread, often to redirect a wire transfer. Pretexting is the setup — the story the attacker tells to justify the ask. These overlap in messy ways in real life, but on the exam they're distinct, and you should know them cold.

One pattern I've seen a lot: people who score 90%+ on Domain 2 practice questions still miss scenario questions on the real exam because they jump to the answer too fast. The exam writers know the obvious trap answer for every scenario. Read the whole question. Every time.

CVSS, vulnerability scanning (credentialed vs. non-credentialed), and the pen testing phases (recon, scanning, enumeration, exploitation, post-exploitation, reporting) are the other things you need down. You don't need to compute CVSS scores — just know the ranges and what they mean.

Domain 3: Security Architecture (18%)

Network segmentation, firewalls, IDS/IPS, cloud, virtualization, containers, embedded/IoT, resilience, disaster recovery, physical security. Broad surface area. The version bump to SY0-701 moved cloud much more firmly into the center of this domain, which matters: if you're studying from an older book or video course, you may be missing cloud content that now shows up on the exam.

The single most-tested concept here is the shared responsibility model. Know who handles what at each layer:

Model   Provider handles                       You handle
IaaS    Physical infra, hypervisor, network    OS, middleware, runtime, apps, data, IAM
PaaS    Everything up through runtime          Apps, data, access controls
SaaS    Nearly everything                      Data classification, user access, identity

The rest of Domain 3 is memorization-heavy but not conceptually hard. RAID levels (0 stripes, 1 mirrors, 5 stripes with parity, 10 is striped mirrors), backup types (full vs. incremental vs. differential), and recovery sites (hot/warm/cold) are all comparison questions. A one-page cheat sheet you build yourself — not one you download — will stick better than anything a study guide gives you.

Embedded systems, IoT, and SCADA/ICS are on the exam but usually get less than a handful of questions. Know them, but don't over-study them.

Domain 4: Security Operations (28%)

This is the one. More than a quarter of the exam, the most conceptually demanding content, and the section where people who pass solidly pull ahead of people who barely pass.

Cryptography (the hardest sub-area)

If there's one topic that deserves a second full study pass toward the end of your prep, it's this. People learn cryptography once in week 3, feel like they understand it, and then can't recall the difference between ECDSA and ECDH two months later on exam day. Schedule a second crypto pass around week 10 or 12. You'll thank yourself.

Things to actually know:

  • Symmetric vs. asymmetric. Symmetric (AES, ChaCha20) is fast and used for bulk data. Asymmetric (RSA, ECC) is slow and used for key exchange and digital signatures. In practice they're combined — asymmetric handshakes negotiate a symmetric session key, and bulk traffic flows over the symmetric cipher. Hybrid encryption, basically.
  • Hashing is one-way. SHA-256 is the workhorse; MD5 and SHA-1 are deprecated for anything security-sensitive. A hash is not encryption — you can't "decrypt" a hash.
  • Salting defeats rainbow tables. Key stretching (bcrypt, Argon2, PBKDF2) defeats offline brute force.
  • Digital signatures use the private key to sign, the public key to verify. Encryption is the opposite — public key to encrypt, private key to decrypt. Mix these up on the exam and you'll lose points.
  • PKI: a certificate binds a public key to an identity, signed by a CA. Certificates can be revoked (CRL or OCSP). OCSP stapling is the efficiency improvement that lets the server include the revocation status with the cert.
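To make the salting and key-stretching bullets concrete, here is an added example (not from the original guide) using only Python's standard library: PBKDF2-HMAC-SHA256 with a per-user random salt, and a constant-time verify. The 16-byte salt and 200,000-iteration count are assumed illustrative parameters, not values the exam prescribes.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Iteration count is the key-stretching knob: every guess an offline
# attacker makes costs this many HMAC rounds. (Assumed value for the demo.)
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn when none
    is supplied; the salt is stored alongside the key, not kept secret."""
    if salt is None:
        salt = secrets.token_bytes(16)  # per-user salt (assumed 16 bytes)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Re-derive with the stored salt and compare in constant time so the
    comparison itself does not leak how many leading bytes matched."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_key)


def same_password_different_digests(password: str) -> bool:
    """Two users who pick the same password get different stored values,
    which is why a precomputed (rainbow) table cannot be reused across
    accounts once salts are in play."""
    salt_a, key_a = hash_password(password)
    salt_b, key_b = hash_password(password)
    return salt_a != salt_b and key_a != key_b


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password for contrast: identical for every
    user with that password, and still one-way (nothing to 'decrypt')."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample credential for the demo.
    salt, key = hash_password("correct horse battery staple")
    print("stored salt:", salt.hex(), "stored key:", key.hex())
    print("verify ok:", verify_password("correct horse battery staple", salt, key))
    print("salted digests differ:", same_password_different_digests("hunter2"))
```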

Identity and Access Management

Authentication methods (something you know/have/are/do), MFA, and the protocols (Kerberos, SAML, OAuth, OIDC). The exam cares that you can distinguish them:

  • SAML is enterprise SSO. XML-based. Common in corporate environments.
  • OAuth is authorization ("let this app access your Google Calendar"), not authentication per se.
  • OIDC sits on top of OAuth and adds authentication.
  • Kerberos is internal to a network domain, ticket-based, avoids sending passwords over the wire.

Access control models — DAC, MAC, RBAC, ABAC — show up constantly. Know the decision tree: role-based when access depends on job function, attribute-based when it depends on context (time of day, device posture, location), MAC when there are formal security labels, DAC when the resource owner decides.

Incident response

Six phases, in order: preparation, detection and analysis, containment, eradication, recovery, post-incident activity. The exam will give you a scenario and ask which phase you're in. Containment and eradication trip people up — containment is stopping the bleeding (isolate the host, revoke the credential), eradication is removing the threat completely (rebuild the system, patch the vuln, close the attack vector). You contain first, then eradicate.

Monitoring and network defense

SIEM, EDR/XDR, DLP, NAC, IDS/IPS. The distinction between IDS (detects, alerts) and IPS (detects, blocks) is basic but tested. SOAR is orchestration on top — playbooks that automate common responses.

Domain 4 is the one where practice-question volume matters. Do hundreds of Domain 4 questions. Cryptography questions especially — the scenarios teach you something that reading alone doesn't.

Domain 5: Security Program Management and Oversight (20%)

Candidates underrate this domain because it's "not technical." That's exactly why it's a trap. It's worth 20% of the exam — basically tied with Domain 3 — and the questions test judgment, not recall. You can't flashcard your way through judgment.

Content is governance (policies, standards, procedures, guidelines), risk management (identification, assessment, treatment), compliance frameworks, third-party risk, data classification, and audits.

Risk treatment is high-yield. Four options: mitigate (add a control), accept (the cost of mitigation exceeds the risk), transfer (insurance, outsourcing), avoid (stop doing the risky activity). Scenario questions will describe a situation and ask which treatment fits. The right answer is often counterintuitive if you think technically — sometimes accept is correct, because spending $500K to prevent a $10K risk is bad governance.

Compliance frameworks to know: GDPR (EU, personal data, 72-hour breach notification), HIPAA (US healthcare, PHI), PCI DSS (card data, 12 requirements, merchants and processors), SOX (public company financial controls), and ISO/IEC 27001 (international ISMS standard). You don't need to recite every clause — you need to know what each one covers and when it applies.

Data classification (public, internal, confidential, restricted) drives everything from encryption requirements to retention to who can see what. Scenarios will test whether you assign the right classification to the right data.

The study approach here is different from the technical domains: fewer flashcards, more scenario questions. Read explanations for every question you miss. The explanations are where the governance reasoning lives.

How to allocate your study time

Proportional allocation (12% of your time on Domain 1, 22% on Domain 2, etc.) is the wrong mental model. Use effort-per-point instead, where you weight each domain by its exam percentage AND by how hard its material is:

  • Domain 1: short, maybe 1–2 weeks. Small domain, conceptually easy, but don't skip.
  • Domain 5: 2–3 weeks. Not technical but requires scenario practice.
  • Domain 2: 3 weeks. Material is fun and you'll move through it quickly. Resist spending more.
  • Domain 3: 3 weeks. Extra cloud focus if your materials are older.
  • Domain 4: 5–7 weeks, spread out, with a second pass on cryptography late in the prep cycle.

That's roughly 15–20 weeks of real study, plus a final 1–2 weeks of full-length practice exams and targeted review of whatever the practice tests show you're weakest on. If you already work in security, compress it. If you're coming in cold, extend it.

Another pattern worth watching: people who delay taking their first full-length practice exam until they "feel ready" almost always delay the real exam too. Take a full-length practice test early — like week 3 — even if you bomb it. The purpose isn't to get a good score. The purpose is to see the shape of the thing you're preparing for.

Where to go from here

If you're at the start of your prep, the first useful thing you can do isn't more reading — it's finding out where your baseline is across these five domains. Most people are wrong about where they're weak. They assume it's cryptography because that's the intimidating topic, and then they sit down for a practice test and their lowest domain turns out to be Domain 5.

LearnZapp's free Security+ diagnostic covers all five SY0-701 domains in about 15 minutes and gives you a per-domain breakdown. No signup. Use it to pick where this guide's study-time recommendations apply to you.

For a week-by-week version of the allocation above, see our Security+ SY0-701 study plan. If you're still deciding on a realistic timeline, how long it takes to study for Security+ breaks it down by experience level. And if cryptography is the sub-area you're most worried about — a reasonable worry — Security+ cryptography explained goes deeper than we could here.
