CompTIA Security+ Study Guide 2026 (SY0-701)

The CompTIA Security+ (SY0-701) certification validates your ability to implement, monitor, and respond to security incidents across networks and systems. This comprehensive study guide breaks down all five domains, explains critical concepts, and provides actionable study strategies to help you pass with confidence in 2026.

Domain 1: General Security Concepts (11%)

Domain 1 establishes the foundational principles that underpin all cybersecurity practices. This domain covers the CIA triad, security principles, and governance frameworks that form the backbone of security decision-making.

Key Topics in Domain 1

The CIA Triad and Beyond

The CIA triad comprises confidentiality, integrity, and availability. Confidentiality ensures that sensitive data remains accessible only to authorized parties. Integrity guarantees that data has not been modified, deleted, or corrupted. Availability ensures that systems and data are accessible when needed. However, modern security extends beyond the CIA triad to include authentication, non-repudiation, and accountability. Non-repudiation prevents users from denying their actions, which is critical in forensic investigations and legal proceedings.

Authentication, Authorization, and Accounting (AAA)

Authentication verifies the identity of a user or system using factors such as passwords, biometrics, or digital certificates. Authorization determines what authenticated users are permitted to do based on their roles and permissions. Accounting tracks and logs user activities for compliance, auditing, and security investigations. Implementing robust AAA mechanisms is fundamental to controlling access and maintaining security posture.

Risk Management Fundamentals

Risk management is the process of identifying, assessing, and mitigating threats to your organization. The formula Risk = Threat x Vulnerability x Asset Value guides security professionals in prioritizing efforts. Risk assessment involves qualitative (subjective scoring) and quantitative (numerical analysis) approaches. Organizations must understand the difference between risk acceptance (living with residual risk), risk mitigation (reducing likelihood or impact), risk avoidance (eliminating the activity), and risk transference (shifting risk through insurance or outsourcing).

Governance, Risk, and Compliance (GRC)

Governance refers to the policies, procedures, and oversight mechanisms that guide security operations. Compliance involves meeting external regulatory requirements such as HIPAA, GDPR, PCI-DSS, and SOX. Frameworks such as NIST Cybersecurity Framework, ISO/IEC 27001, and CIS Controls provide structured approaches to implementing security controls and achieving compliance objectives.

Study Strategy for Domain 1: Focus on understanding the "why" behind security principles rather than memorizing definitions. Create a mind map showing how CIA, AAA, and risk management interconnect. Use real-world scenarios to practice applying these concepts, such as designing access controls for sensitive data or evaluating the cost-benefit of implementing a new security control.


Domain 2: Threats, Vulnerabilities, and Mitigations (23%)

This domain is the largest weighted section of the exam and covers the practical threats you'll encounter in real-world environments. You'll learn to identify, classify, and respond to malware, social engineering attacks, and various exploits.

Malware and Exploit Types

Malware Categories

Malware encompasses any software designed to harm systems or compromise data. Viruses attach to legitimate programs and spread when those programs execute. Worms self-replicate and spread across networks without user interaction. Trojans disguise themselves as legitimate software but perform unauthorized actions. Ransomware encrypts files and demands payment for decryption keys. Spyware secretly monitors user activity and exfiltrates data. Rootkits gain privileged access and hide their presence from detection tools. Adware displays unwanted advertisements, often bundled with legitimate software. Understanding the characteristics of each type is essential for implementing effective detection and prevention strategies.

Attack Vectors and Exploits

Exploits are techniques that leverage vulnerabilities to gain unauthorized access or execute malicious code. Buffer overflow attacks write data beyond allocated memory boundaries, potentially overwriting security controls or executing arbitrary code. SQL injection inserts malicious SQL commands into input fields, allowing attackers to access or modify databases. Cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users. Man-in-the-middle (MITM) attacks intercept communications between two parties, potentially eavesdropping or modifying data. Privilege escalation exploits allow unprivileged users to gain administrative access. Zero-day exploits target previously unknown vulnerabilities before vendors can release patches.

Social Engineering and Human Factors

Social engineering exploits human psychology to bypass technical controls. Phishing emails impersonate legitimate organizations to steal credentials or deploy malware. Spear phishing targets specific individuals with customized messages. Whaling targets high-value targets such as executives. Pretexting creates false scenarios to extract information. Baiting offers something of value (USB drives, downloads) to trigger malware installation. Tailgating and piggybacking gain physical access by following authorized users. The human element remains one of the most exploitable vulnerabilities, making user awareness training essential to security programs.

Vulnerability Assessment and Management

Vulnerability scanning uses automated tools to identify weaknesses in systems and applications. Common Vulnerabilities and Exposures (CVE) provides a standardized naming system for known vulnerabilities. The Common Vulnerability Scoring System (CVSS) assigns numerical scores (0-10) indicating severity. Penetration testing goes beyond scanning to actively exploit vulnerabilities and assess impact. Remediation involves patching systems, disabling unnecessary services, or implementing compensating controls. Vulnerability management is an ongoing process requiring regular assessment, prioritization, and remediation.

Study Strategy for Domain 2: This domain requires both breadth and depth. Create detailed flashcards for each malware type, including characteristics, detection methods, and remediation. Watch demonstrations of common attacks such as SQL injection and phishing to understand how they work in practice. Study the CVSS scoring methodology with real CVE examples. Use practice labs to implement mitigations for common vulnerabilities.


Domain 3: Security Architecture and Design (25%)

Domain 3, the largest section, covers security controls, cryptography, identity and access management, and secure system design. This is where you apply concepts from earlier domains to design secure environments.

Security Control Types and Implementation

Preventive, Detective, and Responsive Controls

Security controls fall into three categories based on their timing and function. Preventive controls stop attacks before they occur, such as firewalls, intrusion prevention systems (IPS), and encryption. Detective controls identify attacks as they happen, including intrusion detection systems (IDS), security information and event management (SIEM), and log monitoring. Responsive controls limit damage after an attack is detected, such as isolation of affected systems, data recovery procedures, and incident response teams. Most effective security programs layer all three types, creating defense in depth that protects against diverse threats.

Cryptography Fundamentals

Cryptography transforms readable data (plaintext) into unreadable data (ciphertext) to protect confidentiality and integrity. Symmetric encryption uses a single shared key for both encryption and decryption, offering fast processing but requiring secure key exchange. Algorithms include AES (Advanced Encryption Standard), which is considered secure for governmental and commercial use. Asymmetric encryption uses a public key (known to all) and private key (kept secret), solving the key distribution problem but consuming more processing power. RSA is the most common asymmetric algorithm. Hashing creates a fixed-length digital fingerprint of data; even a tiny change produces a completely different hash. SHA-256 and SHA-3 are current standards. Digital signatures combine hashing and asymmetric encryption to prove authenticity and non-repudiation. Perfect forward secrecy ensures that compromise of long-term keys doesn't expose previously encrypted sessions.

Identity and Access Management (IAM)

IAM systems manage user identities, their authentication, and their permissions across systems. Multi-factor authentication (MFA) requires two or more authentication factors (something you know, something you have, something you are, somewhere you are, something you do) to verify identity. Single Sign-On (SSO) allows users to authenticate once and access multiple systems without re-authenticating. Role-based access control (RBAC) assigns permissions based on job roles. Attribute-based access control (ABAC) makes decisions based on attributes such as department, clearance level, or device security posture. Privileged access management (PAM) controls access to high-risk accounts and systems, often requiring additional authentication and monitoring.

Secure Network Architecture

Defense in depth applies multiple layers of security at different points. Network segmentation divides networks into zones, limiting lateral movement if one zone is compromised. DMZs (demilitarized zones) host public-facing services while protecting internal networks. VLANs (virtual local area networks) isolate traffic at layer 2. Zero trust assumes no trust by default and verifies every access request, regardless of source. Network access control (NAC) ensures devices meet security policies before connecting. Data loss prevention (DLP) prevents exfiltration of sensitive data through network monitoring and blocking.

Cloud Security Considerations

Cloud services introduce shared responsibility models where both cloud providers and customers have security obligations. Infrastructure-as-a-Service (IaaS) provides virtual servers and storage; customers must secure the operating system and above. Platform-as-a-Service (PaaS) includes operating systems and middleware; customers secure applications and data. Software-as-a-Service (SaaS) is fully managed; customers focus on data and user access. Cloud-specific risks include misconfiguration, insecure APIs, and multi-tenant isolation issues. Data encryption in transit and at rest protects confidentiality. Regular assessments and proper identity management are essential in cloud environments.

Study Strategy for Domain 3: This is a conceptually dense domain requiring hands-on practice. Set up a home lab using virtual machines to practice network segmentation, firewall rules, and access control configurations. Study cryptographic algorithms by working through encryption examples step-by-step. Understand the trade-offs between security and usability when designing IAM systems. Create comparison charts for different control types, authentication methods, and encryption algorithms. Take practice labs focused on implementing security controls.


Domain 4: Security Operations (23%)

Domain 4 covers the day-to-day activities that keep security programs running, including monitoring, logging, SIEM systems, and security tool management.

Monitoring and Logging

Centralized Logging and SIEM

Security Information and Event Management (SIEM) systems collect logs from across your infrastructure and analyze them for security events. SIEM platforms parse logs, correlate events from multiple sources, and alert analysts to potential incidents. Centralized logging simplifies investigation and ensures logs aren't deleted by attackers. Log retention policies must balance storage costs with compliance requirements. Splunk, Elastic Stack, and ArcSight are common SIEM platforms. Proper log configuration ensures that relevant events are captured without creating excessive noise that obscures real threats.
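The correlation described above, as an added example that is not part of the original guide: a minimal SIEM-style rule that normalises constructed log lines from two sources (sshd and a hypothetical VPN gateway) into one schema and flags a source IP that produced several failed logins followed by a successful login within a short window. Hosts, users and addresses are constructed sample values.

```python
"""Minimal SIEM-style correlation rule over constructed log lines (added example,
not part of the study guide). Two sources (sshd and a hypothetical VPN gateway)
are parsed into a common schema, then one rule flags a source IP that produced
several failed logins followed by a successful login within a short window."""
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified syslog-style layout.
SAMPLE_LOGS = """\
2026-01-10T08:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51000
2026-01-10T08:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 51001
2026-01-10T08:00:05 sshd[101]: Failed password for admin from 203.0.113.7 port 51002
2026-01-10T08:00:06 sshd[101]: Failed password for root from 198.51.100.9 port 40000
2026-01-10T08:00:09 vpn: Accepted login for admin from 203.0.113.7
2026-01-10T08:30:00 sshd[101]: Accepted password for alice from 192.0.2.5 port 52000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted (?:password|login) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line):
    """Normalise one raw line into {ts, source, outcome, user, ip}, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for outcome, pattern in (("fail", FAIL_RE), ("success", OK_RE)):
        hit = pattern.search(m["msg"])
        if hit:
            return {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"],
                    "outcome": outcome, "user": hit["user"], "ip": hit["ip"]}
    return None  # unrelated message: dropped to keep the rule's input small


def parse_logs(text):
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Rule: at least `threshold` failures from an IP, then a success from that
    IP within `window`. The sources involved are reported so the analyst sees
    the pivot from one system (sshd) to another (vpn)."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["outcome"] != "success":
            continue
        earlier = [e for e in events[:i] if e["ip"] == ev["ip"]
                   and e["outcome"] == "fail" and ev["ts"] - e["ts"] <= window]
        if len(earlier) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"], "failures": len(earlier),
                           "sources": sorted({e["source"] for e in earlier} | {ev["source"]}),
                           "success_at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_logs(SAMPLE_LOGS)):
        print("ALERT: failed logins followed by success:", a)
```

Raising `threshold` or shrinking `window` is the tuning knob the paragraph alludes to: tighter values cut noise, looser values catch slower attempts.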

Network Monitoring and Analysis

Network monitoring tools capture and analyze traffic patterns to detect anomalies and intrusions. Intrusion Detection Systems (IDS) passively monitor traffic and alert on suspicious activity. Intrusion Prevention Systems (IPS) actively block detected threats. NetFlow analysis examines traffic patterns to identify data exfiltration or command-and-control communications. Packet analysis using tools like Wireshark allows deep inspection of network protocols. Baseline establishment identifies normal traffic patterns, making anomalies easier to spot.

Endpoint Detection and Response (EDR)

EDR tools monitor individual systems for signs of compromise, including unusual process execution, file modifications, and network connections. EDR provides visibility into system behavior and enables rapid isolation of infected systems. EDR platforms maintain activity timelines that forensic investigators use to understand attack progression and impact.

Log Management Best Practices

Logs must capture sufficient detail to enable investigation without creating overwhelming noise. Syslog standardizes log formats across systems. Log aggregation centralization simplifies analysis and ensures completeness. Log protection prevents attackers from deleting logs to cover their tracks. Immutable logging using write-once storage or cryptographic techniques ensures log integrity. Log analysis automation using rules and machine learning accelerates threat detection.
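The cryptographic log-integrity technique mentioned above, as an added example that is not part of the original guide: a hash-chained log in which each record carries the SHA-256 of the previous one, so editing, inserting or deleting a middle entry fails verification. It also shows the caveat that truncating the newest entries is only detectable when the head hash is anchored elsewhere, such as on write-once storage. The events, hosts and users are constructed sample values.

```python
"""Hash-chained (tamper-evident) log, an added example not taken from the study
guide. Each record stores the SHA-256 of the previous record, so editing,
inserting or deleting an entry in the middle breaks verification. Removing the
newest entries is only detectable if the head hash is anchored elsewhere, e.g.
on write-once storage or a remote collector."""
import hashlib
import json
from copy import deepcopy

GENESIS = "0" * 64  # prev-hash of the first record

# Constructed sample events (hypothetical host and users).
SAMPLE_EVENTS = [
    {"host": "web01", "msg": "sshd: Accepted password for alice from 192.0.2.5"},
    {"host": "web01", "msg": "sudo: alice : COMMAND=/bin/systemctl stop auditd"},
    {"host": "web01", "msg": "auditd: service stopped"},
]


def _digest(record_without_hash):
    # Canonical JSON so that the same record always hashes the same way.
    payload = json.dumps(record_without_hash, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "event": event}
    record["hash"] = _digest(record)
    chain.append(record)
    return record["hash"]


def head_hash(chain):
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain):
    """Return (True, length) or (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev") != prev or _digest(body) != rec.get("hash"):
            return (False, i)
        prev = rec["hash"]
    return (True, len(chain))


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev)
    return chain


def with_modified_event(chain, index, new_msg):
    tampered = deepcopy(chain)
    tampered[index]["event"]["msg"] = new_msg
    return tampered


def with_deleted_entry(chain, index):
    tampered = deepcopy(chain)
    del tampered[index]
    return tampered


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = head_hash(chain)  # store this on write-once media or a remote host
    print("intact:", verify_chain(chain))
    print("edited entry 1:", verify_chain(with_modified_event(chain, 1, "sudo: nothing to see")))
    print("deleted entry 1:", verify_chain(with_deleted_entry(chain, 1)))
    truncated = with_deleted_entry(chain, 2)
    print("newest entry removed:", verify_chain(truncated),
          "head matches anchor:", head_hash(truncated) == anchor)
```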

Study Strategy for Domain 4: Hands-on experience with SIEM and monitoring tools is invaluable. Set up open-source SIEM such as Wazuh or ELK Stack in your lab environment. Practice writing correlation rules that detect multi-step attacks. Study common attack patterns and the logs they generate. Understand how to interpret SIEM dashboards and alerts. Review case studies of security incidents to understand how monitoring would have detected them.


Domain 5: Incident Response and Recovery (18%)

Domain 5 focuses on preparing for and responding to security incidents, including detection, containment, eradication, and recovery.

Incident Response Framework

The Incident Response Lifecycle

Effective incident response follows a structured process. Preparation involves establishing incident response teams, tools, and procedures before incidents occur. Detection and analysis identifies security events and determines if they constitute actual incidents. Containment limits the scope and impact of the incident by isolating affected systems (short-term containment) and implementing fixes (long-term containment). Eradication removes the threat from the environment, including malware, backdoors, and attacker access methods. Recovery restores systems to normal operations, including patching, restoring from clean backups, and rebuilding systems. Post-incident activities include investigation, documentation, lessons learned, and improvements to prevent recurrence.

Evidence Handling and Chain of Custody

Digital forensics requires careful handling of evidence to ensure admissibility in legal proceedings. Chain of custody documents all access to evidence, ensuring it hasn't been tampered with. Live response captures volatile data such as RAM contents before systems are powered down. Write blockers prevent accidental modification of storage devices during analysis. Evidence preservation applies cryptographic hashing to demonstrate that evidence hasn't changed. Proper documentation supports both technical investigation and legal action against attackers.

Investigation and Analysis Techniques

Incident investigation determines what happened, how it happened, and the extent of compromise. Timeline reconstruction uses logs and forensic artifacts to determine the sequence of events. Attacker behavior analysis examines tactics, techniques, and procedures (TTPs) to identify the threat actor. Impact assessment quantifies data compromised, systems affected, and operational disruption. Root cause analysis identifies the initial vulnerability or mistake that allowed the attack.

Business Continuity and Disaster Recovery

Business continuity planning ensures critical operations continue during disruptions. Recovery point objective (RPO) defines the acceptable amount of data loss (time since last backup). Recovery time objective (RTO) defines how quickly systems must be restored. Backup strategies include full, incremental, and differential backups at appropriate intervals. Redundancy at multiple levels (server, data center, geographic region) reduces single points of failure. Failover mechanisms automatically switch to backup systems when primary systems fail. Regular testing of backup and recovery procedures ensures they work when needed.

Lessons Learned and Continuous Improvement

Post-incident reviews capture learning to improve future response. Blameless post-mortems focus on improving processes rather than assigning fault. Documentation of findings shares knowledge across the organization. Implementation of recommendations prevents similar incidents. Metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) track improvement over time.

Study Strategy for Domain 5: Study the NIST incident response framework and compare it to other frameworks you'll encounter in practice. Create detailed flowcharts of incident response procedures. Understand the legal and forensic implications of incident handling. Practice writing incident reports that clearly document findings and recommendations. Review real-world incident case studies to understand complex attack scenarios and response strategies. Use practice labs that simulate incident scenarios requiring investigation and response.


Study Strategies and Preparation Tips

Create a Personalized Study Plan

Assess your current knowledge against each domain. Allocate more study time to domains with lower confidence or higher exam weight. Domain 3 (25%) and Domain 2 (23%) warrant substantial focus. Create a timeline that builds foundational knowledge in Domain 1 before progressing to applied topics in Domains 3-5. Plan to study for 8-12 weeks, allowing 10-15 hours per week for a solid foundation.

Leverage Multiple Learning Resources

Use textbooks, video courses, practice exams, and hands-on labs to engage different learning styles. Official CompTIA study materials provide the most aligned content with the exam. Microsoft's security documentation provides real-world implementation context for many concepts. Industry certifications such as CompTIA Network+ provide prerequisite networking knowledge that strengthens Security+ understanding.

Hands-On Lab Experience is Critical

The 19 hours of practice labs included with DiviTrain's course provide essential hands-on experience. Use labs to implement security controls, practice incident response procedures, and develop practical skills. Supplement with personal lab environments using free or low-cost virtualization platforms.

Master Practice Exams

Practice exams under timed conditions replicate the real testing experience. Review incorrect answers thoroughly, not just to learn the correct answer but to understand why other options were incorrect. MeasureUp practice exams (60 days access) with DiviTrain provide high-quality preparation. Aim for consistent scores above 80% before attempting the real exam.

Join Study Communities

Connect with others studying for Security+. Study groups provide accountability, allow you to explain concepts (which reinforces learning), and expose you to different perspectives. Online communities and forums offer answers to specific questions and discussion of challenging topics.

Focus on Application Over Memorization

The Security+ exam tests ability to apply security concepts in realistic scenarios rather than memorize definitions. Practice answering scenario-based questions that require reasoning about security implications. Think about trade-offs between security and usability, cost-benefit analysis of controls, and appropriate responses to different threat types.


The DiviTrain Advantage

  • Expert tutor support available 24/7 to answer your questions as you study
  • MeasureUp Practice Exams with 60 days of access to refine your test-taking skills
  • 365 days of course access, giving you the flexibility to learn at your own pace
  • 19 hours of hands-on practice labs that let you apply concepts in realistic scenarios
  • Structured curriculum covering all five domains with clear learning objectives
  • Developed by Skillsoft, the global leader in enterprise learning, ensuring content quality and relevance

Additional Resources for Deeper Learning

Expand your knowledge beyond the exam syllabus with these authoritative sources:

Consider exploring related certifications to build comprehensive cybersecurity expertise. CompTIA CySA+ extends Security+ knowledge with advanced threat analysis and incident response skills. Browse all cybersecurity training options to find additional relevant certifications. For cloud security specialists, Microsoft Azure Security Engineer Associate (AZ-500) combines Security+ foundations with cloud-specific implementations.


Frequently Asked Questions

Is CompTIA Security+ (SY0-701) suitable for beginners in cybersecurity?

CompTIA Security+ is an entry-level to intermediate certification that assumes foundational IT knowledge. CompTIA recommends either two years of IT experience or completion of CompTIA Network+ before attempting Security+. If you lack IT background, you can still succeed through dedicated study and hands-on lab practice. Many employers value Security+ as a starting point for cybersecurity careers, particularly for defensive security roles such as SOC analysts and security administrators.

What is the passing score for CompTIA Security+ SY0-701?

The passing score for Security+ SY0-701 is 750 out of 900 points, equivalent to approximately 83%. The exam uses adaptive testing, meaning question difficulty adjusts based on your performance. This scoring method ensures consistent reliability regardless of specific questions presented. Aiming for consistent scores of 85% or higher on practice exams provides a safety margin above the passing threshold.

How long is the Security+ exam and what question formats does it use?

The Security+ exam is 90 minutes long and contains approximately 90 questions. Question formats include multiple-choice questions with four options, performance-based questions that simulate real-world security scenarios, and drag-and-drop matching questions. Performance-based questions require you to complete actual security tasks such as configuring access controls or analyzing logs. The diverse question formats test both knowledge and practical application, so practice with varied question types during preparation.

Which domain is most important to focus on for Security+ exam preparation?

Domain 3 (Security Architecture and Design) carries the highest weight at 25% of the exam score, followed closely by Domain 2 (Threats, Vulnerabilities, and Mitigations) at 23% and Domain 4 (Security Operations) at 23%. Together, these three domains comprise 71% of the exam. However, all domains are important, and a strong foundation in Domain 1 supports understanding of applied topics in later domains. Allocate study time proportionally to domain weights while ensuring adequate understanding of all topics.

How important are hands-on labs for passing Security+?

Hands-on labs are highly valuable for understanding security concepts practically and building skills you'll use in real security roles. The 19 hours of practice labs provided with DiviTrain courses allow you to implement controls, configure systems, and practice incident response procedures. Labs significantly improve your ability to answer scenario-based questions and performance-based questions on the exam. Many study guides recommend dedicating 40-50% of study time to hands-on practice, with the remaining time spent on theory and practice exams.

What is the cost of CompTIA Security+ exam and how often can you retake it?

As of 2026, the CompTIA Security+ exam costs approximately $380 USD, though pricing may vary by region and testing center. If you don't pass on your first attempt, you can retake the exam, but CompTIA requires a 14-day waiting period before your second attempt. A third attempt requires a 14-day wait from the second attempt. Some individuals choose to take the exam at reduced cost during CompTIA's promotional periods. Budget for both the exam fee and quality study materials like practice exams and courses when planning your certification investment.

How long is the Security+ certification valid, and what are the renewal requirements?

CompTIA Security+ certifications remain valid for three years from the date you pass the exam. After three years, you must renew to maintain an active certification. Renewal options include retaking the exam, earning a higher-level CompTIA certification (such as CISSP or CCSK), or accumulating continuing education credits through approved activities. Many professionals maintain their certification by pursuing advanced certifications, which CompTIA accepts as automatic renewal, making it efficient to advance your career while maintaining current credentials.

How does Security+ differ from other entry-level security certifications like CEH or CISSP?

CompTIA Security+ focuses on security fundamentals and is vendor-neutral, making it broadly applicable across different platforms and organizations. CEH (Certified Ethical Hacker) emphasizes penetration testing and offensive security techniques, requiring more advanced technical skills and hands-on hacking experience. CISSP is an advanced certification requiring significant experience (typically 5+ years) and covers security governance in-depth, making it suitable for senior security professionals. Security+ serves as an excellent foundation, with many professionals progressing to CEH for specialized offensive skills or CISSP for leadership and governance focus.


About the Author

DiviTrain is an international IT learning platform with nearly 20 years of experience in professional IT training. Our courses are developed by Skillsoft, the global leader in enterprise learning, ensuring high-quality, industry-relevant content. You get access to hands-on practice labs, expert tutor support available 24/7, and official MeasureUp practice exams, all backed by DiviTrain's commitment to your certification success. Whether you're pursuing your first certification or advancing your career in cybersecurity, DiviTrain provides the complete tools, guidance, and support you need to succeed.

