Security+ Questions Domain Weights SY0-701

CompTIA Security+ SY0-701 Domain Breakdown — Weights, Topics & Sample Questions

Every Security+ SY0-701 domain explained: how much it counts, which subtopics are hardest, what question types to expect, and a sample Security+ question for each.

March 4, 2026  • 10 min read

Exam Weight at a Glance

Domain 1: General Security Concepts 12%
Domain 2: Threats, Vulnerabilities & Mitigations 22%
Domain 3: Security Architecture 18%
Domain 4: Security Operations 28%
Domain 5: Security Program Management & Oversight 20%

The table above is the starting point for any study plan. Domain 4 (Security Operations) at 28% is the single most important domain — getting it wrong will fail you regardless of performance elsewhere. Together, Domains 2 and 4 account for 50% of the exam.

Below is a complete breakdown of each domain with the topics that matter most, sample Security+ questions, and links to targeted practice.

Domain 1: General Security Concepts

Exam weight: 12%  ·  70 questions in our bank
The foundation domain. Lower weight but tested topics appear in other domains as assumed knowledge. Gaps here will hurt you across the whole exam.

Hardest Subtopics

  • Security control categories & types — 4×6 matrix (Technical/Managerial/Operational/Physical × Preventive/Detective/Corrective/Deterrent/Compensating/Directive)
  • Choosing the correct cryptographic algorithm for a specific requirement (AES vs RSA vs ECC vs DH)
  • Zero Trust concepts: control plane, data plane, policy enforcement point, policy decision point
  • Authentication protocols: Kerberos vs NTLM vs RADIUS vs TACACS+ — when each is used

Typical Question Types

  • Definition/classification MCQs
  • Algorithm selection scenarios
  • Control-type matching PBQs

Sample Domain 1 Question

A security team wants to verify that patch deployments did not introduce unexpected configuration changes. Which control type BEST addresses this?

A. Preventive
B. Detective
C. Corrective
D. Compensating
Explanation: A detective control identifies that something has changed — in this case, a configuration audit / change detection tool. Preventive would block the bad patch before deployment. Corrective would remediate after discovery.
Practise Domain 1 Questions

Domain 2: Threats, Vulnerabilities & Mitigations

Exam weight: 22%  ·  120 questions in our bank
Second-highest weight, and the domain with the most attack-identification questions. Expect to read log excerpts, network captures, and indicators of compromise and identify the attack.

Hardest Subtopics

  • Distinguishing malware types from behaviour: rootkit (hides in kernel) vs spyware (exfiltrates data) vs ransomware (encrypts files) vs worm (self-propagates) vs logic bomb (triggers on condition)
  • Social engineering technique identification: phishing vs vishing vs smishing vs spear phishing vs whaling vs pretexting vs tailgating vs watering hole
  • Wireless attack types: evil twin vs deauthentication vs KRACK vs WPS attacks — identifying from scenario clues
  • Application vulnerabilities: SQL injection vs XSS vs CSRF vs buffer overflow — identifying from log patterns
  • Threat intelligence concepts: STIX/TAXII, IOC vs IOA, TTP, threat actor attribution

Typical Question Types

  • Attack identification scenarios
  • Log/indicator analysis
  • Mitigation selection MCQs
  • Matching PBQs (attack → indicator)

Sample Domain 2 Question

An analyst notices that users are receiving emails that appear to come from the CFO, requesting urgent wire transfers. No malware is detected. Which attack is MOST likely?

A. Spear phishing with a malicious attachment
B. Business Email Compromise (BEC)
C. Watering hole attack
D. Vishing
Explanation: BEC involves impersonating executives (often via spoofed or compromised email accounts) to authorise fraudulent financial transfers. No malware is used — the attack is purely social engineering. Spear phishing typically includes a malicious link or attachment.
Practise Domain 2 Questions

Domain 3: Security Architecture

Exam weight: 18%  ·  95 questions in our bank
Design-focused questions requiring you to choose the correct architectural controls for given requirements. Heavy overlap with cloud and hybrid environments.

Hardest Subtopics

  • Cloud service and deployment models: SaaS/PaaS/IaaS responsibility boundaries (the shared responsibility matrix)
  • Network segmentation tools: VLAN vs firewall vs DMZ vs microsegmentation vs SD-WAN
  • Zero Trust architecture components: SASE, ZTNA, IAM, identity-aware proxy, policy enforcement points
  • High availability designs: active-active vs active-passive, load balancers, geographic distribution
  • Infrastructure as Code security: immutable infrastructure, drift detection, secrets management in pipelines

Typical Question Types

  • Architecture design scenario MCQs
  • Cloud model responsibility questions
  • Best-architecture-for-requirement selection

Sample Domain 3 Question

A company is migrating to SaaS applications and wants to enforce data loss prevention policies across all cloud services without deploying agents on every endpoint. Which solution is BEST?

A. Next-generation firewall (NGFW)
B. Cloud Access Security Broker (CASB)
C. Security Information and Event Management (SIEM)
D. Web Application Firewall (WAF)
Explanation: A CASB sits between users and SaaS services and enforces DLP, visibility, and access control across cloud applications without requiring endpoint agents. A WAF protects web apps from attacks (not DLP). SIEM is for log correlation and alerting, not traffic control. NGFW controls network traffic but does not inspect SaaS sessions without traffic hairpinning.
Practise Domain 3 Questions

Domain 4: Security Operations

Exam weight: 28%  ·  150 questions in our bank
The highest-weight domain by a significant margin. It covers the day-to-day work of a security analyst: monitoring, incident response, vulnerability management, and hardening. PBQs are heavily concentrated here.

Hardest Subtopics

  • Incident response phase ordering (PICERL) — especially knowing exactly WHEN Contain, Eradicate and Recover each happen
  • SIEM, SOAR, EDR, XDR, and MDR distinctions — and which tool fits which scenario
  • Vulnerability scanning vs penetration testing: scope, authorisation, output, timing
  • Log analysis: identifying attack patterns from firewall logs, auth logs, DNS logs, web server logs
  • Hardening procedures: default password changes, disabling unnecessary services, OS baselines, application allow-listing

Typical Question Types

  • Incident response ordering PBQs
  • Tool selection scenarios
  • Log analysis scenarios
  • Hardening checklist scenarios

Sample Domain 4 Question

During an incident investigation, forensic analysts are collecting evidence. They have access to a running server with active user sessions, a log server, and backup tapes. In what order should they collect evidence according to the order of volatility?

A. Log server → running server memory → backup tapes
B. Running server memory → log server → backup tapes
C. Backup tapes → log server → running server memory
D. Running server memory → backup tapes → log server
Explanation: The order of volatility requires capturing the most perishable evidence first. RAM (running server memory) is lost when the system is powered off or rebooted — collect it first. Log server data is more persistent but still volatile compared to backup tapes. Backup tapes are the least volatile (they persist offline). Answer: RAM first → logs second → tapes last.
Practise Domain 4 Questions

Domain 5: Security Program Management & Oversight

Exam weight: 20%  ·  105 questions in our bank
The compliance, governance, and risk management domain. Questions are often wordy scenarios requiring you to identify the correct policy, framework, regulation, or risk concept in context.

Hardest Subtopics

  • Risk calculation: SLE (Single Loss Expectancy) = AV (asset value) × EF (exposure factor), ALE (Annualized Loss Expectancy) = SLE × ARO (annualized rate of occurrence) — producing the right number and using it to justify control cost
  • Compliance framework mapping: HIPAA vs PCI-DSS vs SOX vs GDPR vs CMMC — which regulation applies to which business type
  • Data classification: public vs internal vs confidential vs restricted — and which controls are required at each level
  • Privacy concepts: data subject rights under GDPR (right to access, erasure, portability), data controller vs data processor, DPA
  • Third-party risk: vendor assessments, supply chain attacks, right-to-audit clauses, due diligence
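A worked version of the risk formulas in the first bullet (an added example, not part of the original article), carrying SLE and ALE through to the control cost-justification decision the bullet refers to. The `Risk` class and all dollar figures are constructed for illustration.

```python
"""Domain 5 risk arithmetic: SLE = AV x EF, ALE = SLE x ARO, then the
cost-benefit check: a control is justified when the ALE it removes exceeds
its annual cost. Constructed example, not from the original page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of the asset lost per incident (0.0-1.0)
    aro: float              # ARO: expected incidents per year (may be below 1)

    def __post_init__(self) -> None:
        # An EF outside 0..1 or a negative AV/ARO is a data-entry error,
        # not a risk figure, so refuse it rather than produce a number.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's cost.
    Positive means the control pays for itself; negative means it costs more
    than the risk it removes and a different (or no) control should be argued."""
    return before.ale() - after.ale() - annual_control_cost


if __name__ == "__main__":
    # Constructed scenario: a $200,000 database, a breach destroys 25% of its
    # value, and a breach is expected once every four years (ARO = 0.25).
    baseline = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.25)
    # A monitoring control cuts the expected frequency to once a decade.
    with_control = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.10)
    print(f"SLE        = {baseline.sle():,.0f}")      # 50,000
    print(f"ALE before = {baseline.ale():,.0f}")      # 12,500
    print(f"ALE after  = {with_control.ale():,.0f}")  # 5,000
    net = control_value(baseline, with_control, annual_control_cost=6_000)
    print(f"Net value of a $6,000/yr control = {net:,.0f}")  # 1,500
```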

Typical Question Types

  • Regulation identification scenarios
  • Risk calculation MCQs
  • Policy selection scenarios
  • Compliance mapping

Sample Domain 5 Question

A healthcare organisation stores patient records and processes credit card payments. Which combination of compliance frameworks is REQUIRED?

A. SOX and GDPR
B. HIPAA and PCI-DSS
C. CMMC and ISO 27001
D. NIST CSF and FedRAMP
Explanation: HIPAA (Health Insurance Portability and Accountability Act) is required for any organisation that stores or processes protected health information (PHI). PCI-DSS (Payment Card Industry Data Security Standard) is required for any organisation that processes, stores, or transmits cardholder data. Both apply here. SOX applies to publicly traded companies. GDPR applies to companies processing EU residents' data.
Practise Domain 5 Questions

Frequently Asked Questions

Which Security+ domain is hardest?
For most candidates, Domain 4 (Security Operations) is the hardest because it combines the most content with the most PBQs. Domain 5 (Program Management) is often underestimated — the risk calculations and compliance questions reward careful pre-exam study.
Can I skip a domain if the weight is low?
No. A 12% domain still contributes roughly 10–11 questions. You cannot afford to blank entire domains — even General Security Concepts at 12% can be the difference between a 730 and a 750. Allocate study time proportionally, not zero.
Are all question types tested in every domain?
No. PBQs are concentrated in Domains 2 and 4. Domains 3 and 5 tend toward scenario-based MCQs. Domain 1 has more definition and classification questions. This makes Domain 4 the most time-consuming in the exam.

Test Every Domain — 540 Security+ Questions

Our domain-filtered practice mode lets you attack your weakest domain directly — until it is no longer weak.
