CompTIA Security+ SY0-701 Exam Format: Everything You Need to Know

Introduction

Knowing exactly what to expect on exam day is half the battle. Candidates who understand the Security+ SY0-701 exam format going in — how many questions, how long they have, what the question types look like, and how performance-based questions work — are significantly better prepared than those who encounter surprises at the test centre.

This guide gives you a complete picture of the SY0-701 exam structure so you can build your study approach around what the exam actually tests.

SY0-701 at a Glance

Exam detail | Value
----------- | -----
Exam code | SY0-701
Maximum questions | 90
Exam duration | 90 minutes
Passing score | 750 (scale of 100–900)
Question types | Multiple choice, performance-based
Languages | English, Japanese, Portuguese, Simplified Chinese
Delivery | Pearson VUE test centre or online proctored
Exam price | Approximately $392 USD (voucher price; discounts available)
Certification validity | 3 years (renewable via CE credits or retesting)

The exam was launched in November 2023, replacing the SY0-601 version. The SY0-701 is the current active version and will remain the standard through at least late 2026.

How Many Questions Will You Actually See?

The "maximum 90 questions" can be confusing. Here's how it works in practice.

CompTIA states a maximum of 90 questions. In most candidate reports, the actual number sits between 80 and 90. You won't know in advance exactly how many you'll face. The exam includes some unscored beta questions that CompTIA is evaluating for use in future exams. These do not count toward your score, but you won't know which ones they are.

The practical implication: plan for 90 questions and pace yourself accordingly. One minute per question is the baseline. Performance-based questions take longer, so you need to bank time on the straightforward MCQs to compensate.

Question Types in Detail

Multiple-Choice Questions (MCQs)

The majority of the exam consists of standard multiple-choice questions. You see a question stem and four answer options; you select the single best answer.

CompTIA Security+ MCQs are scenario-heavy. Rather than asking "what does AES stand for?", a typical question presents a situation: a company is selecting an encryption algorithm for data at rest on portable devices, and you must identify which option best meets the stated requirements. The correct answer requires you to apply knowledge, not just recall it.

Common MCQ traps to watch for:

  • "BEST" and "MOST": Multiple options may be technically correct, but only one is the best answer in the given scenario.
  • "EXCEPT" and "NOT": These flip the question. You're looking for the one option that does NOT apply.
  • Distractors that are real but irrelevant: CompTIA often includes plausible-sounding options that are genuine security concepts but wrong for the specific scenario described.

Performance-Based Questions (PBQs)

Performance-based questions are the distinctive feature of CompTIA exams. They require you to interact with a simulated environment or work through a multi-step scenario rather than simply selecting from four options.

PBQ types you may encounter on SY0-701:

  • Drag-and-drop: Match attack types to descriptions, order the steps of an incident response process, or categorise security controls into the correct framework tier
  • Fill-in-the-blank: Complete a configuration command or policy statement
  • Simulations: Work within a simplified interface — configure firewall rules, review network diagrams and identify misconfigurations, or analyse log outputs to identify an attack

Critical point about PBQs: They appear at the beginning of the exam. When you open the SY0-701, the first questions you face will be PBQs. Many candidates feel unprepared for this because they've only practised MCQs.

Do not spend more than three to four minutes on any single PBQ before flagging it and moving on. You can return to flagged questions at the end. Letting one complex PBQ consume ten minutes of your 90-minute exam is one of the most common reasons candidates run out of time.

The Five Exam Domains

CompTIA structures the SY0-701 exam around five domains. Each domain has a published percentage weighting that tells you what proportion of exam questions comes from that area.

Domain 1: General Security Concepts (12%)

The lightest-weighted domain covers foundational security terminology and concepts: security controls (preventive, detective, corrective), the CIA triad, authentication methods (MFA, biometrics, certificates), basic cryptography concepts, and physical security.

Treat this domain as the vocabulary layer. The concepts here appear throughout the other domains — you need them to understand what's being asked elsewhere.

Domain 2: Threats, Vulnerabilities, and Mitigations (22%)

At 22%, this is the second-highest weighted domain. It covers:

  • Threat types: Malware (ransomware, trojans, rootkits, fileless malware), social engineering (phishing, vishing, smishing, business email compromise), physical threats
  • Vulnerability types: Application vulnerabilities (SQL injection, XSS, buffer overflow, IDOR), network vulnerabilities, zero-days
  • Attack techniques: Password attacks, network scanning and enumeration, adversary-in-the-middle attacks
  • Mitigation techniques: Patching, segmentation, access controls, threat intelligence

This is the domain where scenario questions are densest. Questions typically describe an attack or incident and ask you to identify what type it is, what allowed it to succeed, or what control would have prevented it.

Domain 3: Security Architecture (18%)

Covers secure network design (segmentation, VLANs, DMZs, firewalls, proxies), cloud security architecture, infrastructure as code, virtualisation and containerisation security, and secure application development concepts.

This domain requires you to understand not just what security technologies are, but where they belong in an architecture and why. Questions often describe a network diagram scenario and ask you to recommend the appropriate control.

Domain 4: Security Operations (28%)

The largest domain at 28%. If you're short on study time, this is where you'll get the highest return on investment. Key areas:

  • Identity and access management: Zero trust, RBAC, ABAC, PAM, directory services
  • Endpoint security: EDR, antivirus, application allow-listing, host-based firewalls
  • Vulnerability management: Scanning, CVSS scoring, remediation prioritisation
  • Incident response: IR lifecycle, evidence handling, forensics basics, containment strategies
  • Monitoring and logging: SIEM, log aggregation, alerting
  • Data security: DLP, classification, encryption in transit and at rest

Domain 5: Security Program Management and Oversight (20%)

Covers governance, risk, and compliance topics: risk management frameworks (NIST RMF, ISO 27001), compliance requirements (HIPAA, PCI DSS, GDPR), data privacy, security awareness training, vendor risk management, and audit concepts.

This domain is often underweighted in candidate preparation because it feels less technical. At 20%, it's a significant chunk of the exam. Candidates who ignore it consistently lose marks unnecessarily.

Scoring: How the 750 Passing Score Works

CompTIA uses a scaled scoring system ranging from 100 to 900. The passing score is 750. This is not a percentage — you cannot simply count how many questions you got right and divide by 90.

CompTIA's scaled scoring adjusts for minor variations in difficulty between exam versions. A score of 750 represents a consistent level of demonstrated knowledge regardless of which specific question set you receive.

What does 750 approximately mean in practice? Industry estimates suggest you need to answer approximately 75–80% of scored questions correctly to achieve a passing scaled score. This varies by question difficulty, so treat this as a rough guide rather than a precise threshold.

There is no penalty for wrong answers. Guess on every question you're unsure about — never leave one blank.

Retake Policy

If you fail SY0-701, you can retake it after 14 calendar days. There's no limit on the number of retakes, but you must wait 14 days between each attempt. The retake voucher costs the same as the original exam.

Preparing for the Exam Format

Understanding the format is one thing; being comfortable with it is another. The most effective preparation combines:

  1. Domain-targeted practice questions — work through each domain's content with realistic MCQs that match the scenario-heavy style of the real exam
  2. Performance-based question practice — use platforms that include simulated PBQ-style questions, not just standard MCQs
  3. Timed full-length mock exams — practise completing 80–90 questions in 90 minutes so pacing is automatic on exam day

Start practising with free SY0-701 questions. Each question includes a detailed explanation, so you understand not just what the correct answer is but why the other options are wrong.

Summary

The SY0-701 exam has a maximum of 90 questions in 90 minutes, with a passing score of 750. It includes both standard MCQs and performance-based questions, the latter appearing at the start of the exam. Five domains cover general security concepts, threats and vulnerabilities, security architecture, security operations, and security program management.

Domain 4 (Security Operations) at 28% and Domain 2 (Threats, Vulnerabilities, and Mitigations) at 22% together account for half the exam — prioritise these in your study plan.

Know the format, practise under exam conditions, and you'll walk into the test centre with no surprises.
