reference

CompTIA Security+ Exam Objectives (SY0-701): Domains and Weights

The SY0-701 blueprint is not evenly weighted, and treating it as if it were is the fastest way to waste a study week. CompTIA publishes exactly how much of the exam each of the five domains carries, and that weighting should drive where you spend your hours. This page maps the five domains, their official weights, and how many questions a full 90-item form allocates to each, so you can prioritize by exam load rather than by what feels comfortable.

By Junaid Khalid, updated 2026-04-18

Key takeaways

  • Security+ SY0-701 has five domains, and they are not weighted equally.
  • Security Operations (28%) and Threats, Vulnerabilities, and Mitigations (22%) together carry half the exam.
  • General Security Concepts (12%) is the lightest by count but underpins the other four.
  • On a 90-question form, domain weight maps almost directly to question count.
  • Scoring is compensatory, so a strong domain can offset a weaker one.
  • Study in weight order: the heaviest two domains earn the most points per hour.

The five SY0-701 domains at official weight

CompTIA fixes the domain weighting for the current Security+ exam (SY0-701, Exam Objectives Version 5.0). The weights below are the official percentages, and the question-count column shows roughly how many of a 90-item form fall into each domain when you apply that weighting.

  • Domain 1.0, General Security Concepts: 12% (about 11 questions on a 90-item form).
  • Domain 2.0, Threats, Vulnerabilities, and Mitigations: 22% (about 20 questions).
  • Domain 3.0, Security Architecture: 18% (about 16 questions).
  • Domain 4.0, Security Operations: 28% (about 25 questions).
  • Domain 5.0, Security Program Management and Oversight: 20% (about 18 questions).

Domain 1.0: General Security Concepts (12%)

The foundation the other four domains build on. It covers control categories and types, the CIA triad, Zero Trust planes, core cryptographic concepts, and change management. Nothing here is deep on its own, but the vocabulary is load-bearing: if you are shaky on control types or Zero Trust language, every other domain reads harder than it should.

It is the lightest domain by count, so do not over-invest, but do lock the terminology early. The rest of your prep depends on it.

Domain 2.0: Threats, Vulnerabilities, and Mitigations (22%)

The heaviest knowledge domain. It covers threat actors and their motivations, attack surfaces, common vulnerabilities, indicators of malicious activity, and the mitigation techniques that reduce risk. This is where raw recall pays off: you need to recognize attack types and match them to the correct mitigation quickly.

At 22% it is roughly one in five questions. Combined with Security Operations, these two domains decide the exam. Build a mental catalog of threat-to-mitigation pairs and drill it until recognition is automatic.

Domain 3.0: Security Architecture (18%)

Where design decisions meet security outcomes. It covers securing architecture models, enterprise infrastructure, data protection strategies, and resilience and recovery. The questions lean toward "which design choice best achieves this security goal," so it rewards reasoning over memorization.

At 18% it is a real slice of the exam. Practice reading a short scenario and picking the architecture or data-protection control that fits the stated constraint, not just a control that is technically valid.

Domain 4.0: Security Operations (28%)

The largest single domain. It covers hardening, secure baselines, identity and access management, automation, incident response, and the day-to-day operation of security controls. If you have hands-on operations experience this is your strongest ground; if you do not, it is where you should spend the most study time.

At 28% it is more than a quarter of every form. Prioritize incident-response ordering and identity and access management: both show up heavily and both reward reading the scenario carefully before answering.

Domain 5.0: Security Program Management and Oversight (20%)

The management-side reasoning that trips up hands-on candidates. It covers governance, risk management, third-party risk, compliance, and security awareness. Technically strong candidates often underestimate this domain because it is less about configuration and more about process and judgment.

At 20% it is a fifth of the exam. If you come from a purely technical background, treat this as a priority, not an afterthought. Learn the governance and risk vocabulary the same way you learned the threat catalog.

How the weighting should shape your study plan

Study in weight order. Security Operations and Threats, Vulnerabilities, and Mitigations together account for half the exam, so they earn the most points per hour. Security Architecture and Security Program Management and Oversight are the next tier. General Security Concepts is lightest by count but should be locked first because it underpins everything else.

Scoring is compensatory: there is no minimum you must hit in any single domain, so a strong domain can offset a weaker one. That means the smart move is to protect your points in the two heavy domains rather than chasing perfection in a light one.

The fastest way to see where you actually stand is a timed diagnostic that reports your score by domain. That turns this weighting map into a personal priority list instead of a generic one.

FAQs

See where you stand across all five domains

Take a free timed Security+ practice test and get an instant per-domain breakdown before you plan your study week.

Take a free test