The five SY0-701 domains at official weight
CompTIA fixes the domain weighting for the current Security+ exam (SY0-701, Exam Objectives Version 5.0). The weights below are the official percentages, and the question-count column shows roughly how many of a 90-item form fall into each domain when you apply that weighting.
- Domain 1.0, General Security Concepts: 12% (about 11 questions on a 90-item form).
- Domain 2.0, Threats, Vulnerabilities, and Mitigations: 22% (about 20 questions).
- Domain 3.0, Security Architecture: 18% (about 16 questions).
- Domain 4.0, Security Operations: 28% (about 25 questions).
- Domain 5.0, Security Program Management and Oversight: 20% (about 18 questions).
Domain 1.0: General Security Concepts (12%)
The foundation the other four domains build on. It covers control categories and types, the CIA triad, Zero Trust planes, core cryptographic concepts, and change management. Nothing here is deep on its own, but the vocabulary is load-bearing: if you are shaky on control types or Zero Trust language, every other domain reads harder than it should.
It is the lightest domain by count, so do not over-invest, but do lock the terminology early. The rest of your prep depends on it.
Domain 2.0: Threats, Vulnerabilities, and Mitigations (22%)
The heaviest knowledge domain. It covers threat actors and their motivations, attack surfaces, common vulnerabilities, indicators of malicious activity, and the mitigation techniques that reduce risk. This is where raw recall pays off: you need to recognize attack types and match them to the correct mitigation quickly.
At 22% it is roughly one in five questions. Combined with Security Operations, these two domains decide the exam. Build a mental catalog of threat-to-mitigation pairs and drill it until recognition is automatic.
Domain 3.0: Security Architecture (18%)
Where design decisions meet security outcomes. It covers securing architecture models, enterprise infrastructure, data protection strategies, and resilience and recovery. The questions lean toward "which design choice best achieves this security goal," so it rewards reasoning over memorization.
At 18% it is a real slice of the exam. Practice reading a short scenario and picking the architecture or data-protection control that fits the stated constraint, not just a control that is technically valid.
Domain 4.0: Security Operations (28%)
The largest single domain. It covers hardening, secure baselines, identity and access management, automation, incident response, and the day-to-day operation of security controls. If you have hands-on operations experience this is your strongest ground; if you do not, it is where you should spend the most study time.
At 28% it is more than a quarter of every form. Prioritize incident-response ordering and identity and access management: both show up heavily and both reward reading the scenario carefully before answering.
Domain 5.0: Security Program Management and Oversight (20%)
The management-side reasoning that trips up hands-on candidates. It covers governance, risk management, third-party risk, compliance, and security awareness. Technically strong candidates often underestimate this domain because it is less about configuration and more about process and judgment.
At 20% it is a fifth of the exam. If you come from a purely technical background, treat this as a priority, not an afterthought. Learn the governance and risk vocabulary the same way you learned the threat catalog.
How the weighting should shape your study plan
Study in weight order. Security Operations and Threats, Vulnerabilities, and Mitigations together account for half the exam, so they earn the most points per hour. Security Architecture and Security Program Management and Oversight are the next tier. General Security Concepts is lightest by count but should be locked first because it underpins everything else.
Scoring is compensatory: there is no minimum you must hit in any single domain, so a strong domain can offset a weaker one. That means the smart move is to protect your points in the two heavy domains rather than chasing perfection in a light one.
The fastest way to see where you actually stand is a timed diagnostic that reports your score by domain. That turns this weighting map into a personal priority list instead of a generic one.