CompTIA Security+ SY0-701: what changed and what to focus on
The key differences between SY0-601 and SY0-701, which domains got reweighted, and the new topic areas that will show up on your exam.
When CompTIA released Security+ SY0-701 in November 2023, it was not a cosmetic update. The domain structure was reorganized, the weightings shifted significantly, and entirely new topic areas appeared that were absent from SY0-601. If you are working from study materials built for the previous version, some of what you learned still applies - but a meaningful portion of your preparation needs to be rebuilt around the updated objectives. Here is a clear breakdown of what changed and where your study time should go.
The five domains and their new weights
SY0-701 keeps a five-domain structure, but the domains are renamed, reorganized, and reweighted substantially compared to SY0-601. The official breakdown published in the CompTIA Security+ exam objectives is as follows:
- 1.0 General Security Concepts: 12%
- 2.0 Threats, Vulnerabilities, and Mitigations: 22%
- 3.0 Security Architecture: 18%
- 4.0 Security Operations: 28%
- 5.0 Security Program Management and Oversight: 20%
The most important number here is 28%. Security Operations is now by far the largest domain on the exam. If you studied for SY0-601, where the closest equivalent domain (Operations and Incident Response) carried just 16%, you need to substantially expand your coverage of monitoring, incident response, digital forensics, and endpoint security. Nearly three out of every ten points on the exam live in this domain.
What is genuinely new in SY0-701
Several topic areas that were either absent or only lightly covered in SY0-601 now appear prominently in SY0-701. These are not incremental additions - they represent real gaps between the two exams that require dedicated study.
Zero trust architecture
Zero trust is now explicitly required knowledge, aligned with the framework described in NIST Special Publication 800-207. Candidates need to understand the core principles - verify explicitly, apply least privilege access, assume breach - and how those principles translate into network segmentation design, identity-centric access controls, and policy enforcement points. This is not a definition to memorize; the exam tests how you would apply zero trust thinking to a described scenario.
Cloud-native security
SY0-701 goes deeper into cloud security than its predecessor. The shared responsibility model across IaaS, PaaS, and SaaS environments is now testable in detail, as are cloud-specific attack surfaces like misconfigured storage buckets, overly permissive IAM roles, and insecure API endpoints. Candidates who have studied primarily in the context of on-premises environments will find this area demands focused attention.
OT, ICS, and SCADA security
Operational technology security - covering industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and embedded devices - now has dedicated coverage in SY0-701. This reflects the growing convergence of IT and OT environments and the rising threat to critical infrastructure sectors including energy, water, and manufacturing.
AI and ML threats
Artificial intelligence and machine learning appear in SY0-701 in both offensive and defensive contexts. On the attack side, candidates should understand AI-assisted phishing, synthetic media (deepfakes), and adversarial inputs designed to fool detection models. On the defense side, the exam covers AI-driven anomaly detection and behavioral analytics as tools used in modern security operations. SY0-601 touched adversarial AI only in passing; SY0-701 treats it as a full topic area.
Supply chain risk management
Following a series of high-profile supply chain compromises, SY0-701 now covers third-party risk assessment, vendor due diligence, and the security implications of both software and hardware supply chains. Candidates should be familiar with how to evaluate supplier security posture and what technical and contractual controls are used to manage that exposure.
What got reduced or removed
SY0-701 streamlined several areas that had deep coverage in SY0-601. Legacy protocol specifics - particularly around deprecated wireless security standards and older cryptographic implementations - received less emphasis. Certain highly specific knowledge about algorithm parameter details from protocols that are no longer recommended was removed in favor of a more conceptual and applied understanding of current cryptographic practice.
This does not mean cryptography disappeared from the exam. Encryption, public key infrastructure, hashing, and digital certificate management remain core topics. What changed is the depth of historical detail required. SY0-701 asks you to understand which cryptographic approach fits a given requirement and why - not to recall the exact specifications of algorithms that are no longer in active use.
The shift to scenario-based thinking
One of the most significant changes in SY0-701 is not a topic area - it is an assessment philosophy. The exam has moved decisively away from pure recall questions toward applied scenario questions. Rather than asking what does AES stand for, the exam presents a situation: an organization needs to encrypt data at rest in a multi-tenant cloud environment with strict regulatory requirements. Which approach best satisfies these constraints? You are expected to evaluate the options in context, not just recognize definitions.
Study strategies that rely heavily on memorizing glossary terms will underperform on SY0-701. You need to be able to read a scenario, identify the core security problem, and select the most appropriate response - often from options that are all technically defensible but differ in how well they fit the specific situation. This requires judgment, not just recognition. Building that judgment takes practice with realistic scenario exercises, not flashcard review alone.
Performance-based questions: what they are and how to practice them
Performance-based questions (PBQs) appear at the start of the Security+ exam and require you to interact with a simulated environment rather than select from multiple-choice answers. Common PBQ formats include configuring a firewall rule set, analyzing a packet capture for signs of intrusion, identifying vulnerabilities in a given system configuration, or completing a network diagram using drag-and-drop components.
Most cert-prep tools do not offer realistic PBQ practice. Candidates who encounter PBQs for the first time on exam day often find them disorienting - particularly under time pressure, since complex simulations can consume disproportionate time if you are not accustomed to the format. The most effective way to prepare for PBQs is through hands-on lab work and interactive simulations, not by reading descriptions of what PBQs involve.
Where to focus your study time
Given the domain weights and the new topic areas, here is a practical prioritization framework for SY0-701 preparation:
- Security Operations (28%): Spend at least a third of your total study time here. Cover incident response lifecycle, log monitoring and analysis, endpoint detection and response, digital forensics fundamentals, and the tools used in security operations workflows. This domain alone determines whether most candidates pass or fail.
- Threats, Vulnerabilities, and Mitigations (22%): Malware categories, attack technique taxonomy, vulnerability scanning and management, and mitigation strategies. The new AI/ML threat content and supply chain risk topics are covered under this domain.
- Security Program Management and Oversight (20%): Governance frameworks, risk management, compliance requirements, data privacy regulations, and audit concepts. This domain rewards candidates who understand security in a business and regulatory context, not just a technical one.
- Security Architecture (18%): Zero trust design, cloud security models, network architecture principles, and infrastructure hardening. The new content here is substantive and warrants dedicated study - candidates carrying over SY0-601 knowledge will find genuine gaps.
- General Security Concepts (12%): Foundational knowledge covering terminology, basic controls, and cryptographic concepts. Cover this domain efficiently but avoid over-investing - the return per hour of study is lower here than in the heavier domains.
SY0-701 reflects a more operationally grounded view of what entry-level security professionals need to know. The candidates who perform best are those who approach it not as a vocabulary test but as a simulation of real security decision-making under realistic constraints. TierOne Defense Academy builds your preparation around exactly that kind of applied, scenario-driven practice. Learn more about our Security+ preparation pathway and how we approach the SY0-701 exam.