Exam Overview
Current version: SY0-701 (launched November 2023)
- Questions: Maximum of 90 questions (multiple choice + performance-based)
- Time: 90 minutes
- Passing score: 750 out of 900 (roughly 83%)
- Cost: $404 USD
- Performance-based questions (PBQs): 3-5 scenario/simulation questions worth more points
What changed in SY0-701: More emphasis on cloud security, automation, governance/compliance. Less focus on legacy protocols. Still covers core security concepts but with modern context.
Exam Domains (What to Study)
| Domain | Weight | Study Time | Key Topics |
|---|---|---|---|
| 1. General Security Concepts | 12% | 12 hours | CIA triad, authentication methods, security controls |
| 2. Threats, Vulnerabilities & Mitigations | 22% | 22 hours | Attack types, malware, vulnerabilities, threat actors |
| 3. Security Architecture | 18% | 18 hours | Secure network design, cloud security, infrastructure |
| 4. Security Operations | 28% | 28 hours | Monitoring, incident response, digital forensics, automation |
| 5. Security Program Management & Oversight | 20% | 20 hours | Governance, risk management, compliance, policies |
Focus areas: Domains 2 and 4 are 50% of exam—prioritize these. Domain 1 is foundational—master it first. Domains 3 and 5 require understanding context and application, not just memorization.
8-Week Study Plan
Week 1-2: Foundation + Domain 1
- Download CompTIA Security+ objectives PDF (free from CompTIA)
- Watch Professor Messer videos for Domain 1 (YouTube, free)
- Read Darril Gibson GCGA book Chapters 1-2 (library or buy $40)
- Create flashcards for acronyms (lots of them in Security+)
- Do 50 practice questions on Domain 1
- Goal: Understand CIA triad, authentication types, access control models
Week 3-4: Domain 2 (Second-Heaviest Domain)
- Watch Professor Messer videos for Domain 2
- Read Gibson book Chapters 3-5
- Memorize attack types (phishing, ransomware, SQL injection, XSS, etc.)
- Understand threat actor motivations and tactics
- Learn vulnerability scanning and patch management
- Do 100+ practice questions on Domain 2
- Critical: Know how attacks work, not just names. Exam asks scenario questions.
Week 5: Domain 3 (Architecture)
- Network security design (DMZ, VLANs, segmentation)
- Cloud security (SaaS/IaaS/PaaS, shared responsibility model)
- Cryptography fundamentals (symmetric/asymmetric, hashing, PKI)
- Secure protocols (TLS, IPsec, SSH)
- Do 75 practice questions on Domain 3
- Tip: Draw network diagrams. Understanding topology helps with scenario questions.
Week 6: Domain 4 (Security Operations - Heaviest)
- SIEM, log analysis, monitoring tools
- Incident response process (preparation → detection → containment → eradication → recovery → lessons learned)
- Digital forensics basics
- Automation and orchestration (SOAR)
- Do 100+ practice questions on Domain 4
- This is the most practical domain—think like a SOC analyst.
Week 7: Domain 5 + Full Review
- Governance, risk, compliance frameworks (NIST, ISO, GDPR, etc.)
- Security policies and procedures
- Third-party risk management
- Do 75 practice questions on Domain 5
- Review all flashcards (daily repetition)
- Take first full practice exam (Jason Dion or Professor Messer)
Week 8: Practice Exams + Exam Prep
- Take 3-4 full practice exams (different question sets)
- Review EVERY wrong answer—understand why
- Drill weak domains identified in practice exams
- Practice PBQ scenarios (Jason Dion course has good simulations)
- Final review of exam objectives—check you covered everything
- Goal before exam: Scoring 85%+ on multiple practice exams
Best Study Resources
Free Resources
- Professor Messer (YouTube): Complete SY0-701 video course. Industry standard, updated regularly. Start here. His study groups are also free on YouTube.
- CompTIA Exam Objectives: Download free PDF. Use as checklist.
- ExamCompass: Free practice questions. Not as good as paid Dion, but solid for reinforcement.
- Cybrary: Free Security+ course (create account). Good supplement to Messer.
- Library: Borrow Darril Gibson GCGA book or Mike Meyers All-in-One via Libby app.
Worth Paying For
- Jason Dion Practice Exams (Udemy, $15 on sale): 6 practice exams + PBQ simulations. Best prep for exam format. His explanations are excellent. Worth every penny.
- Darril Gibson "Get Certified Get Ahead" book ($40): Best-written Security+ book. Clear explanations, good practice questions. Buy if not borrowing from library.
- Professor Messer Practice Exams ($20 per exam): Official Messer practice tests. Good quality, cheaper than Dion but fewer exams.
- CompTIA CertMaster Practice (30-day trial, then $99): Official CompTIA practice. Use free trial strategically in final month.
Optional (Not Required)
- Mike Meyers All-in-One book: Comprehensive but verbose. Good if you like detailed reading.
- TryHackMe Security+ Path: Hands-on labs. Fun but not essential for passing exam.
- LinkedIn Learning Security+ course: Alternative to Messer. Good if you have free access.
Performance-Based Questions (PBQs) Strategy
What Are PBQs?
3-5 scenario-based simulations where you configure firewalls, analyze logs, identify attack types in packet captures, or troubleshoot security issues. Worth more points than multiple choice.
Common PBQ types:
- Configuring firewall rules (allow/deny traffic based on requirements)
- Analyzing wireless network security settings
- Identifying malware or attack indicators in logs
- Implementing network segmentation
- Matching security controls to scenarios
PBQ Exam Strategy
- Skip them first: PBQs appear at beginning of exam. Flag them, do multiple choice first. Come back with time remaining.
- Read carefully: PBQ scenarios have multiple requirements. Missing one means wrong answer.
- Use process of elimination: Some PBQs have drag-and-drop or matching. Eliminate obviously wrong options first.
- Budget 10-15 minutes per PBQ: Don't spend 30 minutes on one question. Move on if stuck.
- Practice with Jason Dion PBQ simulations: Actual exam PBQs are similar format.
Exam Day Tips
Before the Exam
- Night before: Light review only (flashcards, skim notes). Get 7-8 hours sleep.
- Morning of: Eat protein-rich breakfast. Don't cram—increases anxiety without helping retention.
- Arrive 15-30 min early: Check-in process takes time. Arriving stressed means performing worse.
- Bring two forms of ID: One must have photo and signature. Check CompTIA requirements.
During the Exam
- Use the whiteboard: You get laminated sheet + marker. Brain dump acronyms and port numbers immediately.
- Flag questions you're unsure about: Come back after completing others. Don't get stuck.
- Read carefully: Many wrong answers come from misreading "EXCEPT" or "LEAST" in questions.
- Eliminate wrong answers: Even if you don't know the right answer, eliminate 2-3 obviously wrong options. Improves guessing odds.
- Watch time: 90 minutes for 90 questions = 1 minute per question. PBQs take longer, so move quickly on multiple choice.
Common Traps
- Not reading full question: Questions often have multiple clauses. "Most secure AND cost-effective" means both criteria matter.
- Overthinking: Don't assume extra context not in question. Answer what's asked, not what you think they mean.
- Confusing similar concepts: TACACS+ vs RADIUS, symmetric vs asymmetric crypto, IDS vs IPS. Know the differences cold.
- Forgetting port numbers: The exam loves asking about ports. Memorize common ones (22, 23, 25, 53, 80, 443, 3389, etc.).
What to Memorize
Port Numbers (Critical)
- FTP: 20/21
- SSH: 22
- Telnet: 23
- SMTP: 25
- DNS: 53
- HTTP: 80
- HTTPS: 443
- RDP: 3389
- LDAP: 389/636
- SMB: 445
Attack Types (Know Cold)
- Phishing, spear phishing, whaling
- Ransomware, malware types
- DDoS, DoS
- Man-in-the-middle
- SQL injection
- Cross-site scripting (XSS)
- Buffer overflow
- Password attacks (brute force, dictionary, rainbow table)
Acronyms (Make Flashcards)
Security+ has 100+ acronyms. Sample critical ones:
- AAA, ACL, AES, APT, ARP, BYOD, CA, CRL, DDoS, DHCP, DMZ, DNS, EAP, EDR, GDPR, GPO, HIDS, HIPS, HSM, HTTP, HTTPS, IaaS, IDS, IPS, IoT, IPsec, IRP, LDAP, MFA, NAC, NAT, NGFW, NIDS, NIPS, NIST, OCSP, OS, OVAL, PaaS, PAP, PAM, PBKDF2, PCI DSS, PII, PKI, RADIUS, RBAC, RDP, ROI, RSA, SAST, SCAP, SCEP, SIEM, SLA, SMS, SNMP, SOC, SOAR, SQL, SSH, SSL, SSO, TACACS+, TLS, TPM, UTM, VPN, WAF, XSS
Use Anki or Quizlet for spaced repetition review.
Frequently Asked Questions
How hard is Security+ really?
Moderate difficulty. Harder than A+ or Network+, easier than CISSP or CEH. Pass rate is around 65-70%. With proper preparation (100-150 hours), most people pass on first attempt. The volume of material is substantial, but concepts aren't overly complex. Biggest challenge: memorizing hundreds of acronyms, attack types, and port numbers. Second challenge: applying concepts to scenario questions, not just regurgitating definitions.
Should I get Network+ before Security+?
Not required, but helpful. Security+ assumes networking knowledge (TCP/IP, subnetting, protocols). If you understand networking already (from work or courses), skip Network+ and go straight to Security+. If networking is completely new, consider: (1) Getting Network+ first (easier path but adds 2-3 months), or (2) Watching free networking videos (Professor Messer Network+ series) without taking exam, then proceed to Security+.
Can I pass Security+ using only free resources?
Yes—Professor Messer videos + Gibson book from library + ExamCompass questions = passable. However, $15 for Jason Dion practice exams dramatically increases pass probability. Those practice exams are worth it—they teach you exam format and identify knowledge gaps. Budget recommendation: $15-$50 total (Dion exams + maybe Messer exams or Gibson book). Exam fee is $404—spending extra $30 to avoid retake is smart insurance.
What score should I aim for on practice exams before taking real exam?
Target 85%+ on multiple different practice exams. Consistently scoring 80-85% means you'll likely pass (750/900 required = ~83%). Scoring 75-80% is borderline—study weak areas 1-2 more weeks. Below 75% on practice exams = high failure risk, delay exam. Take at least 3 full practice exams before the real thing. Different question sets reveal different knowledge gaps.
What happens if I fail?
You can retake immediately (no waiting period) but must pay another $404. CompTIA offers exam vouchers with retake ($300-350 for exam + one retake) which saves money if you're not confident. After failing, you get score report showing which domains you were weak in. Focus retake study on those domains. Most people who fail pass on second attempt after targeted review. Common failure reasons: (1) Didn't do enough practice exams, (2) Memorized answers instead of understanding concepts, (3) Weak on PBQs due to lack of hands-on practice.