What version of Security+ is current in 2026?

SY0-701 is the current and only active version. It launched on 7 November 2023 and replaced the now-retired SY0-601 (English-language SY0-601 retired 31 July 2024). The official exam objectives document is Version 5.0; CompTIA also labels the exam series 'V7'.

Is a newer version coming, and should I wait?

A next version (widely referred to as SY0-801) has been signaled by training providers for a possible preview around late 2026 (an oft-cited estimate is ~20 October 2026), but CompTIA has not published a firm release date or an SY0-701 retirement date. Don't wait — study and sit SY0-701 now. When a new version launches, CompTIA typically runs both for roughly six months, and your earned certification stays valid for its full three years regardless.

How many questions and how long is the exam?

A maximum of 90 questions in 90 minutes, mixing multiple-choice questions with performance-based questions.

What score do I need to pass?

750 on a scaled 100-900 range. It is not a simple percentage, so don't assume you need 83%.

Do I need experience or prerequisites?

There are no mandatory prerequisites. CompTIA recommends Network+ plus about two years in a security/systems administration role, but motivated beginners pass with focused study.

How do I keep the certification active?

It is valid for 3 years. Renew by earning 50 CEUs (a CE fee applies) or by completing CompTIA CertMaster CE, which satisfies the full requirement in one course; earning a higher-level cert (e.g., CySA+, CASP+/SecurityX) also renews it.

How to Pass CompTIA Security+ (SY0-701)

A practical, no-fluff guide to passing CompTIA Security+ (SY0-701) — the current exam format and domain weights, scoring and cost, a realistic study plan, and the highest-leverage strategy to pass.

Last reviewed June 12, 2026. Exam logistics change — always confirm current details on the official certification site before you book.

Take a timed mock exam → Compare prep courses →

The exam at a glance

CompTIA Security+ (current version SY0-701) is the industry’s baseline cybersecurity certification. Here is what you are signing up for:

Up to 90 questions in a single sitting.
90 minutes total.
Two item types: standard multiple-choice questions and performance-based questions (PBQs) — interactive, simulation-style tasks where you configure or analyze something rather than just pick an answer.
Passing score: 750 on a 100–900 scale.
Cost: USD $439 for one voucher in the US (raised from $425 in late May 2026; authorized partners sell around $395, academic discounts exist, and prices vary by region).
Once you pass, the certification is valid for 3 years.

SY0-701 launched on 7 November 2023 and replaced the retired SY0-601 (the English-language SY0-601 retired 31 July 2024). As of mid-2026 it is the only active version, so this is the exam to study for. The official objectives document is Version 5.0 (CompTIA also labels the exam series “V7”).

How it is scored

Your result is a scaled score from 100 to 900, and you need 750 to pass. This is the single most misunderstood number on the exam: 750/900 is not 83% correct. CompTIA weights questions and scales the result, so the raw percentage you need is lower than the headline figure suggests. Treat anything consistently above 85% on quality practice tests as a green light.

Expect a handful of PBQs first (usually two to five). These eat time. Common advice that works: flag the PBQs, do the multiple-choice questions first, then return to the PBQs with your remaining minutes. There is no published per-domain minimum — only your overall 750 matters, so a weaker domain can be offset by a stronger one.

Are you eligible — and what does it cost?

There are no mandatory prerequisites. Anyone can register and sit the exam.

CompTIA recommends you first hold CompTIA Network+ and have about two years of experience in a security or systems administration role. That is a recommendation, not a gate — plenty of career-changers pass with disciplined study and hands-on practice instead of formal experience.

Budget for the $439 voucher (it rose from $425 in late May 2026). If you are a student, ask about academic pricing (discounts up to ~40–50% exist), and consider a voucher-plus-retake bundle if you want a safety net.

Build a realistic study plan

Most prepared candidates need 6–10 weeks at 8–12 hours per week. Here is a proven 8-week skeleton — compress or stretch to fit your schedule:

Week 1 — General Security Concepts (12%). CIA triad, control types (preventive/detective/corrective/compensating), cryptography basics, AAA/identity. Build vocabulary; this domain underpins everything.
Weeks 2–3 — Threats, Vulnerabilities & Mitigations (22%). Malware families, social engineering, attack types, vulnerability management, and mitigation techniques. Make flashcards for every attack and indicator.
Week 4 — Security Architecture (18%). Secure network/cloud design, zero trust, resilience, and data protection.
Weeks 5–6 — Security Operations (28%). The biggest domain. Hardening, monitoring, logging, incident response, identity/access management, automation. Spend the most hours here. Do hands-on labs.
Week 7 — Security Program Management & Oversight (20%). Governance, risk, compliance, third-party risk, audits, policies.
Week 8 — Full-length practice exams + remediation. Take timed mocks, review every miss, and drill PBQ-style tasks.

Mix resources: read or watch a full objectives walkthrough, then practice retrieval (quizzes/flashcards) and practice exams — passive watching alone does not stick.

The exam mindset / highest-leverage strategy

Follow the weights. Domains 2, 4, and 5 are 70% of the exam (22% + 28% + 20%). Every study hour on Security Operations and Threats pays back the most.
Think like a defender choosing the best answer. Multiple options will be “technically valid”; pick the one that best fits the scenario (most secure, most appropriate, first step, etc.). Watch for qualifier words: first, best, most likely, MOST cost-effective.
Master the verbs in PBQs. Practice actually doing tasks — reading a firewall ruleset, mapping a log to an attack, ordering incident-response steps.
Manage time. ~1 minute per multiple-choice question leaves room for PBQs. Don’t get stuck; flag and move on.

Master the domains

Domain weights — spend your study time in proportion.

General Security Concepts — 12%. Definitions and frameworks: CIA triad, control categories and types, change management, basic cryptography (hashing, symmetric vs. asymmetric, PKI, certificates). Tested as crisp recall — know the precise difference between similar terms.
Threats, Vulnerabilities & Mitigations — 22%. Threat actors and motivations, attack vectors, social engineering, malware, application/network/cloud vulnerabilities, and the mitigations that counter each. Heavily scenario-based (“which attack is this?”).
Security Architecture — 18%. Designing secure systems: network architectures, zero trust, secure cloud and on-prem design, resilience/recovery, and data protection (encryption, masking, classification).
Security Operations — 28%. The day-to-day: hardening and baselines, monitoring and SIEM, vulnerability and patch management, identity and access management, incident response, digital forensics, and automation/orchestration. Expect the most questions and the most PBQs here.
Security Program Management & Oversight — 20%. Governance, risk management, compliance, policies/standards, third-party/vendor risk, and audits/assessments. More conceptual and managerial than technical.

Common pitfalls

Treating 750 as 83% and over-studying, or under-studying because you misjudged the bar.
Skipping hands-on practice and getting blindsided by PBQs.
Memorizing without scenarios — the exam rewards applying knowledge, not reciting it.
Ignoring the small domains — General Security Concepts is only 12%, but its vocabulary is the foundation for every other question.
Cramming acronyms with no context. Know what each one does and when you’d use it.
Spending too long on the first PBQ and running out of time for easy points.

After you pass

Your Security+ is valid for 3 years. Keep it active through CompTIA’s Continuing Education (CE) program:

Earn 50 CEUs over the three-year cycle (a CE fee applies), or
Take the CompTIA CertMaster CE course, which satisfies the full 50-CEU requirement in one self-paced activity, or
Earn a higher-level certification (e.g., CySA+, CASP+/SecurityX) to renew automatically.

Security+ also feeds CompTIA’s CE pool, so a single higher cert can renew multiple credentials. Natural next steps: CompTIA CySA+ (analyst/SOC track) or PenTest+ (offensive), then CASP+/SecurityX for senior roles.

One note for planners: a next version (often referred to as SY0-801) has been signaled for a possible preview around late 2026 (an oft-cited estimate is ~20 October 2026), but CompTIA has not confirmed a firm date or an SY0-701 retirement date. Don’t wait — sit SY0-701 now; your certification stays valid for its full three years regardless of new versions.

The week before, and exam day

The final week is for consolidation, not new material:

Take at least one full timed practice exam and review every miss.
Re-drill your weakest domain and any PBQ task types you fumble.
Skim acronyms, port numbers, and crypto basics the night before — then sleep.

On exam day:

Bring two valid IDs (for in-person) or test your equipment and quiet room in advance (for online proctoring).
Arrive/log in early; rushing kills focus.
Do the multiple-choice questions first, flag PBQs, and circle back.
Read every question fully and watch for qualifiers (first, best, MOST).
Don’t leave anything blank — there’s no penalty for guessing.

You’ve got this. Study to the weights, practice hands-on, and aim to clear 750 with margin to spare.

Quick-reference: exam tips by domain

Pulled from every term in this subject — a fast last-pass before exam day.

Security Operations

Containment — Short-term containment (isolate host) buys time; long-term containment supports forensics.
CVE — Use CVE IDs to track patch status and to communicate with vendors.
CVSS — Critical: 9.0-10. High: 7.0-8.9. Always apply Environmental and Temporal metrics to your context.
Dashboard — Dashboards drive decisions only if metrics are trustworthy and audience-appropriate.
Detection — Mean time to detect (MTTD) is a core SOC metric — lower is better.
DLP — DLP needs accurate data classification to work — garbage in, garbage out.
Eradication — Eradicate root cause and persistence (backdoors, scheduled tasks, new accounts), not just symptoms.
Forensics — Preserve chain of custody; hash evidence before and after to prove integrity.
Hardening — Follow CIS Benchmarks or DISA STIGs as a hardening baseline.
Incident — Declared incidents trigger formal response, communication, and post-incident review.
Logging — Centralize logs — local logs can be deleted by attackers. Time-sync with NTP for correlation.
Monitoring — Monitor for both known signatures and behavioral anomalies; combine endpoint, network, and identity telemetry.
Password — NIST guidance: length over complexity, no forced periodic rotation, screen against known-compromised lists.
Patching — Critical and high-severity patches should be applied within days; test in staging when possible.
Playbook — Playbooks support consistency and training; SOAR platforms automate parts of them.
Quarantine — Quarantine reduces blast radius without destroying evidence.
Recovery — RTO sets how fast you must recover; RPO sets how much data you can afford to lose.
Response — SY0-701 process (objective 4.8): Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned — know the exact order.
Retention — Set retention by legal, compliance, and investigation needs; longer is not always better.
SIEM — SIEM value is in correlation across sources — single-source rules belong in the source tool.
Smart Card — Smart cards plus PIN combine 'something you have' with 'something you know' — true MFA.
SOAR — SOAR shines when playbooks are repeatable; automate enrichment first, automate destructive action last.
SSO — SSO reduces password sprawl but raises the value of the identity provider — protect it with MFA.
Triage — Tier-1 triage is where many SOC programs live or die — well-tuned alerts make the difference.

Threats, Vulnerabilities, and Mitigations

Adware — Annoying but usually low-severity — escalates when it bundles with spyware or droppers.
Backdoor — Look for unusual listening ports, new local accounts, and scheduled tasks pointing to odd paths.
Botnet — Botnets power DDoS, credential stuffing, and spam. Look for unusual outbound C2 traffic.
Brute Force — Account lockout, rate limiting, MFA, and strong password requirements are the standard defenses.
CSRF — Anti-CSRF tokens and SameSite cookies are the standard defenses.
DDoS — Mitigations: cloud scrubbing services, rate limiting, anycast, and over-provisioning.
Exploit — Exploit + vulnerability + threat actor = active attack.
Injection — SQL, command, and LDAP injection are common — parameterized queries and input validation block them.
Keylogger — Hardware keyloggers between keyboard and PC bypass anti-malware entirely.
Malware — Know the families: virus, worm, trojan, ransomware, rootkit, spyware, adware, bot.
MITM — TLS with proper certificate validation and certificate pinning defeat most MITM attacks.
Payload — Same vulnerability can deliver many payloads — ransomware, backdoor, info-stealer.
Phishing — Spear phishing targets individuals; whaling targets executives.
Ransomware — Offline, immutable backups are the single most effective ransomware control.
Rootkit — Rootkits hide from the OS — offline scanning and trusted boot are the best detections.
Smishing — Often impersonates banks, delivery services, or boss/CEO requests for gift cards.
Spoofing — SPF, DKIM, and DMARC defend against email spoofing; DNSSEC defends against DNS spoofing.
Spyware — Often bundled with free downloads; keyloggers are a high-impact subtype.
Trojan — Trojans do not self-replicate — that distinguishes them from viruses and worms.
Virus — Unlike worms, viruses require user action (running a file) to propagate.
Vishing — Common in tech-support scams; train employees to verify via callback to a known number.
Worm — Worms exploit network services and vulnerabilities — patching and segmentation are key controls.
XSS — Stored, reflected, and DOM-based variants exist. Output encoding and CSP are key defenses.
Zero-day — Compensating controls (segmentation, EDR, virtual patches) matter most when no patch exists.

Security Program Management and Oversight

Acceptance — Document the rationale, owner, and review date for every accepted risk.
Assessment — Risk assessments inform treatment plans; vulnerability assessments inform remediation.
Audit — Internal audits drive improvement; external audits drive attestation and certification.
Compliance — Compliance is the floor, not the ceiling — being compliant is not the same as being secure.
Contract — Right-to-audit, breach notification, and data return/destruction are essential security clauses.
Framework — Common frameworks: NIST CSF, NIST SP 800-53, ISO 27001, CIS Controls.
GDPR — Key concepts: lawful basis, data subject rights, 72-hour breach notification, fines up to 4% of revenue.
Guideline — Guidelines are advisory; deviations do not constitute non-compliance.
HIPAA — Security Rule = technical, physical, administrative safeguards. Breach Notification Rule sets disclosure rules.
Inherent — Inherent − controls = residual. Boards often care about both.
ISO — ISO 27001 is the certifiable standard; 27002 is the control catalog.
Mitigation — Pair mitigation with monitoring; controls drift without continuous validation.
NIST — Know the six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover — Govern was added in 2.0.
PCI — Scope reduction (tokenization, network segmentation) is the cheapest way to ease PCI compliance.
Policy — Policies say what; standards say how strictly; procedures say step-by-step; guidelines are advisory.
Procedure — Procedures are mandatory; guidelines are not — know the difference for the exam.
Residual — Residual risk is what leadership must accept, transfer, or further mitigate.
Risk — Risk = Likelihood × Impact (informal). Quantitative methods use ALE = SLE × ARO.
SLA — Tie SLA to penalties to make it enforceable; without consequences SLAs are aspirational.
SOX — IT general controls (ITGCs) — access, change, operations — are the SOX-relevant security work.
Standard — Standards translate broad policy into measurable, auditable requirements.
Tabletop — Tabletops surface gaps cheaply and build cross-team relationships — run them at least annually.
Transfer — You can transfer financial impact but never the reputational damage.
Vendor — Vendor risk management ranks vendors by data sensitivity and criticality; high-risk vendors need stronger controls.

Security Architecture

Backup — 3-2-1 rule: 3 copies, 2 different media, 1 offsite/immutable.
Cloud — Know who is responsible for what at each model — IaaS leaves most security to the customer; SaaS leaves least.
Container — Containers share the host kernel — kernel exploits affect all containers.
DMZ — On SY0-701 the objectives call this a 'screened subnet' — DMZ no longer appears, so expect the newer term on the exam. Same concept: hosts there should be hardened and isolated so a compromise can't reach internal data.
Failover — Active-active maximizes resource use; active-passive is simpler but wastes capacity.
Firewall — Stateful firewalls track connection state; NGFWs add IDS/IPS, app awareness, and TLS inspection.
Hypervisor — Type 1 runs on bare metal (ESXi, Hyper-V); Type 2 runs on a host OS (VirtualBox, VMware Workstation).
IaaS — Customer responsibility includes OS patching, security groups, IAM, and application security.
IDS — IDS = detect/alert; IPS = detect/block. IDS sits out-of-band; IPS sits in-line.
IoT — Treat IoT as untrusted: put it on isolated VLANs and monitor for anomalous traffic.
IPS — False positives on an IPS cause outages — tune aggressively before enabling block mode.
IPsec — Tunnel mode encrypts the whole packet; transport mode encrypts only the payload.
NAT — NAT is not a security control on its own — pair with a firewall.
PaaS — Customer is responsible for application security, data, and identity.
Proxy — Forward proxies protect outbound traffic; reverse proxies sit in front of servers.
Router — Use ACLs on routers for coarse filtering; rely on firewalls for stateful, application-aware policy.
SaaS — Customer is responsible for data, identity, and configuration — provider manages the stack.
SCADA — Air-gap and unidirectional gateways protect SCADA from IT-network compromise.
Segmentation — Microsegmentation extends the idea to per-workload policies in cloud and data centers.
Snapshot — Snapshots are NOT a substitute for off-host backups — they share fate with the primary storage.
Switch — Use 802.1X port-based authentication and VLANs to limit lateral movement.
TLS — Use TLS 1.2 minimum, prefer 1.3. Disable old versions and weak ciphers.
VPN — Split tunneling improves performance but reduces visibility; full tunnel is more secure.
WAF — WAFs complement secure code — they are not a substitute for it.

General Security Concepts

Accounting — Accounting is the third A in AAA — and the foundation of non-repudiation and audit trails.
Authentication — Authentication answers 'who are you?' — distinct from authorization which answers 'what can you do?'
Authorization — Apply least privilege — give only the minimum access needed for the role.
Availability — Backups, redundancy, and failover are availability controls — and DDoS attacks the opposite.
Baseline — Drift from a baseline is a leading indicator of misconfiguration or compromise.
Biometric — Biometrics cannot be revoked if compromised — combine with another factor.
CIA — Map every control to one or more triad pillars; encryption is C, hashing is I, redundancy is A.
Cryptography — Modern cryptography relies on key secrecy, not algorithm secrecy (Kerckhoffs's principle).
Encryption — Symmetric (AES) is fast and best for bulk data; asymmetric (RSA, ECC) is best for key exchange.
Gap — A gap analysis maps the deltas against a framework like NIST CSF or ISO 27001.
Governance — Governance sets the 'what,' management does the 'how' — and they should never be the same role.
Hashing — Hashing provides integrity, not confidentiality. Prefer SHA-256+; MD5 and SHA-1 are broken.
IAM — IAM covers the full identity lifecycle: provisioning, authentication, authorization, and de-provisioning.
Integrity — Hashing (SHA-256) and digital signatures are the primary controls for integrity.
Masking — Masking is presentation-layer; the data underneath is unchanged.
MFA — Two passwords are NOT MFA — both are 'something you know.' Combine different categories.
Nonrepudiation — Digital signatures provide non-repudiation; symmetric MACs do not because both parties share the key.
Obfuscation — Obfuscation is NOT a substitute for encryption — it slows attackers, it does not stop them.
PKI — Trust flows from a root CA through intermediates to end-entity certificates.
Principle — Least privilege and defense-in-depth show up on nearly every Security+ exam.
Salt — Use a unique salt per password and store it alongside the hash; pepper adds a server-wide secret.
Segregation — Pair with mandatory vacation and job rotation to detect long-running fraud.
Tokenization — Tokenization is reversible only through the vault; unlike encryption, the token itself has no value.
Zero Trust — Zero Trust replaces the perimeter — assume breach and authenticate every request.

Frequently asked questions

What version of Security+ is current in 2026?: SY0-701 is the current and only active version. It launched on 7 November 2023 and replaced the now-retired SY0-601 (English-language SY0-601 retired 31 July 2024). The official exam objectives document is Version 5.0; CompTIA also labels the exam series 'V7'.
Is a newer version coming, and should I wait?: A next version (widely referred to as SY0-801) has been signaled by training providers for a possible preview around late 2026 (an oft-cited estimate is ~20 October 2026), but CompTIA has not published a firm release date or an SY0-701 retirement date. Don't wait — study and sit SY0-701 now. When a new version launches, CompTIA typically runs both for roughly six months, and your earned certification stays valid for its full three years regardless.
How many questions and how long is the exam?: A maximum of 90 questions in 90 minutes, mixing multiple-choice questions with performance-based questions.
What score do I need to pass?: 750 on a scaled 100-900 range. It is not a simple percentage, so don't assume you need 83%.
Do I need experience or prerequisites?: There are no mandatory prerequisites. CompTIA recommends Network+ plus about two years in a security/systems administration role, but motivated beginners pass with focused study.
How do I keep the certification active?: It is valid for 3 years. Renew by earning 50 CEUs (a CE fee applies) or by completing CompTIA CertMaster CE, which satisfies the full requirement in one course; earning a higher-level cert (e.g., CySA+, CASP+/SecurityX) also renews it.