SY0-701 exam format

What is on the CompTIA Security+ (SY0-701) Exam

Knowing the format before you sit Security+ is the difference between a 740 score (below the 750 pass mark) and a 790. This guide walks through every part of the exam: question types, time pressure, scoring, domain breakdown, and what to expect on exam day.

The headline numbers

Exam code: SY0-701. Replaced SY0-601 in November 2023. SY0-601 retired in mid-2024.
Number of questions: Up to 90.
Time limit: 90 minutes.
Pass mark: 750 out of 900 (around 83 percent).
Format: Mix of multiple-choice (MCQ), multi-select, and performance-based questions (PBQs).
Cost in Australia: $599 AUD ex GST through Mindset Cyber (CompTIA Authorised Partner).
Where to sit: Pearson VUE testing centre or Pearson OnVUE (online proctored).
Language: English in Australia. Japanese, German, Portuguese, Spanish, and Vietnamese available in other markets.
Recertification: Every 3 years through 60 Continuing Education Units (CEUs).

Ready to book? Get your SY0-701 voucher from an Australian supplier, delivered within 24 hours and redeemable at any Pearson VUE testing centre worldwide.

Question types and why they matter

Multiple-choice

Roughly 70 to 80 questions. One question, four answers, pick one. CompTIA's style emphasises "best answer" rather than "only correct answer". Two options are often technically true but contextually wrong.

Multi-select

"Select TWO" or "Select THREE" in the prompt. Typically 10 to 15 questions. No partial credit: get one wrong and the whole question is wrong.

Performance-based

Simulated interfaces (network diagram, Linux CLI, firewall config, SIEM dashboard). 3 to 5 PBQs total, usually first in the exam. Each takes 3 to 5 times longer than an MCQ.

PBQ tasks include dragging labels onto a network diagram (place a WAF, IDS, load balancer), typing CLI commands in a simulated terminal, selecting checkbox configs, or ordering incident-response steps.

How the 90-minute timer actually works

CompTIA gives you 90 minutes for up to 90 questions. The "up to" matters. Your specific exam might have anywhere from 75 to 90 questions depending on adaptive question selection.

A realistic pacing plan:

  1. 0 to 45 minutes

    Multiple-choice and multi-select questions. Pace around 60 seconds per question. Mark anything you are unsure about and keep moving.

  2. 45 to 80 minutes

    PBQs and the marked-unsure questions. PBQs take 3 to 5 minutes each.

  3. 80 to 90 minutes

    Final review of marked questions.

If you find yourself at minute 60 still on MCQs with PBQs to come, you are behind pace. Speed up and do not second-guess answers you have already committed to. Second-guessing is responsible for more wrong answers than first instincts.

Scoring: what 750 out of 900 actually means

The scoring is not a flat percentage. CompTIA uses a scaled score in the 100 to 900 range. The pass mark is 750.

Two important things:

  1. Different questions are worth different weights. A PBQ is worth more than a single MCQ. Multi-select questions are weighted equally with MCQs but are all or nothing.
  2. The exam is partially adaptive. Get a question right and you will see a slightly harder follow-up. Get one wrong and you will see a slightly easier one. Your final scaled score reflects difficulty, not just count of correct answers.

You will not know your score during the exam. Results appear on screen within a minute of finishing, and a digital certificate plus badge follow within 24 hours via your CompTIA candidate account.

You cannot see which specific questions you got wrong. CompTIA reveals only your overall scaled score and your performance per domain (for example, "above competent" in Domains 1 to 3, "below competent" in Domain 4). That domain breakdown is useful for planning a retake if needed.

Domain breakdown: what is tested

CompTIA splits Security+ into 5 domains, with question count roughly weighted to the percentages below.

Domain Exam weight
1. General Security Concepts 12%
  • Security controls. Comparing technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, and directive controls.
  • Fundamental concepts. Confidentiality, integrity, availability (CIA); non-repudiation; authentication, authorisation, and accounting (AAA); zero trust; and deception or disruption technology.
  • Change management. Business processes, technical implications, documentation, and version control.
  • Cryptographic solutions. Public key infrastructure (PKI), encryption, obfuscation, hashing, digital signatures, and blockchain.
2. Threats, Vulnerabilities, and Mitigations 22%
  • Threat actors and motivations. Nation-states, unskilled attackers, hacktivists, insider threats, organised crime, shadow IT. Motivations: data exfiltration, espionage, financial gain.
  • Threat vectors and attack surfaces. Message-based, unsecure networks, social engineering, file-based, voice call, supply chain, and vulnerable software vectors.
  • Vulnerabilities. Application, hardware, mobile device, virtualisation, operating system, cloud-specific, web-based, and supply chain vulnerabilities.
  • Malicious activity. Analysing malware, password, application, physical, network, and cryptographic attacks.
  • Mitigation techniques. Segmentation, access control, configuration enforcement, hardening, isolation, and patching.
3. Security Architecture 18%
  • Architecture models. On-premises, cloud, virtualisation, Internet of Things (IoT), industrial control systems (ICS), and infrastructure as code (IaC).
  • Enterprise infrastructure. Applying security principles to infrastructure considerations, control selection, and secure communication or access.
  • Data protection. Comparing data types, securing methods, general considerations, and classifications.
  • Resilience and recovery. High availability, site considerations, testing, power, platform diversity, backups, and continuity of operations.
4. Security Operations 28%
  • Computing resources. Secure baselines, mobile solutions, hardening, wireless security, application security, sandboxing, and monitoring.
  • Asset management. Acquisition, disposal, assignment, and monitoring of hardware, software, and data assets.
  • Vulnerability management. Identifying, analysing, remediating, validating, and reporting vulnerabilities.
  • Alerting and monitoring. Monitoring tools and computing resource activities.
  • Enterprise security. Firewalls, IDS / IPS, DNS filtering, DLP, NAC, and EDR / XDR (endpoint and extended detection and response).
  • Identity and access management. Provisioning, SSO, MFA, and privileged access tools.
  • Automation and orchestration. Automation use cases, scripting benefits, and considerations.
  • Incident response. Processes, training, testing, root cause analysis, threat hunting, and digital forensics.
  • Data sources. Using log data and other sources to support investigations.
5. Security Program Management and Oversight 20%
  • Security governance. Guidelines, policies, standards, procedures, external considerations, monitoring, governance structures, and roles and responsibilities.
  • Risk management. Risk identification, assessment, analysis, register, tolerance, appetite, strategies, reporting, and business impact analysis (BIA).
  • Third-party risk. Vendor assessment, selection, agreements, monitoring, questionnaires, and rules of engagement.
  • Security compliance. Compliance reporting, consequences of non-compliance, monitoring, and privacy.
  • Audits and assessments. Attestation, internal and external audits, and penetration testing.
  • Security awareness. Phishing training, anomalous behaviour recognition, user guidance, reporting, and monitoring.

Source: CompTIA Security+ official certification page. Refer to CompTIA for the most current exam objectives PDF.

Domain 4 (Security Operations) is the biggest: IAM, log analysis, incident response, and endpoint hardening. Allocate study time accordingly. Many candidates over-prepare on threats and vulnerabilities (the "fun" domain) and under-prepare on operations and governance.

For a detailed study plan that proportions correctly, see How to Pass CompTIA Security+ in Australia.

Pearson VUE vs Pearson OnVUE: which to choose

You can sit Security+ at a physical Pearson VUE testing centre or via Pearson OnVUE online proctoring from home. Both are valid. The result is the same digital certificate.

Pearson VUE (physical centre)

  • Pros: quieter, no environmental check failure risk, no own-equipment dependence, lockers for personal items.
  • Cons: travel time, fewer time-slot options, popular city-centre Saturdays book out weeks ahead.
  • Australian locations: Sydney (multiple), Melbourne, Brisbane, Perth, Adelaide, Canberra, Hobart, plus regional centres in Cairns, Townsville, Wollongong, Newcastle, Geelong, Gold Coast, Darwin.

Pearson OnVUE (online proctored)

  • Pros: sit from home, flexible time slots, no travel.
  • Cons: strict environmental rules. Closed private room, no other people in the room, clear desk, no second monitors (laptop closed if you are using an external display, or external display unplugged if you are on laptop), webcam and microphone running throughout, photo ID check.
  • Risks: failed environmental check on exam day means the exam is cancelled and the voucher is consumed. If you are not 100 percent confident your home setup will pass the pre-check, use a physical centre.

OnVUE is convenient but unforgiving. The most common reason candidates fail to start is having a second person walk into the room during the proctor's environmental scan.

Retake policy

CompTIA's retake policy:

  • After your first failed attempt.

    No waiting period. You can re-book immediately, but realistically you will need study time.

  • After a second failed attempt.

    14-day waiting period before sitting again.

  • After third or subsequent failures.

    14 days between each.

  • No limit on lifetime attempts.

    You can keep trying as long as you keep buying vouchers.

Each retake requires a new voucher purchase. If you have bought Mindset Cyber's Retake Assurance bundle ($799 AUD ex GST), the second voucher is included. You only pay if you need a third attempt.

Important distinction: the 14-day waiting period above is the CompTIA-mandated retake gap between exam attempts. It is not a refund window. Mindset Cyber's refund policy on unused unredeemed vouchers is 7 days from purchase, less a 10% admin fee, regardless of attempt count.

What you can and cannot bring to the exam

Allowed at a Pearson VUE physical centre

  • Photo ID (driver's licence, passport, Australian government photo ID).
  • The locker key they give you.

NOT allowed

  • Phone, smartwatch, fitness tracker.
  • Bag, laptop, USB.
  • Notes, books, study materials of any kind.
  • Food, drink (some centres allow water, check at booking).
  • Outer jackets (some centres ask you to leave them in the locker).

For OnVUE online proctored

  • Clear desk. Nothing on it except your computer and one source of clear water.
  • Closed room. No other people in or out during the exam.
  • Photo ID. Ready before the proctor session starts.
  • Functional webcam and microphone. The proctor will test before exam start.

OnVUE proctors will ask you to do a 360-degree room scan with your webcam at exam start. They are checking for second monitors, posted notes, other people, and study materials.

After you pass

Within 24 hours of passing, you will have:

  • A digital certificate downloadable from your CompTIA candidate account.
  • A digital badge issued by Credly that you can share on LinkedIn. Most candidates do this immediately. It is a fast LinkedIn signal to recruiters.
  • The right to use "CompTIA Security+ ce" after your name. "ce" stands for continuing education because you will need to renew with CEUs every 3 years.

A physical certificate is not included in the standard exam fee. CompTIA charges for a printed certificate separately if you want one mailed. Most candidates skip this and just use the digital version.

Frequently asked questions

How many questions are on the CompTIA Security+ SY0-701 exam?

Up to 90 questions in 90 minutes. The mix is roughly 70 to 80 multiple-choice questions, 10 to 15 multi-select questions, and 3 to 5 performance-based questions (PBQs) that simulate real interfaces. PBQs come first in the exam and take three to five times longer per question than multiple-choice.

What is a performance-based question (PBQ) on Security+?

A PBQ simulates a real interface such as a network diagram, a Linux command line, a firewall config screen, or a SIEM dashboard, and asks you to perform an action. You might drag and drop labels onto a network diagram, type a CLI command, select multiple checkboxes that represent the correct config for a scenario, or order steps in an incident-response process. Expect 3 to 5 PBQs on the exam.

What is the SY0-701 pass mark?

750 on a scaled 100 to 900 range, which is roughly 83 percent. CompTIA uses scaled scoring, not flat percentage. Different questions are worth different weights (PBQs more than MCQs), and the exam is partially adaptive, so your final scaled score reflects difficulty, not just count of correct answers.

Can I retake Security+ if I fail?

Yes. After your first failed attempt there is no waiting period and you can re-book immediately, though realistically you will need study time. CompTIA requires a 14-day waiting period before a third or subsequent attempt. There is no lifetime limit on attempts. Each retake requires a new voucher purchase. Mindset Cyber Retake Assurance ($799 AUD ex GST) bundles a second voucher in case you need it. Note: this is the retake gap between exam attempts, not a refund window. Unused unredeemed vouchers are refundable for 7 days from purchase, less a 10% admin fee.

What can I bring to the CompTIA Security+ exam?

At a Pearson VUE physical centre: photo ID and the locker key they give you. Not allowed: phone, smartwatch, fitness tracker, bag, laptop, USB, notes, books, food, drink (some centres allow water), outer jackets. For Pearson OnVUE online proctored: clear desk with nothing on it except your computer and one source of clear water, closed room with no other people, photo ID ready before the proctor session starts, functional webcam and microphone.

Where to buy your voucher

The voucher is the only thing you need before booking. The exam booking happens through your CompTIA candidate account, not at the voucher purchase point.

Mindset Cyber is an Australian CompTIA Authorised Partner. We sell the official SY0-701 voucher (identical to what you would get from CompTIA directly) priced in AUD with GST receipting and 24-hour email delivery.