What is CompTIA SecAI+? A practical guide for security teams

April 1, 2026 by Jeff Peters

AI is already changing cybersecurity work. Teams are being asked to secure AI systems, use AI in operations and navigate new governance demands.

SecAI+ is CompTIA's new certification aimed at helping cybersecurity professionals build practical AI security skills. The certification is less about learning AI for its own sake and more about learning how AI changes what security teams need to secure, decide and govern, explained James Stanger, CompTIA's Chief Technology Evangelist, in a recent Infosec webinar.

The market signal is already there. ISC2's 2025 Cybersecurity Workforce Study found AI was the most pressing skill needed for cybersecurity teams, cited by 41% of respondents, and 69% said their teams had already integrated AI tools, were actively testing them or were in early evaluation.

What is CompTIA SecAI+?

CompTIA SecAI+ is CompTIA's first expansion-series certification for cybersecurity professionals. It's built for people who already work in security and now need to understand how AI changes their environment, their workflows and their responsibilities.

The certification launched in February 2026, and the current exam code is CY0-001. The exam includes up to 60 questions in a 60-minute format, and CompTIA positions it at an intermediate level with recommended experience of three to four years in IT and two-plus years of hands-on cybersecurity.

If you've already built a security foundation through experience or certifications like Security+, CySA+ or PenTest+ — or even an advanced credential like SecurityX — SecAI+ adds complementary AI security skills to that foundation rather than replacing anything you've already earned.

This isn't a general AI literacy certification, and it isn't an AI developer credential either. It's a security certification for practitioners who already understand core security work and now need to apply that knowledge in environments where AI is part of the picture.

Why SecAI+ matters now

Security teams are getting pressure from both directions.

On one side, AI is changing security operations. Teams are using it to summarize threat intelligence, accelerate analysis, support investigations and rethink parts of their workflow. On the other side, AI systems introduce risks that don't fit neatly into older security models: prompt injection, data poisoning, access-control issues, governance gaps and agent behavior that can move past intended boundaries.



Stanger explains the AI security trifecta during the Infosec webinar.

Stanger describes the challenge as an AI security trifecta:

  1. Secure AI systems
  2. Use AI to improve security workflows
  3. Govern AI responsibly

Cybersecurity professionals need to understand how to work with AI without letting speed outrun judgment.

"Security workers need to be speedy with a solution," Stanger said. "They need to be speedy and relevant. Not speedy and wrong."

AI can help teams move faster, but speed without judgment, controls or workflow clarity just creates a different set of problems. SecAI+ is meant to help practitioners use AI well without losing the security thinking that still has to sit behind the tools.

What SecAI+ covers at a high level

The certification is organized around four official domains. Together, they cover the trifecta Stanger described, plus the foundational AI cybersecurity concepts practitioners need to make sense of the rest.

  • Domain 1: Basic AI Concepts Related to Cybersecurity (17%). This covers the AI concepts security practitioners need in order to understand how AI works in a security context, including prompt engineering, data security and the AI lifecycle.
  • Domain 2: Securing AI Systems (40%). This is the largest domain. It covers threat modeling, guardrails, access controls, monitoring, auditing and defenses against AI-specific attacks such as prompt injection, data poisoning, model theft and excessive agency.
  • Domain 3: AI-assisted Security (24%). This focuses on how AI can support security tasks such as summarization, anomaly detection, automation, incident management and related operational use cases.
  • Domain 4: AI Governance, Risk, and Compliance (19%). This covers governance structures, responsible AI principles and compliance frameworks such as the EU AI Act and the NIST AI Risk Management Framework.

For a deeper breakdown of what those domains mean in practice, see our upcoming plain-English guide to the SecAI+ domains.

What this looks like in real security work

SecAI+ covers real security workflows like security analytics, pentesting, threat intelligence and governance. That's one of the most useful things about SecAI+, said Stanger. It's tied to work security teams already own.

Take security analytics. AI can help teams move through huge volumes of threat and operational data faster, especially when they need summaries, pattern recognition or a way to surface signals more quickly. But the practitioner still has to interpret the result, decide what matters and know what action should follow. That judgment doesn't go away.

The same applies to pentesting. Stanger described an example of feeding a packet capture from a pentest into ChatGPT and watching it identify sensitive information almost immediately. The point wasn't that AI replaced the analyst. It was that AI could surface signal faster while the practitioner still had to interpret the finding, understand the risk and decide what to do next. AI can help with reporting, context-setting and parts of the analysis, while the tester still owns the judgment.

And once AI agents start interacting with systems and data, the issue isn't just whether the model can answer a question. It's whether it has too much access or too much freedom to act. That's where concepts like excessive agency — when an AI agent can reach beyond its intended boundaries or permissions — become practical security problems, not abstract ones.


Stanger explains how AI is changing cybersecurity work during the Infosec webinar.

AI speeds up parts of the process. It doesn't replace skilled security people who know what they're looking at. But it is forcing cybersecurity professionals to rethink their workflows. As Stanger put it: "Efficiencies means you do a process faster. Shift left means do you even need that process at all."

That's the kind of change SecAI+ is built to help practitioners handle.

Who SecAI+ is really for

SecAI+ is aimed at security practitioners with an existing foundation, not people looking for an AI development credential. That includes security analysts, engineers, SOC staff, pentesters, managers responsible for AI adoption, GRC professionals and adjacent practitioners working in environments where AI is becoming part of the operational reality.

Whether you already hold a cybersecurity certification, are early in your security career or are a seasoned practitioner, SecAI+ is worth considering because it adds AI security depth that older certifications weren't designed to cover. It's CompTIA's first AI-focused security certification, so it fills a gap in the path regardless of where you are in it.

Stanger was blunt about this fact in the webinar: you don't need to be an AI developer. SecAI+ is about extending existing security practice into AI-enabled environments, not becoming a model builder.

For the fuller role-fit view, read our upcoming article, Who should get SecAI+?

Is SecAI+ for you?

If you already work in security and AI is starting to show up in your tools, your workflows or your governance conversations, earning your CompTIA SecAI+ certification is a practical next step. It gives you a structured way to build around a gap the market is already calling out.

Even if AI hasn't fully hit your environment yet, the signal is clear: AI is the most critical skill needed for cybersecurity teams. That gap isn't closing on its own. Getting ahead of AI skills will only help position you and your organization for future success.

If you're still building core security fundamentals, SecAI+ may make more sense as a next-step certification rather than your first one. In that case, consider working towards something like Security+ first.

FAQ: Common questions about SecAI+

Is SecAI+ an entry-level certification?

No. CompTIA positions SecAI+ at an intermediate level and recommends prior IT experience plus hands-on cybersecurity experience. It builds on an existing security foundation rather than teaching security from scratch.

Do I need to be an AI developer to pursue SecAI+?

No. SecAI+ is designed for security practitioners, not AI developers. That's one of the strongest recurring themes from the Infosec SecAI+ webinar.

What does SecAI+ cover?

At a high level, it covers foundational AI concepts for cybersecurity, securing AI systems, AI-assisted security workflows and AI governance, risk and compliance.

How much security experience should you have before pursuing it?

CompTIA recommends roughly three to four years of IT experience and about two years of hands-on cybersecurity experience. That doesn't mean a prior certification is mandatory, but it does mean the certification assumes you already understand core security work.

Where to go next if you're evaluating SecAI+

If you want to learn more about SecAI+, the best next step is to watch the SecAI+ webinar with CompTIA's James Stanger. It gives you the clearest sense of why the certification exists, who it's for and how it connects to real security work.

If you're looking to get certified, Infosec partners with CompTIA to deliver a live, expert-led, three-day SecAI+ Boot Camp, which includes everything you need to prepare for and pass the exam, including a Triple Training Guarantee.

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.