CompTIA Security+

Security+ domain 4: Understanding security operations (701 exam update)

The Security+ certification, offered by CompTIA, is a globally recognized credential that serves as a benchmark for best practices in IT security. This certification covers essential principles for network security and risk management, making it the ideal place to start for an aspiring cybersecurity professional. 

CompTIA updates the Security+ exam approximately every three years to ensure it remains relevant despite the changing cybersecurity landscape. The latest iteration, the 701 exam, was introduced in November 2023. This update comes as the previous version, the 601 exam, was retired on July 31, 2024. These periodic updates are crucial as they reflect the current trends, threats and technologies professionals will encounter. 

This blog post dives deep into domain 4 of the exam, the largest domain, which covers security operations. We'll explore how the content has shifted, what new topics have been introduced and why these changes matter for aspiring security professionals.

Become a SOC Analyst: get Security+ certified!

More than 47,000 new SOC analysts will be needed by 2030. Get your CompTIA Security+ to leap into this rapidly growing field — backed with an Exam Pass Guarantee.

View Pricing

What's changed in Security+ domain 4? 

Security+ domain 4 received several updates on the new exam. The most visible change is that the name of this domain used to be "operations and incident response," but now it is "security operations." 

As Patrick Lane, Director of Certification Product Management at CompTIA, mentions in the webinar, CompTIA Security+: Everything you need to know about the SY0-701 update, this domain covers "the day-to-day operations. This is where we see continuous security monitoring. This is where you will be applying updates, doing security alerting, monitoring and finding anomalies that indicate bad behavior." 

Here's a breakdown of the new subdomains within security operations and how they compare to the old exam: 

• 4.1 Given a scenario, apply common security techniques to computing resources: This section emphasizes the practical application of security measures across various computing environments, integrating elements from the old exam's domain 2 and 3. 
• 4.2 Explain the security implications of proper hardware, software and data asset management: This subdomain emphasizes the importance of keeping an accurate inventory of your hardware, software and data. This completely new subdomain integrated parts of domain 2 and 5 of the old exam. 
• 4.3 Explain the various activities associated with vulnerability management: The objective in this subdomain continues to highlight the crucial role of identifying and patching vulnerabilities. Sections of the old exam's domain 1 and domain 3 have been moved to this subdomain. 
• 4.4 Explain security alerting and monitoring concepts and tools: This revamped subdomain focuses on understanding how to use various security tools and technologies to monitor your systems for suspicious activity continually. It integrates the older exam's subdomain 4.1 and 4.3. 
• 4.5 Given a scenario, modify enterprise capabilities to enhance security: This objective brings a more holistic view to security operations and emphasizes how different security controls and processes work together to create a strong security posture. It contains much of the material from the older exam's 4.5 objective, along with its 3.2 objective on implementing host and application security solutions. 
• 4.6 Given a scenario, implement and maintain identity and access management: This is a new objective in domain 4 that pulls from the old exam's 2.4 objective, "Summarize authentication and authorization design concepts." 
• 4.7 Explain the importance of automation and orchestration related to secure operations: This new objective in domain 4 explores automating routine tasks and workflows, pulling material from objective 2.3 in the older exam. 
• 4.8 Explain appropriate incident response activities: This new subdomain covers the fundamentals of how to identify, contain, eradicate and recover from security incidents. This material used to be in objective 4.2. 
• 4.9 Given a scenario, use data sources to support an investigation: New for the 701 exam, this objective recognizes the importance of digital forensics and incident response. These topics were covered in subdomain 4.5 of the older exam. 

Now we’ll explore each objective in more detail. 

Watch the full Security+ webinar with CompTIA to learn more.

4.1: Apply security to computing resources 

The objective in this subdomain is "given a scenario, apply common security techniques to computing resources," and Lane emphasized that it's all about putting your security knowledge into action. 

Imagine you're on the front lines, protecting various systems, from mobile devices and workstations to cloud infrastructure and industrial control systems (ICS/SCADA). In all of these scenarios, you'll need to choose the right security controls to harden these targets and keep them safe from threats. 

The key is understanding the different controls available, like secure baselines, encryption and authentication protocols. Also, consider how these controls are implemented across various deployment models, whether it's BYOD (bring your own devices) or corporate-owned devices. By the end of this objective, you'll be well-equipped to make informed decisions about securing your organization's computing resources, no matter the environment. 

4.2: Hardware, software and data asset management 

Ever heard the saying, "You can't secure what you don't have"? That perfectly captures the importance of this objective: Explain the security implications of proper hardware, software and data asset management. If you don't have a complete inventory of your devices, software and data, you're leaving the door wide open for security vulnerabilities. 

This objective covers the security implications of keeping a meticulous inventory of your IT assets. This includes everything from laptops on your employee's desk to the data stored in the cloud. By tracking these assets through their life cycle, from acquisition to disposal, you can identify vulnerabilities, prevent unauthorized access and ensure proper data retention. 

4.3: Vulnerability management 

In this objective, you learn to "explain various activities associated with vulnerability management." This objective focuses on identifying and patching vulnerabilities in your systems before attackers can exploit them. It's all about not waiting for the downpour to patch a leaky roof. 

Here, you'll explore various methods for spotting these weaknesses, from vulnerability scans to penetration testing. You'll also learn how to prioritize risks using tools like the Common Vulnerability Scoring System (CVSS) and develop a sound strategy for patching and remediation. A proactive approach to vulnerabilities is the best defense. 

4.4: Alert and monitoring concepts and tools 

This objective aims to "explain security alerting and monitoring concepts and tools," which all cybersecurity professionals should be able to do, because without monitoring and alerts, it is hard to tell when systems are under attack. 

It covers how to leverage log aggregation and SIEM (Security Information and Event Management) tools to collect data from various sources, like systems applications and network devices. But monitoring is just half of what you'll learn. You'll also explore how to configure alerts to notify you of potential security incidents and implement response procedures to investigate and resolve them. 

4.5: Enhance enterprise security 

Security isn't a one-time fix; it's a continuous process of adaptation and improvement. That's where the objective "given a scenario, modify enterprise capabilities to enhance security" comes in. Here, you'll develop your critical thinking skills to analyze security scenarios and identify areas where you can strengthen your organization's defenses. 

This objective covers a vast toolkit of security controls, from firewalls and intrusion detection systems (IDS/IPS) to email security protocols and endpoint detection and response (EDR) solutions. By understanding how these controls work together, you can make informed decisions about where to invest resources and plug security gaps in any given scenario. 

4.6: Identity and access management 

Data security hinges on who has access to what. That is the point of this objective: "Given a scenario, implement and maintain identity and access management." Here, you'll become an expert at granting users appropriate access to systems and data, ensuring they have what they need to do their jobs without compromising security. 

You'll learn about multi-factor authentication (MFA), a powerful security measure that requires users to provide additional verification beyond just a password. You'll also explore role-based access control, a system that grants permissions based on a user-specific job function. By mastering these IAM concepts, you'll ensure that only authorized users have access to sensitive information, keeping your data safe and secure. 

4.7: Automation and orchestration 

In the fast-paced world of cybersecurity, the power to automate repetitive tasks and orchestrate complex workflows isn't a superpower but a necessity. Once you complete this submodule, you can "explain the importance of automation and orchestration related to secure operations." 

Security automation is more than just saving time though. It also helps enforce security baselines and ensure consistent configurations across your infrastructure. This objective will equip you to identify the best use cases for automation, weighing the benefits like faster response times against potential drawbacks like complexity and cost. 

4.8: Incident response 

Security is about prevention and having a plan for when things go wrong. This is where the objective "explain appropriate incident response activities" comes in. Here, you'll examine the essential steps of a security incident response process. 

You'll learn how to handle a security incident from start to finish: from initial detection and containment to eradication, recovery and learning from the experience. This objective also covers digital forensics and evidence collection, which are crucial for legal and investigative purposes. 

4.9: Support investigations with data 

This objective, "given a scenario, use data sources to support an investigation," will teach you to be a digital detective. Here, you'll sharpen your skills and use log data and other forensic tools to track down the source of security incidents. 

This objective covers a variety of data sources you might encounter, from firewall logs to vulnerability scans. By learning how to analyze this data effectively, you can identify attack patterns, understand the scope of the incident and possibly help bring the attackers to justice or at least get them off your network. 

Preparing for your Security+ exam 

A firm grasp of security operations (domain 4) is essential for your Security+ exam success. This domain makes up 28% of the exam, focusing on the practical application of security practices. It tests your skills to secure IT systems, manage vulnerabilities and effectively respond to security incidents. 

But remember, it is only one of five domains. To be ready for the Security+ exam, make sure to explore the other domains: 

• Domain 1: General Security Concepts 
• Domain 2: Threats, Vulnerabilities and Mitigations 
• Domain 3: Security Architecture 
• Domain 5: Security Program Management and Oversight 

In addition to these articles, we offer a free webinar, CompTIA Security+: Everything you need to know about the SY0-701 update, and a free Security+ ebook to supplement your exploration. For even more details on the Security+ certification, check out our Security+ training hub.