How to Self-Study for Security+ in 90 Days
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 13 min read
Table of Contents
- Is 90 Days Realistic?
- What You Need Before Starting
- Understanding the SY0-701 Exam
- The 90-Day Study Plan: Week by Week
- Weeks 1-3: General Security Concepts (Domain 1)
- Weeks 4-6: Threats, Vulnerabilities, and Mitigations (Domain 2)
- Weeks 7-8: Security Architecture (Domain 3)
- Weeks 9-10: Security Operations (Domain 4)
- Weeks 11-12: Security Program Management (Domain 5)
- Week 13: Final Review and Exam Prep
- Study Methods That Actually Work
- Practice Exams: How to Use Them
- Exam Day Strategy
- What to Do If You Fail
- Related Guides in This Series
- Take the Next Step
- Frequently Asked Questions
Is 90 Days Realistic?
Studying for Security+ in 90 days is realistic if you meet two conditions: you have basic IT knowledge (what an IP address is, how operating systems work, what a network does) and you can commit 15-20 hours per week to study.
If you have Network+ level knowledge or IT work experience, 90 days is comfortable. You could probably do it in 60. If you are starting from complete zero — no IT background at all — 90 days is tight. You would need to front-load networking and operating system fundamentals in the first few weeks, which compresses everything else.
This plan assumes you have the equivalent of A+ and Network+ knowledge. If you do not, add 4-6 weeks at the beginning to build those foundations. There is no shortcut around this. People who try to memorize Security+ material without understanding the underlying technology fail at higher rates and retain less even if they pass.
The 90-day timeline breaks down to roughly 13 weeks. Each week has specific objectives, study activities, and self-assessment checkpoints. Miss a week and you fall behind — the plan has no slack built in intentionally, because deadlines drive action.
What You Need Before Starting
Exam voucher or scheduled exam date. Buy your voucher or schedule your exam before you start studying. This is the single most effective motivational tool. A date on the calendar turns “I should study” into “I have to study.” The CompTIA website lists testing center options and online proctoring availability.
Primary study resource. Pick one structured course or textbook as your main guide. Do not use three different courses simultaneously — you will waste time on repeated material and confuse yourself with different explanations of the same concepts. Recommendations:
- Video: Professor Messer’s free Security+ course (thorough, well-structured)
- Textbook: Darril Gibson’s “Get Certified Get Ahead: SY0-701 Study Guide” or the official CompTIA study guide
- Course: Jason Dion’s Udemy course (regularly on sale for under $15)
Practice exam platform. You need access to realistic practice questions. Boson ExSim, Jason Dion’s practice exams, or CompTIA CertMaster Practice. Budget $30-60 for this. Free practice questions online are generally lower quality and do not simulate the exam experience well.
Note-taking system. Physical notebook, digital notes, flashcards — whatever works for you. The key is active engagement with the material, not passive highlighting. Write concepts in your own words.
Lab environment. A virtual machine setup for hands-on practice. Security+ has performance-based questions that test practical skills — configuring firewalls, analyzing logs, setting up VPNs. You need to have touched these things, not just read about them.
Understanding the SY0-701 Exam
The SY0-701 exam covers five domains:
| Domain | Weight | Description |
|---|---|---|
| 1. General Security Concepts | 12% | Security fundamentals, controls, concepts |
| 2. Threats, Vulnerabilities, and Mitigations | 22% | Attack types, indicators, mitigation techniques |
| 3. Security Architecture | 18% | Infrastructure design, security models |
| 4. Security Operations | 28% | Monitoring, incident response, tools |
| 5. Security Program Management | 20% | GRC, risk management, compliance |
Exam format: 90 questions, 90 minutes. Mix of multiple choice, multiple select, and performance-based questions (PBQs). Passing score: 750 out of 900.
Performance-based questions appear first in the exam. They present simulated environments where you configure settings, analyze data, or match items. These are time-consuming — budget 5-7 minutes each and skip them initially if they are going to eat into your time for the rest of the exam. You can return to them.
Study time should be allocated roughly proportional to domain weights. Domain 4 (Security Operations) at 28% deserves the most attention. Domain 1 (General Concepts) at 12% deserves the least, but do not neglect it — those are free points if you study them.
The 90-Day Study Plan: Week by Week
Weeks 1-3: General Security Concepts (Domain 1)
Week 1: Security Fundamentals
- CIA triad (confidentiality, integrity, availability) and how each applies to real systems
- AAA framework (authentication, authorization, accounting)
- Security control categories: preventive, detective, corrective, deterrent, compensating
- Physical security controls: locks, cameras, biometrics, mantraps
- Zero trust architecture principles and implementation concepts
Study the exam objectives for Domain 1 line by line. Watch or read the corresponding material from your primary resource. Create flashcards for terms you do not know.
Week 2: Cryptography Concepts
- Symmetric vs asymmetric encryption (AES, RSA, ECC)
- Hashing algorithms (SHA-256, MD5) and their uses
- Digital certificates, certificate authorities, and PKI
- Key exchange mechanisms (Diffie-Hellman)
- TLS/SSL handshake process
- Blockchain concepts as they relate to security
Cryptography trips up many self-study candidates. Do not just memorize algorithm names — understand why you would choose symmetric over asymmetric encryption in a given scenario.
Week 3: Identity and Access Management
- Authentication factors (something you know, have, are)
- Multi-factor authentication implementations
- SSO, SAML, OAuth, and OIDC
- Directory services and LDAP
- Access control models: DAC, MAC, RBAC, ABAC
- Privileged access management
Build a lab exercise: set up a local LDAP directory, create users and groups, and configure access policies. Even a simple setup teaches more than reading about it.
Weeks 4-6: Threats, Vulnerabilities, and Mitigations (Domain 2)
Week 4: Threat Actors and Attack Types
- Threat actor categories: nation-state, organized crime, hacktivist, insider, script kiddie
- Social engineering attacks: phishing, spear phishing, vishing, smishing, pretexting
- Malware types: ransomware, trojans, rootkits, fileless malware, logic bombs
- Application attacks: SQL injection, XSS, CSRF, buffer overflow
This domain is the heaviest at 22%. Spend extra time here. For each attack type, understand how it works, what it looks like in logs, and how to mitigate it.
Week 5: Vulnerability Types and Indicators
- Common vulnerability types: misconfigurations, default credentials, unpatched systems
- Application vulnerabilities: race conditions, improper input validation, API security issues
- Hardware vulnerabilities and supply chain risks
- Indicators of compromise vs indicators of attack
- Vulnerability scanning concepts and tools (Nessus, OpenVAS)
Practice reading vulnerability scan output. Download Nessus Essentials (free for limited use) and scan your lab machines. Understanding what a scan report tells you is directly tested.
Week 6: Mitigation Techniques
- Network segmentation and microsegmentation
- Hardening guides and benchmarks (CIS benchmarks)
- Patch management strategies
- Security baselines and configuration management
- Application security controls: input validation, parameterized queries, output encoding
Create a hardening checklist for a Windows and Linux system. Apply the hardening steps to your lab VMs. This hands-on experience matters for PBQs.
Weeks 7-8: Security Architecture (Domain 3)
Week 7: Network Security Architecture
- Firewalls (stateful, stateless, NGFW, WAF)
- Network security appliances: IDS, IPS, proxy servers, load balancers
- VPN types (site-to-site, remote access, IPsec, SSL/TLS)
- Network access control (NAC) and 802.1X
- DNS security: DNSSEC, DNS sinkholing
Configure a firewall in your lab. Set up iptables rules or Windows Defender Firewall with Advanced Security. Write rules that allow specific traffic and block everything else. Test that they work.
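A default-deny inbound ruleset of the kind this lab exercise asks for, with an offline check of the saved rules, as an added example that is not part of the original article. It assumes a Linux lab VM that should expose only SSH (tcp/22) and HTTPS (tcp/443); the function names `emit_ruleset`, `check_default_deny` and `open_tcp_ports` are illustrative.

```bash
#!/usr/bin/env bash
# Added example: default-deny inbound policy in iptables-restore format.
# Assumption: the lab VM should expose only SSH (tcp/22) and HTTPS (tcp/443).

# Print the ruleset. On the lab VM, as root:
#   emit_ruleset > lab.rules
#   iptables-restore --test lab.rules && iptables-restore lab.rules
emit_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Offline check of a saved ruleset file: succeeds only if INPUT and FORWARD
# default to DROP and INPUT has no unconditional ACCEPT rule.
check_default_deny() {
  f=$1
  grep -q '^:INPUT DROP' "$f"   || { echo "INPUT policy is not DROP"; return 1; }
  grep -q '^:FORWARD DROP' "$f" || { echo "FORWARD policy is not DROP"; return 1; }
  if grep -Eq '^-A INPUT -j ACCEPT$' "$f"; then
    echo "unconditional ACCEPT on INPUT"
    return 1
  fi
  return 0
}

# List the TCP ports the ruleset opens to inbound connections, so the
# allow-list can be compared with what the VM is meant to expose.
open_tcp_ports() {
  sed -n 's/^-A INPUT -p tcp .*--dport \([0-9]*\).* -j ACCEPT$/\1/p' "$1" \
    | sort -n | paste -s -d ' ' -
}
```

After loading the rules, confirm the behavior from a second lab machine: connections to ports 22 and 443 should succeed, and a connection to any other port should time out rather than be refused.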
Week 8: Security Design and Cloud Concepts
- Defense in depth and layered security models
- Cloud deployment models: IaaS, PaaS, SaaS
- Cloud security controls: CASB, CSPM, CWPP
- Containerization and virtualization security
- Embedded systems and IoT security considerations
- Resilience and redundancy: RAID, clustering, backups
Cloud security questions have increased significantly in recent SY0-701 exams. Make sure you understand the shared responsibility model and can explain what the customer secures versus what the provider secures in each deployment model.
Weeks 9-10: Security Operations (Domain 4)
This is the largest domain at 28%. Give it proportional attention.
Week 9: Monitoring, Detection, and Response
- SIEM concepts and log management
- Security monitoring: network, endpoint, email, DNS
- Alert triage and incident classification
- Incident response process: preparation, identification, containment, eradication, recovery, lessons learned
- Digital forensics basics: evidence handling, chain of custody, volatility order
Set up a free Splunk instance, ingest some log data, and practice writing queries. Even basic familiarity with a SIEM interface helps with PBQs and scenario questions.
Week 10: Security Operations Continued
- Automation and orchestration (SOAR concepts)
- Vulnerability management lifecycle
- Penetration testing concepts: black box, white box, grey box
- Data protection: DLP, classification, retention policies
- Privacy concepts: GDPR basics, data sovereignty, right to be forgotten
Security operations questions on the exam are often scenario-based. Practice reading a scenario, identifying the problem, and selecting the best response from the options. This is different from memorizing definitions.
Weeks 11-12: Security Program Management (Domain 5)
Week 11: Risk Management
- Risk assessment methodologies: qualitative vs quantitative
- Risk calculations: SLE, ALE, ARO
- Risk response strategies: accept, mitigate, transfer, avoid
- Risk register and risk matrix
- Business impact analysis: RTO, RPO, MTBF, MTTR
Know the math. Quantitative risk analysis questions are straightforward if you can calculate ALE (Annual Loss Expectancy = SLE x ARO). They are easy points if you practice them.
Week 12: Governance and Compliance
- Security frameworks: NIST CSF, ISO 27001, CIS Controls
- Regulatory compliance: PCI DSS, HIPAA, SOX, GDPR
- Security policies, standards, procedures, and guidelines
- Third-party risk management and vendor assessment
- Security awareness training programs
- Audit types: internal, external, regulatory
This domain is theory-heavy. Focus on understanding the differences between frameworks and when each applies, rather than memorizing every detail of each one.
Week 13: Final Review and Exam Prep
Day 1-2: Take a full-length practice exam under timed conditions. Score it. Identify your weakest domains.
Day 3-4: Intensive review of weak areas only. Do not re-study material you already know well. Time is limited — focus where it matters most.
Day 5: Take a second full-length practice exam. Your score should be 80%+ to feel confident.
Day 6: Light review. Skim your notes. Review flashcards. Do not cram — at this point, rest and confidence matter more than more information.
Day 7: Exam day. Get sleep the night before. Eat before the exam. Arrive early or set up your online proctoring environment early.
Study Methods That Actually Work
Active recall. After reading a section, close the book and write down everything you remember. Check what you missed. This is uncomfortable and slow, but it is the most effective study technique research has identified.
Spaced repetition. Review material at increasing intervals — after 1 day, then 3 days, then 7 days, then 14 days. Anki (free flashcard app) automates this.
Practice questions after every section. Do not wait until the end to test yourself. Answer questions on each topic immediately after studying it. This reveals misunderstandings early.
Teach it to someone. Explain concepts out loud as if you are teaching a beginner. If you cannot explain it simply, you do not understand it well enough.
Hands-on labs. For every concept that involves a tool, configuration, or process — do it. Set up a VPN. Configure a firewall. Run a vulnerability scan. The PBQs on the exam reward people who have actually used these tools.
Practice Exams: How to Use Them
Do not use practice exams as a study tool until at least Week 10. Using them too early teaches you to recognize specific questions rather than understand the underlying concepts.
When you do start practice exams:
1. Take the first one cold, under timed conditions. This establishes your baseline.
2. Review every wrong answer. Understand why you got it wrong and why the correct answer is correct.
3. Review every question you guessed on correctly. Lucky guesses mask knowledge gaps.
4. Track your scores by domain. This tells you where to focus your remaining study time.
5. Target 85%+ on practice exams before sitting the real exam. Practice exams from good providers (Boson, Dion) are generally slightly harder than the real exam.
Exam Day Strategy
- Skip PBQs on the first pass. Flag them and return at the end. They take the most time and can derail your pacing.
- Eliminate obviously wrong answers first on multiple choice. You can often narrow to two choices.
- Watch for key words: “BEST,” “MOST,” “FIRST,” “LEAST.” These change the correct answer entirely.
- Manage your time. With 90 questions in 90 minutes, you have 1 minute per question. PBQs take longer, so move quickly through standard questions.
- Do not change answers unless you have a clear reason. First instincts on well-studied material are usually correct.
What to Do If You Fail
Failing is not the end. CompTIA allows a retake after 14 days. Use those 14 days:
1. Review your score report — it shows which domains you performed poorly in.
2. Focus exclusively on those domains.
3. Take additional practice exams targeting your weak areas.
4. Retake the exam.
Most people who fail are within 50-100 points of passing. A focused two-week effort on weak domains is usually enough to close that gap.
Related Guides in This Series
- CompTIA Certification Pathway: A+ to CASP+
- Cybersecurity Study Plan: 6-Month Schedule
- Free vs Paid Cybersecurity Courses: Full Comparison
Take the Next Step
Find the right study path based on your current skills and target role with the HADESS Roadmap Selector.
Frequently Asked Questions
Can I pass Security+ in 90 days with no IT experience?
A. It is possible but difficult. If you have zero IT background, you will need to spend the first 4-6 weeks on networking and operating system fundamentals before starting the Security+ material. This pushes the timeline to 120-150 days total. Starting with some IT knowledge makes 90 days much more realistic.
How many hours per week do I need to study?
A. Plan for 15-20 hours per week. This might be 2-3 hours on weekday evenings and 4-5 hours on each weekend day. Consistency matters more than volume — 2 hours every day beats 14 hours on Saturday. Your brain needs time to consolidate what you learn.
Are Professor Messer’s free videos enough to pass?
A. They cover the material well, but you need practice questions from a separate source. Messer’s videos plus a practice exam platform (Jason Dion’s or Boson) plus hands-on labs is a combination that works for most self-studiers.
What score should I aim for on practice exams before taking the real test?
A. Target 85% or higher on practice exams from reputable providers. Boson and Jason Dion’s exams are generally considered harder than the real exam, so an 80%+ on those correlates well with passing. If you are consistently scoring below 75%, you are not ready.
Should I study the SY0-701 or wait for the next version?
A. Study and take whatever version is currently available. Waiting for the next version means delaying your career progress. The content changes incrementally between versions — the fundamental security concepts remain the same.
— HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
