CompTIA Security+ Security Operations Practice Questions 2026

Security Operations is the largest domain on the CompTIA Security+ exam at 28%, testing your ability to monitor security events, respond to incidents, analyze logs, conduct forensic investigations, and implement automation. This domain represents the day-to-day operational reality of security professionals — the continuous cycle of monitoring, detecting, responding to, and learning from security events that keeps organizations protected.

Exam Weight: Domain 4 — Security Operations (28% of exam)

What Are Security Operations on the Security+ Exam?

Security operations encompass the processes, technologies, and personnel that maintain an organization's security posture through continuous monitoring, threat detection, incident response, and forensic investigation. This domain covers the operational activities security teams perform daily in Security Operations Centers (SOCs).

Five major areas are tested: security monitoring using SIEM systems and log analysis; incident response following structured methodologies; digital forensics with evidence preservation; security automation through SOAR platforms; and vulnerability management operations including scanning and remediation.

At 28%, this is the single most impactful domain. Questions are heavily scenario-based: determining the correct IR phase, identifying which log source reveals specific evidence, or recommending forensic procedures for compromised systems. Practical understanding of operational workflows is essential.

Why Security Operations Matters for Security+

As the largest domain, security operations directly determines pass/fail for many candidates. Approximately 25 of your 90 scored questions test operational concepts. Heavy investment here yields the highest scoring return.

This domain aligns most closely with entry-level security roles: SOC analyst, incident responder, security administrator. These professionals spend their days triaging SIEM alerts, investigating incidents, analyzing logs, and following response procedures. The exam validates job readiness for these positions.

Modern security operations increasingly relies on automation. The exam tests SOAR concepts, automated playbooks, and threat intelligence integration. Understanding how these technologies reduce alert fatigue and improve response times is critical for both the exam and professional practice.

Key Security Operations Concepts to Master

SIEM Systems

Aggregates logs from firewalls, IDS/IPS, endpoints, servers, and applications. Correlation rules identify attack patterns across sources. Dashboards provide real-time visibility. SIEM is the SOC backbone, enabling detection, investigation, and response at scale.

Incident Response Phases

Preparation (policies, playbooks, tools, training). Detection & Analysis (SIEM alerts, log analysis, incident classification). Containment, Eradication & Recovery (isolate, remove threat, restore, verify). Post-Incident (lessons learned, reporting, process improvement).

Digital Forensics

Chain of custody documents evidence handling. Order of volatility: CPU registers → cache → RAM → disk → remote logs → physical media. Forensic imaging creates bit-for-bit copies with write blockers. Hash verification ensures integrity. Legal hold preserves data from deletion.

Log Analysis

System logs (OS events), security logs (auth attempts), application logs (errors, transactions), firewall logs (traffic decisions), DNS logs (queries), proxy logs (web access), email logs (routing). Correlating across sources reconstructs attack timelines.

SOAR Platforms

Automates repetitive IR tasks via playbooks: SIEM alert → enrich with threat intel → check reputation → block IP → create ticket → notify analyst. Reduces MTTR, handles alert volume, ensures consistent response procedures across the security team.

Threat Intelligence

Strategic (executive trends), Tactical (TTPs for teams), Operational (campaign details), Technical (IoCs — IPs, hashes, domains). Sources: OSINT, ISACs, commercial feeds, government advisories. STIX/TAXII standards for sharing. Intelligence drives proactive defense.

Sample Security Operations Questions

Question 1: Incident Response Phase

After detecting ransomware on a workstation, an analyst immediately disconnects it from the network while keeping it powered on. Which IR phase is this?

A) Preparation   B) Detection and Analysis   C) Containment   D) Post-Incident Activity

Answer: C) Containment — Disconnecting isolates the system to prevent spread (containment). Keeping it on preserves volatile RAM evidence. Detection already occurred; containment is the immediate response.

Question 2: Forensic Evidence Collection

A forensic investigator arrives at a compromised server. Per order of volatility, which evidence should be collected FIRST?

A) Hard drive image   B) RAM contents   C) System logs on disk   D) Network captures

Answer: B) RAM contents — RAM is more volatile than disk and is lost when the system is powered off. It holds running processes, encryption keys, and in-memory malware that never touch disk. Collection order: registers/cache → RAM → disk → remote logs.

Question 3: SIEM Correlation

SIEM shows 500 failed logins from one IP in 5 minutes, then one successful login. What attack pattern is this?

A) Phishing   B) Brute force   C) Insider threat   D) SQL injection

Answer: B) Brute force — Rapid failed attempts followed by success is classic brute force. Response: lock the account, reset credentials, investigate the session, block the source IP.
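The correlation rule behind this question, as an added example (not from the original page or any SIEM product): it reads constructed auth log lines in an assumed format, keeps a per-source-IP sliding window of failures, and raises an alert when a successful login follows a burst of failures from the same IP. The IPs, user names and timestamps are all constructed.

```python
"""Brute-force correlation rule for the Question 3 scenario: many failed logins
from one source IP inside a short window, then a success from that IP.
Log format, IPs and timestamps are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO timestamp> auth FAIL|OK user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not an auth event; a SIEM would route it to another rule
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}

def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (ip, user, failure_count, success_time) for every successful login
    preceded by >= threshold failures from the same IP within `window`."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif len(q) >= threshold:  # success right after a burst of failures
            alerts.append((ev["ip"], ev["user"], len(q), ev["ts"]))
            q.clear()
    return alerts

def sample_log():
    """Constructed log: 500 failures in about four minutes then a success from
    one IP, interleaved with a user who mistypes twice and then logs in."""
    base = datetime(2026, 1, 15, 3, 0, 0)
    lines = [f"{(base + timedelta(seconds=0.5 * i)).isoformat()} auth FAIL "
             f"user=admin src=203.0.113.7" for i in range(500)]
    lines.append(f"{(base + timedelta(seconds=251)).isoformat()} auth OK user=admin src=203.0.113.7")
    for off, res in ((10, "FAIL"), (25, "FAIL"), (40, "OK")):
        lines.append(f"{(base + timedelta(seconds=off)).isoformat()} auth {res} user=jdoe src=198.51.100.9")
    return sorted(lines)  # chronological, as the SIEM would deliver them

if __name__ == "__main__":
    for ip, user, n, ts in detect_brute_force(sample_log()):
        print(f"ALERT brute force: {n} failures from {ip} then success as {user} at {ts}")
```

The benign user with two typos never reaches the threshold, which is the point of correlating count, source and outcome rather than alerting on any single failed login.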

Question 4: Chain of Custody

During a forensic investigation, what must be maintained to ensure digital evidence is admissible in court?

A) Encryption at rest   B) Chain of custody   C) Data classification   D) Access control lists

Answer: B) Chain of custody — Chain of custody documents every person who handled the evidence, when, how, and why. Any gap can render evidence inadmissible. It proves evidence wasn't tampered with between collection and presentation.
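An added example tying this answer to the hash-verification point above (constructed for this page, not from the original or any forensic tool): a custody ledger checker that confirms every hand-off starts with the last recorded holder, that entries are chronological, and that the image hash recorded at each hand-off still matches the image. The ledger format, custodian names and the placeholder "image" bytes are all assumptions.

```python
"""Chain-of-custody and hash-verification check for a forensic image.
Ledger format, custodians and the placeholder image bytes are constructed."""
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_custody(ledger, image: bytes):
    """Return a list of problems; an empty list means the chain is intact.
    Each entry: ts (ISO 8601), from_, to, action, sha256 recorded at hand-off."""
    problems = []
    current = sha256_hex(image)  # recomputed now, compared to every recorded hash
    holder = None                # who the ledger says last held the evidence
    last_ts = None
    for i, e in enumerate(ledger):
        ts = datetime.fromisoformat(e["ts"])
        if last_ts is not None and ts < last_ts:
            problems.append(f"entry {i}: timestamp goes backwards")
        last_ts = ts
        if holder is not None and e["from_"] != holder:
            # A hand-off from someone other than the last holder is a gap
            problems.append(f"entry {i}: gap, {holder} held the evidence "
                            f"but {e['from_']} handed it off")
        holder = e["to"]
        if e["sha256"] != current:
            problems.append(f"entry {i}: recorded hash {e['sha256'][:12]}... "
                            f"does not match image {current[:12]}...")
    return problems

IMAGE = b"constructed placeholder standing in for a bit-for-bit disk image"
H = sha256_hex(IMAGE)  # hash taken at acquisition, behind a write blocker
GOOD_LEDGER = [
    {"ts": "2026-01-15T04:10:00", "from_": "scene", "to": "Analyst A",
     "action": "acquired image via write blocker", "sha256": H},
    {"ts": "2026-01-15T06:00:00", "from_": "Analyst A", "to": "Evidence locker",
     "action": "sealed and stored", "sha256": H},
    {"ts": "2026-01-16T09:30:00", "from_": "Evidence locker", "to": "Analyst B",
     "action": "checked out for analysis", "sha256": H},
]

if __name__ == "__main__":
    print(verify_custody(GOOD_LEDGER, IMAGE) or "chain intact, hash verified")
```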

Frequently Asked Questions

How many security operations questions are on the exam?

Domain 4 is 28% — the largest. Expect 18-22 questions on monitoring, IR, forensics, SIEM, and automation.

What is a SIEM?

Aggregates logs, correlates events, generates alerts, provides dashboards. Backbone of SOC operations for detection and investigation.

What are the incident response phases?

Preparation → Detection & Analysis → Containment/Eradication/Recovery → Post-Incident. Know actions for each phase.

What forensic concepts are tested?

Chain of custody, order of volatility, forensic imaging, write blockers, hash verification, legal hold.

What log types should I know?

System, security, application, firewall, IDS/IPS, proxy, DNS, email, and audit logs.

What is SOAR?

Automates IR workflows via playbooks triggered by SIEM alerts. Reduces MTTR and ensures consistent response.
