Domain 4 of 5

Security Operations

Domain · 28% of the SY0-701 exam

Security Operations is the run-the-SOC story, walked in order

Assuming you know the controls the earlier domains built, Domain 4, at 28% of SY0-701 the largest and most procedural, is the day-to-day operation of a security program, and by the end you can place any scenario in its stage of the one ordered pipeline its nine subtopics form. You harden and baseline the computing resources (4.1), you cannot protect what you have not inventoried so you manage assets (4.2), you continuously find and prioritize their weaknesses (4.3), you watch them with alerting and monitoring (4.4), you operate the enterprise capabilities (firewalls, IDS/IPS, email authentication, EDR/DLP) that enforce and detect (4.5), you decide who may touch what through identity and access management (4.6), you make the repetitive parts run themselves with automation and orchestration (4.7), and when a control nonetheless fails you respond to the incident (4.8) and reconstruct what happened from the data sources you collected (4.9). The exam rarely asks you to define a term in isolation; it hands you a scenario and asks which stage of this pipeline you are in, so anchoring each verb to its place in the pipeline is worth more than memorizing any single list.

Prevention, detection, and response are different layers: answer at the right one

The domain's controls fall into three roles (three layers of defense) that the exam loves to contrast, and a correct answer matches the role to what the scenario actually needs. Preventive controls stop the bad thing before it happens: hardening and secure baselines (4.1), firewall rules and DNS filtering and SPF/DKIM/DMARC (4.5), least privilege and MFA (4.6), and automated guardrails (4.7). Detective controls reveal that something is wrong: alerting and monitoring with a SIEM (4.4), file integrity monitoring and behavioral EDR/UBA (4.5), and the investigation data sources (4.9). Responsive controls act after detection: quarantine and remediation (4.4), and the full incident-response lifecycle (4.8). A recurring trap offers a preventive fix to a detection problem or a single-host tool to a cross-system question; the discipline is to name the role the scenario is missing and pick the control that fills it.

Centralized, off-host collection is what makes detection and investigation survivable

Several subtopics quietly depend on one shared idea: signal must be shipped off the host that generates it. NIST SP 800-92 recommends centralized log collection precisely because an attacker who compromises a host can tamper with or delete the logs stored on it, but cannot reach the copy already shipped to a SIEM. That same off-host record is the durable evidence base for investigation (4.9), where logs already centralized survive a wipe on the compromised endpoint, and it underpins incident response (4.8), where the timeline is reconstructed by correlating many sources on a common clock. A SIEM is therefore the correlation hub for monitoring (4.4) and the evidence vault for forensics at once: the answer whenever a scenario spans multiple systems, because no single sensor or log sees the whole story.

Lifecycle thinking beats point-in-time thinking across the whole domain

Four of the nine subtopics are explicitly framed as repeating lifecycles, and treating them as one-time acts is the single most common wrong answer. A secure baseline is establish-then-deploy-then-maintain, decaying into configuration drift if never re-enforced (4.1). Asset management is procure-assign-track-dispose, where an un-inventoried laptop or an un-sanitized disposed disk is the gap an attacker or auditor finds (4.2). Vulnerability management is identify-analyze-respond-validate-report, where a raw scan report is an input, never the finish line: you confirm the finding, choose a response, then re-scan to prove it fixed (4.3). Incident response runs preparation-detection-analysis-containment-eradication-recovery-lessons-learned, and the order is enforced: you cannot eradicate before you contain, nor recover before you eradicate (4.8). When an answer treats any of these as 'done once', it is almost always the distractor.

Automation is a force multiplier that moves risk rather than removing it

Automation and orchestration (4.7) cut across the whole domain: SOAR playbooks run against the alerts from 4.4, guardrails enforce the baselines of 4.1, automated provisioning and deprovisioning execute the identity lifecycle of 4.6, and continuous integration bakes security checks into the pipeline. The benefit the exam wants named is the workforce multiplier: a small team covering work that would otherwise need many more analysts by removing humans from repetitive, error-prone loops. But CompTIA insists you also weigh the considerations: complexity, cost, single point of failure, technical debt, and ongoing supportability. A pipeline that provisions access at machine speed is also a high-value target that mis-acts at machine speed if compromised, which is why high-judgment or legally weighty actions keep a human in the loop.

Which Security Operations subtopic answers the question

If the scenario is about…Reach for subtopicControl roleThe exam's tell
Hardening a device, golden images, MDM/WPA3, secure app codingComputing Resource Security (4.1)Preventiveestablish / deploy / maintain a baseline; match the technique to the target
Inventory, ownership, classification, secure disposal/sanitizationAsset Management (4.2)Preventive / foundationalprocure → assign → track → dispose; Clear vs Purge vs Destroy
Finding, confirming, prioritizing, and remediating weaknessesVulnerability Management (4.3)Detective → responsiveCVE names, CVSS scores; remediate / mitigate / accept / transfer, then re-scan
Aggregating logs, correlating events, firing and tuning alertsAlerting and Monitoring (4.4)Detectivea SIEM correlates across sources; tune alerts, never disable them
Configuring firewalls, IDS/IPS, DNS/email filtering, EDR/DLPEnterprise Network Security (4.5)Preventive + detectivemodify EXISTING capabilities (the dial, not the diagram)
Account lifecycle, access models, MFA, SSO, privileged accessIdentity and Access Management (4.6)Preventiveprovision/deprovision vs the authorization decision; factor categories, least privilege
Scripting repetitive work, guardrails, SOAR playbooks, CI/CDAutomation and Orchestration (4.7)Force multiplieruse cases / benefits / considerations; workforce multiplier vs single point of failure
Reacting to a confirmed incident through to lessons learnedIncident Response (4.8)Responsivecontain → eradicate → recover order; tabletop vs simulation
Choosing which log or capture answers an investigative questionInvestigation Data Sources (4.9)Investigativematch the source to the question; metadata vs payload; order of volatility

Subtopics in this domain