SSCP Exam Domains Explained: What You'll Be Tested On

A complete guide to all 7 SSCP domains — what's covered, how they're weighted, and where candidates get tripped up.

The SSCP exam covers seven domains that together describe the work of a security practitioner — not a security manager. That distinction matters more than people realize. If you've studied for CISSP and then pivoted to SSCP, you'll feel the difference in the first practice question. SSCP rewards the right operational answer. CISSP rewards the right governance answer. Same universe, different gravity.

This guide walks through all seven SSCP exam domains, what's inside each, and the places candidates actually lose points.

The Seven Domains at a Glance

The current SSCP exam outline weights the domains like this:

| Domain | Name | Weight |
|---|---|---|
| 1 | Security Operations and Administration | 16% |
| 2 | Access Controls | 15% |
| 3 | Risk Identification, Monitoring, and Analysis | 15% |
| 4 | Incident Response and Recovery | 14% |
| 5 | Cryptography | 9% |
| 6 | Network and Communications Security | 16% |
| 7 | Systems and Application Security | 15% |

Notice how flat this is. Only Domain 5 stands out as noticeably lighter. Everything else sits between 14% and 16%. There's no single domain that can carry you or sink you — unlike CISSP, where Domain 1 at 16% and Domain 3 at 13% dominate a lot of study time. You need to be at least competent across all seven.

If you're curious how this compares to CISSP's eight-domain model, the CISSP exam domains guide has a side-by-side view.

Domain 1: Security Operations and Administration (16%)

This is the foundation. Policies, procedures, control classifications, asset management, change management, the (ISC)² Code of Ethics — the stuff that isn't technically hard but is everywhere on the exam.

One pattern I've seen: candidates coming from CompTIA backgrounds (Security+, Network+) breeze through the technical domains and then stall on Domain 1 because they've never had to formally classify a control. They know what a firewall does. They've never had to say "a firewall is a technical preventive control, and when you combine it with egress logging, the logging piece is technical detective." The exam tests that kind of layered classification constantly.

A few things worth memorizing cold:

  • The three control types by nature: administrative, technical, physical
  • The control functions: preventive, detective, corrective, deterrent, compensating, recovery
  • The difference between policies, standards, procedures, and guidelines (the exam will give you a scenario and ask which document type applies)
  • CIA triad, plus non-repudiation, authenticity, and accountability — these extensions come up more than you'd expect

And know the Code of Ethics canons. Ethics questions aren't frequent, but when they show up they're usually easy points if you've read the canons once.

Domain 2: Access Controls (15%)

The most formulaic domain on the exam. If you learn the access control models and authentication factors, a good chunk of this domain is pattern recognition.

The four models are where questions cluster:

| Model | How access is decided | Typical environment |
|---|---|---|
| DAC | Object owner decides | Personal systems, small teams |
| MAC | System enforces via labels and clearances | Military, classified government |
| RBAC | Role assignment; users inherit role permissions | Enterprise |
| ABAC | Evaluated attributes at access time (user, resource, environment) | Modern cloud, dynamic systems |

When a scenario mentions security clearances or sensitivity labels, it's MAC. When it mentions job titles or departments, it's RBAC. When the file owner makes the call, it's DAC. When the system evaluates attributes at runtime ("if user is in Engineering AND device is managed AND time is during business hours"), it's ABAC.
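The four models are easier to keep apart once you see the same request answered by each of them. The following is an added example written for this guide, not code from the article or from any product: the subjects, the resource, the role table, the clearance numbers and the ABAC policy (Engineering, managed device, 09:00 to 17:00) are all constructed, and the MAC rule is a deliberately simplified clearance-versus-label comparison.

```python
from dataclasses import dataclass, field
from datetime import time

# Every subject, resource, role table and policy below is constructed for this
# example; none of it comes from the article or from a real product.

@dataclass(frozen=True)
class Subject:
    name: str
    department: str
    roles: frozenset = frozenset()
    clearance: int = 0                  # MAC: numeric clearance, higher is more trusted

@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    label: int = 0                      # MAC: sensitivity label on the object
    acl: dict = field(default_factory=dict)  # DAC: {subject name: set of actions the owner granted}

@dataclass(frozen=True)
class Environment:
    device_managed: bool
    now: time

# RBAC: permissions are attached to roles, never to individual users.
ROLE_PERMISSIONS = {
    "engineer": {("build-pipeline", "read"), ("build-pipeline", "write")},
    "auditor": {("build-pipeline", "read")},
}

def dac_allows(sub, res, action):
    """DAC: the object owner decides. The owner can do anything; everyone else gets only
    what the owner put in the ACL."""
    return sub.name == res.owner or action in res.acl.get(sub.name, set())

def mac_allows(sub, res, action):
    """MAC: the system compares clearance to label and the owner has no say. Reading needs
    clearance >= label (no read-up); writing is allowed only at the subject's own level in
    this deliberately simplified lattice."""
    if action == "read":
        return sub.clearance >= res.label
    return sub.clearance == res.label

def rbac_allows(sub, res, action):
    """RBAC: the user inherits whatever the assigned roles carry."""
    return any((res.name, action) in ROLE_PERMISSIONS.get(role, set()) for role in sub.roles)

def abac_allows(sub, res, action, env):
    """ABAC: subject, resource and environment attributes are evaluated at request time.
    Policy: Engineering staff may read or write the build pipeline, but only from a managed
    device during business hours (09:00-17:00)."""
    in_business_hours = time(9, 0) <= env.now < time(17, 0)
    return (
        res.name == "build-pipeline"
        and action in {"read", "write"}
        and sub.department == "Engineering"
        and env.device_managed
        and in_business_hours
    )

def decide(model, sub, res, action, env=None):
    """Route one access request to the named model. True = allow, False = deny."""
    if model == "DAC":
        return dac_allows(sub, res, action)
    if model == "MAC":
        return mac_allows(sub, res, action)
    if model == "RBAC":
        return rbac_allows(sub, res, action)
    if model == "ABAC":
        return abac_allows(sub, res, action, env)
    raise ValueError(f"unknown access control model: {model!r}")

def compare_models(sub, res, action, env):
    """The same request under all four models. The answers differ because the deciding
    authority differs: owner (DAC), system labels (MAC), role (RBAC), runtime attributes (ABAC)."""
    return {m: decide(m, sub, res, action, env) for m in ("DAC", "MAC", "RBAC", "ABAC")}

# Constructed scenario: alice is an engineer with clearance 1; bob owns the label-2
# build pipeline and granted alice read-only access in the ACL.
alice = Subject("alice", "Engineering", frozenset({"engineer"}), clearance=1)
pipeline = Resource("build-pipeline", owner="bob", label=2, acl={"alice": {"read"}})
late_unmanaged = Environment(device_managed=False, now=time(22, 0))
office_managed = Environment(device_managed=True, now=time(10, 30))

if __name__ == "__main__":
    for env in (late_unmanaged, office_managed):
        print(env, "write ->", compare_models(alice, pipeline, "write", env))
    print("read (office) ->", compare_models(alice, pipeline, "read", office_managed))
```

Run it and the exam's pattern shows up directly: the write request is denied by the owner (DAC), denied by the label (MAC), allowed by the role (RBAC) regardless of context, and allowed by ABAC only when the device and time attributes line up. When a scenario question describes who or what is making the call, that is the model it wants.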

Authentication factors are also tested cold: know the five (something you know, have, are, do, and where you are), and know that "two passwords" is not multi-factor — it's two instances of the same factor.

Domain 3: Risk Identification, Monitoring, and Analysis (15%)

Risk concepts and the monitoring side of operations. For most candidates, this domain is a mix of easy wins (the vocabulary) and one hard part (the quantitative math).

The math is actually where you should focus. It's small — maybe three or four formulas — and if you drill it, it's the fastest points on the exam. Walk through a full example once and it'll stick:

You own a web server worth $100,000. A ransomware incident would take out roughly 40% of its value. That's your Exposure Factor (0.4), which makes your Single Loss Expectancy $40,000 (asset value × EF). Your team estimates that a successful ransomware hit happens about once every five years — that's an Annualized Rate of Occurrence of 0.2. Multiply SLE by ARO and you get an Annualized Loss Expectancy of $8,000.

Now someone pitches you a control that costs $5,000 per year and cuts the ARO in half. Worth it? New ALE is $4,000. Savings = $4,000. Control costs $5,000. Not worth it.

If you can do that kind of walkthrough in under 90 seconds with the numbers changed, you've banked the quantitative questions.
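To drill the formulas with the numbers changed, here is the walkthrough above as an added example (written for this guide, not taken from the article). The asset value, EF and ARO mirror the text; the three candidate controls, their costs and their effects are constructed. It goes one step beyond the text by handling a control that lowers the exposure factor rather than the rate of occurrence, and by ranking several controls at once.

```python
from dataclasses import dataclass
from typing import Optional

# The asset figures mirror the walkthrough above ($100,000 asset, EF 0.4, ARO 0.2); the
# alternative controls and their costs are constructed for this example, not real quotes.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of value lost in one incident)."""
    return asset_value * exposure_factor

def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO (expected incidents per year; once in five years is 0.2)."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_aro: float                   # ARO after the control is in place
    new_ef: Optional[float] = None   # some controls shrink the loss per incident, not its frequency

def control_net_value(asset_value, ef, aro, ctl: Control) -> float:
    """Cost/benefit of a safeguard: (ALE before - ALE after) - annual cost of the control.
    Positive: the control pays for itself. Negative: accept the risk or find a cheaper control."""
    before = annualized_loss_expectancy(asset_value, ef, aro)
    ef_after = ctl.new_ef if ctl.new_ef is not None else ef
    after = annualized_loss_expectancy(asset_value, ef_after, ctl.new_aro)
    return round(before - after - ctl.annual_cost, 2)

def best_control(asset_value, ef, aro, controls) -> Optional[Control]:
    """Pick the control with the highest positive net value; None means none is worth buying."""
    ranked = sorted(controls, key=lambda c: control_net_value(asset_value, ef, aro, c), reverse=True)
    return ranked[0] if control_net_value(asset_value, ef, aro, ranked[0]) > 0 else None

ASSET_VALUE, EF, ARO = 100_000, 0.4, 0.2
CONTROLS = [
    Control("halve the ARO (the pitch in the text)", annual_cost=5_000, new_aro=0.1),
    Control("offline backups: same ARO, EF falls to 0.1", annual_cost=2_000, new_aro=0.2, new_ef=0.1),
    Control("endpoint hardening: ARO falls to 0.05", annual_cost=3_000, new_aro=0.05),
]

if __name__ == "__main__":
    print("ALE today:", annualized_loss_expectancy(ASSET_VALUE, EF, ARO))
    for c in CONTROLS:
        print(f"{c.name}: net {control_net_value(ASSET_VALUE, EF, ARO, c):+.2f}/yr")
    print("best:", best_control(ASSET_VALUE, EF, ARO, CONTROLS))
```

The first control reproduces the text's verdict (net minus $1,000 per year, not worth it). The backup control never changes how often ransomware lands, but it cuts what each incident costs, and that is the cheaper win here. Exam questions sometimes hide the answer in exactly that distinction: read whether the control changes EF or ARO before you multiply.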

On the risk-response side, know the four responses (avoid, transfer, mitigate, accept) and when each applies. Transferring a risk usually means insurance or a contractual shift — it doesn't eliminate the risk, it just moves who eats the loss.

Domain 4: Incident Response and Recovery (14%)

Two big themes: the incident response lifecycle, and the recovery metrics. Most of the domain falls into one or the other.

The IR lifecycle is preparation, detection and analysis, containment, eradication, recovery, lessons learned. Memorize the order. The exam loves asking "what step comes next" questions where the wrong-but-tempting answer is actually two steps ahead.

The recovery metrics are where candidates get confused. Here's the thing that actually matters: RTO and RPO are time measured from different reference points. RTO is forward-looking — how long can you be down before it's a real problem? RPO is backward-looking — how much data loss, measured in time, can you tolerate? If your last backup was at 2am and the system goes down at 10am, your actual data loss is eight hours. Your RPO needs to be at least that lenient, or you need to back up more often.

MTD is the hard ceiling — the absolute maximum the business can tolerate. And the relationship worth knowing: RTO + WRT ≤ MTD. If restoring systems takes four hours (RTO) and the business needs another two hours to return to normal operations (WRT), your MTD has to be at least six. If it's not, your recovery plan isn't actually adequate.

Forensics gets a couple of questions too — chain of custody, order of volatility, evidence preservation. Don't overstudy this, but don't skip it.

Domain 5: Cryptography (9%)

The smallest domain by weight, and that's led a lot of candidates to under-study it. I think that's a mistake. Crypto concepts bleed into Domain 2 (authentication), Domain 6 (secure protocols), and Domain 7 (certificates and signing). Under-studying this domain costs you points across three other domains.

You don't need algorithm math. You need use cases:

  • Bulk data encryption → symmetric (AES)
  • Key exchange, authentication, non-repudiation → asymmetric (RSA, ECC)
  • Integrity only → hashing (SHA-256)
  • Integrity + sender authenticity → digital signature (hash, then sign with private key)
  • All of the above combined → digital envelope / hybrid encryption (what TLS actually does)

PKI is worth a separate pass. Know the roles (CA, RA, subscriber, relying party), the lifecycle (request, issue, use, renew, revoke), and how revocation is checked: a CRL is a signed list the client downloads and refreshes periodically, while OCSP asks a responder about one certificate at the time of use (often with the response stapled to the TLS handshake by the server so the client does not have to contact the responder itself).

Common-attack questions are straightforward if you know the names — brute force, dictionary, rainbow table, birthday, replay, meet-in-the-middle, side-channel. Pair each with its countermeasure.
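One attack/countermeasure pair from that list, as an added example written for this guide (not code from the article): dictionary and rainbow-table attacks against stored password hashes, countered by a per-user random salt and a deliberately slow key derivation function. The users, passwords and word list are constructed; the dict used as a precomputed table stands in for a real rainbow table, which is a time-memory trade-off rather than a plain lookup; the PBKDF2 iteration count is a placeholder to tune on your own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo credentials and word list; never hard-code real passwords.
# Tune the iteration count to your hardware (tens of milliseconds per hash is the usual target).
PBKDF2_ITERATIONS = 200_000

def unsalted_sha256(password: str) -> str:
    """What not to do. Identical passwords give identical digests, so one precomputed table
    (a rainbow table in the real attack; a dict stands in for it below) cracks every account
    that shares a password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. A random per-user salt defeats precomputation and hides shared
    passwords; the iteration count makes each guess expensive for brute-force and dictionary attacks."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time
    so the check itself does not leak a timing side channel."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

WORDLIST = ["password", "letmein", "correct horse battery staple", "Summer2024!"]

def crack_with_precomputed_table(stored_digests: dict) -> dict:
    """Offline attack against unsalted hashes: hash the word list once, then recover every
    user whose digest appears in the table with a single lookup each. Against salted hashes
    the table would have to be rebuilt per salt, i.e. per user, which is the whole point."""
    table = {unsalted_sha256(w): w for w in WORDLIST}
    return {user: table[d] for user, d in stored_digests.items() if d in table}

def demo() -> dict:
    users = {"alice": "correct horse battery staple", "bob": "correct horse battery staple"}
    unsalted = {u: unsalted_sha256(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    salted_digests = {u: s.split("$")[-1] for u, s in salted.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],        # shared password is visible
        "cracked_unsalted": crack_with_precomputed_table(unsalted),      # both accounts recovered
        "salted_collide": salted["alice"] == salted["bob"],              # different salts, different hashes
        "cracked_salted": crack_with_precomputed_table(salted_digests),  # table is useless
        "verify_ok": verify_password("correct horse battery staple", salted["alice"]),
        "verify_wrong": verify_password("Tr0ub4dor&3", salted["alice"]),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the exam likes to ask are visible in the output: a salt does not make a weak password strong (the iteration count is what slows guessing), and the hash alone gives integrity, not secrecy, which is why the password store must be treated as sensitive even when it is "only hashes".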

Domain 6: Network and Communications Security (16%)

This is the domain that most defines whether you pass SSCP. It's tied for the largest at 16%, and it's where SSCP tests practitioner depth in a way CISSP doesn't. CISSP might ask about "defense in depth" as a concept. SSCP will ask you which port RDP runs on, which firewall type inspects application-layer traffic, and whether WPA3 uses SAE or PSK.

If you're coming in without a networking background, this is where you spend the most time. Period.

Ports and protocols. Know them cold. Not approximately — exactly. At minimum: SSH 22, Telnet 23 (and know it's insecure), SMTP 25, DNS 53, HTTP 80, POP3 110, NTP 123, IMAP 143, SNMP 161/162, LDAP 389, LDAPS 636, HTTPS 443, SMB 445, RDP 3389, MySQL 3306, MS SQL 1433, Syslog 514. If you don't currently know these from memory, make flashcards. This is one of the few places the SSCP exam rewards straight memorization.

The OSI and TCP/IP models. You'll get asked what layer a given protocol operates at, what a given attack targets, and what a given device does. A common question format: "A firewall that inspects up to Layer 7 is a..." (answer: application-layer firewall or WAF, depending on context). Learn the layers in order (Physical, Data Link, Network, Transport, Session, Presentation, Application) and know at least one protocol and one attack at each.

Network architecture. VLANs, subnets, DMZs, network segmentation, zero trust concepts. Questions here are more conceptual. You'll see scenarios that describe a network setup and ask which architectural principle it violates or implements.

Firewalls. Stateless, stateful, proxy, application-layer (WAF), next-generation (NGFW). Know what each can and can't inspect. A stateless (packet-filtering) firewall judges each packet on its headers alone. A stateful firewall tracks connection state so it can admit replies to connections the inside opened, but it still doesn't inspect payload. A proxy terminates the connection on both sides and can inspect everything it carries (for TLS traffic, only if it also terminates the TLS session). A NGFW adds deep packet inspection, IDS/IPS integration, and application awareness.
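The stateless-versus-stateful distinction is worth seeing in code, because the exam phrases it as "which firewall type would stop this". The following is an added example written for this guide, not code from the article or from any firewall product. The addresses (inside 10.0.0.0/24, outside hosts from the RFC 5737 documentation ranges), ports and packet sequence are constructed, and the flow table is a simplification of real TCP connection tracking: it records a 4-tuple when the inside host opens a connection and admits inbound packets only if they match one.

```python
from dataclasses import dataclass

# Addresses, ports and packets below are constructed (RFC 5737 documentation ranges for
# the outside hosts); the flow table is a deliberate simplification of real TCP state tracking.

INSIDE_PREFIX = "10.0.0."

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    payload: bytes = b""

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

class StatelessFilter:
    """Judges every packet on its own header. To let replies back in, it needs a rule that
    admits anything that merely looks like a reply (source port 443, ACK set), and an
    attacker can forge exactly that."""
    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and pkt.dport == 443:             # outbound HTTPS
            return True
        if not is_inside(pkt.src) and pkt.sport == 443 and "ACK" in pkt.flags:
            return True                                         # "looks like" a reply
        return False

class StatefulFilter:
    """Remembers flows the inside initiated and admits inbound packets only if they belong
    to one of them. Still header-only: payload bytes are never examined."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and pkt.dport == 443:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

SCENARIO = [
    ("client opens HTTPS", Packet("10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"SYN"}))),
    ("server reply", Packet("203.0.113.10", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))),
    ("forged reply from attacker", Packet("198.51.100.7", 443, "10.0.0.5", 51000, frozenset({"ACK"}))),
    ("hostile payload on real flow", Packet("203.0.113.10", 443, "10.0.0.5", 51000, frozenset({"ACK"}), b"<script>...")),
]

def run(scenario=SCENARIO) -> dict:
    """Feed the same packet sequence through both filters; returns {label: (stateless, stateful)}."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {label: (stateless.allow(p), stateful.allow(p)) for label, p in scenario}

if __name__ == "__main__":
    for label, (sl, sf) in run().items():
        verdict = lambda ok: "allow" if ok else "drop"
        print(f"{label:30} stateless={verdict(sl):5} stateful={verdict(sf)}")
```

The third packet is the exam's point: a stateless filter that must admit replies ends up admitting anything shaped like one, while the stateful filter drops it because no inside host ever opened that flow. The fourth packet is the caveat in the paragraph above: both filters pass a hostile payload on a legitimate connection, which is what a proxy, WAF or NGFW exists to catch.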

Wireless. WEP is broken (known since 2001). WPA used TKIP, also broken. WPA2 uses AES-CCMP and is still acceptable for most purposes. WPA3 adds SAE for better handshake security and protects against offline dictionary attacks. 802.1X is the enterprise authentication standard — know it's not a wireless standard per se, but it's used to authenticate wireless clients via RADIUS.

Network attacks. ARP poisoning, DNS cache poisoning, MITM, session hijacking, DDoS (know the difference between volumetric, protocol, and application-layer attacks), replay, evil twin, deauth attacks on wireless. For each, know the target, the mechanism, and the primary defense.

VPNs. Site-to-site vs remote access, IPsec vs SSL/TLS VPNs. IPsec operates at Layer 3 and is typically used for site-to-site. SSL/TLS VPNs operate at higher layers and are common for remote user access. Know the modes of IPsec (transport encrypts only the payload and keeps the original IP header; tunnel wraps the whole original packet in a new one) and the two protocols within IPsec (AH for integrity and origin authentication with no confidentiality; ESP for encryption, normally with integrity and authentication as well).

A practical study pattern that works for this domain: build a single table with columns for protocol, port, layer, purpose, and most common attack. Fill it in by hand. Redo it without looking once a week until you can do the whole thing in ten minutes. That exercise alone will cover most of the testable ground.

Domain 7: Systems and Application Security (15%)

The endpoint, server, cloud, mobile, and application domain. Broad and shallow rather than narrow and deep.

Malware types are where the exam gets specific. A virus infects host files and needs user action (running the file). A worm self-propagates over networks without user interaction. A trojan is disguised as something legitimate. A rootkit hides at the OS or kernel level and is difficult to detect or remove. Logic bombs trigger on a condition. Ransomware encrypts and extorts. Know the distinctions cold — the exam will describe behavior and ask you to name the malware type.

Cloud content here is thinner than you might expect. The shared responsibility model and the service models (IaaS, PaaS, SaaS) are fair game, but you won't be asked CCSP-level cloud questions. If you have a CCSP background, most of this domain is trivial for you. If you're going for CCSP next, good news — a lot of what you learn here will scale up. If you want a fuller sense of how the two certs relate, the SSCP vs Security+ comparison covers the overlap with the CompTIA side too.

Application security gets a few questions on input validation, output encoding, and session management. Know why each matters. Input validation prevents injection attacks. Output encoding prevents XSS. Session management (token generation, timeout, regeneration) prevents hijacking.
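Those three controls, as an added example written for this guide (not code from the article or from any framework): an allowlist validator for usernames, a vulnerable and an encoded version of the same HTML fragment, and a minimal session store that regenerates the identifier on login and expires idle sessions. The username pattern, the 15-minute idle timeout and the sample inputs are constructed; the in-memory dict stands in for whatever session backend a real application uses.

```python
import html
import re
import secrets
import time

# Policy values and sample inputs are constructed for this example; the store is an
# in-memory stand-in for whatever session backend a real application uses.

IDLE_TIMEOUT_SECONDS = 900
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def is_valid_username(raw: str) -> bool:
    """Input validation by allowlist: accept only the shape a username can have and reject
    everything else before it reaches a query or a template."""
    return USERNAME_RE.fullmatch(raw) is not None

def render_greeting_vulnerable(name: str) -> str:
    """Untrusted data dropped straight into HTML: a name containing markup becomes script."""
    return f"<p>Hello, {name}</p>"

def render_greeting(name: str) -> str:
    """Output encoding for the HTML text context turns < > & ' \" into entities, so the
    browser displays the characters instead of parsing them."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock          # injectable so the timeout can be tested without sleeping

    def create(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not sequential, not guessable
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Regenerate the identifier on authentication. A session ID planted before login
        (session fixation) is discarded, so whoever knows it gains nothing."""
        self._sessions.pop(sid, None)
        return self.create(user)

    def user_for(self, sid: str):
        """Resolve a session; idle sessions past the timeout are destroyed, not revived."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

def demo() -> dict:
    clock = [1_000_000.0]                       # fake clock under test control
    store = SessionStore(clock=lambda: clock[0])
    planted = store.create()                    # attacker obtains a pre-login ID and plants it on the victim
    victim_sid = store.login(planted, "alice")  # victim authenticates while carrying the planted ID
    results = {
        "fixated_id_still_valid": store.user_for(planted) is not None,
        "new_id_user": store.user_for(victim_sid),
    }
    clock[0] += IDLE_TIMEOUT_SECONDS + 1
    results["expired_after_idle"] = store.user_for(victim_sid) is None
    payload = "<script>alert(1)</script>"
    results["vulnerable_html"] = render_greeting_vulnerable(payload)
    results["encoded_html"] = render_greeting(payload)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what each piece does and does not do: validation rejects input that cannot be a username but is not a substitute for parameterized queries, encoding is specific to the output context (HTML text here; attributes, JavaScript and URLs each need their own), and regenerating the session ID is what defeats fixation, while the timeout limits how long a stolen ID stays useful.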

How the Domains Actually Interact on the Exam

Real SSCP questions frequently touch multiple domains. A phishing scenario might combine Domain 4 (incident response), Domain 7 (malware), and Domain 1 (user awareness training). A question about a compromised wireless network could cross Domains 6, 2, and 4.

The single biggest mental shift for candidates coming from CISSP study: when you have a choice between the governance answer and the operational answer, pick the operational one. SSCP asks what a practitioner would actually do, not what a CISO would approve. If the question gives you "conduct a risk assessment" vs "isolate the affected host and preserve logs," SSCP usually wants the second.

Where to Spend Your Study Time

If you're trying to decide what to prioritize, I'd rank it like this — but the ranking is about study leverage, not about what's on the exam most:

  1. Domain 6 — the largest technical domain, and the one where unprepared candidates lose the most points
  2. Domain 1 — 16% weight, and the concepts are frameworks you can memorize
  3. Domain 3 — the math is the easiest quick win on the whole exam
  4. Domain 5 — small but high-leverage because concepts reappear in other domains
  5. Domain 2 — straightforward if you drill the four AC models
  6. Domain 4 — know the lifecycle and the recovery metrics and you're mostly there
  7. Domain 7 — study last, mostly for the malware distinctions and cloud basics

That order isn't the same as the domain weights, and that's intentional. You want to spend time where the return on hours studied is highest, not where the exam is biggest. For a full study timeline, how long to study for SSCP breaks out week-by-week plans based on your starting point.

So Where Are You Actually Weak?

Most candidates guess wrong about their weak domains. People from networking backgrounds assume Domain 6 is safe and find out too late they're weak on Layer 7 firewalls. People from GRC backgrounds think they'll coast through Domain 1 and get blindsided by control classification questions. The only way to know is to test yourself across all seven domains at once, not one at a time.

A free SSCP diagnostic will tell you in about 25 minutes — per-domain accuracy, no signup, no sales pitch. That's a better starting point than any study guide.

Take a free SSCP diagnostic test
