Back to blog
Study Tips10 min read

How to Pass the Microsoft SC-200 Exam in 2026: An 8-Week Study Plan for the New 28 July Objectives

Microsoft updates the SC-200 objectives on 28 July 2026, adding Sentinel Graph, KQL jobs in Data lake, summary rule tables and embedded Security Copilot. Here is an 8-week SC-200 study plan built around the new skills measured, not the old ones.

Tom Ashford

Tom Ashford · Security Certifications Lead

16 July 2026

If you have an SC-200 exam booked for August or later, the exam you sit is not the one most study guides on the internet describe. Microsoft refreshed the skills measured for Exam SC-200 on 28 July 2026, and the new objectives pull in agentic AI, embedded Security Copilot, Sentinel Graph, KQL jobs in the Data lake and the Sentinel MCP Server. This SC-200 study plan is built around those new objectives, so you spend your eight weeks preparing for the version you will actually face.

The good news is that this is a refresh, not a rebuild. The three functional groups and their weights are unchanged, so if you have already started studying, you have not wasted your time. The bad news is that the newest topics are exactly the ones with the least free content available, and they sit inside the domain worth the most marks.

What Changed in the SC-200 on 28 July 2026

Microsoft's official study guide now lists the objectives as "skills measured as of July 28, 2026". The headline is that the structure held steady while the detail moved.

The domain weights are identical to the previous version:

Functional groupWeightChange on 28 July 2026
Manage a security operations environment40 to 45%Objectives refreshed, weight unchanged
Respond to security incidents35 to 40%Minor changes, weight unchanged
Perform threat hunting20 to 25%Objectives refreshed, weight unchanged

What actually moved is the vocabulary and the tooling. The refreshed objectives now explicitly name:

  • Investigating incidents by using agentic AI, including embedded Microsoft Security Copilot. This sits inside the Respond group.
  • Analysing relationships between entities by using Sentinel Graph, plus creating hunting graphs including blast radius.
  • Creating and managing KQL jobs in Data lake, a new hunting objective.
  • Creating and managing summary rule tables for querying.
  • Hunting for threats by using Notebooks, including connection to the Sentinel MCP Server.
  • Managing data retention across XDR and Sentinel tables, including the Analytics, Data lake and XDR tiers.
  • Managing security incidents by using case management.

Exam Tip: Microsoft updates the English version of an exam first and localises other languages roughly eight weeks later. If you are sitting the SC-200 in a language other than English before late September 2026, check the Schedule Exam section on the exam details page, because you may still be taking the previous objectives.

Does an updated exam invalidate the SC-200 you already hold?

No. A new version of the skills measured does not expire or downgrade a certification you have already earned. The SC-200 remains an annual renewal, and you renew for free by passing a shorter unproctored assessment on Microsoft Learn rather than resitting the full exam.

SC-200 Exam Format and Pass Mark

Before you plan eight weeks around it, get the basics straight.

  • Pass mark: A score of 700 or greater is required to pass, on a scale that tops out at 1000. This is confirmed on Microsoft's own scoring page and is not a percentage, so do not translate it into "70% correct".
  • Cost: The exam is 165 USD in most regions, though local taxes and exchange rates move that figure around.
  • Question count and length: Microsoft does not publish a fixed number. Candidates typically report somewhere in the region of 40 to 60 items and roughly two hours in the chair. Plan for the upper end of both and you will not be caught out.
  • Question style: Expect multiple choice, drag and drop, case studies and, importantly, KQL you have to read and interpret rather than merely recognise.
  • Renewal: Associate certifications expire annually, renewed free on Microsoft Learn.

Exam Tip: The single most common reason capable engineers fail the SC-200 is treating it as a Sentinel exam. Sentinel is the largest single product, but Defender XDR, Defender for Endpoint, Defender for Cloud, Entra ID and Purview all carry marks. A hunting specialist who cannot configure ASR rules will still fall short of 700.

The 8-Week SC-200 Study Plan

This plan assumes roughly 8 to 10 hours a week. If you already work in a SOC on the Microsoft stack, you can compress it to six weeks by merging weeks 1 and 2. If you are coming from a non-Microsoft SIEM, give yourself ten and add extra KQL reps.

The sequencing is deliberate. It front-loads the 40 to 45% domain, saves hunting for when your KQL has matured, and reserves the final fortnight for the new 28 July topics while they are still fresh in your memory on exam day.

Weeks 1 and 2: Manage a Security Operations Environment (the big one)

This group is worth 40 to 45%, more than any other, so it gets two full weeks.

Week 1, cover automation and configuration:

  • Email and alert notifications in Defender XDR, including tuning, suppression and correlation.
  • Defender for Endpoint advanced features, rules settings and custom data collection.
  • Security policies including attack surface reduction rules.
  • Automated investigation and response, and automatic attack disruption.
  • Device groups, permissions and automation levels.
  • Sentinel automation rules and playbooks.

Week 2, cover the Sentinel platform and data ingestion:

  • Sentinel roles, and workbooks.
  • Data retention across the Analytics, Data lake and XDR tiers. This is refreshed content, so give it real attention.
  • SOC optimisation recommendations.
  • Data connectors, Windows Security events via AMA and data collection rules, Windows Event Forwarding, Syslog and CEF via AMA.
  • Azure activity collection via Azure Policy and diagnostic settings.
  • Ingesting threat indicators and creating custom log tables.

Week 3: Configure Detections

Still inside the largest domain, but this deserves its own week because it is where the exam gets specific.

  • Custom detection rules via Advanced Hunting in Defender XDR, and managing them.
  • Sentinel analytics rules across all four types: scheduled, near real time (NRT), threat intelligence and machine learning. Know when each is appropriate.
  • Mapping attack vector coverage with the MITRE ATT&CK matrix.
  • Configuring anomalies in Sentinel.

Exam Tip: Learn the decision boundary between a scheduled rule and an NRT rule, and what NRT gives up in exchange for speed. Questions in this area reward knowing the constraint, not the marketing description.

Weeks 4 and 5: Respond to Security Incidents

Worth 35 to 40%, so two weeks again.

Week 4, work through the response surfaces one product at a time: Defender for Office 365 including automatic attack disruption, Purview-identified compromised entities, Defender for Cloud workload protections, Defender for Cloud Apps, compromised identities in Entra ID, Defender for Identity alerts, and Sentinel incidents.

Week 5, go deeper on endpoint and investigation:

  • Device timelines, live response, collecting investigation packages.
  • Evidence and entity investigation.
  • Multi-stage, multi-domain and lateral movement attacks.
  • Case management for security incidents, and investigating incidents using agentic AI with embedded Security Copilot. Both are refreshed objectives.
  • Investigating M365 activity via Purview Audit, Content search in eDiscovery, and Microsoft Graph activity logs.

Week 6: KQL and Threat Hunting Fundamentals

The hunting group is only 20 to 25%, but KQL bleeds into the other two groups, which is why it gets a dedicated week rather than a footnote.

Drill until these are automatic:

  • Picking the right table for a query. This is an explicit objective and it is where most people lose easy marks.
  • The core operators: where, project, summarize, extend, join.
  • Time filtering with ago() and between().
  • String parsing with parse and extract.
  • Building Advanced Hunting queries and interpreting threat analytics.

Write queries by hand. Reading them is not the same skill as producing them under time pressure.

Week 7: The New Hunting Objectives

This is the week that separates a plan built for the 28 July objectives from one that is not. Every item here is new or refreshed content with comparatively little free material available.

  • Sentinel Graph: analysing relationships between entities.
  • Hunting graphs, including blast radius.
  • KQL jobs in Data lake: creating and managing them.
  • Summary rule tables: creating and managing them for querying.
  • Notebooks, including connecting to the Sentinel MCP Server.

Get hands-on here rather than reading about it. A free Microsoft 365 developer tenant plus an Azure subscription will let you touch most of this directly, and an hour in the portal will stick better than three hours of documentation.

Week 8: Practice Exams and Weak-Spot Repair

Do not spend this week rereading. Spend it testing.

  1. Sit a full-length practice exam under timed conditions early in the week.
  2. Score it by domain, not overall. An aggregate score hides the domain that will sink you.
  3. Spend three or four days exclusively on your two weakest domains.
  4. Sit a second full-length paper two days before the exam.
  5. The day before, review only your own error log. No new material.

If your practice scores are strong everywhere except hunting, resist the urge to relax. Hunting questions are frequently the longest to read and the easiest to run out of time on.

Old Objectives vs New Objectives: Where to Spend Your Extra Hours

If you started studying before the refresh, you do not need to start over. You need a top-up. These are the areas to add.

TopicStatus on the new objectivesPriority
Sentinel Graph and entity relationshipsNewHigh
Hunting graphs and blast radiusNewHigh
KQL jobs in Data lakeNewHigh
Summary rule tablesNewHigh
Sentinel MCP Server via NotebooksNewMedium
Embedded Security Copilot and agentic AI investigationNewMedium
Data retention across Analytics, Data lake and XDR tiersRefreshedMedium
Case managementRefreshedMedium
Core KQL, analytics rules, Defender XDR responseUnchangedMaintain

Common SC-200 Mistakes to Avoid

Studying Sentinel to the exclusion of everything else. Sentinel is the biggest product on the exam, not the whole exam. The Manage group alone spans Defender for Endpoint policies, device groups and ingestion plumbing.

Learning KQL by reading it. You will be asked to identify the correct table and interpret real queries. Recognition is not the same as fluency.

Assuming 700 means 70%. It is a scaled score. Aiming for "just over the line" on practice tests leaves no margin for a bad question run.

Ignoring preview features. Microsoft states that most questions cover generally available features, but the exam may include preview features where they are commonly used. Given how much of the new content is recent, this matters more on this refresh than usual.

Sitting a localised exam without checking the version. If your language has not updated yet, you may be studying objectives that are not on your paper, or vice versa.

Is the SC-200 Still Worth It in 2026?

Yes, and arguably more so after this refresh. The addition of Security Copilot, Sentinel Graph and Data lake objectives drags the certification towards what modern SOC work actually looks like, which makes it a better signal to employers than a credential still testing 2021 tooling.

It also sits at a sensible point in a Microsoft security path. If you are weighing it against the identity-focused alternative, our breakdown of SC-200 vs SC-300 covers which to take first. If you are looking further up the stack, AZ-500 vs SC-500 is the natural next comparison, and the SC-100 study plan covers the architect-level exam above it.

Ready to Start Practising?

Reading objectives will not get you to 700. Answering questions will.

CertCrush gives you practice questions written against current exam objectives, with explanations that tell you why each wrong answer is wrong, so your weak domains surface before exam day rather than on it. Score by domain, fix the gap, sit the real thing with evidence you are ready.

Create your free CertCrush account and start practising today, or browse the full course catalogue to see everything we cover.

SC-200Microsoft SentinelDefender XDRKQLstudy plansecurity operationsMicrosoft certification
Tom Ashford

Written by

Tom Ashford · Security Certifications Lead

Tom spent over a decade in security operations and consulting before turning to full-time exam-prep writing. He covers the big security certifications — CISSP, CISM, CISA, Security+ and the rest of the alphabet — with a soft spot for the questions everyone gets wrong. His rule for every article: if it doesn’t help you score marks, it doesn’t go in.

All articles by Tom

Want a SC-200 practice course?

We don’t cover this exam yet — we build the most-requested courses first. One click tells us you want it.

Ready to crush this exam?

Set your exam date, follow a daily plan, and watch your readiness score climb — realistic practice with an explanation for every answer.