You have decided to sit CompTIA SecAI+, and now you need a plan that actually gets you to a pass rather than a pile of half-read objectives. This guide gives you exactly that: a realistic eight-week study plan for the CompTIA SecAI+ (CY0-001) exam, built around the way the exam is weighted and the mistakes that catch most candidates out.
SecAI+ launched on 17 February 2026 as the first certification in CompTIA's new Expansion Series. It is a vendor-neutral, mid-level credential for security professionals who already understand core cybersecurity and now need to prove they can secure AI systems, use AI to defend an organisation, and govern all of it responsibly. Because it is new, the exam pool is still settling and the study material online is patchy, which is exactly why a structured plan matters.
This is not a "watch one course and hope" guide. Follow the eight weeks below, put the hours in, and you will walk into the test centre knowing where your marks are coming from.
What the CompTIA SecAI+ (CY0-001) Exam Actually Looks Like
Before you plan your revision, you need to know the shape of the thing you are revising for. Here are the confirmed exam facts.
- Exam code: CY0-001 (Version 1)
- Questions: a maximum of 60, a mix of multiple-choice and performance-based questions (PBQs)
- Time: 60 minutes
- Passing score: 600 on a scale of 100 to 900
- Recommended experience: 3 to 4 years of IT experience with roughly 2 years hands-on in cybersecurity, plus prior study to the level of Security+, CySA+ or PenTest+
Exam Tip: SecAI+ builds on Security+, CySA+ and PenTest+ rather than replacing them. If your core security fundamentals are shaky, fix those first. The exam assumes you already know what a SIEM, a threat actor and a control framework are.
Sixty questions in sixty minutes is one question per minute, and the PBQs eat time. That time pressure is a real factor, so speed on the PBQs is part of your study plan, not an afterthought.
The Four Domains and Their Weightings
Everything in your revision should be scaled to how heavily each domain is weighted. This is the single most important table in the whole guide.
| Domain | Topic | Weight |
|---|---|---|
| 1.0 | Basic AI Concepts Related to Cybersecurity | 17% |
| 2.0 | Securing AI Systems | 40% |
| 3.0 | AI-assisted Security | 24% |
| 4.0 | AI Governance, Risk, and Compliance | 19% |
Look at Domain 2.0. Securing AI Systems is 40 percent of the exam on its own, which is almost as much as the other three domains combined. If you run short on time in any week, you protect your Domain 2.0 revision first. A candidate who is strong on Securing AI Systems and merely competent everywhere else passes. A candidate who is weak on Domain 2.0 usually does not.
The Skills the Exam Is Testing
CompTIA states that a successful SecAI+ candidate can secure AI systems using technical controls, use AI to improve an organisation's security posture and automate security tasks, and understand how governance, risk and compliance affect AI on a global scale.
In practice that means you need to be comfortable with:
- Core AI terminology: machine learning, deep learning, natural language processing, model training and automation, explained in security terms rather than data-science theory
- AI-specific threats: automated phishing, polymorphic malware, adversarial machine learning, data poisoning, model theft and the malicious use of generative AI
- Defensive controls for AI: securing training data, protecting models and pipelines, input and output validation, and monitoring model behaviour
- Using AI defensively: threat detection, alert triage, security automation and reducing analyst workload
- Governance: risk frameworks, compliance obligations, responsible-AI principles and how regulation shapes deployment
Keep that list beside you. Every study session should map to one of those buckets so you are never revising in the abstract.
The 8-Week CompTIA SecAI+ Study Plan
This plan assumes 8 to 10 hours of study per week. If you can only manage 5 to 6 hours, stretch it to ten or twelve weeks rather than cutting the content. The order is deliberate: fundamentals first, then the heaviest domain, then application, then governance, then pure exam practice.
Weeks 1 to 2: Fundamentals and Domain 1.0 (Basic AI Concepts)
Start with Domain 1.0. It is only 17 percent of the marks, but it is the vocabulary every other domain is written in, so getting it solid early pays off for the whole plan.
- Learn how machine learning, deep learning and NLP work at a conceptual level, and more importantly how each one is used and attacked in a security context.
- Map the AI threat landscape: know the difference between adversarial machine learning, data poisoning, model inversion and prompt injection, and be able to give a one-line example of each.
- Read the official CY0-001 exam objectives end to end at least once so you know the full scope.
By the end of week 2 you should be able to explain, out loud and without notes, what an AI model is, how it is trained, and three distinct ways an attacker can abuse one.
Weeks 3 to 4: Domain 2.0 (Securing AI Systems), Part One
This is the big one at 40 percent, so it gets a full four weeks split across two blocks. Weeks 3 and 4 cover the defensive foundations.
- Securing the AI pipeline: protecting training data, data integrity, and the supply chain that feeds a model.
- Model security: guarding against model theft, tampering and unauthorised access.
- Input and output controls: validation, filtering, guardrails and why they matter for generative systems.
Exam Tip: For Domain 2.0, think like a defender protecting an asset, not a data scientist building a model. The exam rewards candidates who can pick the right control for a specific AI threat, so practise matching threats to controls until it is automatic.
Weeks 5 to 6: Domain 2.0 Part Two and Domain 3.0 (AI-assisted Security)
Finish Securing AI Systems in the first half of week 5, then move into Domain 3.0, which is 24 percent of the exam and where a lot of your existing security operations knowledge transfers.
- Wrap up Domain 2.0: monitoring model behaviour in production, detecting drift and abuse, and incident response for AI systems.
- Domain 3.0: using AI for threat detection, automating triage and response, and reducing false positives.
- Understand the trade-offs: where AI-assisted security helps, and where over-reliance on it creates new risk.
Start doing timed PBQ practice this fortnight. The performance-based questions are where slow candidates lose marks, and they are much easier to handle once you have seen the common scenario types.
Week 7: Domain 4.0 (AI Governance, Risk, and Compliance)
Domain 4.0 is 19 percent and often the domain technical candidates neglect. Do not. It is very learnable and the marks are there for the taking.
- Learn the major AI risk and governance frameworks and what each is for.
- Understand global compliance pressures and how regulation shapes where and how AI can be deployed.
- Get comfortable with responsible-AI concepts: bias, transparency, accountability and explainability, framed as governance controls rather than ethics theory.
Because this domain is concept-heavy and light on hands-on skill, it revises well with flashcards and short daily bursts.
Week 8: Full Practice Exams and Weak-Spot Repair
The final week is pure exam conditioning. No new material.
- Sit at least two or three full, timed practice exams under real conditions: 60 questions, 60 minutes, no interruptions.
- After each one, review every question you got wrong and every one you guessed, and trace it back to the domain it came from.
- Spend your remaining hours on your two weakest domains only. For most people that is Domain 2.0 depth and Domain 4.0 recall.
Exam Tip: Aim to comfortably clear the equivalent of 600 out of 900 on your practice exams before you book the real thing. If you are scraping a pass in practice, give yourself another week rather than gambling on the day.
How to Handle the Performance-Based Questions
The PBQs are the part candidates fear most, and they are the biggest time sink in a 60-minute exam. Three tactics keep them from wrecking your pace.
- Flag and move. If a PBQ is going to take more than a couple of minutes, flag it, answer all the multiple-choice questions first to bank those marks, then come back with your remaining time.
- Read the scenario for the ask, not the detail. Most PBQs describe an AI system under a specific threat and ask you to choose or order the correct controls. Identify the threat first, then the control, and ignore the noise.
- Practise them timed from week 5. Familiarity is the whole game. A PBQ type you have seen three times before is a two-minute question, not a five-minute panic.
Common Mistakes That Fail SecAI+ Candidates
- Under-weighting Domain 2.0. Spreading your time evenly across four domains means under-preparing the 40 percent that decides the exam. Weight your hours to the marks.
- Treating it like a data-science exam. SecAI+ is a security certification. You are not being asked to build models, you are being asked to secure and defend them.
- Skipping governance. Domain 4.0 is 19 percent of easy, learnable marks. Ignoring it because it is not technical is a common and avoidable error.
- No timed practice. Sixty questions in sixty minutes with PBQs is tight. If your first timed run is on exam day, the clock will beat you.
Is CompTIA SecAI+ Worth the Effort?
If you already hold Security+ or CySA+ and your organisation is deploying AI tools, SecAI+ is one of the clearest ways to prove you can secure that shift. AI security roles command strong salaries in 2026, and most security professionals do not yet hold a dedicated, vendor-neutral AI security credential, so the certification still carries first-mover value. For a fuller breakdown of the career side, see our guide on CompTIA SecAI+ domains, cost and career value and what jobs SecAI+ unlocks.
If you are still weighing SecAI+ against your next CompTIA step, our comparisons of SecAI+ vs CySA+ and SecAI+ vs ISACA AAISM will help you decide before you commit eight weeks to it.
Ready to Start Practising?
A study plan gets you organised, but questions get you exam-ready. The fastest way to find out whether your Domain 2.0 knowledge holds up under exam pressure is to answer realistic CY0-001 questions against the clock and review every explanation until the gaps close.
CertCrush gives you exam-style SecAI+ practice questions with detailed answer explanations, so you can drill each domain, master the performance-based scenarios, and track your readiness week by week against this plan. Do not walk into CY0-001 hoping. Walk in knowing.
Create your free CertCrush account and start practising CompTIA SecAI+ questions today. Browse everything on offer on our courses page, and turn this eight-week plan into a first-time pass.
