- Domain 1 (Manage a security operations environment) carries the most weight at 40-45% of the exam.
- Domain 2 (Respond to security incidents) is nearly as large at 35-40% and centers on Sentinel and Defender XDR workflows.
- Domain 3 (Perform threat hunting) is smallest at 20-25% but leans heavily on KQL fluency.
- The exam runs 100 minutes, requires a score of 700 to pass, and costs $165 for candidates testing in the United States.
SC-200 Domain Overview: How the Exam Is Weighted
Every version of the SC-200 exam is built from three official domain groups published on the Microsoft Learn study guide. These aren't arbitrary categories - they map directly to the daily responsibilities of a security operations analyst working across Microsoft Sentinel, Microsoft Defender XDR, Microsoft Entra ID, Microsoft Purview, and Microsoft Defender for Cloud. Understanding the weight of each domain is the single most useful piece of information you can have before you start studying, because it tells you where to spend your limited prep hours.
The three domains are:
- Domain 1: Manage a security operations environment - 40-45%
- Domain 2: Respond to security incidents - 35-40%
- Domain 3: Perform threat hunting - 20-25%
Together, Domains 1 and 2 make up roughly three-quarters of the scored content, which means threat hunting - while important and often the most technically interesting part of the job - is the domain you should treat as a refinement layer rather than your primary focus. For a deeper walkthrough of how to sequence your prep around this weighting, see our SC-200 Study Guide 2026: How to Pass on Your First Attempt.
Domain 1: Manage a Security Operations Environment (40-45%)
This is the largest domain on the exam and covers the configuration side of a SOC - the work that happens before an incident ever fires an alert. It tests whether you can stand up, tune, and maintain the tooling that the rest of the SOC depends on.
Manage a security operations environment
Candidates must understand how to configure and maintain Microsoft Sentinel and Microsoft Defender XDR as the backbone of a security operations program.
- Configuring Microsoft Sentinel workspaces, data connectors, and content hubs
- Implementing analytics rules and automation rules within Sentinel
- Configuring Microsoft Defender XDR settings across endpoints, identities, and cloud apps
- Managing Microsoft Defender for Cloud posture and workload protections
- Applying Microsoft Purview data governance and compliance controls relevant to security operations
- Integrating Microsoft Entra ID signals into detection and response workflows
Because this domain is so broad, many candidates underestimate how much configuration detail is tested - not just "what does this feature do" but "where do you enable it, and what are the dependencies." If you've been working hands-on in a lab tenant, this is where that time pays off. If you haven't, budget extra hours here rather than assuming familiarity with security concepts alone will carry you. Our dedicated breakdown at SC-200 Domain 1: Manage a security operations environment (40-45%) - Complete Study Guide 2026 goes deeper into each subtopic with configuration-level detail.
Domain 2: Respond to Security Incidents (35-40%)
Domain 2 is where the exam shifts from "how do you set things up" to "what do you do when something happens." This domain tests investigation and remediation skills across the same toolset - Sentinel, Defender XDR, Entra ID, and Purview - but from the perspective of an analyst actively working a live incident.
Respond to security incidents
Candidates must demonstrate the ability to investigate, correlate, and remediate incidents using Microsoft's unified security stack.
- Investigating and triaging incidents in Microsoft Sentinel and Defender XDR
- Correlating alerts across identity, endpoint, email, and cloud app signals
- Remediating threats detected by Microsoft Defender for Cloud and Defender XDR
- Using Security Copilot and AI-assisted workflows to accelerate investigation
- Managing incident lifecycle tasks: classification, assignment, and closure
- Applying automation (playbooks, automation rules) to standardize response
This domain is also where AI agents and Copilot-style tooling show up on the exam sandbox, reflecting how Microsoft has shifted SOC workflows toward AI-assisted triage. Expect scenario-based questions that describe a partial incident timeline and ask you to identify the next correct action, not just recall a definition. For a topic-by-topic breakdown, see SC-200 Domain 2: Respond to security incidents (35-40%) - Complete Study Guide 2026.
Key Takeaway
Domains 1 and 2 overlap heavily on the same tools (Sentinel, Defender XDR) but test different skills - configuration versus investigation. Study them together by tool, not separately by domain label.
Domain 3: Perform Threat Hunting (20-25%)
This is the smallest domain by weight, but it is the one most likely to expose weak KQL skills. Threat hunting on the SC-200 exam is about proactive detection - searching for indicators of compromise before an alert exists, not reacting to one that has already fired.
Perform threat hunting
Candidates must be comfortable writing and interpreting Kusto Query Language (KQL) queries to hunt across large datasets.
- Writing KQL queries to identify anomalies and threat indicators
- Creating and managing hunting queries and bookmarks in Sentinel
- Using threat intelligence to inform hunting hypotheses
- Building and interpreting workbooks for proactive detection
- Leveraging AI agents and Copilot to accelerate hunting workflows
Even though this domain carries the lowest weight, KQL fluency also bleeds into Domains 1 and 2 through analytics rule creation and incident investigation. Practically, this means KQL practice has an outsized return on study time relative to its labeled percentage. Our domain-specific guide at SC-200 Domain 3: Perform threat hunting (20-25%) - Complete Study Guide 2026 walks through common query patterns tested on the exam.
Question Format and What the Exam Actually Tests
Microsoft doesn't publish an exact question count for SC-200, but most Microsoft certification exams fall in the 40-60 question range, delivered within a 100-minute time limit. The exam sandbox includes a mix of formats rather than a single style, so you should expect variety rather than a straightforward multiple-choice test:
- Standard multiple choice
- Drag-and-drop matching
- Hot area (click-to-select regions)
- Build list (sequencing steps in order)
- Case studies with multiple related questions
- Active screen simulations
- Possible lab-style tasks
One detail that surprises first-time candidates: Microsoft Learn access is available during the exam within its own dedicated pane, and the exam timer keeps running while you use it. This isn't a substitute for knowing the material - it's meant for quick syntax or reference lookups, not for learning a topic from scratch mid-exam. If you're unsure whether your current knowledge is exam-ready, our How Hard Is the SC-200 Exam? Complete Difficulty Guide 2026 breaks down where candidates typically struggle by question format.
Registration, Pricing, and Renewal Mechanics
SC-200 is delivered through Pearson VUE, either at a physical test center or via online proctoring, which gives candidates flexibility in scheduling. Pricing is region-based; in the United States, the Associate-level exam is typically priced at $165 plus applicable taxes, with no separate member or non-member pricing tier published by Microsoft.
| Exam Detail | Specification |
|---|---|
| Delivery method | Pearson VUE test center or online proctoring |
| Exam duration | 100 minutes |
| Passing score | 700 or greater |
| US price | $165 plus applicable taxes |
| Prerequisites | None formal, but working knowledge of Sentinel, Defender XDR, Entra ID, Purview, and KQL expected |
| Certification validity | 12 months, renewable free via online Learn assessment |
Because the certification expires after 12 months, factor renewal into your long-term plan from day one rather than treating the exam as a one-time event. For a full cost breakdown including retake considerations, see SC-200 Certification Cost 2026: Complete Pricing Breakdown. If you're still weighing whether the investment makes sense for your career stage, Is the SC-200 Certification Worth It? Complete ROI Analysis 2026 covers that decision in more depth.
Mapping Study Time to Domain Weight
A simple way to allocate prep time is to roughly mirror the exam's domain weighting rather than splitting your schedule evenly across three domains. Below is one way to structure a multi-week plan around the actual percentages rather than generic study advice.
Domain 1 Foundations
- Configure a Sentinel workspace and connect at least two data sources
- Practice enabling Defender XDR policies across endpoint and identity
- Review Purview and Defender for Cloud posture settings
Domain 2 Investigation Skills
- Work through simulated incidents in Sentinel and Defender XDR
- Practice writing automation rules and playbooks
- Study Security Copilot workflows for incident triage
Domain 3 and KQL Sprint
- Write hunting queries daily against sample datasets
- Build and interpret workbooks tied to threat intel
- Revisit weak KQL patterns identified in Domains 1 and 2 review
Practice Exams and Gap Review
- Take full-length timed practice tests
- Review missed questions by domain, not just overall score
- Revisit Microsoft Learn modules for lowest-scoring domain
This sequencing works because Domain 1 knowledge is a prerequisite for understanding Domain 2 scenarios - you can't investigate an incident in a Sentinel workspace you don't understand how to configure. Practicing with realistic questions throughout this timeline, such as those available on our SC-200 practice test platform, helps confirm which domain actually needs more attention rather than relying on gut feel.
Who Hires for This Skill Set
SC-200 is aimed squarely at security operations analysts, threat hunters, and SOC tier 1/2/3 staff who work daily inside Sentinel and Defender XDR. Organizations running Microsoft's security stack - which spans enterprises of nearly every size given Microsoft 365 and Azure adoption - look for this credential as validation that a candidate can operate the tools from day one rather than needing extensive onboarding.
Common titles associated with this certification include SOC analyst, security operations engineer, threat hunter, incident responder, and security engineer roles with a Microsoft-centric tech stack. If you're mapping the certification to career outcomes, SC-200 Jobs lists the roles most frequently associated with the credential, and SC-200 Salary Guide 2026: Complete Earnings Analysis covers compensation considerations by role and experience level.
If you're still new to the certification itself and want the basics before diving into domain-level prep, start with What Is SC-200? or SC-200 Certification for an overview, and SC-200 Training for structured learning path options.
Key Takeaway
Employers hiring against SC-200 expect hands-on comfort with Sentinel and Defender XDR - not just theoretical security knowledge. Lab time matters more than memorization for long-term job readiness.
Frequently Asked Questions
Start with Domain 1 (Manage a security operations environment) since it carries the most weight at 40-45% and its configuration knowledge underpins the incident response scenarios tested in Domain 2.
No. While Domain 3 (Perform threat hunting) is built around KQL, analytics rules in Domain 1 and incident correlation in Domain 2 also require reading or writing KQL queries.
Microsoft does not publish an exact count for SC-200 specifically, but most Microsoft certification exams contain 40-60 questions delivered within the exam's 100-minute time limit.
There are no formal prerequisites, but Microsoft expects candidates to understand Sentinel, Defender XDR, Entra ID, Purview, Defender for Cloud, and KQL well enough to apply them in scenario-based questions.
The certification is valid for 12 months. Renewal is free and completed by passing an online assessment through Microsoft Learn before the expiration date.