
SC-200 Exam Domains 2026: Complete Guide to All 3 Content Areas

TL;DR
  • Domain 1 (Manage a security operations environment) carries the most weight at 40-45% of the exam.
  • Domain 2 (Respond to security incidents) is nearly as large at 35-40% and centers on Sentinel and Defender XDR workflows.
  • Domain 3 (Perform threat hunting) is smallest at 20-25% but leans heavily on KQL fluency.
  • The exam runs 100 minutes, requires a score of 700 (on Microsoft's 1-1000 scale) to pass, and costs $165 plus tax in the United States.

SC-200 Domain Overview: How the Exam Is Weighted

Every version of the SC-200 exam is built from three official domain groups published on the Microsoft Learn study guide. These aren't arbitrary categories - they map directly to the daily responsibilities of a security operations analyst working across Microsoft Sentinel, Microsoft Defender XDR, Microsoft Entra ID, Microsoft Purview, and Microsoft Defender for Cloud. Understanding the weight of each domain is the single most useful piece of information you can have before you start studying, because it tells you where to spend your limited prep hours.

The three domains are:

  • Domain 1: Manage a security operations environment - 40-45%
  • Domain 2: Respond to security incidents - 35-40%
  • Domain 3: Perform threat hunting - 20-25%

Together, Domains 1 and 2 make up roughly three-quarters of the scored content, which means threat hunting - while important and often the most technically interesting part of the job - is the domain you should treat as a refinement layer rather than your primary focus. For a deeper walkthrough of how to sequence your prep around this weighting, see our SC-200 Study Guide 2026: How to Pass on Your First Attempt.

Why the Weighting Matters: Microsoft doesn't publish exact question-per-domain counts, but the percentage ranges are the closest thing to a syllabus you'll get. Treat Domain 1 and Domain 2 as your primary study blocks and Domain 3 as a focused KQL and hypothesis-hunting sprint near the end.

Domain 1: Manage a Security Operations Environment (40-45%)

This is the largest domain on the exam and covers the configuration side of a SOC - the work that happens before an incident ever fires an alert. It tests whether you can stand up, tune, and maintain the tooling that the rest of the SOC depends on.

Manage a security operations environment

Candidates must understand how to configure and maintain Microsoft Sentinel and Microsoft Defender XDR as the backbone of a security operations program.

  • Configuring Microsoft Sentinel workspaces, data connectors, and content hubs
  • Implementing analytics rules and automation rules within Sentinel
  • Configuring Microsoft Defender XDR settings across endpoints, identities, and cloud apps
  • Managing Microsoft Defender for Cloud posture and workload protections
  • Applying Microsoft Purview data governance and compliance controls relevant to security operations
  • Integrating Microsoft Entra ID signals into detection and response workflows

Because this domain is so broad, many candidates underestimate how much configuration detail is tested - not just "what does this feature do" but "where do you enable it, and what are the dependencies." If you've been working hands-on in a lab tenant, this is where that time pays off. If you haven't, budget extra hours here rather than assuming familiarity with security concepts alone will carry you. Our dedicated breakdown at SC-200 Domain 1: Manage a security operations environment (40-45%) - Complete Study Guide 2026 goes deeper into each subtopic with configuration-level detail.

Domain 2: Respond to Security Incidents (35-40%)

Domain 2 is where the exam shifts from "how do you set things up" to "what do you do when something happens." This domain tests investigation and remediation skills across the same toolset - Sentinel, Defender XDR, Entra ID, and Purview - but from the perspective of an analyst actively working a live incident.

Respond to security incidents

Candidates must demonstrate the ability to investigate, correlate, and remediate incidents using Microsoft's unified security stack.

  • Investigating and triaging incidents in Microsoft Sentinel and Defender XDR
  • Correlating alerts across identity, endpoint, email, and cloud app signals
  • Remediating threats detected by Microsoft Defender for Cloud and Defender XDR
  • Using Security Copilot and AI-assisted workflows to accelerate investigation
  • Managing incident lifecycle tasks: classification, assignment, and closure
  • Applying automation (playbooks, automation rules) to standardize response

This domain is also where AI agents and Copilot-style tooling show up on the exam, reflecting how Microsoft has shifted SOC workflows toward AI-assisted triage. Expect scenario-based questions that describe a partial incident timeline and ask you to identify the next correct action, not just recall a definition. For a topic-by-topic breakdown, see SC-200 Domain 2: Respond to security incidents (35-40%) - Complete Study Guide 2026.
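As an added example (not from this page or from Microsoft's documentation) of the cross-signal correlation listed above, the Defender XDR advanced hunting query below pivots from one suspect account to every alert whose evidence named it, then attaches the hosts, IPs and apps from those same alerts so the resulting timeline spans identity, endpoint, email and cloud app sources in one view. The AlertInfo and AlertEvidence tables and their columns are the real advanced hunting schema; the UPN and the 7-day window are placeholder assumptions to swap for the account and period under investigation.

```kql
// Added example: pivot from one suspect account to every alert that involved it,
// across Defender workloads, then pull the other entities off those alerts.
// Assumptions: the UPN is a placeholder; 7 days is an arbitrary lookback.
let suspect = "jdoe@contoso.com";
let window  = 7d;
// Step 1: alert IDs whose evidence lists the suspect account as a User entity
let suspectAlerts =
    AlertEvidence
    | where Timestamp > ago(window)
    | where EntityType == "User" and AccountUpn =~ suspect
    | distinct AlertId;
// Step 2: the alerts themselves. ServiceSource is the product that raised each one
// (Defender for Identity, for Endpoint, for Office 365, for Cloud Apps, ...), which is
// what tells you which signal families the incident already spans.
AlertInfo
| where Timestamp > ago(window)
| where AlertId in (suspectAlerts)
// Step 3: widen the scope with the non-account entities on the same alerts
| join kind=leftouter (
    AlertEvidence
    | where Timestamp > ago(window)
    | where EntityType in ("Machine", "Ip", "Mailbox", "CloudApplication")
    | summarize
        Devices   = make_set_if(DeviceName, isnotempty(DeviceName), 10),
        RemoteIPs = make_set_if(RemoteIP, isnotempty(RemoteIP), 10),
        Apps      = make_set_if(Application, isnotempty(Application), 10)
      by AlertId
  ) on AlertId
| project Timestamp, ServiceSource, Severity, Category, Title,
          AttackTechniques, Devices, RemoteIPs, Apps
| order by Timestamp asc
```

Read the output top to bottom as the incident timeline: the first row tells you where the account was first flagged, and the Devices and RemoteIPs columns are your next pivots. A row with an empty Devices set is not a dead end; it usually means the alert came from an identity or email source whose evidence simply has no host, so pivot on the IP or mailbox instead.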

Key Takeaway

Domains 1 and 2 overlap heavily on the same tools (Sentinel, Defender XDR) but test different skills - configuration versus investigation. Study them together by tool, not separately by domain label.

Domain 3: Perform Threat Hunting (20-25%)

The smallest domain by weight, but the one most likely to expose weak KQL skills. Threat hunting on the SC-200 exam is about proactive detection - searching for indicators of compromise before an alert exists, not reacting to one that already fired.

Perform threat hunting

Candidates must be comfortable writing and interpreting Kusto Query Language (KQL) queries to hunt across large datasets.

  • Writing KQL queries to identify anomalies and threat indicators
  • Creating and managing hunting queries and bookmarks in Sentinel
  • Using threat intelligence to inform hunting hypotheses
  • Building and interpreting workbooks for proactive detection
  • Leveraging AI agents and Copilot to accelerate hunting workflows

Even though this domain carries the lowest weight, KQL fluency also bleeds into Domains 1 and 2 through analytics rule creation and incident investigation. Practically, this means KQL practice has an outsized return on study time relative to its labeled percentage. Our domain-specific guide at SC-200 Domain 3: Perform threat hunting (20-25%) - Complete Study Guide 2026 walks through common query patterns tested on the exam.

KQL Is Cross-Domain: Because Domains 1 and 2 both require writing or reading KQL-based analytics and hunting queries, weak query skills quietly cost points outside of Domain 3 too. Don't treat KQL as a 20-25% problem - treat it as a foundational skill that touches nearly every question type.
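The hunting query below is an added example, not code from this page or from Microsoft, written to show the kind of hypothesis-driven KQL that Domain 3 expects and that the cross-domain note above says also feeds analytics rules. It hunts for password spraying in the Entra ID sign-in logs: many distinct accounts failing from one source IP in a short window, followed by a successful sign-in from that same IP. The SigninLogs table and its columns are the real schema delivered by the Entra ID data connector; the 1-hour window and the 20-account threshold are assumptions you would tune per tenant.

```kql
// Added example: hunt for a password spray in SigninLogs and flag any source IP
// that sprayed and then succeeded.
// Assumptions: lookback and threshold are starting points, not tuned values.
// ResultType "50126" = invalid username or password; "0" = successful sign-in.
let lookback    = 1h;
let minAccounts = 20;    // distinct accounts failed from one IP inside the window
// Step 1: source IPs that failed against many different accounts
let sprayers =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"
    | summarize
        FailedAttempts   = count(),
        DistinctAccounts = dcount(UserPrincipalName),
        FirstFail        = min(TimeGenerated),
        LastFail         = max(TimeGenerated)
      by IPAddress
    | where DistinctAccounts >= minAccounts;
// Step 2: any successful sign-in from one of those IPs after the spraying began
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| join kind=inner (sprayers) on IPAddress
| where TimeGenerated > FirstFail
| project TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName,
          Location, DistinctAccounts, FailedAttempts, FirstFail, LastFail
| order by TimeGenerated asc
```

Run it from the Sentinel Hunting pane and bookmark any hit, since a success after a spray is the row you would escalate. An empty result does not mean no spray happened: run the sprayers block on its own to see attempts that have not yet succeeded. To turn the same logic into a scheduled analytics rule (Domain 1), keep only the sprayers block, set the rule's frequency and lookup period to the same 1-hour window so events are neither missed nor double-counted, and map IPAddress to the IP entity so the resulting incident carries the attacker source as a pivotable entity.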

Question Format and What the Exam Actually Tests

Microsoft doesn't publish an exact question count for SC-200, but most Microsoft certification exams fall in the 40-60 question range, delivered within a 100-minute time limit. The exam mixes several question formats, so don't expect a straightforward multiple-choice test:

  • Standard multiple choice
  • Drag-and-drop matching
  • Hot area (click-to-select regions)
  • Build list (sequencing steps in order)
  • Case studies with multiple related questions
  • Active screen simulations
  • Possible lab-style tasks

One detail that surprises first-time candidates: Microsoft Learn access is available during the exam within its own dedicated pane, and the exam timer keeps running while you use it. This isn't a substitute for knowing the material - it's meant for quick syntax or reference lookups, not for learning a topic from scratch mid-exam. If you're unsure whether your current knowledge is exam-ready, our How Hard Is the SC-200 Exam? Complete Difficulty Guide 2026 breaks down where candidates typically struggle by question format.

Case Studies Reward Reading Skills: Case-study question sets on SC-200 often reuse the same scenario across several questions. Read the entire scenario before jumping to answers - details buried early in the case often determine the correct answer to a later question.

Registration, Pricing, and Renewal Mechanics

SC-200 is delivered through Pearson VUE, either at a physical test center or via online proctoring, which gives candidates flexibility in scheduling. Pricing is region-based; in the United States, the Associate-level exam is typically priced at $165 plus applicable taxes, with no separate member or non-member pricing tier published by Microsoft.

Exam Detail | Specification
Delivery method | Pearson VUE test center or online proctoring
Exam duration | 100 minutes
Passing score | 700 or greater (on a 1-1000 scale)
US price | $165 plus applicable taxes
Prerequisites | None formal, but working knowledge of Sentinel, Defender XDR, Entra ID, Purview, and KQL expected
Certification validity | 12 months, renewable free via online Learn assessment

Because the certification expires after 12 months, factor renewal into your long-term plan from day one rather than treating the exam as a one-time event. For a full cost breakdown including retake considerations, see SC-200 Certification Cost 2026: Complete Pricing Breakdown. If you're still weighing whether the investment makes sense for your career stage, Is the SC-200 Certification Worth It? Complete ROI Analysis 2026 covers that decision in more depth.

Mapping Study Time to Domain Weight

A simple way to allocate prep time is to roughly mirror the exam's domain weighting rather than splitting your schedule evenly across three domains. Below is one way to structure a multi-week plan around the actual percentages rather than generic study advice.

Weeks 1-2: Domain 1 Foundations

  • Configure a Sentinel workspace and connect at least two data sources
  • Practice enabling Defender XDR policies across endpoint and identity
  • Review Purview and Defender for Cloud posture settings

Weeks 3-4: Domain 2 Investigation Skills

  • Work through simulated incidents in Sentinel and Defender XDR
  • Practice writing automation rules and playbooks
  • Study Security Copilot workflows for incident triage

Week 5: Domain 3 and KQL Sprint

  • Write hunting queries daily against sample datasets
  • Build and interpret workbooks tied to threat intel
  • Revisit weak KQL patterns identified in Domains 1 and 2 review

Week 6: Practice Exams and Gap Review

  • Take full-length timed practice tests
  • Review missed questions by domain, not just overall score
  • Revisit Microsoft Learn modules for lowest-scoring domain

This sequencing works because Domain 1 knowledge is a prerequisite for understanding Domain 2 scenarios - you can't investigate an incident in a Sentinel workspace you don't understand how to configure. Practicing with realistic questions throughout this timeline, such as those available on our SC-200 practice test platform, helps confirm which domain actually needs more attention rather than relying on gut feel.

Who Hires for This Skill Set

SC-200 is aimed squarely at security operations analysts, threat hunters, and SOC tier 1/2/3 staff who work daily inside Sentinel and Defender XDR. Organizations running Microsoft's security stack - which spans enterprises of nearly every size given Microsoft 365 and Azure adoption - look for this credential as validation that a candidate can operate the tools from day one rather than needing extensive onboarding.

Common titles associated with this certification include SOC analyst, security operations engineer, threat hunter, incident responder, and security engineer roles with a Microsoft-centric tech stack. If you're mapping the certification to career outcomes, SC-200 Jobs lists the roles most frequently associated with the credential, and SC-200 Salary Guide 2026: Complete Earnings Analysis covers compensation considerations by role and experience level.

If you're still new to the certification itself and want the basics before diving into domain-level prep, start with What Is SC-200? or SC-200 Certification for an overview, and SC-200 Training for structured learning path options.

Key Takeaway

Employers hiring against SC-200 expect hands-on comfort with Sentinel and Defender XDR - not just theoretical security knowledge. Lab time matters more than memorization for long-term job readiness.

Frequently Asked Questions

Which SC-200 domain should I study first?

Start with Domain 1 (Manage a security operations environment) since it carries the most weight at 40-45% and its configuration knowledge underpins the incident response scenarios tested in Domain 2.

Is KQL only tested in the threat hunting domain?

No. While Domain 3 (Perform threat hunting) is built around KQL, analytics rules in Domain 1 and incident correlation in Domain 2 also require reading or writing KQL queries.

How many questions are on the SC-200 exam?

Microsoft does not publish an exact count for SC-200 specifically, but most Microsoft certification exams contain 40-60 questions delivered within the exam's 100-minute time limit.

Do I need prior Microsoft Sentinel experience before attempting SC-200?

There are no formal prerequisites, but Microsoft expects candidates to understand Sentinel, Defender XDR, Entra ID, Purview, Defender for Cloud, and KQL well enough to apply them in scenario-based questions.

What happens after my SC-200 certification expires?

The certification is valid for 12 months. Renewal is free and completed by passing an online assessment through Microsoft Learn; the renewal window opens six months before the expiration date. If the certification is allowed to lapse, the full exam has to be retaken.
