CompTIA SecAI+ (CY0‑001) Practice Exams
About the CompTIA SecAI+ exam
Exam at a glance
CompTIA's AI-augmented cybersecurity credential, released February 17, 2026 — the first CompTIA specialty exam focused specifically on the intersection of cybersecurity and artificial intelligence.
Domain weighting
- Basic AI concepts related to cybersecurity: 17%
- Securing AI systems: 40%
- AI-assisted security: 24%
- AI governance, risk, and compliance: 19%
The largest single domain is Securing AI systems (40%) — defending against adversarial machine learning, prompt injection, jailbreaks, model extraction, and training data poisoning. If you only have time to deep-dive one area, this is the one.
Who it's for
SecAI+ targets security professionals whose role is shifting into AI-related work:
- SOC analysts integrating AI-augmented detection and LLM-assisted triage into day-to-day workflows.
- Security engineers defending pipelines that include ML / LLM components — model registries, inference endpoints, RAG stacks, vector databases.
- Incident responders handling AI-specific incidents: prompt injection, model theft, training data poisoning, deepfake-driven social engineering.
- AI / ML engineers extending into security — adding red-team practices, supply-chain controls, and runtime defenses to model development.
- GRC professionals mapping AI usage to emerging regulation (EU AI Act, NIST AI RMF, ISO/IEC 42001, sector-specific AI rules).
Prerequisites
No hard prerequisites. CompTIA's recommended profile is 3–4 years in IT plus 2+ years of hands-on cybersecurity experience. Holding Security+ (SY0-701), CySA+ (CS0-003), PenTest+ (PT0-003), or an equivalent security credential is recommended. Working familiarity with AI / ML fundamentals — model lifecycle, training data, inference, RAG, LLM workflows — is also expected. Candidates with no AI exposure should budget extra time on foundational AI concepts before exam day.
Why take this certification
- Fills a gap general security certs don't cover. Security+, CySA+, and CASP/SecurityX address broad cybersecurity, but AI-specific threats — prompt injection, model poisoning, deepfake-driven phishing, training data leakage — get only superficial treatment. SecAI+ is the first major vendor-neutral cert focused on this surface area.
- Cross-functional value. The cert proves you can both defend AI systems and use AI tools responsibly in security ops, making it relevant to SOC, AppSec, MLOps, and GRC roles simultaneously.
- Aligned with new regulation. The EU AI Act, NIST AI RMF, ISO/IEC 42001, and sector-specific AI rules are creating compliance obligations that traditional security certs don't address. SecAI+ governance topics map directly to those requirements.
- Future-proof skill set. AI-augmented attacks (LLM-generated phishing, AI-assisted malware, deepfake fraud) and AI-augmented defense (LLM-assisted SOC, AI threat hunting) are both growing. Proving competence in both directions hedges your career against the shift.
What you'll learn in the SecAI+ exam
SecAI+ covers two complementary tracks: defending AI systems against new attack classes, and using AI tools to extend the capability of human security teams. Expect scenario-driven questions that describe an AI workload or a security operations situation and ask which control, mitigation, or workflow fits — plus performance-based items where you walk through a simulated environment.
AI / ML security fundamentals
- Model attacks: training data poisoning, model extraction, model inversion, membership inference, adversarial examples (FGSM, PGD), evasion attacks.
- LLM-specific risks: direct and indirect prompt injection, jailbreaks, system prompt leakage, RAG poisoning at multiple layers, insecure output handling, overreliance on model output.
- Training data risks: sensitive data leakage in training corpora, regurgitation attacks, training data extraction from deployed models.
- Detection of AI-generated threats: deepfake media (image, audio, video), AI-crafted phishing and BEC, AI-generated malware variants and obfuscation patterns.
Securing AI systems (largest domain — 40%)
- Secure AI development lifecycle — data sanitization, provenance tracking, model validation, red-teaming, pre-deployment evaluation against adversarial inputs.
- MLOps security — model registries, signed model artifacts, supply-chain controls for foundation-model dependencies, secrets management in training pipelines.
- Securing inference infrastructure — API rate limiting, output filtering, content safety classifiers, prompt and response logging.
- RAG security — vector database access control, embedding poisoning defenses, retrieval-time injection prevention, source-document trust boundaries.
- Identity and access controls for model endpoints, embeddings stores, fine-tuning workflows, and human reviewer pipelines.
AI-assisted security operations
- LLM-assisted SOC triage — alert summarization, false-positive reduction, analyst copilot patterns, prompt-engineered detection rules.
- AI-powered threat hunting — anomaly detection at scale, behavioral baselining with ML, large-context log analysis.
- Generative AI for incident response — runbook drafting, stakeholder communication generation, post-incident report assembly.
- SOAR + AI integration — when AI augmentation is appropriate, when human-in-the-loop is mandatory, guardrails for autonomous response actions.
AI governance, risk, and compliance
- EU AI Act — risk-tiered obligations for AI systems sold or operated in the EU.
- NIST AI Risk Management Framework — Govern / Map / Measure / Manage functions and their operational controls.
- ISO/IEC 42001 — AI management system standard for enterprise governance.
- Sector-specific AI regulations across healthcare, finance, and public sector.
- Responsible AI considerations — bias detection, fairness metrics, transparency, explainability, human oversight requirements.
How the practice exams help
Each free question and every premium exam mirrors the scenario-driven format CompTIA uses across its intermediate certifications — long stem describing an AI workload or security ops situation, four to six plausible options, one or two correct. Detailed explanations cover not just why the right answer is right but why the distractors are wrong, so you learn the trade-offs rather than memorizing answers.
How to prepare for the SecAI+ exam
SecAI+ sits at the intersection of two disciplines that few candidates have equal depth in. A realistic prep plan accounts for whichever direction you're coming from:
- Establish baseline security and AI knowledge (1–2 weeks). If your background is security but light on AI, spend a focused week on AI / ML fundamentals — model lifecycle, training vs inference, foundation models vs fine-tunes, prompts and RAG. If your background is AI / ML but light on security, brush up on Security+ (SY0-701) topics — confidentiality / integrity / availability, threat modeling, IAM, network basics.
- Work through the OWASP top-ten lists (1–2 weeks). The OWASP LLM Top 10 and OWASP ML Security Top 10 are the de-facto reference for AI-specific risks and align tightly with the "Securing AI systems" domain. Read each entry's example attacks and recommended mitigations.
- Work through CompTIA CertMaster Learn + Practice (3–5 weeks). The official CY0-001 courseware maps directly to the four published domains and includes performance-based question simulations that mirror the live exam format.
- Hands-on AI security labs (1–2 weeks). Spin up a sandbox LLM (local model via Ollama or a sandboxed API key) and practice: crafting prompt-injection payloads, testing output filters, simulating data exfiltration via prompt manipulation, exercising RAG poisoning. Sites like PortSwigger's LLM attack labs and the HackTheBox AI track are useful sandboxes. Try AI-assisted SOC workflows in a free-tier SIEM.
- Governance frameworks (3–5 days). Read summaries of the EU AI Act, the NIST AI RMF, and ISO/IEC 42001. Don't memorize statute text — focus on risk tiers, the four NIST functions (Govern, Map, Measure, Manage), and how each maps to operational controls.
- Practice exams (1 week). Take timed practice tests to identify weak areas and build endurance for the 60-minute time limit, which is tighter than most CompTIA intermediate exams. Detailed explanations on every answer option help you learn the reasoning, not just memorize answers. Aim for consistent 80%+ scores before scheduling.
Recommended timeline
8–12 weeks of focused study (8–12 hours per week) for security professionals with some AI familiarity. AI / ML engineers without security background should budget 12–16 weeks. Pure beginners in both fields should earn Security+ first before attempting SecAI+.
Official resources
Download the official CompTIA SecAI+ exam page for current objectives and CertMaster Learn / Practice access. Supplement with the OWASP LLM Top 10, OWASP ML Top 10, NIST AI RMF documentation, ISO/IEC 42001, and the EU AI Act summary materials linked above. Vendor AI-security blogs (Anthropic, OpenAI, Google DeepMind, Microsoft Security) regularly publish applied case studies useful for scenario practice.
Frequently asked questions
Are these actual exam questions?
No. All Nex Arc CompTIA SecAI+ practice questions are original content based on the provider's published exam objectives, AI security best practices, and real-world scenarios across every topic the exam covers. We do not offer brain dumps, leaked questions, or actual exam content. Using or distributing real exam questions violates certification provider agreements and can result in certification revocation.
When was CompTIA SecAI+ released?
CompTIA SecAI+ (CY0-001) was released on February 17, 2026. It is CompTIA's first specialty credential focused specifically on the intersection of cybersecurity and artificial intelligence. The exam is currently available for registration through Pearson VUE at testing centers and via online proctoring.
How many questions are in the CompTIA SecAI+ exam?
The CompTIA SecAI+ exam contains a maximum of 60 questions, delivered in a mix of multiple-choice and performance-based formats. You have 60 minutes to complete the exam — notably shorter than most CompTIA intermediate exams (Security+ and CySA+ each allow 90 minutes), so time management is a meaningful part of your prep.
What's the SecAI+ passing score?
The passing score for CY0-001 is 600 out of 900 on CompTIA's scaled scoring model. This is lower than the 750/900 threshold used by Security+ and most other intermediate CompTIA exams, reflecting the specialty nature of SecAI+ and the relative novelty of AI security as a discipline. Performance-based questions still weigh more heavily than straightforward multiple-choice items.
How do I access the full SecAI+ practice exam?
Click on the Buy Now button in the sidebar to purchase the complete CompTIA SecAI+ course. After payment, you'll have instant access to 18 practice exams with detailed explanations and lifetime access.
What are the prerequisites for the SecAI+ exam?
CompTIA does not enforce hard prerequisites, but the recommended profile is 3-4 years of broad IT experience plus 2+ years of hands-on cybersecurity work. CompTIA suggests candidates hold Security+ (SY0-701), CySA+ (CS0-003), PenTest+ (PT0-003), or an equivalent security credential before attempting SecAI+. Working familiarity with AI/ML fundamentals — model lifecycle, training data, inference, RAG, LLM workflows — is also expected.
How long is the SecAI+ certification valid?
CY0-001 is valid for three years from the date you pass the exam. CompTIA's Continuing Education (CE) program lets you renew by earning CE units through approved training, conferences, related higher-tier exams, published research, or by retaking the current version of the exam.
What's the exam cost and can I retake it if I fail?
The CY0-001 exam is approximately $404 USD in the US (CompTIA's standard intermediate-tier list price; regional pricing and partner discounts apply). If you fail your first attempt, you can retake the exam immediately with no waiting period. A 14-day waiting period applies between subsequent attempts. Each attempt requires a new exam voucher; CompTIA Academic Store discounts and bulk voucher pricing can reduce the cost.
What topics does SecAI+ cover?
CY0-001 has four official domains: Basic AI concepts related to cybersecurity (17%), Securing AI systems (40%), AI-assisted security (24%), and AI governance, risk, and compliance (19%). The largest single domain — Securing AI systems at 40% — covers defending against adversarial machine learning, prompt injection, jailbreaks, model extraction, and training data poisoning. The AI-assisted security domain covers using AI tools (LLM-assisted SOC triage, AI threat hunting, generative AI in incident response) to extend human security teams.
How does SecAI+ compare to Security+?
Security+ (SY0-701) is a broad foundational cybersecurity credential covering threats, cryptography, identity, network defense, and governance across the full IT estate. SecAI+ (CY0-001) is a specialty credential focused exclusively on AI-related threats (prompt injection, model theft, training data poisoning, deepfakes, AI-generated phishing) and AI-enabled defense workflows. The two are complementary, not overlapping — many security professionals hold both, using Security+ to prove breadth and SecAI+ to prove AI-specific depth as their responsibilities shift toward AI systems.