SC-200 exam domains
The SC-200 exam is weighted across 3 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Manage a security operations environment | 43% | Practice this topic |
| Respond to security incidents | 37% | Practice this topic |
| Perform threat hunting | 20% | Practice this topic |
Sample SC-200 questions
A sample of the SC-200 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- During an incident in Microsoft Defender XDR, an alert from Microsoft Defender for Cloud Apps flags a third-party OAuth application in your Entra ID t…View question
- A SOC analyst is investigating a Defender XDR incident that flags a user account exhibiting anomalous behavior: the user signed in from an unmanaged p…View question
- Your organization uses Microsoft Defender for Cloud with security alerts streamed into Microsoft Defender XDR. During an incident investigation in the…View question
- You manage Microsoft Defender for Endpoint for a large enterprise. The SOC wants unsanctioned and unmanaged devices discovered on the corporate networ…View question
- Your organization plans to deploy Microsoft Defender for Endpoint attack surface reduction (ASR) rules to block credential stealing from LSASS. The se…View question
- Your organization has enabled the ASR rule "Block Office applications from creating child processes" in Block mode across all Windows devices. A finan…View question
- Your organization uses Microsoft Defender for Endpoint. The SOC team wants critical production servers in a device group named 'Prod-Servers' to have…View question
- Your organization uses Microsoft Defender for Endpoint. The SOC lead wants brand-new, never-before-seen executable files that arrive on endpoints to b…View question
- Your organization uses Microsoft Defender for Endpoint. You have created three device groups, each with a machine membership rule and a different auto…View question
- During an incident investigation, you connect a live response session to a compromised Windows server and locate a suspicious executable at C:\Temp\sv…View question
Key SC-200 terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SC-200 exam.
SC-200 frequently asked questions
What is the SC-200 certification?+
Microsoft positions SC-200 as validating the skills of an analyst who reduces organizational risk by triaging and responding to incidents, hunting for threats, and engineering detections across multi-cloud and on-premises environments.
It centers on Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, Microsoft Purview, and Defender for Cloud, and expects proficiency with KQL for hunting and automation of responses — including agentic AI with Security Copilot.
What topics are on the SC-200 exam?+
The SC-200 exam is organised into three weighted domains. The percentages below are the midpoints of Microsoft’s published ranges, normalized to total 100. Managing the security operations environment is by far the largest area.
Manage a security operations environment (43%)
The heaviest domain. It covers configuring automation for Defender XDR and Sentinel (rules, playbooks, attack disruption), configuring Defender for Endpoint (advanced features, ASR rules, device groups), setting up the Sentinel SIEM (roles, retention, workbooks, SOC optimization), ingesting data via connectors, and configuring detections and analytics rules.
Respond to security incidents (37%)
Covers responding to alerts and incidents across Microsoft Defender XDR (Office 365, Purview, Defender for Cloud, Cloud Apps, Entra ID, Identity, Sentinel), investigating with agentic AI and embedded Security Copilot, responding in Defender for Endpoint (device timelines, live response), and investigating Microsoft 365 activities.
Perform threat hunting (20%)
Covers detecting threats with Defender XDR (choosing tables, KQL, Advanced Hunting, threat analytics, hunting graphs) and with the Sentinel platform (hunting queries, KQL jobs in Data lake, summary rules, Notebooks and the Sentinel MCP Server).
Is the SC-200 hard?+
SC-200 is an associate exam but a demanding one: it expects working knowledge of a broad Microsoft security stack and the ability to write KQL, not just recognize product names.
The difficulty comes from breadth across Defender XDR, Sentinel, and related services, and from hunting and detection questions that require reading and reasoning about KQL. Practising scenario questions and KQL until they are automatic is the key.
How many questions are on the SC-200 exam and how long is it?+
Microsoft does not fix a single public question count for SC-200; it typically presents roughly 40–60 questions in a mix of formats — multiple choice, multiple response, and case studies — with about 100 minutes of working time.
Our full-length practice mock uses a 60-question, 100-minute session so you can rehearse pacing under realistic time pressure before test day.
What score do you need to pass the SC-200?+
Microsoft scores SC-200 on a scale of 1 to 1,000, and the passing score is 700. That is a scaled score rather than a raw 70%, because Microsoft adjusts for question difficulty, and there is no penalty for wrong answers, so you should never leave a question blank. Our practice mock uses a 70% threshold to give you a comparable target.
How much does the SC-200 exam cost?+
The SC-200 exam fee is set by Microsoft and varies by region — check the Microsoft certification page for current pricing. Microsoft associate certifications are valid for one year and can be renewed for free through an online assessment on Microsoft Learn. Everything on this hub is free.
Who should take the SC-200?+
SC-200 is aimed at security operations analysts and SOC analysts who triage, investigate, and respond to threats, and at security engineers moving into detection and response.
Microsoft recommends familiarity with Microsoft security, compliance, and identity solutions, Microsoft 365, Azure services, and Windows, Linux, and mobile operating systems, plus experience with KQL, though there is no formal prerequisite.
What jobs and salaries can the SC-200 lead to?+
SC-200 maps to roles such as security operations analyst, SOC analyst, threat hunter, and detection engineer, where investigating and responding to threats on Microsoft’s stack is the core of the job.
How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. SC-200 is best viewed as validation of SOC-analyst skill on Microsoft security tools rather than a guaranteed raise on its own.
How long does it take to study for the SC-200?+
Candidates with security-operations experience often need six to ten weeks; those newer to Microsoft’s stack should plan longer. The most efficient path is to study each domain while practising in a Defender and Sentinel trial tenant, drilling KQL as you go.
Review every explanation, including for questions you answered correctly, because SC-200 distractors are built from plausible but incorrect configurations or queries. Use the per-domain results here to find and shore up your weakest area, then finish with full-length timed mocks.
How should you prepare for the SC-200?+
Study the three domains above, giving the most time to managing the security operations environment, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — essential for an exam that turns on exact configurations and KQL.
When you can answer scenarios comfortably, move to full-length timed mocks, ideally alongside hands-on practice with Sentinel and Advanced Hunting. Use the glossary to keep the services straight, and aim to score consistently above the pass mark before you book.
Can you take the SC-200 exam online?+
Yes. Microsoft delivers SC-200 through Pearson VUE, so you can test at a physical Pearson VUE centre or online with remote proctoring (OnVUE). The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.
If you do not pass, Microsoft requires a 24-hour wait before a second attempt; after that, a 14-day wait applies between further attempts, with a limit of five attempts in a 12-month period, and each attempt needs its own registration.
What certification should you take after the SC-200?+
After SC-200, common next steps include the Cybersecurity Architect Expert (SC-100), the Identity and Access Administrator (SC-300), or the Information Security Administrator (SC-401), depending on your focus.
For many, the real next step is working in a Microsoft-based SOC. Pairing SC-200 with hands-on detection-and-response experience is what turns the certificate into a career.