Microsoft · Associate

Microsoft Security Operations Analyst (SC-200) practice exam & study guide

The Microsoft Security Operations Analyst (SC-200) is Microsoft’s associate certification for SOC analysts. It validates the ability to manage a security operations environment, respond to security incidents, and perform threat hunting using Microsoft Defender XDR, Microsoft Sentinel, and Kusto Query Language (KQL).

SC-200 is a hands-on, scenario-driven exam for security operations analysts. Questions test how you configure, investigate, and hunt across Microsoft’s security stack, not just what the products are.

This free hub gives you everything you need to prepare: a syllabus breakdown by exam domain, realistic scenario-style practice questions with teacher-style explanations, a glossary of the Microsoft security-operations services the exam relies on, and full-length timed mock exams that mirror the real testing experience.

60
Questions
100 min
Time limit
70%
Mock pass %
3
Domains

Start studying SC-200

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 3 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    60 questions · 100 min · 70% to pass our mock.

    Take the mock exam

All SC-200 study resources

SC-200 exam domains

The SC-200 exam is weighted across 3 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Manage a security operations environment43%Practice this topic
Respond to security incidents37%Practice this topic
Perform threat hunting20%Practice this topic

Sample SC-200 questions

A sample of the SC-200 questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key SC-200 terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the SC-200 exam.

SC-200 frequently asked questions

What is the SC-200 certification?+

Microsoft positions SC-200 as validating the skills of an analyst who reduces organizational risk by triaging and responding to incidents, hunting for threats, and engineering detections across multi-cloud and on-premises environments.

It centers on Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, Microsoft Purview, and Defender for Cloud, and expects proficiency with KQL for hunting and automation of responses — including agentic AI with Security Copilot.

What topics are on the SC-200 exam?+

The SC-200 exam is organised into three weighted domains. The percentages below are the midpoints of Microsoft’s published ranges, normalized to total 100. Managing the security operations environment is by far the largest area.

Manage a security operations environment (43%)

The heaviest domain. It covers configuring automation for Defender XDR and Sentinel (rules, playbooks, attack disruption), configuring Defender for Endpoint (advanced features, ASR rules, device groups), setting up the Sentinel SIEM (roles, retention, workbooks, SOC optimization), ingesting data via connectors, and configuring detections and analytics rules.

Respond to security incidents (37%)

Covers responding to alerts and incidents across Microsoft Defender XDR (Office 365, Purview, Defender for Cloud, Cloud Apps, Entra ID, Identity, Sentinel), investigating with agentic AI and embedded Security Copilot, responding in Defender for Endpoint (device timelines, live response), and investigating Microsoft 365 activities.

Perform threat hunting (20%)

Covers detecting threats with Defender XDR (choosing tables, KQL, Advanced Hunting, threat analytics, hunting graphs) and with the Sentinel platform (hunting queries, KQL jobs in Data lake, summary rules, Notebooks and the Sentinel MCP Server).

Is the SC-200 hard?+

SC-200 is an associate exam but a demanding one: it expects working knowledge of a broad Microsoft security stack and the ability to write KQL, not just recognize product names.

The difficulty comes from breadth across Defender XDR, Sentinel, and related services, and from hunting and detection questions that require reading and reasoning about KQL. Practising scenario questions and KQL until they are automatic is the key.

How many questions are on the SC-200 exam and how long is it?+

Microsoft does not fix a single public question count for SC-200; it typically presents roughly 40–60 questions in a mix of formats — multiple choice, multiple response, and case studies — with about 100 minutes of working time.

Our full-length practice mock uses a 60-question, 100-minute session so you can rehearse pacing under realistic time pressure before test day.

What score do you need to pass the SC-200?+

Microsoft scores SC-200 on a scale of 1 to 1,000, and the passing score is 700. That is a scaled score rather than a raw 70%, because Microsoft adjusts for question difficulty, and there is no penalty for wrong answers, so you should never leave a question blank. Our practice mock uses a 70% threshold to give you a comparable target.

How much does the SC-200 exam cost?+

The SC-200 exam fee is set by Microsoft and varies by region — check the Microsoft certification page for current pricing. Microsoft associate certifications are valid for one year and can be renewed for free through an online assessment on Microsoft Learn. Everything on this hub is free.

Who should take the SC-200?+

SC-200 is aimed at security operations analysts and SOC analysts who triage, investigate, and respond to threats, and at security engineers moving into detection and response.

Microsoft recommends familiarity with Microsoft security, compliance, and identity solutions, Microsoft 365, Azure services, and Windows, Linux, and mobile operating systems, plus experience with KQL, though there is no formal prerequisite.

What jobs and salaries can the SC-200 lead to?+

SC-200 maps to roles such as security operations analyst, SOC analyst, threat hunter, and detection engineer, where investigating and responding to threats on Microsoft’s stack is the core of the job.

How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. SC-200 is best viewed as validation of SOC-analyst skill on Microsoft security tools rather than a guaranteed raise on its own.

How long does it take to study for the SC-200?+

Candidates with security-operations experience often need six to ten weeks; those newer to Microsoft’s stack should plan longer. The most efficient path is to study each domain while practising in a Defender and Sentinel trial tenant, drilling KQL as you go.

Review every explanation, including for questions you answered correctly, because SC-200 distractors are built from plausible but incorrect configurations or queries. Use the per-domain results here to find and shore up your weakest area, then finish with full-length timed mocks.

How should you prepare for the SC-200?+

Study the three domains above, giving the most time to managing the security operations environment, then drill scenario questions domain by domain. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — essential for an exam that turns on exact configurations and KQL.

When you can answer scenarios comfortably, move to full-length timed mocks, ideally alongside hands-on practice with Sentinel and Advanced Hunting. Use the glossary to keep the services straight, and aim to score consistently above the pass mark before you book.

Can you take the SC-200 exam online?+

Yes. Microsoft delivers SC-200 through Pearson VUE, so you can test at a physical Pearson VUE centre or online with remote proctoring (OnVUE). The online exam requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you and a room scan before you start.

If you do not pass, Microsoft requires a 24-hour wait before a second attempt; after that, a 14-day wait applies between further attempts, with a limit of five attempts in a 12-month period, and each attempt needs its own registration.

What certification should you take after the SC-200?+

After SC-200, common next steps include the Cybersecurity Architect Expert (SC-100), the Identity and Access Administrator (SC-300), or the Information Security Administrator (SC-401), depending on your focus.

For many, the real next step is working in a Microsoft-based SOC. Pairing SC-200 with hands-on detection-and-response experience is what turns the certificate into a career.