SC-200 Exam Overview and Study Strategy

2-3 hours · Module 0 · Free
What you already know

The SC-200 validates security operations skills on the Microsoft stack. You may be studying for it, considering it, or wondering whether it matters. The exam underwent a major restructure on April 16, 2026. If you studied from pre-April materials, some of that preparation is misaligned.

What the SC-200 exam actually tests

The Microsoft Security Operations Analyst certification (SC-200) is a role-based credential that validates your ability to detect, investigate, and respond to threats using Defender XDR, Sentinel, and Defender for Cloud. The certification is operational, not theoretical. Candidates configure real environments, write KQL, and make triage decisions on active incidents. The passing score is 700 on a 1000-point scale using scaled scoring. Microsoft lists the exam duration as 100 minutes, and it typically contains 40-60 questions including case studies. The exam costs $165 USD, delivered through Pearson VUE at a testing center or online proctored. The certification earns the Microsoft Certified: Security Operations Analyst Associate credential, which ZipRecruiter data puts at an average salary of approximately $101,000 in the United States, with the majority of positions ranging between $79,000 and $122,000. The credential is one of the more practical Microsoft security certifications because the exam tests what the job actually requires, not what a product marketing team wants you to know.

The April 2026 restructure moved the exam from four domains to three, shifted weight heavily toward environment management, and added explicit objectives around Security Copilot and agentic AI. The protection-configuration domain that previously covered Defender product setup was absorbed into the environment management domain. The exam's direction is unmistakable: configuring Defender products is prerequisite knowledge that you should arrive with. Operating the environment those products create is the skill being tested. If a study guide you are using still separates "Configure protections and detections" into its own 15-20% domain, or weights incident response at 25-30%, it is based on the pre-April structure and will misallocate your study time.

Scenario

A colleague spent three weeks on SC-200 flashcards and practice exams. They memorized the analytics rule types, listed the Defender products, and knew the four incident severity levels. They passed with a 780. Two weeks later, an alert fired for suspicious inbox forwarding rule creation. The incident contained three correlated alerts across email, identity, and endpoint. They had never seen a real multi-product correlation. They had never written a KQL query to determine the scope. The exam tested whether they knew what correlation means. It never tested whether they could investigate one.

Domain 1: Manage a security operations environment (40-45%)

The heaviest domain. Nearly half the exam tests whether you can configure and maintain a Sentinel workspace, connect data sources, build detection rules, and manage automation. Four objective groups cover this domain: Defender XDR and Sentinel automation configuration, Sentinel SIEM platform configuration, data ingestion and normalization, and detection configuration including scheduled rules, NRT rules, threat intelligence rules, machine learning rules, MITRE ATT&CK coverage mapping, anomaly detection, and workbook creation.

The weight doubling from the pre-April structure (20-25% to 40-45%) is the single biggest change in the update. The exam is telling you where analysts spend most of their time: configuring and maintaining the SOC platform, not just reacting to alerts on it. Expect questions about workspace design decisions (single workspace vs. multi-workspace), data connector configuration and troubleshooting, Data Collection Rule (DCR) configuration for filtering ingestion at the source, automation rule sequencing and playbook trigger conditions, and analytics rule tuning parameters like lookback windows, frequency, alert grouping, and entity mapping.

The April 2026 update added objectives for KQL jobs in Data Lake, Summary rule tables for efficient querying of large historical datasets, and the Sentinel MCP Server for AI-assisted analysis. These reflect where the platform is heading. You do not need deep expertise in every new feature, but you do need to recognize where each one belongs in a SOC workflow and when to use it over the alternative.

Course mapping: Modules 1, 6, 7, 8, 10, and 11 cover this domain. Module 6 (KQL) is the most important single module for Domain 1 performance. Module 10 (detection engineering) covers analytics rule configuration at production depth. Module 8 (data connectors) covers the ingestion objectives.

SC-200 EXAM DOMAINS — APRIL 2026 UPDATE

DOMAIN 1: MANAGE A SECURITY OPERATIONS ENVIRONMENT (40-45%)
  Configure Defender XDR + Sentinel automation · Sentinel SIEM platform config · Data ingestion
  Analytics rules (scheduled, NRT, TI, ML) · MITRE ATT&CK coverage · Anomalies · Workbooks
  Course modules: M1, M6, M7, M8, M10, M11

DOMAIN 2: RESPOND TO SECURITY INCIDENTS (35-40%)
  Investigate + remediate across all Defender products · Agentic AI + embedded Copilot
  Multi-stage + lateral movement attacks · Case management · Device timeline + live response
  Course modules: M1, M2, M3, M4, M5, M9, M12-M16

DOMAIN 3: PERFORM THREAT HUNTING (20-25%)
  KQL queries + Advanced Hunting · Threat analytics · Hunting graphs + blast radius
  KQL jobs in Data lake · Summary rule tables · Notebooks + Sentinel MCP Server
  Course modules: M6, M11

April 16, 2026 update: 4 domains → 3. Protection config absorbed into Domain 1. Copilot + MCP added.

Figure 0.2 — The SC-200 exam restructured from four domains to three in April 2026. Domain 1 carries the heaviest weight, absorbing the previous "Configure protections and detections" domain into environment management.

Domain 2: Respond to security incidents (35-40%)

The second-largest domain tests investigation and remediation across all Defender products. Two objective groups: investigating and remediating Defender XDR incidents (including case management, device timelines, live response, investigation packages, and evidence collection), and investigating incidents using agentic AI and embedded Copilot for Security.

The Copilot addition matters for exam preparation. The exam now explicitly tests whether you can use Copilot to summarize incidents, generate guided response steps, analyze scripts, and assess device posture. The tested skill is evaluation, not usage. Can you identify when Copilot's incident summary misses a correlated alert? Can you recognize when its suggested response actions are incomplete? Module 5 covers Security Copilot at this operational depth, including the critical evaluation skills the exam tests.

The case study format is where Domain 2 carries real weight. The exam presents multi-paragraph scenarios describing an active incident and asks four to six questions about how you would investigate and respond. A typical case study describes an AiTM compromise that escalated to BEC with inbox rule manipulation, lateral movement to a second mailbox, and an attempted wire transfer modification. The questions test your reasoning through the attack chain: which KQL table reveals the inbox rule creation? Which Defender product shows the lateral movement? What containment actions do you take and in what order? What evidence do you preserve before resetting the password?

These questions cannot be answered by memorizing feature descriptions. They require having investigated similar attacks yourself. The Phase 4 modules (12-16) build exactly this capability. Each module walks through a complete multi-product incident of the kind the exam presents, with the same tools, the same KQL queries, and the same decision-making under ambiguity.

Course mapping: Modules 1, 2, 3, 4, 5, 9, and 12-16. Module 2 (Defender for Endpoint) covers device timelines, process trees, live response, and evidence collection procedures. Modules 12-16 provide the deepest preparation for case study questions.

Domain 3: Perform threat hunting (20-25%)

The smallest domain by weight, but the one where KQL fluency separates candidates who pass from candidates who score well. Two objective groups: detecting threats using Defender XDR (KQL table identification, query construction, Advanced Hunting, threat analytics interpretation, hunting graph creation with blast radius analysis) and detecting threats using the Sentinel platform (hunting query management, KQL jobs, Summary rule tables, and Notebook-based hunting including the Sentinel MCP Server connection).

Domain 3 questions typically present a hunting hypothesis and ask which KQL table contains the evidence, what operators to use, or how to structure the query. A question might describe a suspected credential harvesting campaign and ask which Advanced Hunting table you would query to find OAuth consent grants created in the last 72 hours. If you have written that query before, the answer is immediate. If you are reasoning from a memorized table list, you are spending exam time on something that should be automatic.
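The OAuth consent scenario above, worked through as an Advanced Hunting query. This is an added example, not course material or a Microsoft-supplied query. It assumes the tenant's Microsoft Entra activity lands in the Defender XDR table CloudAppEvents and that the consent event carries ActionType "Consent to application."; confirm that literal against your own data before trusting the filter (the distinct query in the leading comment does that). The baseline comparison goes a step beyond the question in the text: rather than only listing the last 72 hours, it measures that window against the preceding 30 days so an analyst can tell a campaign from normal self-service consent.

```kql
// Added example for the hunting hypothesis above; not course material.
// Hypothesis: a consent-phishing campaign led users to grant an OAuth
// application access to their data within the last 72 hours.
// Assumptions: Entra activity is streamed into CloudAppEvents and the consent
// event uses ActionType "Consent to application." Verify the literal first:
//   CloudAppEvents | where Timestamp > ago(72h) | distinct ActionType
let recent   = 72h;
let baseline = 30d;
let consents = CloudAppEvents
    | where Timestamp > ago(baseline)
    | where ActionType == "Consent to application.";
// Typical daily consent volume over the baseline window, excluding the
// 72 hours under investigation so a campaign cannot inflate its own baseline.
let dailyBaseline = toscalar(
    consents
    | where Timestamp <= ago(recent)
    | summarize PerDay = todouble(count()) / ((baseline - recent) / 1d));
consents
| where Timestamp > ago(recent)
| summarize
    RecentConsents = count(),
    DistinctUsers  = dcount(AccountObjectId),
    Users          = make_set(AccountDisplayName, 25),
    SourceIPs      = make_set(IPAddress, 25),
    // The raw payload carries the consented application's identity for review.
    Samples        = make_list(RawEventData, 3)
| extend ExpectedInWindow = dailyBaseline * (recent / 1d)
| extend RatioToBaseline  = iff(ExpectedInWindow > 0,
                                RecentConsents / ExpectedInWindow,
                                real(null))
```

A RatioToBaseline well above 1 with several distinct users is the signal that turns the hypothesis into an investigation; a null ratio means the tenant has no consent history in the baseline window, and the Samples column is then the only evidence to read. The pattern of scoping a recent window and comparing it to a longer baseline is the same whichever table the exam names.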

The new objectives around Sentinel Graph, hunting graphs with blast radius analysis, and Notebooks with MCP Server connections reflect Microsoft's investment in graph-based investigation and AI-assisted hunting. Sentinel Graph allows you to traverse entity relationships visually: starting from a compromised user, following the entities they interacted with, and identifying the blast radius of the compromise. The MCP Server connection allows AI models to query Sentinel data through a standardized protocol, enabling natural-language hunting queries that the model translates to KQL. Both capabilities are new enough that exam questions are likely to test conceptual understanding rather than deep configuration.

Course mapping: Modules 6 and 11. Module 6 builds KQL fluency from first principles, including filtering, aggregation, joins, time-series analysis, and the operators that appear in every hunting session. Module 11 teaches hypothesis-driven hunting methodology and the program framework that makes hunting sustainable rather than ad hoc.

What changed in April 2026

The additions reflect where Microsoft's security platform is heading operationally. Security Copilot is now an explicit investigation tool tested in Domain 2. Sentinel Graph for entity relationship analysis appears as a new hunting objective. KQL jobs and Summary rule tables for data lake integration are new to Domain 3. The Sentinel MCP Server, which allows AI models to query security data through a standardized protocol, is entirely new. These are production features that organizations are deploying now. The exam tests whether you can work in environments where they exist.

The removals are equally instructive for understanding the role's evolution. "Manage assets and environments" was deleted as a standalone objective group. "Configure protections in Microsoft Defender security technologies," which previously covered protection policy configuration for Defender for Cloud Apps, Office 365, Endpoint, and Cloud, was removed entirely as a tested domain. Three years ago, a security operations analyst spent substantial time deploying and configuring individual Defender products. Now most of that configuration is handled by Intune policies, security baselines, and template-driven deployments managed by platform engineering teams. The analyst's value has shifted to operating the platform after configuration: triaging the incidents those configurations generate, hunting for threats the automated detections miss, and engineering the custom detections that close the gaps specific to their organization's threat profile.

The weight redistribution tells the same story. Domain 1 (environment management) effectively doubled from 20-25% to 40-45%. Domain 2 (incident response) increased from 25-30% to 35-40%. The former protection-configuration domain was eliminated. The exam now spends 75-85% of its questions on operating and investigating, with the remainder on hunting. Configuration knowledge is assumed, not tested.

Scheduling and preparation

Schedule the exam after completing at least through Phase 3 (Module 11). At that point you will have configured a Sentinel workspace, connected data sources, built detection rules, written KQL across every major table, and learned hunting methodology. Phase 4 (Modules 12-16) adds investigation depth that strengthens Domain 2 performance, but it is not strictly required if your practice assessment scores are strong.

At five to eight hours per week alongside a full-time role, plan for ten to sixteen weeks to reach Phase 3 completion. Add two to four more weeks for Phase 4 if you want investigation confidence that makes Domain 2 case studies feel routine. Do not schedule the exam before completing Module 6 (KQL). Domains 1 and 3 both test KQL competence heavily, and without it the detection and hunting questions are guesswork.

The exam contains 40-60 questions delivered over 100 minutes. Question types include standard multiple choice, multiple select with a specified count ("choose two"), drag-and-drop ordering for process sequencing, and scenario-based case studies with four to six questions each. The case studies typically appear near the end and carry disproportionate weight. You cannot go back to previous case study questions after completing a case study section, so read carefully before answering.

Use the SC-200 practice assessment on Microsoft Learn as a diagnostic. Take it once before starting the course to identify weak areas. Take it again after Phase 3 to measure progress. Take it a final time after Phase 4 to confirm readiness. If any domain scores below 70%, review the mapped course modules before scheduling.

The certification is valid for one year, renewable through a free, unproctored, open-book assessment on Microsoft Learn. Set a calendar reminder for 11 months after certification. The renewal assessment tests current platform features, which means the operational competence you build through the course supports renewal directly. Memorized feature descriptions from static study guides go stale within months as Microsoft updates the portal, adds features, and retires old ones.

Security Operations Principle

Domain 1 is 40-45% of the exam and tests Sentinel workspace configuration, detection rule design, and data ingestion management. If you can configure a scheduled analytics rule with correct entity mapping, write the KQL that powers it, and explain why you chose a 5-minute frequency over 15 minutes for that specific detection, you will pass Domain 1. If you memorized that scheduled rules support entity mapping without having built one, you will not.
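The detection the principle describes, and the inbox rule question from the Domain 2 case study earlier in this section, share one query. This is an added example, not the course's own rule or a Microsoft template. It assumes the Office 365 connector populates the Sentinel table OfficeActivity and that the Exchange cmdlet parameters arrive in the Parameters column as a JSON array of {"Name": ..., "Value": ...} objects; the AccountName and AccountUPNSuffix columns exist only to feed the rule's entity mapping, which is configured on the rule, not in KQL.

```kql
// Added example; not the course's detection. Scheduled analytics rule query for
// inbox rule creation or modification that forwards, redirects or deletes mail.
// Assumptions: the Office 365 connector populates OfficeActivity, and Parameters
// holds a JSON array of {"Name": ..., "Value": ...} cmdlet arguments.
// No ago() filter here: a scheduled rule scopes TimeGenerated to its own lookback setting.
OfficeActivity
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("New-InboxRule", "Set-InboxRule")
| where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage")
| extend Params = parse_json(Parameters)
// Flatten the parameter array into one property bag per event so the rule
// name and the forwarding targets become first-class columns.
| mv-apply Param = Params on (
    where tostring(Param.Name) in~ ("Name", "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage")
    | summarize Details = make_bag(bag_pack(tostring(Param.Name), tostring(Param.Value)))
  )
| extend RuleName              = tostring(Details.Name),
         ForwardTo             = tostring(Details.ForwardTo),
         RedirectTo            = tostring(Details.RedirectTo),
         ForwardAsAttachmentTo = tostring(Details.ForwardAsAttachmentTo)
// Columns consumed by the rule's entity mapping (set in the rule definition):
//   Account -> Name = AccountName, UPNSuffix = AccountUPNSuffix
//   IP      -> Address = ClientIP
| extend AccountName      = tostring(split(UserId, "@")[0]),
         AccountUPNSuffix = tostring(split(UserId, "@")[1])
| project TimeGenerated, Operation, UserId, AccountName, AccountUPNSuffix, ClientIP,
          RuleName, ForwardTo, RedirectTo, ForwardAsAttachmentTo, Details
```

On scheduling: inbox rule changes are low-volume and high-impact, so running every 5 minutes costs almost nothing in query load and shortens the window in which forwarded mail leaves the tenant; a 15-minute frequency buys no efficiency worth that delay. Set the lookback a little longer than the frequency (10 minutes against a 5-minute frequency is an assumed, illustrative pairing) so ingestion latency does not drop events that arrive late, and group alerts per event or by the Account entity so the overlapping windows do not raise duplicate incidents. That reasoning, stated for a specific detection, is what the Domain 1 question is after.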

Next

Section 0.3 covers how to learn from text-based technical training, the prerequisite knowledge you should verify before Module 1, and the study cadence that makes the material stick.
