CompTIA SecOT+ Course: Complete Study Guide for the SOT-001 Exam

CompTIA SecOT+ (SOT-001) is the certification for control engineers and cybersecurity professionals who secure operational technology (OT) and industrial control systems (ICS). It validates your ability to understand OT systems and safety, manage OT risk, apply OT threat intelligence, design secure OT architecture, run OT security operations, and lead OT incident response. This course covers all six exam domains so you build the practical skills the test demands. CompTIA recommends at least 3 years of hands-on OT experience and 2 years implementing cybersecurity in OT environments.
| Domain | Title | Exam Weight |
|---|---|---|
| 1.0 | OT Systems and Safety Foundations | 14% |
| 2.0 | OT Risk Management | 17% |
| 3.0 | OT Threat Intelligence | 14% |
| 4.0 | OT Cybersecurity Architecture, Design, and Engineering | 18% |
| 5.0 | OT Security Operations | 22% |
| 6.0 | OT Incident Management | 15% |
Exam details: Multiple-choice and performance-based questions. The exam targets practitioners who combine control-engineering knowledge with cybersecurity practice. Always confirm the current question count, time limit, and passing score on the official CompTIA objectives page before you sit the exam.
Resources
- Tips for Passing CompTIA Exams
- CompTIA SecOT+ Practice Test - Test your readiness
- Official SOT-001 Exam Objectives
- Cybersecurity Career Playbook
- CompTIA Security+ Course - Recommended foundation
- CompTIA CySA+ Course - Recommended for security operations
- Additional Learning Resources
Domain 1: OT Systems and Safety Foundations (14%)
OT Systems and Safety Foundations
- Put safety first, including lockout/tagout, job safety analysis, personal protective equipment, and safety briefings and outbriefs
- Identify OT components, including sensors, actuators, controllers, PLCs, HMIs, variable frequency drives, intelligent electronic devices, and remote terminal units
- Distinguish OT systems, including SCADA, distributed control systems, safety instrumented systems, historians, engineering workstations, and manufacturing execution systems
- Understand control logic and programming, including ladder logic, function block diagrams, structured text, process variables, and set points
- Compare OT protocols by transport, including serial Modbus and DNP3, Ethernet Profinet and OPC UA, and wireless VSAT and 802.11
- Contrast legacy and modern infrastructure, including embedded and real-time operating systems, virtualization, software-defined networking, and cloud
- Recognize the realities of IT/OT convergence and the role of real-time and embedded operating systems
Domain 2: OT Risk Management (17%)
OT Risk Management
- Define risk fundamentals, including risk appetite, likelihood, impact, inherited risk, and residual risk
- Apply risk frameworks and standards, including ISA/IEC 62443, NIST, and NERC CIP
- Conduct risk assessments, including qualitative and quantitative methods, architecture reviews, penetration tests, and adversarial emulation
- Choose risk treatments, including acceptance, transfer, avoidance, and mitigation
- Manage governance artifacts, including policies, standard operating procedures, RACI models, and risk registers
- Handle agreements and third parties, including MSAs, SLAs, MOUs, statements of work, and supply chain risk
- Control change, including change management workflows and rollback plans
Domain 3: OT Threat Intelligence (14%)
OT Threat Intelligence
- Use intelligence disciplines, including HUMINT, SIGINT, OSINT, IMINT, and MASINT
- Apply analysis models, including the Diamond Model, the intelligence life cycle, MITRE ATT&CK for ICS, and the ICS Cyber Kill Chain
- Study landmark OT threats, both direct attacks like Stuxnet, TRISIS, BlackEnergy, Industroyer, and FrostyGoop, and indirect events like Colonial Pipeline, SolarWinds, and NotPetya
- Profile threat actors, including nation-states, advanced persistent threats, hacktivists, cybercriminals, and intentional and unintentional insiders
- Recognize OT threat vectors, including removable media, phishing and vishing, lateral movement, IT-to-OT pivots, and rogue base stations
- Share and consume intelligence using indicators of compromise, YARA, STIX, ISACs, and threat feeds
Domain 4: OT Cybersecurity Architecture, Design, and Engineering (18%)
OT Cybersecurity Architecture, Design, and Engineering
- Apply design principles, including least privilege, defense in depth, compartmentalization, redundancy, high availability, and operational resilience
- Secure physical access, including access control vestibules, biometric access, bollards, port blockers, and distribution frames
- Harden devices, including Secure Boot, Trusted Platform Modules, tamper detection, drive encryption, code signing, and default password changes
- Segment the network, including the industrial demilitarized zone, zones and conduits, VLANs, data diodes, and unidirectional gateways
- Deploy detection and management, including OT-aware intrusion detection, host-based controls, out-of-band management, and jump boxes
- Control identity and access, including RBAC, ABAC, MAC, multifactor authentication, PKI, RADIUS, TACACS+, and privileged access management
Domain 5: OT Security Operations (22%)
OT Security Operations
- Build and maintain an asset inventory using passive, active, and manual discovery, plus a configuration management database
- Collect and analyze operational data, including packet captures, syslog, process logs, historians, SIEM, SOAR, and a collection management framework
- Detect threats through baselining, threat hunting, and IDS rule tuning
- Manage vulnerabilities, including triage, exposure and exploitability, software bills of materials, the National Vulnerability Database, and remediation verification
- Apply patches and compensating controls, including mitigating controls, version management, and scheduling planned downtime
- Secure media and field devices, including removable media scanning, sanitization kiosks, write blockers, media destruction, and calibration equipment
At 22% this is the heaviest-weighted domain, so build deep hands-on familiarity with asset visibility, monitoring, and vulnerability management in OT.
Domain 6: OT Incident Management (15%)
OT Incident Management
- Follow a response model, including the PICERL phases and the Incident Command System adapted for ICS (ICS4ICS)
- Coordinate response and communication, including crisis management, IT and OT coordination, mutual aid, ISACs, and escalation
- Prepare plans and playbooks, including incident response plans, runbooks, decision matrices, and incident response retainers
- Practice with exercises, including tabletop, purple-team, and full simulation drills, plus flyaway kits
- Recognize OT-specific incident effects, including loss of view, loss of control, loss of safety, and manipulation of view and control
- Perform investigation and forensics, including chain of custody, memory capture, historian data, sequence of events, and root cause analysis
- Execute containment through recovery, including isolation, quarantine, eradication, bare metal restore, hot swaps, lessons learned, and mandatory reporting
Work through all six domains, then test your readiness with the CompTIA SecOT+ Practice Test before exam day. SecOT+ pairs well with Security+ and CySA+, so review those foundations if you need them. For more certification courses and hands-on playbooks, visit Courses and Playbooks.