01 What is CompTIA SecAI+ (CY0-001)?
CompTIA SecAI+ is the first vendor-neutral cert focused on AI security. It tests whether you can secure AI systems, assess AI-specific risks, implement governance frameworks, and defend against adversarial ML attacks.
Most security certs bolt on an AI chapter as an afterthought. Most AI certs ignore security entirely. SecAI+ was built for people who work at the intersection. If you're securing AI systems, advising on AI risk, or building security into ML pipelines, this is your cert.
Mix of multiple-choice and performance-based questions, proctored through Pearson VUE (testing center or online). CompTIA recommends 3-4 years of hands-on cybersecurity experience with AI exposure, but there are no formal prerequisites. Anyone can register.
SecAI+ is not an entry-level cert. If you are new to cybersecurity, start with Security+. SecAI+ assumes you already understand network security, risk management, incident response, and governance fundamentals. What it tests is your ability to apply those concepts in AI-specific contexts.
02 Exam Domains and Weighting
Four weighted domains. The percentages tell you where to spend your study time.
| Domain | Weight |
|---|---|
| 1.0 Basic AI Concepts Related to Cybersecurity | 17% |
| 2.0 Securing AI Systems | 40% |
| 3.0 AI-assisted Security | 24% |
| 4.0 AI Governance, Risk, and Compliance | 19% |
Domain 1: Basic AI Concepts Related to Cybersecurity (17%)
The basics. AI/ML terminology (supervised vs. unsupervised, neural networks, deep learning), risk assessment frameworks for AI, data classification for training data, and security implications of different deployment models (on-prem, cloud, edge, hybrid).
Domain 2: Securing AI Systems (40%)
40% of the exam. This is where the meat is. Secure data pipelines, model training integrity, supply chain security for ML libraries and pre-trained models, secure API design for model serving, input validation, and testing methodologies. DevSecOps but for ML pipelines.
Domain 3: AI-assisted Security (24%)
How threat actors attack AI systems and how you defend against them. Adversarial ML techniques (evasion, poisoning, model extraction, model inversion), prompt injection, LLM jailbreaking, deepfakes, and threat modeling with MITRE ATLAS.
Domain 4: AI Governance, Risk, and Compliance (19%)
The regulatory domain. AI ethics, bias detection, explainability, EU AI Act risk tiers, NIST AI RMF, ISO/IEC 42001, and organizational AI policies. Technical people tend to underestimate this section. Don't.
Practice all exam domains with 670+ questions
This is the app I built to study for this exam. 670+ questions, spaced repetition, domain analytics. 50 questions free.
Get SecAI+ Prep on Google Play03 Study Strategy: 8-12 Week Plan
Cramming won't work here. The four domains require different types of thinking: conceptual, technical, and regulatory. Spread it over 8-12 weeks. Here's the plan I followed.
Foundations and Domain 1
Read the official exam objectives cover-to-cover. Study AI/ML fundamentals, security basics as they apply to AI, and risk assessment frameworks. Start daily practice questions to baseline your knowledge.
Domain 2: Securing AI Systems
Deep dive into the heaviest domain. Study secure ML pipelines, data integrity, supply chain security, and secure API design. Practice hands-on with ML frameworks if possible. Start using spaced repetition for review.
Domain 3: AI-assisted Security
Study adversarial ML techniques, prompt injection, MITRE ATLAS, and AI-specific attack vectors. Read published research on model poisoning and evasion attacks. This domain pairs well with hands-on labs.
Domain 4: Governance, Risk, and Compliance
AI governance frameworks (NIST AI RMF, EU AI Act, ISO 42001), ethics, bias mitigation. Lighter weight but the regulatory questions are tricky. Don't skip this.
Review, Practice Exams, and Weak Areas
Take full-length timed practice exams. Identify weak domains using analytics. Focus spaced repetition on questions you are getting wrong. Aim for 85%+ on practice tests before scheduling the real exam.
Spaced Repetition Strategy
Instead of re-reading material, you actively recall it at increasing intervals. SM-2 (same algorithm Anki and my app use) schedules questions based on how well you know each one. Get it wrong, it comes back tomorrow. Get it right five times, it shows up next month.
Do your reviews first thing in the morning. 15-20 minutes on due cards, then move to new material. I found this worked way better than doing reviews at the end of the day when I was already fried.
Practice Test Strategy
Don't save practice tests for the end. Start taking short quizzes from week one to find your gaps. Longer exams (30-50 questions) by week five. Full timed exams by week nine. Track your scores. If they plateau, change your approach for those domains.
04 Key Frameworks and Standards
You will get tested on these. Not trivia questions about who published what, but scenario-based questions about when to use each one and how they differ.
NIST AI Risk Management Framework (AI RMF)
The big one. Four core functions: Govern (accountability and culture), Map (contextualize risks), Measure (analyze and assess), and Manage (prioritize and act). This is probably the most heavily tested framework on the exam. Know the four functions and their sub-categories cold.
OWASP Top 10 for Large Language Models (LLMs)
The ten most critical security risks for LLM apps. Prompt injection, insecure output handling, training data poisoning, model DoS, supply chain issues, sensitive data disclosure, insecure plugins, excessive agency, overreliance, model theft. Maps straight to Domain 3. Read it.
MITRE ATLAS (Adversarial Threat Landscape for AI Systems)
ATT&CK but for AI/ML systems. Catalogs adversarial techniques, tactics, and real-world case studies. Covers recon through impact: ML model access, adversarial attacks, data manipulation. If you know ATT&CK, the structure is familiar. The techniques are AI-specific.
EU AI Act
EU's AI regulation. Four risk tiers: Unacceptable (banned), High risk (heavy compliance), Limited risk (transparency obligations), Minimal risk (no requirements). Know what falls into each tier and the compliance obligations. Yes, this is on the exam even if you're U.S.-based.
ISO/IEC 42001: AI Management System
First international standard for AI management systems. Same Plan-Do-Check-Act structure as ISO 27001. If you already know 27001, this maps pretty cleanly. Know how it connects to existing ISO frameworks and where it fits in an organization's AI governance strategy.
For each framework, create a one-page cheat sheet that answers: (1) Who published it? (2) What is its purpose? (3) What are its core components or functions? (4) When would you use it vs. the others? Being able to compare and contrast frameworks is a common exam question pattern.
05 Study Resources and Tools
No single resource covers everything. You'll need a mix. Here's what's actually worth your time.
Official CompTIA Materials
CompTIA SecAI+ Exam Objectives
Free PDF from CompTIA. The definitive list of every topic that can appear on the exam. Study this first.
CompTIA CertMaster Learn
Official self-paced online course with interactive lessons, videos, and knowledge checks per objective.
CompTIA CertMaster Practice
Official adaptive practice test engine. Good for identifying weak areas, though question variety is limited.
Practice Question Banks
Supplementary Reading
NIST AI RMF Documentation
Full text of the AI Risk Management Framework and the companion AI RMF Playbook. Free from nist.gov.
OWASP Top 10 for LLM Applications
Detailed writeups for each of the ten LLM-specific vulnerabilities. Essential for Domain 3 preparation.
MITRE ATLAS Knowledge Base
Case studies and technique descriptions for adversarial ML attacks. The AI equivalent of the ATT&CK matrix.
Online Courses
Communities
r/CompTIA (Reddit)
Active community with exam experiences, study tips, and resource recommendations from recent test-takers.
CompTIA Community Forums
Official CompTIA discussion forums with certification-specific boards and study group coordination.
The only SecAI+ practice test app
670+ questions across every objective. 50 free to try. Premium from $2.99/week or $25 lifetime.
Download SecAI+ Prep06 Sample Questions with Explanations
Three questions pulled from the app. These reflect the style and difficulty you'll see on the real exam.
NIST AI RMF is the right call because the question asks about systematically identifying risks before deployment. That's exactly what AI RMF's Govern-Map-Measure-Manage structure is built for. OWASP Top 10 for LLMs (A) is LLM-specific, not general fraud detection. MITRE ATLAS (C) catalogs attack techniques but isn't a risk management framework. ISO/IEC 42001 (D) is about organizational AI management processes, not initial risk identification.
Data poisoning corrupts training data to degrade model performance over time, which matches the gradual accuracy drop. Model inversion (A) reconstructs training data from outputs but doesn't hurt accuracy. Evasion attacks (B) fool individual predictions, not overall performance. Model extraction (D) copies the model through queries but doesn't affect the original.
Unacceptable risk (prohibited). The EU AI Act explicitly bans real-time remote biometric identification in public spaces for law enforcement, with very narrow exceptions. This is a specific prohibited use case. High risk (B) is for things like credit scoring or hiring tools. Limited risk (C) is chatbots with transparency requirements. Minimal risk (D) is spam filters and video game AI.
Notice the pattern: every question is scenario-based. You need to know when to apply each framework, how to diagnose attacks from symptoms, and what regulations actually mean in practice. Memorizing definitions won't cut it.
07 Exam Day Tips
No hack replaces preparation. But these tips help you avoid throwing away points you actually know.
Budget Your Time
Budget roughly 1 minute per question. Flag difficult questions and come back to them. Do not spend more than 2 minutes on any single question during your first pass. Use remaining time to review flagged items.
Read Every Word
CompTIA loves qualifiers like "MOST likely," "BEST," and "FIRST." Two answers may both be technically correct, but only one is the BEST answer for the specific scenario described. The scenario context matters.
Process of Elimination
If you are not sure, eliminate obviously wrong answers first. Getting from four options to two gives you a 50% chance even if you need to guess. Never leave a question blank.
Handle Performance-Based Questions
Performance-based questions (PBQs) often appear at the beginning. Many candidates skip them, do the multiple-choice questions first, then return to PBQs with remaining time. This is a valid strategy.
The Night Before
Do a light review of your cheat sheets the evening before. Do NOT cram. Get a full night of sleep. Eat a solid breakfast. Bring your two forms of ID. Arrive 30 minutes early.
Trust Your Preparation
If you have been scoring 85%+ on full practice exams consistently, you are ready. Anxiety during the exam is normal. Trust the work you have put in and move methodically through each question.
08 Frequently Asked Questions
Start studying today
670+ questions. Spaced repetition. Domain analytics. 50 questions free. The app I built to prep for this exact exam.
Get SecAI+ Prep on Google Play