- What Performance-Based Questions Actually Test on SecAI+
- The PBQ Formats You Will Encounter
- Which Domains Drive the Most PBQs
- Mastering Domain 2: Securing AI Systems
- Domain 3 in Practice: AI-Assisted Security Tasks
- A Domain-Anchored Preparation Schedule
- Test-Day Mechanics and Time Management
- Frequently Asked Questions
- SecAI+ (CY0-001) includes performance-based questions within a 60-question, 60-minute exam, leaving almost no buffer time per question.
- Domain 2 (Securing AI Systems) carries 40% of exam weight and is the most likely source of complex, scenario-driven PBQs.
- PBQs appear early in the exam; skipping and returning wastes the limited time, so practice pacing under real conditions before test day.
- The passing score is 600 on a 100-900 scale; PBQs are weighted more heavily than multiple-choice, making them disproportionately important.
What Performance-Based Questions Actually Test on SecAI+
Performance-based questions are not simply harder multiple-choice items. They require you to demonstrate a skill inside a simulated environment or structured scenario rather than select a memorized answer. On the CompTIA Security AI+ exam (CY0-001), that distinction matters enormously because the subject matter blends traditional cybersecurity controls with entirely new attack surfaces introduced by machine learning pipelines, large language models, and AI-assisted threat detection tools.
A candidate who has memorized definitions of model poisoning or adversarial inputs but has never worked through a scenario that asks them to identify the correct mitigation control within a specific AI deployment context will struggle. PBQs reward applied understanding. They expose whether you can map a problem to the right control category, configure a conceptual environment correctly, or sequence a set of actions in the proper order, all under time pressure.
Before diving into preparation tactics, it is worth understanding what kinds of tasks PBQs simulate on this specific exam, because the SecAI+ PBQ pool is shaped by its four domains and their relative weights in ways that differ meaningfully from older CompTIA certifications.
The PBQ Formats You Will Encounter
CompTIA uses several distinct PBQ interaction types, and SecAI+ likely draws on a subset of them given its technical focus. Understanding each format in advance eliminates the cognitive shock of encountering an unfamiliar interface on exam day.
Drag-and-Drop Matching
You are presented with a list of terms, controls, or attack types on one side and a set of categories, system components, or policy slots on the other. The task is to match each item correctly. On SecAI+, expect these to involve pairing AI-specific threats (prompt injection, data poisoning, model inversion) with the appropriate control layer: model controls, gateway controls, access controls, or monitoring and auditing controls, all sub-topics within Domain 2.
Scenario-Based Configuration
A simulated dashboard, policy editor, or network diagram is presented. You must click, toggle, or select options to configure a system correctly. On SecAI+, this could involve setting appropriate access controls for an AI inference endpoint, selecting the right data security controls for a training dataset, or configuring an AI gateway policy to block a category of adversarial input.
Ordered Sequencing
You must arrange a series of steps in the correct procedural order; for example, the correct sequence for auditing an AI model's output for compliance with a governance framework (Domain 4), or the correct incident response sequence when an AI-assisted security tool generates a confirmed false negative on a live threat.
Multiple-Response
Select all correct answers from a list of six or more options. These blur the line between PBQ and multiple-choice but are graded on full correctness, making partial credit unlikely. These appear frequently when a question asks which combination of controls addresses a specific AI risk scenario.
Key Takeaway
Practice each PBQ format type deliberately, not just the content behind it. Encountering a drag-and-drop interface for the first time during the actual exam will cost you more than not knowing one control's name.
Which Domains Drive the Most PBQs
The four SecAI+ exam domains are not weighted equally, and that unequal weighting shapes both the volume and complexity of PBQs you should expect.
| Domain | Weight | PBQ Likelihood | Primary PBQ Theme |
|---|---|---|---|
| Domain 1: Basic AI Concepts Related to Cybersecurity | 17% | Low-Moderate | Classifying AI attack types; identifying threat vectors in AI system diagrams |
| Domain 2: Securing AI Systems | 40% | High | Applying model, gateway, access, and data security controls; configuring monitoring and auditing |
| Domain 3: AI-Assisted Security | 24% | Moderate-High | Using AI tools within a security workflow; interpreting AI-generated alerts; validating AI output |
| Domain 4: AI Governance, Risk, and Compliance | 19% | Moderate | Sequencing governance steps; mapping AI risk to compliance frameworks |
The weighting tells a clear story: approximately four out of every ten scored questions draw from Domain 2. Even if only half of those are PBQs, that domain is where exam outcomes are won or lost. Candidates who have reviewed the SecAI+ Prerequisites and Experience Requirements 2026 will recognize that CompTIA designed this exam for practitioners who have already dealt with real security architecture, and Domain 2's PBQs will probe exactly that experience.
Mastering Domain 2: Securing AI Systems
At 40% of the exam, Domain 2 demands the most concentrated preparation. Its sub-topics are not generic security concepts rebranded with AI terminology; they represent genuinely distinct control categories that apply to machine learning systems and AI-enabled services in ways that differ from traditional application security.
Domain 2: Securing AI Systems (40%)
Candidates must be able to identify, select, and apply the correct controls across five distinct control categories for AI deployments.
- Model controls: Protecting the model artifact itself: integrity verification, version control, adversarial robustness testing, and preventing unauthorized model extraction or inversion attacks.
- Gateway controls: Filtering and validating inputs and outputs at the API or inference gateway layer: rate limiting, input sanitization, prompt injection defenses, and output filtering for sensitive data exposure.
- Access controls: Applying least privilege to model training pipelines, inference endpoints, and AI platform administrative interfaces; managing API keys and service accounts for AI workloads.
- Data security controls: Securing training data, validation datasets, and inference logs, covering data provenance, differential privacy techniques, encryption at rest and in transit, and supply chain controls for third-party datasets.
- Monitoring and auditing for AI systems: Implementing logging strategies for model inputs and outputs, detecting concept drift and data poisoning through behavioral monitoring, and generating audit trails for compliance.
PBQs in this domain often present a partially configured AI deployment and ask you to identify what is missing or misconfigured. For example, a scenario might show an AI inference API with authentication enabled but no output filtering policy, and ask you to drag the missing control into the correct position. Without hands-on familiarity with how these control categories relate to each other architecturally, the scenario will feel abstract even if you recognize the terminology.
To build that applied understanding, work through SecAI+ practice scenarios that force you to make control-selection decisions in context, rather than simply quizzing you on definitions.
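As an added illustration of the scenario above (this is not code from the original article or from CompTIA's exam materials), the following Python sketch layers the Domain 2 control categories in a hypothetical inference gateway: the Gateway class, its handle method, the leaky_model stub and the redaction patterns are all constructed for this example, and it shows why authentication alone does not stop sensitive data from leaving an endpoint that lacks an output filter.

```python
import re
from collections import defaultdict

# Constructed output-filter patterns (illustrative, not exhaustive).
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

class Gateway:
    def __init__(self, model, *, require_auth=True, rate_limit=5,
                 max_prompt_len=512, output_filtering=True):
        self.model = model                        # callable: prompt -> text
        self.require_auth = require_auth          # access control
        self.rate_limit = rate_limit              # gateway: per-caller quota
        self.max_prompt_len = max_prompt_len      # gateway: input validation
        self.output_filtering = output_filtering  # gateway: output filter
        self.calls = defaultdict(int)
        self.audit_log = []                       # monitoring/auditing trail

    def handle(self, caller, api_key, prompt):
        # Each control layer runs in order; the first failing layer denies.
        if self.require_auth and not api_key:
            return self._log(caller, "denied:unauthenticated", "")
        self.calls[caller] += 1
        if self.calls[caller] > self.rate_limit:
            return self._log(caller, "denied:rate_limited", "")
        if len(prompt) > self.max_prompt_len:
            return self._log(caller, "denied:prompt_too_long", "")
        text = self.model(prompt)
        redactions = 0
        if self.output_filtering:
            for name, pattern in SENSITIVE.items():
                text, n = pattern.subn(f"[REDACTED {name}]", text)
                redactions += n
        return self._log(caller, f"ok:redacted={redactions}", text)

    def _log(self, caller, outcome, text):
        self.audit_log.append((caller, outcome))  # every decision is auditable
        return outcome, text

def leaky_model(prompt):
    """Constructed model that regurgitates memorized training data."""
    return "Sure: contact alice@example.com, key AKIAIOSFODNN7EXAMPLE"

def demo():
    """The PBQ scenario (auth on, no output filter) beside the hardened form."""
    weak = Gateway(leaky_model, output_filtering=False)
    hardened = Gateway(leaky_model)
    return weak.handle("u1", "key", "contact?"), hardened.handle("u1", "key", "contact?")
```

Running demo() shows the weak gateway returning the memorized email and key verbatim while the hardened one returns the same response with both values redacted and logged.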
Domain 3 in Practice: AI-Assisted Security Tasks
Domain 3 (AI-Assisted Security, 24%) is the second most likely source of PBQs and tests a fundamentally different skill set than Domain 2. Where Domain 2 asks you to secure an AI system, Domain 3 asks you to use AI tools as part of a security workflow, and to do so critically.
PBQs here might present an AI-generated threat alert with supporting evidence and ask you to validate whether the AI's conclusion is accurate, identify what additional context is needed, or determine the appropriate next action in an incident response process. They might also ask you to configure an AI-assisted SIEM rule, select appropriate AI tools for a specific threat hunting task, or interpret the output of an AI anomaly detection system in context.
The Critical Validation Skill
One of the highest-value competencies tested in Domain 3 is the ability to validate AI output rather than accept it uncritically. Expect PBQs that give you an AI-generated security recommendation and ask you to evaluate it for accuracy, bias, or inappropriate confidence given the available data. This requires understanding how AI systems fail, a concept that bridges Domain 1 (Basic AI Concepts) and Domain 3 in practice.
Candidates who want a deeper view of what background qualifies someone to handle these scenarios should review the SecAI+ Prerequisites and Experience Requirements 2026, which outlines the hands-on cybersecurity experience CompTIA expects you to bring to this material.
A Domain-Anchored Preparation Schedule
Generic study schedules do not work for SecAI+ because the domain weights are highly uneven. The following schedule reflects those weights directly, front-loading Domain 2 while ensuring every domain receives deliberate PBQ practice before test day.
Domain 1 + Domain 2 Foundation (Basic Concepts + AI System Architecture)
- Map AI attack categories (poisoning, evasion, inversion, extraction) to the control categories in Domain 2; this cross-domain connection appears directly in PBQs.
- Build a personal reference diagram showing how model controls, gateway controls, and access controls layer in a typical AI deployment.
- Complete 20-30 Domain 1 and Domain 2 multiple-choice practice questions daily on the SecAI+ practice platform to identify weak vocabulary before PBQ work begins.
Domain 2 Deep Work (Securing AI Systems - PBQ Focus)
- Spend the majority of study time on data security controls and monitoring/auditing; these sub-topics are complex and PBQ-heavy.
- Practice drag-and-drop and configuration PBQ formats specifically; use spaced repetition only on control definitions, not on scenario practice, which requires full cognitive load.
- Review a real AI API security configuration (e.g., Azure AI Content Safety or AWS Bedrock guardrails documentation) to ground abstract controls in real implementations.
Domain 3 + Domain 4 Applied Practice
- Work through AI-assisted security workflow scenarios: threat hunting with AI tools, validating AI alert outputs, and interpreting anomaly detection results.
- Study Domain 4 governance and compliance frameworks as they apply specifically to AI systems; EU AI Act risk categories and NIST AI RMF are high-value reference points.
- Practice sequencing PBQs for Domain 4 governance steps and Domain 3 incident response flows.
Full Simulation and Gap Closing
- Take at least two timed, full-length practice exams that include PBQs: strictly 60 minutes, no pausing.
- Score each PBQ attempt by domain and close any gap above 20% between your weakest and strongest domain before scheduling your Pearson VUE appointment.
- Review the Exam Objectives Document Version 1.1 one final time to confirm you have not missed any sub-topic that could appear in a scenario.
Test-Day Mechanics and Time Management
The SecAI+ exam gives you 60 minutes for up to 60 questions. That is an average of one minute per question with zero buffer. PBQs routinely take two to four minutes each. This arithmetic creates a real constraint: if you encounter five PBQs in the first fifteen minutes and spend three minutes on each, you have burned 25% of your time on roughly 8% of the questions.
The Flag-and-Return Strategy
CompTIA's exam interface allows you to flag questions and return to them. The recommended approach for PBQs is context-dependent. PBQs appear at the beginning of the exam in CompTIA's typical delivery format. Many experienced candidates advise attempting PBQs first while cognitive resources are fresh, then moving through multiple-choice, then returning to any flagged PBQs with remaining time. This approach works well for candidates who have practiced PBQ formats extensively. Candidates who find PBQs distracting or slow should flag them and build confidence with multiple-choice first, but only if they have practiced this flow and know their own timing.
Registration and Retake Facts Worth Knowing Before You Book
The exam fee is $359 USD for a single voucher or $408 for the retake bundle. If you want the financial safety net of a retake option, the bundle is the economical choice, but only purchase it before your first attempt, as it must be bought as a package. CompTIA's retake policy allows no waiting period between your first and second attempt, but requires a 14-day wait for any third attempt or beyond. The exam is available at Pearson VUE test centers and through OnVUE remote proctoring. Remote proctoring removes travel logistics but requires a controlled environment; test that environment in advance, including camera angles and network stability, before your actual sitting.
Once you have passed, the certification is valid for three years and renewable through CompTIA's Continuing Education program, which requires an annual CE fee of $50. As part of the Expansion certification series and carrying ANSI/ISO 17024 accreditation, SecAI+ is positioned for recognition in enterprise hiring, particularly in organizations deploying AI-integrated security operations centers, implementing AI governance programs, or managing AI model supply chain risk.
Frequently Asked Questions
CompTIA does not publish the exact number of PBQs per exam version. Based on the format of other CompTIA practitioner-level exams, candidates typically encounter between 3 and 10 PBQs within the 60-question pool. Because they are weighted more heavily than standard multiple-choice items, thorough PBQ preparation has an outsized effect on your final scaled score.
Start with Domain 2: Securing AI Systems. At 40% of the exam weight, it is the single highest-leverage area. Its five control categories (model controls, gateway controls, access controls, data security controls, and monitoring and auditing) appear across multiple question types, including the most complex PBQ scenarios. Foundational understanding here will also help you contextualize Domain 1 concepts and Domain 3 workflows.
Yes, the exam is available through OnVUE remote proctoring via Pearson VUE. The PBQ interface is identical to the in-person test center experience. However, remote candidates should verify that their monitor resolution and browser settings display simulated environments correctly during the system check. A technical issue mid-PBQ is far more disruptive than mid-multiple-choice.
The $408 retake bundle from CompTIA covers a second exam attempt only; it does not include study materials or PBQ-specific practice. If you do not pass on your first attempt, use the gap between attempts to identify which domains you underperformed in, then focus additional scenario practice specifically on those domains' PBQ formats before your second sitting.
Organizations integrating AI into security operations are the primary employers; this includes enterprises deploying AI-assisted SOC tools, financial institutions implementing AI fraud detection systems, government agencies managing AI governance and compliance programs, and managed security service providers adding AI capabilities to their portfolios. The certification signals both defensive AI security competence and the ability to use AI tools critically within a security workflow.
Ready to Start Practicing?
The SecAI+ exam rewards candidates who have worked through real PBQ scenarios under timed conditions, not just those who have read about the domains. Start building that applied fluency now with practice tests designed to match the CY0-001 exam format, including performance-based question simulations across all four domains.