5. Security Operations (28%)

This domain covers exam objectives 4.1 through 4.9 and accounts for roughly 25 of the 90 questions — the heaviest domain by far. Security Operations is where theory meets daily practice: hardening systems, managing assets, scanning for vulnerabilities, monitoring alerts, controlling access, automating responses, and handling incidents. If Phase 4 was about designing the fortress, Phase 5 is about running it — keeping the walls maintained, the guards posted, and the response team ready. The exam heavily favors scenario-based questions here, testing whether you can select the right operational action for a given situation.