Azure Mastery

Microsoft Certification SC-200

Predict your score. Pass with proof.

On-device AI scores your readiness, builds an adaptive study plan, and flags topics fading from memory — before they cost you the exam.

315 practice questions · AI score prediction · 100% offline
Download free iPhone & iPad · Free to start

SC-200 Study App for iOS — Microsoft Security Operations Analyst

Get exam-ready for SC-200 (Microsoft Security Operations Analyst) on iPhone or iPad. Azure Mastery uses on-device AI to predict your readiness score across all three SC-200 domains, build a personalised study plan from your weak spots, and surface topics you're forgetting — all without sending a single byte off your device.

The exam

What is the SC-200 exam?

SC-200 is the Microsoft Certified: Security Operations Analyst Associate exam — the credential hiring managers expect when posting "SOC Analyst", "Security Operations Engineer", "Threat Hunter", or "Incident Responder" roles on the Microsoft stack. SC-200 covers the SOC analyst's day-to-day in Microsoft Sentinel and Microsoft Defender XDR, plus the broader Defender product family. It pairs with SC-900 on the way in, and is one of the prereqs for SC-100 (Cybersecurity Architect Expert).

SC-200 is hands-on and KQL-aware. It validates that you can configure and manage Microsoft Sentinel (workspaces, data connectors, analytics rules, watchlists, automation, hunting), investigate incidents end-to-end across Microsoft Defender XDR (Defender for Endpoint, Identity, Office 365, Cloud Apps), use Microsoft Defender for Cloud for posture and workload protection, and write KQL queries to hunt threats and build custom detections. Expect scenario questions that show a KQL snippet, an alert payload, or an incident graph and ask what you'd do next.

Microsoft updated the SC-200 skills outline on 16 April 2026. Every question in Azure Mastery's SC-200 bank is mapped to the current outline — no leftover questions on retired services. Read the official outline at learn.microsoft.com.

Skills measured · April 2026

SC-200 exam objectives

Three domains, with weights set by Microsoft's April 2026 update. Every domain summary below is paraphrased from the official skills outline; bullet-level objectives in Azure Mastery are tagged so you always know which domain you're being tested on and where your weak spots cluster.

Manage a security operations environment · 40–45%

The largest domain by far. Configure Microsoft Sentinel end-to-end — workspaces, data connectors (Azure activity, Microsoft 365, Defender XDR, third-party CEF/Syslog), log retention and table tiers, RBAC for Sentinel and Defender XDR. Build analytics rules (scheduled, NRT, Microsoft incident creation, anomaly), watchlists, threat-intelligence integration, and automation rules with Logic App playbooks. Configure Microsoft Defender for Cloud — Secure Score, regulatory compliance, workload protection plans (Servers, App Service, Storage, SQL, Containers), JIT VM access, recommendations and exemptions. Around 16–27 questions per sitting.

Respond to security incidents · 35–40%

The Defender XDR investigation surface. Triage and investigate incidents using Microsoft Defender for Endpoint (live response, automated investigation, response actions, device groups), Microsoft Defender for Identity (lateral movement, golden ticket, identity scoring), Microsoft Defender for Office 365 (anti-phishing, ZAP, attack-simulation training), and Microsoft Defender for Cloud Apps (CASB, anomaly detection, governance actions). Use the Defender XDR attack-story view and evidence graph to follow the kill chain. Around 14–24 questions.

Perform threat hunting · 20–25%

Smallest domain by weight, but the most KQL-heavy. Hunt with Microsoft Sentinel hunting queries and bookmarks, run advanced-hunting queries across Microsoft 365 / Defender XDR tables, build custom detection rules from saved hunts, and run livestream hunting sessions. Map activity to MITRE ATT&CK tactics and techniques, write KQL with joins, parse operators, time windows, and summarise. Around 8–14 questions.

Designed for SC-200

How Azure Mastery helps you pass SC-200

Azure Mastery ships with 315 SC-200 practice questions, every one written specifically against the current (April 2026) skills outline — not generic security trivia. Each question carries a domain tag mapped to the official three domains (manage SecOps environment, respond to incidents, threat hunting), so you always know which area you're being tested on and where your weak spots are clustered. KQL snippets, alert payloads, Sentinel analytics rules, and Defender XDR incident graphs appear throughout — matching the format of the live exam.

The on-device Exam IQ engine predicts your SC-200 score before you sit the exam. After roughly 30 questions it has enough signal to give a confidence-scored prediction (e.g. "708 ±60, 68% confidence") — and tells you the specific topics that are dragging your readiness down. No vague "study more" advice; just a ranked list of objectives where improvement would move your score the furthest.

The adaptive study plan rebuilds itself from your answer history. Miss a Sentinel analytics-rule scenario? You'll see another rule-type question in the next session. Master "Defender for Endpoint vs Defender for Identity" three sessions running and the engine backs off, surfacing fresh KQL hunting or automation-playbook scenarios. The plan optimises for the gap between where you are and the 700 pass score, not for blind volume.

Knowledge decay tracking matters more for SC-200 than for foundational exams — three SOC-analyst domains pack a lot of Microsoft Defender / Sentinel / KQL surface into a small bank, and the rule template you mastered three weeks ago is the rule you'll forget by exam day if you stop revising. Azure Mastery tracks every topic's decay curve and flags topics approaching expiry. The padlock icon on the Today screen is your "revisit before you forget" cue, and weak-spot drills automatically pull from decayed topics first.

Real exam simulation mode runs at SC-200's actual length and time pressure: a randomised 40–60-question set drawn from the full 315-question bank, weighted by domain percentages from the April 2026 outline, with the 100-minute timer running and no jumping back to flag-and-review. It's the closest you can get to the live Pearson VUE / online-proctored experience without sitting the exam.

Everything runs on-device. Your answer history, your readiness gauge, your decay alerts — none of it leaves your iPhone or iPad. No account required to start, no tracking, no sync server. Privacy-first by design.

6-week study plan

Suggested SC-200 study plan

Most candidates pass SC-200 after four to eight weeks of focused study, depending on prior SOC and KQL experience. The six-week plan below maps onto the three SC-200 domains, Azure Mastery's adaptive sessions, and the in-app exam simulator. Adjust pace to taste — the readiness gauge tells you when you're done, not the calendar.

  1. Manage the SecOps environment

    • Days 1–3: Microsoft Sentinel workspaces, data connectors (Azure activity, Microsoft 365, Defender XDR, third-party CEF/Syslog), log retention and table tiers, RBAC for Sentinel and Defender XDR.
    • Days 4–6: Analytics rules — scheduled, NRT, Microsoft incident creation, anomaly. Watchlists, threat-intelligence integration, custom UEBA where supported.
    • Days 7–10: Automation rules and Logic App playbooks — incident triage, alert enrichment, response actions. Workbooks and dashboards.
    • Days 11–14: Microsoft Defender for Cloud — Secure Score, regulatory compliance, workload protection plans (Servers, App Service, Storage, SQL, Containers), JIT VM access, recommendations and exemptions.
  2. Respond to security incidents

    • Days 15–17: Microsoft Defender for Endpoint — live response, automated investigation, response actions, device groups, attack-surface reduction.
    • Days 18–20: Microsoft Defender for Identity — lateral movement, golden ticket detection, identity scoring, sensors and connectors.
    • Days 21–23: Microsoft Defender for Office 365 — anti-phishing, ZAP, Safe Links / Safe Attachments, attack-simulation training.
    • Days 24–28: Microsoft Defender for Cloud Apps — CASB, anomaly detection, governance actions. Defender XDR attack-story view, evidence graph, kill-chain analysis.
  3. Threat hunting, sharpen, simulate

    • Days 29–32: KQL fundamentals — joins, parse operators, time windows, summarise, project, extend. Practise reading KQL snippets in scenario questions.
    • Days 33–36: Sentinel hunting — hunting queries, bookmarks, livestream sessions, custom detection rules from saved hunts. Advanced hunting in Defender XDR. MITRE ATT&CK mapping.
    • Days 37–40: Run Focus Weak Spots every morning. Manage-SecOps domain is 40–45% — weight your time accordingly.
    • Days 41–42: Two end-to-end Exam Simulator runs at full 100-minute length. Review carefully. If readiness gauge is 750+ with reasonable confidence, schedule the exam.

Inside the app

Every Microsoft question type, on iPhone

SC-200's question bank uses the same formats Microsoft puts on the live exam — not just multiple choice. Each visualisation below is a faithful mock of how the type renders inside Azure Mastery on iPhone and iPad. Exam-simulator mode runs all of them at full 100-minute length with no flag-and-review jumps, mirroring Pearson VUE.

Multiple choice

One correct answer from four to six options. The most common type on every Azure exam — practical recall of services, settings, and limits.

~50% of questions

Multi-select

Pick two or more correct answers from a list. Microsoft tells you exactly how many to choose. Partial credit is not awarded — you need every selection right.

All-or-nothing

Drag-and-drop

Arrange items into the correct sequence — deployment steps, the order in which operations occur in a pipeline, troubleshooting flows. Long-press to drag on touch.

Order matters

Hotspot

Tap the correct area of an image — the right setting in a portal screenshot, the right resource in a topology diagram. Practical visual recall under time pressure.

Tap target

Case studies

A multi-paragraph scenario followed by 4–6 linked questions. Common on SC-200 in the storage and identity domains; dominant on AZ-305 and AZ-400.

Multi-question

Why Wrong AI

An Azure Mastery exclusive. When you answer incorrectly, an on-device Apple Foundation Model writes a targeted explanation grounded in the correct rationale. Never leaves your device.

App exclusive

Frequently asked

SC-200 FAQs

How much does the SC-200 exam cost?

The SC-200 voucher is USD $165 in the United States. Pricing varies by region — in the UK it's typically around £128. Microsoft sometimes runs free-voucher promotions during events such as Microsoft Build or Microsoft Ignite, so check your Microsoft Learn profile for any active offers before booking. SC-200 also requires annual renewal (free, online), so factor that into long-term cost planning.

Does the SC-200 certification expire?

Yes. Microsoft Associate certifications including SC-200 expire annually. Renewal is free — a 25–30 question online assessment on Microsoft Learn within the six-month window before your expiration date. The renewal targets recent skills outline updates, so staying current is straightforward if you remain broadly active in the role. (Fundamentals certifications such as AZ-900 are different — those don't expire.)

What is the SC-200 retake policy if I fail?

The first retake is allowed after 24 hours. Second and third retakes each require a 14-day wait. Microsoft caps retakes at five attempts per 12-month rolling period. Each attempt requires a new voucher purchase.

How long should I study for SC-200?

Most candidates pass SC-200 after four to eight weeks of focused study, assuming some prior IT or cloud experience. If Azure is genuinely new to you, plan for two to three months — the exam expects you to know specific PowerShell and Azure CLI commands, not just describe concepts. Azure Mastery's readiness gauge tells you when you're exam-ready; don't book until it shows roughly 720 or higher with reasonable confidence.

SC-200 vs SC-900 — which should I take first?

SC-900 first if security concepts are new to you. SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) builds the cross-cutting Microsoft security vocabulary — Defender family, Microsoft Sentinel, Microsoft Entra, Microsoft Purview — without expecting hands-on triage. SC-200 is the role-based Associate exam: it expects you to investigate incidents in Defender XDR and write KQL hunting queries. Most candidates pass SC-900 in a few weeks, then spend two to three months on SC-200.

SC-200 vs AZ-500 — different security roles?

Different angles on Microsoft security. AZ-500 is the Azure Security Engineer Associate cert — it focuses on hardening Azure resources end-to-end (identity, networking, compute/storage/databases, Defender for Cloud and Sentinel). SC-200 is the Security Operations Analyst Associate cert — it focuses on running Microsoft Defender XDR and Sentinel as a SOC analyst, with much heavier focus on incident triage, KQL hunting, and the broader Microsoft 365 security surface. Many Cybersecurity Architect Expert candidates hold both.

Where SC-200 fits

Certification paths that include SC-200

SC-200 is the Microsoft Security Operations Analyst Associate cert. It pairs with SC-900 as recommended fundamentals and is one of the prereqs for SC-100 (Cybersecurity Architect Expert).

Ready to pass SC-200?

Download Azure Mastery free. 315 SC-200 practice questions across all three domains, AI score prediction, full-length exam simulator, adaptive study plan. iPhone & iPad.

Download Azure Mastery — free iPhone & iPad · Free to start · No account required