AssociateVendor-specificMicrosoft· issued from US

SC-200

Microsoft Certified: Security Operations Analyst Associate

The SC-200 is Microsoft's role-based certification for Security Operations – with clear focus on its own product ecosystem (Microsoft Sentinel, Defender XDR, Security Copilot). It is not a vendor-neutral SOC certificate, but specifically validates the ability to detect and respond to threats in Azure and M365 environments. For teams already heavily invested in Microsoft technologies, it is very practical and relevant to the job market. Outside this stack, it loses significant weight. The exam will be updated on April 16, 2026 – candidates should review the current Study Guide.

Official page at Microsoft ↔ Compare with another cert

Exam fee

$165

Ongoing

—

Study time

60–120 hrs

Delivery

Hybrid

Validity

1 yr (renewal cycle)

› Quality score

31.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

Microsoft skills outline focused on Defender XDR + Sentinel; tightly scoped.

8.0/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

PBQ-style items with KQL and incident-investigation scenarios.

6.5/10

Currency & upkeep

How aggressively content is kept current with the field.

Refreshed within months of Defender / Sentinel feature changes — among the most current SOC certs.

9.0/10

Market recognition

How often this signal actually moves a hiring decision.

Common on SOC-analyst postings inside Microsoft-stack shops.

7.5/10

› Exam format

40–60 questions (multiple-choice + case studies), 120 minutes. Proctored via Pearson VUE. Passing score: 700/1000.

Retake policy

Fee: $165 per attempt

Wait: 1d between attempts

24-hour wait after first fail; 14 days between attempts 2-4. Max 5 attempts per 12-month window.

› Recertification

Valid for 1 year. Free online renewal exam on Microsoft Learn.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-001PD-WRL-003

Recognition

Global

Exam languages

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A10Security Operations

SOC operations, SIEM tuning, SOAR playbooks, alert triage, log analysis, runbook development.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

› Prerequisites

Experience

No formal prerequisites. Recommended: Experience with Microsoft Sentinel, Defender, and KQL.

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (1)

SC-900Microsoft

SC-200

Microsoft

Required by (0)

No certs require this one.

Recommended next (1)

SC-100Microsoft

› Careers that commonly pursue this cert

SOC Analyst

Monitor, detect, and respond to security threats in a Security Operations Center. The front line of cyber defense.

Detection Engineer

Build detection rules, tune SIEM systems, and hunt for threats that evade automated defenses.

Cloud Detection / SecOps Engineer

A hybrid role growing out of the realisation that SOCs need engineers who understand cloud-native telemetry, IAM-first threat models, and how to instrument AWS/Azure/GCP for detection.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications