Security Operations · SY0-701 · Task 4.4

Security monitoring — SY0-701

Master the Security+ SY0-701 concept of security monitoring: what it is, how it supports risk decisions, and the misconception candidates fall for on exam day.

WHAT IT IS

Security monitoring is the practice of maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

This definition comes directly from the NIST glossary entry for information security continuous monitoring (ISCM), sourced from NIST SP 800-137 and CNSSI 4009-2015. The operative phrase is support organizational risk management decisions — monitoring is not an end in itself, it is a decision-support activity.

A log, per the NIST glossary (NIST SP 800-92), is "a record of the events occurring within an organization's systems and networks." An alert, per CNSSI 4009-2015, is "notification that a specific attack has been directed at an organization's information systems." Security monitoring is the process that produces and acts on these artifacts, not the artifacts themselves.

Mental model

Think of security monitoring as the organization's ongoing pulse check. A doctor does not simply collect vitals and file them — the point is to detect change and inform treatment decisions. Likewise, security monitoring continually checks system and network events, compares them against expected behavior, and surfaces changes that require a risk response.

The NIST glossary defines monitoring (NIST SP 800-160v1r1, citing ISO Guide 73) as "continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected." Security monitoring applies this continual-change-detection idea specifically to information security posture.
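As an added illustration (not part of the original page), the Python sketch below keeps the three things the definitions above name apart: the log is the input record of events, the monitor function is the continual check against an expected level, and the Alert it emits is the output notification. Host names, users, the failed-login threshold and the window length are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (hypothetical hosts and users): a log is the
# record of events, the input to monitoring, not the monitoring itself.
SAMPLE_LOG = [
    "2024-05-01T10:00:05 host=web01 user=alice event=login_failed",
    "2024-05-01T10:00:09 host=web01 user=alice event=login_failed",
    "2024-05-01T10:00:12 host=web01 user=alice event=login_ok",
    "2024-05-01T10:05:01 host=web02 user=bob event=login_failed",
    "2024-05-01T10:05:02 host=web02 user=bob event=login_failed",
    "2024-05-01T10:05:03 host=web02 user=bob event=login_failed",
    "2024-05-01T10:05:04 host=web02 user=bob event=login_failed",
    "2024-05-01T10:05:05 host=web02 user=bob event=login_failed",
    "2024-05-01T10:05:06 host=web02 user=bob event=login_failed",
]


@dataclass(frozen=True, order=True)
class Alert:
    """The output artifact: a notification that expected behaviour was exceeded."""
    window_start: datetime
    host: str
    observed: int
    expected_max: int


def parse(line: str):
    """Split 'ISO-timestamp key=value ...' into a datetime and a field dict."""
    ts, *fields = line.split()
    return datetime.fromisoformat(ts), dict(f.split("=", 1) for f in fields)


def monitor(log_lines, expected_max: int = 3, window_minutes: int = 5):
    """Continual check: count failed logins per host in each window and surface
    any window that departs from the expected level. The cadence is the window
    length (assumed here); only departures from expected become alerts."""
    counts = defaultdict(int)
    for line in log_lines:
        ts, kv = parse(line)
        if kv.get("event") != "login_failed":
            continue
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        counts[(start, kv["host"])] += 1
    return sorted(
        Alert(start, host, n, expected_max)
        for (start, host), n in counts.items() if n > expected_max
    )
```

Raising expected_max changes what counts as a departure from the expected level without changing the log at all, which is the distinction between the artifact and the process.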

When to use it

A common exam confusion is between security monitoring and auditing. Both involve reviewing records, but they differ in timing and purpose.

Dimension             | Security monitoring               | Auditing
Timing                | Ongoing / continual               | Periodic / point-in-time
Purpose               | Support real-time risk decisions  | Verify compliance, accountability
Primary artifact used | Logs, alerts (live data streams)  | Audit logs (chronological records per NIST SP 800-37 Rev. 2)
Trigger               | Change from expected state        | Scheduled review or incident

An audit log, per NIST SP 800-171r3 and NIST SP 800-37 Rev. 2, is "a chronological record of system activities, including records of system accesses and operations performed in a given period." Auditing reads those records after the fact. Security monitoring generates and acts on event data as the organization operates.

COMMON MISCONCEPTION

The trap: treating "continuous" as meaning "every millisecond without exception."

Candidates often read "continuous monitoring" and assume it means uninterrupted, real-time surveillance of every single event with no tolerance for gaps. The NIST glossary entry for ISCM (NIST SP 800-137, CNSSI 4009-2015) clarifies that "continuous" and "ongoing" mean controls and risks are assessed at a frequency sufficient to support risk-based security decisions for adequate information protection — not necessarily at a constant, unbroken rate.

The implication for exam reasoning: a monitoring program assessed weekly may legitimately qualify as "continuous" if that frequency is sufficient for the organization's risk decisions. The exam may present a scenario where a candidate must judge whether a monitoring approach supports risk decisions — the key question is not "is it real-time?" but "does it maintain ongoing awareness sufficient for organizational risk management?"

How it shows up on the exam

The cognitive target for this concept is applying understanding, not simple recall. Candidates are expected to evaluate a described monitoring scenario and determine whether it supports risk-based decisions, or identify why a described approach falls short.

Signal phrases to recognize in stem and options:

  • "maintain ongoing awareness" — points to ISCM / security monitoring
  • "support risk decisions" — the stated purpose of monitoring per NIST SP 800-137
  • "identify change from the performance level required" — points to the monitoring definition from NIST SP 800-160v1r1
  • "notification that a specific attack has been directed" — this is an alert (CNSSI 4009-2015), which is an output of monitoring, not monitoring itself

Candidates often confuse a monitoring tool or artifact (a log, an alert, an audit trail) with the monitoring process. When an option describes a record or a notification, it is describing an artifact that monitoring produces — not the act of monitoring. The process is the ongoing awareness activity that collects, analyzes, and acts on those artifacts to inform risk decisions.

Related concepts

  • Log aggregation — the practice of collecting and centralizing logs that security monitoring depends on for event visibility
  • SIEM — a technology platform that supports security monitoring by correlating events and surfacing alerts across systems
  • Alert tuning — the process of refining alert thresholds to ensure monitoring outputs support actionable risk decisions rather than generating noise

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
