SC-200 Study Guide UK 2026 — Microsoft Security Operations Analyst

Complete SC-200 study guide for UK engineers. Exam structure, topic breakdown, free resources, and the best paid courses. Updated March 2026.

Prices last verified: March 2026

Exam Details

SC-200

Exam name: Microsoft Security Operations Analyst
Passing score: 700 / 1000
Exam cost: £165

Skills measured

  • Mitigate threats using Microsoft Defender XDR (20–25%)
  • Mitigate threats using Microsoft Defender for Cloud (25–30%)
  • Mitigate threats using Microsoft Sentinel (50–55%)

Recommended study resources

AD: Pluralsight (Most Comprehensive)

SC-200 Learning Path

From £29/month

AD: We earn a commission on qualifying purchases at no extra cost to you.

What is SC-200?

The SC-200 — Microsoft Security Operations Analyst — is Microsoft's certification for security professionals who work in a Security Operations Centre (SOC) environment. It validates your ability to detect, investigate, and respond to threats using the Microsoft security stack: Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Defender for Cloud. It is a role-based certification aimed at practising SOC analysts, security engineers, and threat hunters who work day-to-day with Microsoft security tooling.

In the UK, SC-200 has become an increasingly sought-after credential in financial services, government, and NHS organisations that have adopted Microsoft Sentinel as their SIEM platform. FCA-regulated firms in particular are driving demand: as Sentinel deployments mature, organisations need analysts who can configure detection rules, write KQL queries, and manage incident workflows — all core SC-200 exam objectives. If you are already working with the Microsoft security stack, this certification directly validates those skills in a way that AZ-500 (more architecture-focused) does not.

The exam consists of 40–60 questions covering multiple formats: multiple choice, drag-and-drop scenario tasks, and case studies. There is no mandatory prerequisite, but Microsoft recommends familiarity with Azure fundamentals — AZ-900 is a useful foundation if you are new to the Azure platform. The passing score is 700 out of 1000, and the exam costs £165 when booked through Pearson VUE in the UK.

Exam Topic Breakdown

The SC-200 exam is divided into three domains. The weighting below is taken from Microsoft's official study guide and is approximate — individual exams may vary within these ranges.

Domain 1: Mitigate threats using Microsoft Defender XDR

20–25%
  • Defender for Endpoint — device onboarding, threat detection, and response
  • Defender for Office 365 — email threat protection, Safe Links, Safe Attachments
  • Defender for Identity — Active Directory threat detection and lateral movement
  • Defender for Cloud Apps — shadow IT discovery, session policies, app governance
  • Microsoft Defender portal — unified incident queue and cross-product investigation

Domain 2: Mitigate threats using Microsoft Defender for Cloud

25–30%
  • Security posture management — Secure Score, recommendations, cloud security graph
  • Workload protection — Microsoft Defender plans for VMs, containers, databases
  • Regulatory compliance — built-in frameworks, custom policy assignments
  • Defender for DevOps — code security posture, IaC scanning, GitHub/ADO integration

Domain 3: Mitigate threats using Microsoft Sentinel

50–55%
  • Workspace architecture — Log Analytics workspace design, cost management, RBAC
  • Data connectors and ingestion — Microsoft, partner, and custom connectors
  • KQL query writing — hunting queries, workbooks, detection rule logic
  • Analytics rules — scheduled rules, NRT rules, ML-based UEBA anomaly detection
  • Incident management — investigation, entity pages, investigation graph
  • SOAR — playbooks (Logic Apps), automation rules, Microsoft Sentinel orchestration
  • Threat intelligence — TAXII feeds, upload indicators, MITRE ATT&CK framework mapping
  • Content hub — solutions, standalone items, community contributions

Domain 3 carries more than half the exam. Engineers who work with Microsoft Sentinel daily — writing KQL, managing analytics rules, investigating incidents — have a significant structural advantage. If you are new to Sentinel, allocate at least half your study time here.

UK Context

In the UK job market, SC-200 is increasingly valued alongside the broader Sentinel ecosystem. Typical salary ranges for UK SOC analysts and security engineers holding SC-200 are £45,000–£75,000, with senior threat hunters and detection engineers in London-based financial services firms reaching £80,000+. The certification is particularly relevant to roles in banking, insurance, and asset management firms that have chosen Microsoft Sentinel as their primary SIEM — a pattern that has accelerated since FCA guidance on operational resilience encouraged firms to consolidate their security tooling.

NHS England and NHS Scotland have significant Sentinel deployments under the NHS Cyber Security programme. Public sector roles requiring SC-200 or equivalent Sentinel experience are increasingly common in central government and NCSC-aligned organisations. UK defence contractors also commonly list Sentinel experience as a requirement for SOC roles.

Practical exam information for UK candidates

  • Book via Pearson VUE at pearsonvue.com/microsoft — online proctored or test centre
  • Test centres available in London, Manchester, Birmingham, Edinburgh, and Bristol
  • Exam is English-only — no Welsh language option is currently available
  • Online proctored: requires a quiet room, working webcam, and a cleared desk
  • Many UK employers will fund SC-200 as continuing professional development (CPD) — check your L&D budget before paying personally
  • Microsoft exam vouchers occasionally available through Microsoft Learn Challenges and ESI agreements

Free Study Resources

There is a solid set of free resources for SC-200, anchored by Microsoft's own learning platform. The main limitation is the absence of exam-quality practice questions — free resources will build your knowledge but won't benchmark your exam readiness.

Official SC-200 learning path on Microsoft Learn

The authoritative free resource. Covers all three exam domains with structured modules, knowledge checks, and sandbox exercises.

SC-200 study guide (official PDF from Microsoft)

Lists every exam objective with links to the relevant Microsoft Learn modules. Use this as your exam checklist.

Microsoft Sentinel GitHub repository

Community detection rules, workbooks, and playbooks. Reviewing real detection logic is an excellent way to prepare for the KQL and analytics rules questions.

John Savill's SC-200 YouTube series

John Savill is widely regarded as the best free Azure certification resource. His SC-200 coverage is thorough and explains the why behind each feature, not just the what.

Microsoft Security Community blog

Real-world Sentinel deployment posts from Microsoft engineers and MVPs. Useful for understanding current product features and exam-relevant architecture patterns.

Limitations of free resources

Free resources do not include realistic practice exam questions — the most effective way to identify weak areas before the real exam. Without a practice test, you may pass knowledge checks on Microsoft Learn while still being underprepared for the scenario-based questions. If you are serious about passing first time, combine free resources with at least one paid practice test (see section below).

Recommended Study Plan

The following 6-week plan assumes part-time study of 1–2 hours per day. If you are already working with Microsoft Sentinel daily, compress Weeks 4–5 and use that time for additional practice exam runs.

Weeks 1–2

Microsoft Defender XDR (Domain 1)

  • Complete the Defender XDR modules on Microsoft Learn
  • Focus on Defender for Endpoint — the most heavily tested sub-topic in Domain 1
  • Practice navigating the Microsoft Defender portal in a trial tenant
  • Understand the difference between Defender for Identity and Entra ID Protection
Week 3

Microsoft Defender for Cloud (Domain 2)

  • Work through the Defender for Cloud modules on Microsoft Learn
  • Understand Secure Score — how recommendations are weighted and remediated
  • Review regulatory compliance dashboard — NIST, CIS, PCI-DSS framework mappings
  • Defender for DevOps is new — do not skip it, it appears in current exams
Weeks 4–5

Microsoft Sentinel (Domain 3) — the heaviest domain

  • This domain carries 50–55% of the exam — give it the most time
  • Set up a free Sentinel trial workspace and practice hands-on
  • Write KQL queries daily: summarize, join, extend, project, where, parse
  • Build at least one scheduled analytics rule and one NRT rule from scratch
  • Configure a Logic Apps playbook and attach it to an automation rule
  • Review the MITRE ATT&CK framework mapping in the threat intelligence blade
Week 6

Practice exams and revision

  • Take a full MeasureUp practice test under exam conditions (timed, no notes)
  • Review every incorrect answer — read the explanation and the linked Microsoft Learn module
  • Re-read the Microsoft Learn modules for your two weakest sub-topics
  • Take a second MeasureUp practice test to confirm readiness
  • Book your exam if consistently scoring 75%+ on practice tests

Booking the Exam in the UK

SC-200 is delivered exclusively through Pearson VUE. You can choose between an online proctored exam (from home) or an in-person test centre sitting.

Online Proctored

  • Sit the exam from any quiet room with a working webcam
  • Desk must be cleared — no notes, second monitors, or phones
  • Requires reliable internet connection (minimum 1 Mbps up/down)
  • Available 24/7 — no need to travel to a test centre

UK Test Centres

  • London (multiple locations — City and West End)
  • Manchester, Birmingham, Edinburgh, Bristol
  • Book specific centres at pearsonvue.com/microsoft
  • Arrival 15 minutes early is required — bring two forms of ID

Reschedule and retake policy

  • Reschedule or cancel for free up to 6 business days before your exam date
  • Cancellation within 6 business days forfeits the full exam fee (£165)
  • If you do not pass: wait 24 hours before rebooking for your second attempt
  • Microsoft Exam Replay — purchase a retake voucher at a discount at the time of booking
  • A second retake requires a 14-day wait; a third or subsequent attempt requires 14 days and can only be taken twice per 12-month period

AD: MeasureUp (Official Microsoft Partner)

SC-200 Official Practice Test

From £99
