CySA+ Exam Flashcards

Q: What is the passing score for the CompTIA CySA+ CS0-003 exam?

CySA+ CS0-003 reports a Pass/Fail result. You must earn 750 on a scaled score that runs from 100 to 900. There is no per-domain minimum, so a weak domain can be offset by stronger domains. The exam has up to 85 multiple-choice and performance-based questions in 165 minutes, and CompTIA does not publish exam-level pass-rate percentages.

Q: What domains are on the CySA+ CS0-003 exam and how are they weighted?

CS0-003 has four domains: Security Operations (33%), Vulnerability Management (30%), Incident Response and Management (20%), and Reporting and Communication (17%). The first two domains make up 63% of the exam, so SIEM/log analysis and vulnerability prioritization should get the most study time. CompTIA tests applied analyst judgment, not just definitions.

Q: Do I need experience or prerequisites to take CySA+?

There is no required prerequisite certification. CompTIA recommends Network+ and Security+ knowledge plus about 4 years of hands-on security operations or incident response experience, but it is a recommendation, not a gate. Many candidates pass with 2-3 years of SOC or IR experience and focused study on SIEM, vulnerability scanning, and the incident response lifecycle.

Q: What is the CySA+ retake policy if I fail?

There is no waiting period before your second attempt - you may retake immediately after a first failure. From the third attempt onward, you must wait at least 14 calendar days between attempts. You cannot retake an exam version you have already passed, and each attempt requires a new $425 USD voucher.

Q: How is CySA+ different from Security+?

Security+ is a baseline credential covering broad security concepts. CySA+ is an intermediate analyst credential focused on the SOC workflow: detecting malicious activity in logs and telemetry, prioritizing vulnerabilities with CVSS, executing the incident response lifecycle, and reporting findings to stakeholders. CySA+ is DoD 8570/8140 approved for CSSP Analyst and CSSP Incident Responder roles.

Q: What jobs does the CySA+ certification support?

CySA+ maps to roles such as SOC Analyst (Tier 1-3), Security Analyst, Threat Intelligence Analyst, Incident Response Analyst, Vulnerability Analyst, and Junior Security Engineer. Because it validates hands-on detection and response skills, it is commonly used to satisfy DoD 8570/8140 baseline requirements for defense and government security operations positions.

Question 1

SIEM (Security Information and Event Management)

Accepted Answer

A platform that aggregates, normalizes, and correlates log and event data from many sources for detection, alerting, and investigation. Combines SIM (log retention/reporting) and SEM (real-time monitoring/correlation). It surfaces patterns no single log shows alone.

Question 2

Log collector vs correlation engine (SIEM components)

Accepted Answer

The log collector/forwarder ingests raw logs and normalizes them into a common schema. The correlation engine then applies rules across normalized events to detect multi-step activity. Bad parsing at the collector means the correlation engine never sees the attack.

Question 3

Syslog

Accepted Answer

A standardized logging protocol for network devices and Unix/Linux hosts using priority, timestamp, hostname, and message fields. It is the most common cross-vendor log format, which is why SIEMs ingest it natively. Compare with Windows Event Log for hosts.

Question 4

True positive vs false positive vs false negative

Accepted Answer

True positive: an alert that reflects real malicious activity. False positive: an alert on benign activity (causes alert fatigue). False negative: real malicious activity that produced no alert - the most dangerous because it goes uninvestigated.

Question 5

Tuning a detection rule

Accepted Answer

Adjusting rule thresholds, exclusions, and logic to reduce false positives without creating false negatives. Done by analyzing alert history and baselining normal behavior. Over-tuning silences alerts and creates blind spots; under-tuning buries analysts in noise.

Question 6

Behavioral analytics / UEBA

Accepted Answer

User and Entity Behavior Analytics builds a baseline of normal behavior, then flags deviations (anomalies) instead of matching known signatures. Strong against insider threats and novel attacks; weak when the baseline itself includes malicious activity.

Question 7

SOAR (Security Orchestration, Automation, and Response)

Accepted Answer

Automates repetitive SOC work through playbooks that orchestrate tools (enrich an IOC, isolate a host, open a ticket) without manual steps. Reduces mean time to respond. Compare with XDR, which unifies detection telemetry rather than automating workflow.

Question 8

XDR (Extended Detection and Response)

Accepted Answer

Correlates and analyzes telemetry across endpoint, network, cloud, and identity in one platform for unified detection and response. Broader than EDR (endpoint only). XDR focuses on cross-domain detection; SOAR focuses on automating the response workflow.

Question 9

EDR (Endpoint Detection and Response)

Accepted Answer

Continuously monitors endpoints, records process/file/registry activity, and enables response actions like host isolation and rollback. Goes beyond signature antivirus by capturing behavior for hunting and forensics. Endpoint-scoped; broaden with XDR.

Question 10

Threat hunting

Accepted Answer

Proactively searching for adversaries that evaded existing controls, driven by a hypothesis (e.g., 'an attacker is using scheduled tasks for persistence'). It is hypothesis-led, not alert-led. Hunting finds the false negatives monitoring missed.

Question 11

Indicator of Compromise (IOC)

Accepted Answer

A forensic artifact suggesting a host or network is compromised: file hash, malicious IP/domain, registry key, mutex, or unusual outbound traffic. IOCs are reactive evidence of a known threat. Contrast with IOAs, which describe attacker behavior.

Question 12

Indicator of Attack (IOA) vs Indicator of Compromise (IOC)

Accepted Answer

An IOA describes attacker behavior/intent in progress (e.g., credential dumping then lateral movement) and can catch unknown malware. An IOC is a static artifact of a known compromise. IOAs detect earlier; IOCs confirm and scope after the fact.

Question 13

Strategic vs operational vs tactical vs technical threat intelligence

Accepted Answer

Strategic: high-level trends and adversary motivations for leadership. Operational: details of specific campaigns/actors. Tactical: TTPs analysts use to build detections. Technical: short-lived IOCs (hashes, IPs). Audience and shelf life differ by level.

Question 14

Threat actor types

Accepted Answer

Nation-state/APT (well-resourced, stealthy, long dwell), organized crime (financially motivated, ransomware), hacktivist (ideological, often disruptive/defacement), insider (legitimate access), and script kiddie (low skill, opportunistic). Motivation drives expected TTPs.

Question 15

STIX and TAXII

Accepted Answer

STIX is the standardized language/format for describing cyber threat intelligence; TAXII is the transport protocol used to share STIX data between systems and feeds. STIX = what the intel says; TAXII = how it travels. Used together for automated sharing.

Question 16

Confidence level and threat feed reliability

Accepted Answer

Intel should carry a confidence rating and a source reliability assessment before you act on it. Acting on low-confidence indicators causes false positives and wasted response; ignoring high-confidence intel causes missed compromise. Always weigh source quality.

Question 17

Pyramid of Pain

Accepted Answer

Ranks indicators by how much it hurts an adversary to change them: hash values (trivial) < IP < domain < network/host artifacts < tools < TTPs (hardest). Detecting at the TTP level forces attackers to change their playbook, not just an indicator.

Question 18

MITRE ATT&CK framework

Accepted Answer

A knowledge base of real-world adversary tactics (the 'why', e.g., Persistence, Lateral Movement) and techniques (the 'how'). Used to map detections, find coverage gaps, and describe an intrusion. ATT&CK is post-compromise behavior; contrast with the kill chain.

Question 19

Cyber Kill Chain

Accepted Answer

Lockheed Martin's 7 sequential stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives. Linear and defender-focused on breaking the chain early. ATT&CK is non-linear and behavior-focused.

Question 20

Diamond Model of Intrusion Analysis

Accepted Answer

Models an intrusion event with four linked vertices: adversary, capability, infrastructure, and victim. Pivoting from one vertex (e.g., a known C2 domain) reveals others. Best for analyzing relationships and attribution, not for a step-by-step timeline.

Question 21

MITRE D3FEND

Accepted Answer

A counterpart to ATT&CK that catalogs defensive countermeasures and maps them to the offensive techniques they mitigate. Use it to answer 'what defense addresses this technique?' rather than 'what did the attacker do?'

Question 22

NIST Cybersecurity Framework (CSF) core functions

Accepted Answer

Identify, Protect, Detect, Respond, Recover (CSF 2.0 adds Govern). A risk-based structure for organizing a security program and communicating posture to leadership. It is a program framework, not an incident-response playbook like SP 800-61.

Question 23

Vulnerability vs threat vs risk vs exploit

Accepted Answer

Vulnerability: a weakness. Threat: something that could exploit it. Exploit: the actual code/method that uses the weakness. Risk: the likelihood and impact of a threat exploiting a vulnerability. Risk = the prioritized concern; the others are inputs to it.

Question 24

Authenticated (credentialed) vs unauthenticated scan

Accepted Answer

An authenticated scan logs into the host and sees patch levels, configs, and local issues - far more accurate, fewer false positives. An unauthenticated scan only sees what's exposed to the network (an attacker's external view). Use credentialed scans for patch posture.

Question 25

Active vs passive vulnerability scanning

Accepted Answer

Active scanning sends probes/packets to systems - thorough but can disrupt fragile hosts (OT/ICS, legacy). Passive scanning observes network traffic with no probing - safe for sensitive environments but only finds what communicates. Choose by environment risk tolerance.

Question 26

Scan false positive vs false negative (validation)

Accepted Answer

Scanners flag issues that may not be exploitable (false positive) or miss real ones (false negative). Always validate findings before remediation - confirm the vulnerability exists and is reachable. Acting on unvalidated output wastes effort and erodes trust in the program.

Question 27

CVSS (Common Vulnerability Scoring System)

Accepted Answer

A 0.0-10.0 standardized severity score. Bands: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0. It rates technical severity, not business risk - a Critical CVSS on an isolated test box may be low priority in context.

Question 28

CVSS Base, Temporal, and Environmental metric groups

Accepted Answer

Base: intrinsic, unchanging severity (attack vector, complexity, impact). Temporal: changes over time (exploit maturity, remediation availability). Environmental: tailors the score to your organization's asset value and controls. Always contextualize Base with Environmental.

Question 29

CVSS Attack Vector (AV): Network vs Adjacent vs Local vs Physical

Accepted Answer

Network (remote, internet-reachable) is the most severe and highest priority; Adjacent requires same subnet/segment; Local requires existing access; Physical requires hands-on the device. Prioritize network-exploitable findings on exposed assets first.

Question 30

CVE vs CWE vs CPE

Accepted Answer

CVE: a unique ID for a specific known vulnerability instance. CWE: a category of weakness type (e.g., CWE-79 cross-site scripting). CPE: a standardized naming scheme for platforms/products. CVE = the bug, CWE = the bug class, CPE = the affected product.

Question 31

Risk-based vulnerability prioritization

Accepted Answer

Rank remediation by CVSS plus asset criticality, data sensitivity, exposure, and active exploitation (e.g., CISA KEV / EPSS likelihood) - not by raw score alone. An exploited Medium on an internet-facing crown-jewel outranks a Critical on an air-gapped lab box.

Question 32

Zero-day vulnerability

Accepted Answer

A flaw unknown to the vendor with no patch available, so signature defenses fail. Mitigate with compensating controls: virtual patching/WAF, segmentation, least privilege, and behavioral detection until a fix ships. Patch management alone cannot address it.

Question 33

Remediation vs mitigation vs compensating control vs risk acceptance

Accepted Answer

Remediation fully fixes the issue (patch/upgrade). Mitigation reduces likelihood/impact without fixing it. A compensating control is an alternate safeguard when the fix isn't feasible. Risk acceptance is a documented, approved decision to live with residual risk.

Question 34

SLA and maintenance window in remediation

Accepted Answer

A remediation SLA defines the required fix timeframe by severity (e.g., Critical in days, Low in months). A maintenance window is the approved change window to apply fixes safely. Patching outside change control can cause outages; missing the SLA leaves exposure.

Question 35

Attack surface management

Accepted Answer

Continuously discovering, inventorying, and reducing all points an attacker could target - external services, shadow IT, exposed APIs, and cloud assets. You cannot protect or scan assets you don't know exist; unknown internet-facing assets are a top breach cause.

Question 36

Container and image scanning

Accepted Answer

Scan container images for vulnerable libraries and misconfigurations before deployment, and keep scanning in the registry/runtime. A vulnerable base image multiplies risk across every container built from it. Image scanning differs from host scanning - shift it left.

Question 37

NIST SP 800-61 incident response lifecycle

Accepted Answer

Four phases: (1) Preparation, (2) Detection and Analysis, (3) Containment, Eradication, and Recovery, (4) Post-Incident Activity. It is a cycle - lessons learned feed back into preparation. Most exam errors come from doing steps out of order.

Question 38

Containment: short-term vs long-term (and isolation vs segmentation)

Accepted Answer

Short-term containment stops the bleeding fast (isolate/disconnect a host). Long-term containment applies durable changes (rebuild, patch, segment) while you prepare eradication. Contain before eradicating - eradicating first can destroy evidence and tip off the attacker.

Question 39

Eradication vs recovery

Accepted Answer

Eradication removes the threat: delete malware, disable breached accounts, close the entry vector. Recovery restores systems to normal and validated operation with monitoring. Recovering before full eradication reinfects the environment.

Question 40

Order of volatility (evidence collection)

Accepted Answer

Collect evidence from most to least volatile: CPU registers/cache, RAM and running state, network connections, disk, then logs/backups/archival media. Powering off or imaging disk first destroys memory-resident artifacts like injected code and encryption keys.

Question 41

Chain of custody

Accepted Answer

A documented record of who collected, accessed, transferred, and stored each piece of evidence, with timestamps and hashes. Breaks in the chain make evidence inadmissible and undermine attribution. Required even if prosecution seems unlikely.

Question 42

Forensic imaging and hashing (write blocker)

Accepted Answer

Work from a bit-for-bit forensic image, never the original. A write blocker prevents accidental modification of the source media. Hash (e.g., SHA-256) the source and image and confirm they match to prove the copy is unaltered. Investigating the live original spoils evidence.

Question 43

Memory (volatile) analysis

Accepted Answer

Capturing and analyzing RAM reveals running processes, injected code, network sockets, decrypted data, and credentials that never touch disk. Essential for fileless and in-memory malware. Must be captured before shutdown - it is the most volatile evidence.

Question 44

Root cause analysis (RCA)

Accepted Answer

Determining the underlying reason an incident occurred (e.g., an unpatched VPN gateway), not just the symptom. Without RCA, the same incident recurs. RCA output drives lessons learned and concrete preventive actions in post-incident activity.

Question 45

Lessons learned / post-incident review

Accepted Answer

A structured review after recovery to capture what worked, what failed, and improvements - feeding back into the Preparation phase. Hold it promptly while details are fresh; focus on process improvement, not blame. Skipping it guarantees repeat incidents.

Question 46

Incident severity classification and escalation

Accepted Answer

Classify incidents by impact and scope (e.g., functional/informational impact, data sensitivity, recoverability) to drive escalation, resourcing, and notification. Misclassifying low keeps a major breach under-resourced; over-classifying drains the team and credibility.

Question 47

Stakeholder-tailored reporting (technical vs executive)

Accepted Answer

Technical teams need IOCs, affected assets, and remediation steps. Executives/board need business impact, risk, cost, and decisions required - not packet captures. Same incident, different abstraction. The wrong altitude of detail loses the audience and delays action.

Question 48

Security metrics and KPIs (MTTD / MTTR)

Accepted Answer

Mean Time To Detect measures how long a threat goes unnoticed; Mean Time To Respond/Recover measures how fast it is contained and resolved. Trending them shows SOC effectiveness over time. A single number without a trend or baseline is not actionable.

Question 49

Regulatory breach notification (GDPR, HIPAA, PCI DSS)

Accepted Answer

Breaches involving regulated data trigger mandatory notifications with strict timelines (e.g., GDPR generally 72 hours to the supervisory authority). Reporting must satisfy legal/compliance requirements, not just internal needs. Missing a deadline adds regulatory penalties to the incident.

Question 50

Evidence-based vulnerability/incident reporting

Accepted Answer

Reports must tie every finding and recommendation to evidence (logs, scan output, scoring rationale) and a clear action owner. Vague, unsupported claims erode trust and stall remediation; an auditable, prioritized report drives funded, accountable fixes.

Free CySA+ Exam Flashcards

Filter by Topic

Jump to Card

About These CySA+ Flashcards

Topics Covered

Frequently Asked Questions

CompTIA CySA+

Explore More CompTIA Certifications

CompTIA A+

CompTIA Security+

CompTIA Network+

CompTIA Cloud+

CompTIA PenTest+

CompTIA Linux+

More From This Family