6.2 Last-Week Review Map
Key Takeaways
- The final week is consolidation, not new material: use the CS0-003 objectives, your error log, and timed scores to decide what to touch.
- Front-load Security Operations (33%) and Vulnerability Management (30%) — together 63% of the exam — if either is weak.
- Memorize the high-yield reference points: the CVSS 3.1 severity bands, the NIST SP 800-61 incident lifecycle order, and the difference between false positives and false negatives.
- Stop adding resources when review becomes scattered; mixed short sets beat re-reading whole chapters.
The final week is for consolidation. Use the official CS0-003 exam objectives, your error log, and your timed-practice scores to decide what gets reviewed. Resist the urge to start a new book — at this stage, retrieval practice beats fresh intake.
A day-by-day plan weighted to the blueprint
The four CySA+ domains are not equal, so neither is your review time:
| Domain | Weight | Last-week priority |
|---|---|---|
| Security Operations | 33% | Highest — log analysis, threat hunting, MITRE ATT&CK, network/host indicators |
| Vulnerability Management | 30% | High — scanning, CVSS scoring, prioritization, remediation |
| Incident Response and Management | 20% | Medium — NIST 800-61 lifecycle, containment, forensics |
| Reporting and Communication | 17% | Lowest — stakeholder reports, metrics, compliance frameworks |
- Day 7-5: Drill your weakest of the top-two domains. Read the relevant objective bullet, answer a 20-item set, write one rule per miss.
- Day 4-3: Mixed timed sets. The real exam does not label questions by domain, so practice switching between a tcpdump capture question and a CVSS prioritization question without losing rhythm.
- Day 2: Drill the exact reference values below from memory.
- Day 1: Confirm logistics (voucher, ID, appointment), do a light 10-item warm set, and sleep.
Reference values the exam loves to test
Memorize these cold — they appear repeatedly as MCQ distractor traps:
- CVSS 3.1 severity bands: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
- NIST SP 800-61 incident lifecycle order: Preparation → Detection and Analysis → Containment, Eradication, and Recovery → Post-Incident Activity. Containment always precedes eradication.
- Lockheed Martin Cyber Kill Chain (7 stages): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives.
- MITRE ATT&CK describes adversary tactics, techniques, and procedures (TTPs) by what they do, not a linear kill chain.
- False positive = scanner reports a vulnerability that is not really present; false negative = a real vulnerability the scanner missed (the dangerous one).
- Mean Time To Detect (MTTD) vs. Mean Time To Respond (MTTR): detection precedes response.
Stop-loss rule
If, on Day 2, you are opening a brand-new tool tutorial or a fresh framework, stop. That is a sign of anxiety, not a gap. The exam rewards a calm analyst who can prioritize, not one who has memorized one more obscure registry key. Trust the error log and rest.
Tools and acronyms to have at instant recall
Security Operations and Vulnerability Management together are 63% of the exam, and both lean on tool literacy. By the last week these distinctions should be automatic, because the exam uses them as MCQ distractors:
- Wireshark = full packet capture and deep inspection; tcpdump = command-line packet capture; Zeek (formerly Bro) = network metadata and connection logs, not raw payloads.
- Nmap = host discovery and port/service scanning; Nessus / OpenVAS / Qualys = vulnerability scanners that produce CVSS-scored findings.
- SIEM (e.g., Splunk, ELK) = log aggregation, correlation, and alerting; SOAR = automated playbook orchestration on top of those alerts; EDR/XDR = endpoint and cross-layer detection and response.
- IOC (Indicator of Compromise) vs. IOA (Indicator of Attack): an IOC is evidence a breach already happened (a known-bad hash or IP); an IOA describes attacker behavior in progress.
- STIX/TAXII = the standard format and transport for sharing threat intelligence feeds.
Threat models you must be able to compare
CySA+ frequently asks you to choose the right framework for a task. Keep these straight: the Cyber Kill Chain is a linear seven-stage sequence useful for describing where in an intrusion you intervene; MITRE ATT&CK is a behavioral matrix of tactics and techniques used for detection engineering and threat hunting; the Diamond Model maps a single intrusion across adversary, capability, infrastructure, and victim. If a stem asks how to map observed attacker behaviors to detection rules, the answer is ATT&CK, not the kill chain.
Light, confident close
The final 48 hours are for confidence, not cramming. A 20-minute mixed warm-up the morning before keeps your pacing instincts sharp without exhausting you. Re-read your top ten error-log rules, glance at the CVSS bands and the NIST lifecycle one last time, and then close the books. An analyst who walks in rested and calm out-scores one who pulled an all-nighter on a niche topic that may not even appear on the 85-item form.
Incident-response order is non-negotiable knowledge
If only one sequence is worth over-learning in the final week, it is the NIST SP 800-61 incident-response lifecycle, because CySA+ tests it relentlessly in both MCQs and ordering PBQs. The phases are Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity (lessons learned). Two rules trap candidates every time: containment always comes before eradication (you stop the bleeding before you remove the threat), and evidence preservation and chain of custody happen before you wipe or reimage a compromised host.
A stem that tempts you to "immediately reimage" an actively exfiltrating machine is testing whether you contain and preserve first.
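As an added example (not part of the CS0-003 material or NIST's own text), a small checker that validates an ordered list of response actions against the SP 800-61 phase order and the two traps above: containment before eradication, and evidence preserved before anything destructive. The action names and their phase mapping are assumptions chosen for illustration.

```python
# Phase order in the SP 800-61 lifecycle; within the combined phase the exam
# expects containment, then eradication, then recovery.
PHASE_ORDER = ["preparation", "detection_analysis", "containment",
               "eradication", "recovery", "post_incident"]

# Assumed mapping of concrete actions to phases (illustrative, not NIST's list).
# Evidence gathering sits in the containment phase, as 800-61 places it.
ACTION_PHASE = {
    "review_playbook": "preparation",
    "triage_alert": "detection_analysis",
    "isolate_host": "containment",
    "block_c2_ip": "containment",
    "preserve_evidence": "containment",   # memory/disk image, chain of custody
    "remove_malware": "eradication",
    "reimage_host": "eradication",        # destroys what is on the host
    "restore_from_backup": "recovery",
    "lessons_learned": "post_incident",
}

# Actions that destroy evidence and therefore require preserve_evidence first.
DESTRUCTIVE = {"reimage_host", "remove_malware"}


def validate_plan(actions):
    """Return a list of violations; an empty list means the order is acceptable.

    Checks the strict blueprint order the exam tests, not the iterative loops
    a real response may legitimately go through.
    """
    violations = []
    highest_phase = -1      # furthest phase reached so far
    evidence_kept = False
    for action in actions:
        phase = ACTION_PHASE.get(action)
        if phase is None:
            violations.append(f"unknown action: {action}")
            continue
        idx = PHASE_ORDER.index(phase)
        if idx < highest_phase:
            violations.append(
                f"{action} ({phase}) after {PHASE_ORDER[highest_phase]}")
        highest_phase = max(highest_phase, idx)
        if action in DESTRUCTIVE and not evidence_kept:
            violations.append(f"{action} before preserve_evidence")
        if action == "preserve_evidence":
            evidence_kept = True
    return violations
```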
Vulnerability prioritization beyond the raw score
Vulnerability Management is 30% of the exam, and the last-week reviewer should be fluent in the idea that CVSS base score is only the starting point. The exam expects you to adjust priority using temporal and environmental context: an internet-facing asset with a known exploit in the wild outranks a higher-base-score finding on an isolated internal host with compensating controls.
Know the difference between patching, mitigating with a compensating control, and accepting residual risk, and recognize that a critical finding on a non-reachable, soon-to-be-decommissioned system may legitimately rank below a high finding on a crown-jewel server.
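As an added example (not from the CS0-003 material or any vendor scanner), the ranking the two paragraphs above describe in code: the CVSS 3.1 band is only the starting point, and context adjustments move a 7.4 internet-facing finding with a public exploit above a 9.1 finding on an isolated host behind a compensating control. The adjustment weights, field names and assets are constructed assumptions, not a published scoring scheme.

```python
from dataclasses import dataclass


def cvss_band(score):
    """Map a CVSS 3.1 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    asset: str
    base_score: float
    internet_facing: bool = False       # reachable from the internet
    exploit_in_wild: bool = False       # public exploit / active exploitation
    compensating_control: bool = False  # e.g. WAF or segmentation in front
    decommission_soon: bool = False     # scheduled for retirement
    crown_jewel: bool = False           # business-critical asset


def priority(f):
    """Risk-adjusted priority: base score moved up or down by context.
    Weights are illustrative assumptions, not a standard."""
    p = f.base_score
    if f.internet_facing:
        p += 1.5
    if f.exploit_in_wild:
        p += 2.0
    if f.crown_jewel:
        p += 1.0
    if f.compensating_control:
        p -= 2.0
    if f.decommission_soon:
        p -= 3.0
    return round(p, 1)


def rank(findings):
    """Return (asset, band, priority) tuples, highest priority first."""
    rows = [(f.asset, cvss_band(f.base_score), priority(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)
```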
A vulnerability scanner reports a CVSS 3.1 base score of 7.4 for an unpatched web server. Into which severity band does this fall, and how should a last-week reviewer treat it?
During a container security review an analyst finds containers running as root, secrets baked into image layers, and images pulled from unverified registries. Which combined remediation addresses all three findings?