1.3 Blueprint Domains and Weighting
Key Takeaways
- CS0-003 has four published domains; Security Operations (33%) and Vulnerability Management (30%) total 63%.
- Incident Response and Management is 20%; Reporting and Communication is 17%.
- CVSS scoring and log/telemetry reading move scores fastest because they are testable rules, not opinions.
- Use the free official objectives PDF as the exact map of what item writers may test.
The CS0-003 exam objectives define four domains. CompTIA streamlined the prior CS0-002 from five domains to these four and refreshed roughly 20% of the content toward automation, cloud/hybrid security, and threat intelligence. Download the free objectives PDF from CompTIA and treat it as the exam map: it lists the exact tasks ("given a scenario, analyze indicators of potentially malicious activity") that item writers are allowed to test. Anything outside that document is, by definition, out of scope.
The four domains and weights
| # | Domain | Weight | What it tests |
|---|---|---|---|
| 1.0 | Security Operations | 33% | System/network/log/host telemetry; threat intelligence (strategic/tactical/operational); TTPs vs IOCs; SIEM correlation; threat hunting; scripting and automation/SOAR |
| 2.0 | Vulnerability Management | 30% | Scan types (credentialed/non-credentialed, agent/agentless, active/passive); CVSS scoring; prioritization by exposure and asset value; remediation and validation; common software vulnerabilities (e.g., OWASP) |
| 3.0 | Incident Response and Management | 20% | Attack frameworks (MITRE ATT&CK, Cyber Kill Chain, Diamond Model); IR lifecycle - preparation, detection/analysis, containment, eradication, recovery, lessons learned |
| 4.0 | Reporting and Communication | 17% | Vulnerability and incident reporting, metrics/KPIs, stakeholder communication, compliance and SLA reporting |
How to allocate study time
Domains 1 and 2 together are 63% of the exam, so they should get the majority of your hours. But weight is not the whole story. Two specific levers move scores fastest:
- CVSS and prioritization (Domain 2) appear constantly and are learnable rules, not judgment calls - master vector strings and remediation order first for quick, reliable points.
- Log/telemetry reading (Domain 1) drives most PBQs - if you cannot interpret a firewall, DNS, or web-server log, you lose the highest-value items regardless of how much theory you know.
Domains 3 and 4 are smaller but cheap to secure: the IR lifecycle order and the named attack frameworks are pure recall. Do not let a 17% domain like Reporting cost you a pass at the margin - knowing who gets which report (executive summary vs. technical detail) is a handful of easy points.
What lives inside each domain (high-yield subtopics)
Domain 1 (Security Operations) is the broadest. Expect questions on the difference between an IOC (Indicator of Compromise - an artifact: hash, IP, domain) and a TTP (Tactics, Techniques, and Procedures - adversary behavior mapped to MITRE ATT&CK), the three tiers of threat intelligence (strategic/operational/tactical), SIEM correlation rules and log normalization, network telemetry (NetFlow, full packet capture, DNS), endpoint and email analysis, and the role of automation/SOAR (Security Orchestration, Automation, and Response) in reducing alert fatigue. The CS0-004 version layers AI-assisted detection on top of this.
Domain 2 (Vulnerability Management) is the most formula-like. Know scan types cold - credentialed vs. non-credentialed, agent vs. agentless, active vs. passive, internal vs. external - and when each is appropriate. Know how to read a CVSS v3.1 vector, interpret base/temporal/environmental groups, and prioritize by combining severity with asset criticality and exposure. Recognize common weaknesses (SQL injection, cross-site scripting, insecure deserialization, broken access control) and the validation step that confirms a fix actually closed the finding.
Domain 3 (Incident Response and Management) is mostly ordered process and named models. Memorize the IR lifecycle - preparation, detection and analysis, containment, eradication, recovery, post-incident/lessons learned - and never choose eradication before containment. Know the Cyber Kill Chain stages, the Diamond Model's four vertices (adversary, capability, infrastructure, victim), and how MITRE ATT&CK tactics/techniques describe attacker behavior.
Domain 4 (Reporting and Communication) is small but easy. The recurring theme is audience: an executive gets a concise risk/business-impact summary; a system owner gets technical remediation detail; compliance reporting ties to SLAs and frameworks. Knowing who receives which artifact wins quick points.
Build a readiness tracker
Keep a one-page grid with the four domains down the side and four columns across: understand the concept, can apply it in a scenario, can decide/calculate under time, and can explain why each distractor is wrong. You are exam-ready in a domain only when every cell is checked - especially the last one. Being able to eliminate the trap answer (distinguishing a brute-force from a credential-stuffing pattern, or containment from eradication) is what separates a 740 from a 760. Update the grid after every practice set so your study target is always the weakest cell, not the topic you most enjoy.
A common failure mode is over-studying Domain 1 because it is interesting while leaving the formulaic but high-yield CVSS work in Domain 2 half-learned.
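The log-reading lever and the brute-force versus credential-stuffing distinction above, as an added example (not part of the original study guide): a small classifier run over constructed failed-login lines. The log format, field names and the thresholds are assumptions for illustration.

```python
# Added example (not from the page): classify failed-login telemetry from one
# source as brute force (one account, many attempts) or credential stuffing
# (many distinct accounts, about one attempt each). Format/thresholds assumed.
from collections import defaultdict

# Constructed sample lines in an assumed format: "<time> auth <RESULT> user=<u> src=<ip>"
SAMPLE_LOG = """\
10:00:01 auth FAIL user=admin src=203.0.113.7
10:00:02 auth FAIL user=admin src=203.0.113.7
10:00:02 auth FAIL user=admin src=203.0.113.7
10:00:03 auth FAIL user=admin src=203.0.113.7
10:00:04 auth FAIL user=admin src=203.0.113.7
10:00:07 auth FAIL user=alice src=198.51.100.9
10:00:07 auth FAIL user=bob src=198.51.100.9
10:00:08 auth FAIL user=carol src=198.51.100.9
10:00:08 auth FAIL user=dave src=198.51.100.9
10:00:09 auth FAIL user=erin src=198.51.100.9
10:00:09 auth OK user=frank src=198.51.100.9
10:00:15 auth FAIL user=grace src=192.0.2.44
"""

def parse(log):
    """Yield (result, user, src) for each well-formed line; skip malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != "auth" or any("=" not in f for f in fields[3:]):
            continue
        kv = dict(f.split("=", 1) for f in fields[3:])
        yield fields[2], kv.get("user", "?"), kv.get("src", "?")

def classify(log, min_failures=5, new_account_ratio=0.8):
    """Return {src: label} for sources with at least min_failures failed logins."""
    failed_users = defaultdict(list)       # src -> usernames that failed from it
    for result, user, src in parse(log):
        if result == "FAIL":
            failed_users[src].append(user)
    verdicts = {}
    for src, users in failed_users.items():
        if len(users) < min_failures:
            continue                        # a few failures is normal typo noise
        distinct = len(set(users))
        if distinct == 1:
            verdicts[src] = "brute-force"
        elif distinct >= new_account_ratio * len(users):
            verdicts[src] = "credential-stuffing"
        else:
            verdicts[src] = "mixed"
    return verdicts
```

The same failure count from one source yields opposite verdicts depending only on how many distinct accounts it touched, which is the pattern an exam PBQ asks you to spot.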
Cross-domain workflows the blueprint expects
The objectives are written as connected analyst workflows, not isolated facts, so expect items that span domains. A single scenario can begin in Domain 1 (a SIEM correlation rule fires on anomalous outbound DNS), move into Domain 2 (a credentialed scan reveals the host runs an unpatched service with a CVSS 9.1 finding), proceed through Domain 3 (you contain the host, then eradicate and validate per the IR lifecycle), and end in Domain 4 (you write the executive summary and the technical remediation report). Studying domains in isolation leaves you unable to follow that chain under time pressure.
Two high-yield distinctions recur across the whole blueprint and are worth memorizing precisely:
- IOC vs. TTP. An Indicator of Compromise is a static artifact (file hash, malicious IP, suspicious domain) that is easy to block but easy for an attacker to change. A Tactic, Technique, and Procedure describes durable adversary behavior mapped to MITRE ATT&CK and is harder to evade. The exam rewards recognizing that hunting on TTPs is more resilient than chasing IOCs.
- Severity vs. priority. CVSS gives raw severity, but remediation priority combines severity with asset criticality and exposure - an internet-facing critical outranks an internal-only critical. Confusing the two is a frequent trap in Domain 2 prioritization items.
Use the objectives PDF as a checklist
Print the acronym list and task statements from the objectives PDF and tick each one only when you can perform it in a scenario, not merely define it. Item writers draw every question from those exact task verbs, so a task you cannot apply is a point you are giving away. This turns the blueprint from a description into an audited gap list that drives your final two weeks.
A candidate has limited study time and wants the fastest, most reliable score gain on CS0-003. Which focus best fits the blueprint and the way the exam is scored?
During an active incident, an analyst on CS0-003 is asked for the FIRST appropriate action after detection and analysis confirm a compromised host. Per the incident-response lifecycle, what comes next?