2.1 Security Operations Overview
Key Takeaways
- Security Operations is the largest CompTIA CySA+ (CS0-003) domain at 33% of the exam.
- It covers system/network/log/host concepts, threat intelligence, threat hunting, and standardizing/automating processes.
- Expect both multiple-choice and performance-based questions (PBQs) drawn from real telemetry, log excerpts, and packet data.
- The exam tests applied analyst judgment: given evidence, what is the indicator, the tactic, or the next detection step.
Security Operations is Domain 1.0 of the CompTIA Cybersecurity Analyst (CySA+) CS0-003 exam and the single largest scored area at 33% of the test. CS0-003 delivers up to 85 questions in 165 minutes, mixing multiple-choice with performance-based questions (PBQs) where you interpret real logs, packet captures, or SIEM output. The passing score is 750 on a 100-900 scale (there is no fixed percentage; CompTIA scales each form). The exam is vendor-neutral and intermediate-level, assuming roughly CompTIA Network+ and Security+ knowledge plus about four years of hands-on security analyst experience.
What the domain actually covers
Domain 1.0 is built from four official objective groups. Memorize these as the spine of the chapter:
| Objective | Focus | High-yield content |
|---|---|---|
| 1.1 | System and network architecture concepts | Logging (flow, syslog, packet), OS concepts, network architecture, identity, encryption, sensitivity/protection |
| 1.2 | Analyze indicators of malicious activity | Network, host, application, and social-engineering attack indicators |
| 1.3 | Tools and techniques to determine malicious activity | Packet/protocol analysis (Wireshark, tcpdump), log analysis, endpoint, DNS, file, sandboxing |
| 1.4 | Threat-intelligence and threat-hunting concepts | Threat actors, TTPs, ATT&CK, IoC sharing (STIX/TAXII), proactive hunting, attack surface management |
Why this domain is decision-heavy
CS0-003 questions rarely ask for a bare definition. A typical stem gives you a log line, a netflow record, a process listing, or a packet detail and asks what it indicates or what you do next. For example, repeated Windows Event ID 4625 failures followed by a single 4624 success is a brute-force or password-spray indicator, not normal activity. A spike in outbound TCP 443 to a freshly registered domain at fixed intervals is command-and-control (C2) beaconing, not a backup job. Your job is to map evidence to the most defensible conclusion, then choose the action that the evidence's confidence actually supports.
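The two indicators in this paragraph are exactly the kind of thing an analyst scripts against exported logs. The block below is an added illustration, not material from the CySA+ objectives or any CompTIA resource: it runs a failed-then-successful-logon check and a fixed-interval beacon check over constructed sample data. Assumptions: Windows Security events and flow records are reduced to small dicts (real sources would be EVTX/XML and NetFlow/IPFIX), timestamps are seconds from an arbitrary epoch, and the thresholds (five failures in 300 seconds, three distinct accounts for a spray, coefficient of variation at or below 0.1 for a beacon) are illustrative tuning knobs.

```python
"""Two Objective 1.2 indicator checks run over constructed sample data.

Added illustration, not part of the study guide. Assumptions: Windows
Security events and flow records are reduced to small dicts (real sources
would be EVTX/XML and NetFlow/IPFIX), timestamps are seconds from an
arbitrary epoch, and every threshold below is an illustrative tuning knob.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _ev(ts, event_id, user, src):
    return {"ts": ts, "id": event_id, "user": user, "src": src}


# Constructed logon events: 4625 = failed logon, 4624 = successful logon.
LOGON_EVENTS = (
    # 10.0.0.7 tries six different accounts once each, then lands on "frank".
    [_ev(i * 10, 4625, u, "10.0.0.7")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_ev(60, 4624, "frank", "10.0.0.7")]
    # 10.0.0.9 hammers one account six times, then succeeds.
    + [_ev(100 + i * 10, 4625, "admin", "10.0.0.9") for i in range(6)]
    + [_ev(170, 4624, "admin", "10.0.0.9")]
    # 10.0.0.20 is a user mistyping a password once: should not alert.
    + [_ev(200, 4625, "grace", "10.0.0.20"), _ev(205, 4624, "grace", "10.0.0.20")]
)


def find_failed_then_success(events, min_failures=5, window=300, spray_users=3):
    """Flag a 4624 preceded by >= min_failures 4625s from the same source
    within `window` seconds. Several distinct target accounts => password
    spray; a single account => brute force."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        recent = []  # failures still inside the sliding window
        for e in sorted(evs, key=lambda x: x["ts"]):
            recent = [f for f in recent if e["ts"] - f["ts"] <= window]
            if e["id"] == 4625:
                recent.append(e)
            elif e["id"] == 4624 and len(recent) >= min_failures:
                targets = {f["user"] for f in recent}
                kind = "password_spray" if len(targets) >= spray_users else "brute_force"
                alerts.append({"src": src, "user": e["user"],
                               "failures": len(recent), "kind": kind})
                recent = []
    return alerts


def _flow(ts, src, dst, dport):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport}


# Constructed flow records: one host talks to two external HTTPS servers.
FLOWS = (
    # Every ~60 s with a second of jitter: the shape of a C2 beacon.
    [_flow(t, "10.0.0.7", "203.0.113.10", 443)
     for t in (0, 60, 121, 180, 240, 301, 360, 420)]
    # Bursty, human-driven browsing to a different server.
    + [_flow(t, "10.0.0.7", "198.51.100.5", 443)
       for t in (0, 3, 47, 120, 121, 400)]
)


def find_beacons(flows, min_count=6, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose inter-arrival times are nearly
    constant: coefficient of variation (stdev / mean) at or below max_cv."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for (src, dst, dport), times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "period_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for a in find_failed_then_success(LOGON_EVENTS):
        print("logon:", a)
    for b in find_beacons(FLOWS):
        print("beacon:", b)
```

Note how the spray and brute-force cases are separated by the number of distinct target accounts rather than by the raw failure count, and how the benign typo from 10.0.0.20 never reaches the threshold. The beacon check deliberately tolerates jitter: a C2 implant that sleeps 60 seconds plus or minus one still produces a coefficient of variation near zero, while the browsing session does not.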
This is why architecture concepts in 1.1 matter even though they feel like background knowledge. You cannot judge whether east-west traffic between two workstations is abnormal unless you understand network segmentation, the difference between north-south and east-west traffic, and where sensors sit. You cannot reason about a logon anomaly without knowing identity and access management concepts such as single sign-on (SSO), federation, and privileged access. The exam folds these foundations into indicator questions rather than testing them in isolation, so study them as the lens you read evidence through.
Exam-ready mental model
Use a five-step read on every Security Operations item: (1) telemetry (what data source is shown?), (2) baseline (what is normal here?), (3) deviation (what stands out?), (4) hypothesis (which tactic, technique, or indicator explains it?), and (5) action (collect more evidence, contain, or escalate?). If you can name the data source and the deviation but not the action, you will fall for the answer that sounds technically clever but skips proper triage. The strongest distractors are real terms used in the wrong context, so always test a candidate answer against the exact artifact in the stem before committing.
A worked example: the stem shows 4688 process-creation events where winword.exe is the parent of cmd.exe, which spawns powershell.exe. The telemetry is host process auditing; the baseline is that Word does not normally launch a command shell; the deviation is the suspicious parent-child chain; the hypothesis is malicious macro execution (phishing-delivered code); and the action is to isolate the endpoint and pull the full process tree and the originating document. Notice the answer flows from the evidence, not from a memorized definition.
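The parent-child chain in the worked example is recovered by joining 4688 events on process and parent-process IDs. The block below is an added illustration, not code from the study guide or from CompTIA: it rebuilds the process tree from constructed events, flags any shell whose ancestry runs through an Office application, and renders the full tree an analyst would pull during containment. Assumptions: each event is a dict with pid, ppid and image name (real 4688 events carry more fields, and a production version should key on process ID plus creation time because PIDs are reused); the Office and shell name sets are illustrative, not exhaustive.

```python
"""Reconstruct a process tree from 4688-style events and flag shells whose
ancestry runs through an Office application.

Added illustration, not from the study guide. Assumptions: each event is a
dict with pid, ppid and image name (real 4688 events carry more fields, and
a production version should key on (pid, creation time) because PIDs are
reused); the Office and shell name sets are illustrative, not exhaustive.
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _proc(pid, ppid, image):
    return {"pid": pid, "ppid": ppid, "image": image}


# Constructed 4688 events. PID 1 (the root) is deliberately absent so the
# ancestor walk shows how to stop at an unknown parent.
PROCESS_EVENTS = [
    _proc(400, 1, "explorer.exe"),
    _proc(1200, 400, "winword.exe"),
    _proc(1300, 1200, "cmd.exe"),          # Word launching a shell: abnormal
    _proc(1400, 1300, "powershell.exe"),   # ... which launches PowerShell
    _proc(2000, 400, "cmd.exe"),           # user-opened shell from Explorer: normal
    _proc(2100, 2000, "powershell.exe"),
]


def index_by_pid(events):
    """Map pid -> event so parent lookups are O(1)."""
    return {e["pid"]: e for e in events}


def lineage(pid, procs):
    """Return image names from the oldest known ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)              # guards against malformed cyclic data
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def find_office_spawned_shells(events):
    """Return 'a > b > c' chains for every shell with an Office ancestor."""
    procs = index_by_pid(events)
    hits = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        chain = lineage(e["pid"], procs)
        if any(img.lower() in OFFICE_APPS for img in chain[:-1]):
            hits.append(" > ".join(chain))
    return hits


def render_tree(events, root_ppid=1, indent=0):
    """Indented text dump of the whole tree: the artifact an analyst pulls
    alongside the originating document during containment."""
    lines = []
    for e in events:
        if e["ppid"] == root_ppid:
            lines.append("  " * indent + f"{e['image']} (pid {e['pid']})")
            lines.extend(render_tree(events, e["pid"], indent + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESS_EVENTS)))
    for chain in find_office_spawned_shells(PROCESS_EVENTS):
        print("ALERT office-spawned shell:", chain)
```

The check walks ancestors rather than looking only at the immediate parent, so a shell that is two or three hops below winword.exe is still caught, while the user-launched cmd.exe under explorer.exe produces no alert. That matches the five-step read: the baseline is the Explorer-rooted chain, the deviation is the Office-rooted one.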
How to budget study time
Because this domain is 33%, weakness here costs more than any other area, and a single point here can be worth more than several elsewhere. Track your practice misses by objective (1.1 through 1.4). If you lose points on indicator analysis (1.2), drill log and packet reading until you can classify an artifact in under 30 seconds. If you miss threat-intel items (1.4), build recall flashcards for ATT&CK tactics, IoC types, and STIX/TAXII. Re-weight your final week toward whichever objective still produces misses, and re-test with mixed, unlabeled scenarios to confirm the gain holds.
Architecture concepts that anchor 1.1
Objective 1.1 expects fluency with several foundational ideas that recur as the backdrop of indicator questions:
- Logging types: agent-based collection pushes rich host telemetry but adds load; agentless collection (such as syslog forwarding) is lighter but shallower.
- Operating system concepts: the Windows Registry, processes and services, and the /etc/passwd, cron, and systemd mechanisms on Linux are where persistence hides.
- Infrastructure concepts: serverless functions, virtualization, and containerization change where logs live and what "host" even means.
- Network architecture: on-premises, cloud, hybrid, software-defined networking (SDN), and zero trust all shift the trust boundary.
- Identity and access management (IAM): multifactor authentication (MFA), SSO, federation, and privileged access management (PAM) determine which logon anomalies are plausible.
- Encryption and sensitive data protection: data classification, data loss prevention (DLP), and the difference between data at rest and in transit shape what counts as exfiltration.
You will not be asked to define these in a vacuum, but you must recognize them when they frame a scenario.
What weight does the Security Operations domain carry on the CompTIA CySA+ (CS0-003) exam, and what does that imply for study planning?
An analyst is investigating network traffic and notices DNS queries to domains with high-entropy names like "x8j2k9m3p.cloud-domain.net." What should the analyst suspect?