
CompTIA CySA+ (CS0-003) Practice Exam

Validates security analyst skills — threat detection, vulnerability management, incident response, and security operations.

Practice 300 exam-style CompTIA CySA+ (CS0-003) questions with full answer explanations, then take timed mock exams that score like the real thing.

300 practice questions
85 questions on the real exam
830 passing score
165 min exam length

What the CompTIA CySA+ (CS0-003) exam covers

Free CompTIA CySA+ (CS0-003) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

  1. Question 1 (Security Operations)

    What is the primary purpose of a SIEM?

    • A. To aggregate and correlate logs/events from many sources for detection, alerting, and analysis (Correct)
    • B. To assign IP addresses
    • C. To build container images
    • D. To encrypt all network traffic
    ✓ Correct answer: A

    A SIEM centralizes events from hosts, network devices, and applications, normalizes them, and correlates them so analysts can detect, alert on, and investigate suspicious activity.

    Why the other options are wrong
    • B. Assigning IP addresses is a DHCP function, not a SIEM function.
    • C. Building container images is a CI/build-tool function, not a SIEM function.
    • D. Encrypting network traffic is done by TLS, IPsec, or VPNs; a SIEM analyzes logs, it does not encrypt traffic.
  2. Question 2 (Vulnerability Management, select all that apply)

    Which TWO reduce the risk of newly disclosed vulnerabilities reaching production? (Choose TWO)

    • A. Regular patch/update cycles and emergency patching for critical issues (Correct)
    • B. Never updating to avoid breaking things
    • C. Continuous scanning of assets and images (Correct)
    • D. Disabling scanning to reduce noise
    ✓ Correct answer: A, C

    Regular and emergency patch cycles shorten the window between disclosure and remediation, and continuous scanning of hosts and images finds the newly disclosed vulnerabilities that those cycles need to fix.

    Why the other options are wrong
    • B. Never updating leaves every known vulnerability in place indefinitely; it trades a small change-management risk for an unbounded exposure risk.
    • D. Disabling scanning removes the visibility needed to know which assets are exposed, so new vulnerabilities go unnoticed until exploited.
  3. Question 3 (Security Operations)

    A SOC ingests 2 TB/day into a SIEM but most cost comes from verbose debug logs that are never queried. Which change best controls cost without losing detection value?

    • A. Increase the SIEM license tier to absorb the volume
    • B. Disable all firewall and authentication logs
    • C. Filter/parse at the collector to drop low-value debug events before ingestion (Correct)
    • D. Store everything in the hottest, most expensive index
    ✓ Correct answer: C

    Filtering at the collector drops the debug events that are never queried before they count against ingestion or storage, while the firewall, authentication, and other detection-relevant sources still reach the SIEM intact.

    Why the other options are wrong
    • A. Raising the license tier pays for the unwanted volume rather than controlling it.
    • B. Firewall and authentication logs are among the highest-value detection sources; disabling them saves cost by destroying detection value.
    • D. Keeping everything in the hottest index maximizes cost instead of controlling it.
  4. Question 4 (Security Operations)

    Which tcpdump command captures only DNS traffic on interface eth0 and writes it to a file for later analysis?

    • A. tcpdump --dns eth0 -o dns.pcap
    • B. tcpdump -i eth0 port 53 -w dns.pcap (Correct)
    • C. tcpdump -i eth0 host 53 > dns.pcap
    • D. tcpdump -i eth0 -r dns.pcap port 53
    ✓ Correct answer: B

    `-i eth0` selects the interface, `port 53` is the BPF filter that matches DNS on either UDP or TCP, and `-w dns.pcap` writes the raw packets to a capture file that can be read back later with `-r` or opened in Wireshark.

    Why the other options are wrong
    • A. `--dns` and `-o` are not tcpdump options; the interface is selected with `-i` and output is written with `-w`.
    • C. `host 53` filters on an IP address, not a port, and redirecting tcpdump's text output with `>` does not produce a pcap file.
    • D. `-r` reads an existing capture file instead of capturing live traffic from the interface.
  5. Question 5 (Security Operations)

    When designing log collection for a high-volume environment, which approach best balances detection fidelity with storage/cost?

    • A. Disable logging on noisy systems to save space
    • B. Keep every log in the hot SIEM index forever
    • C. Collect only firewall deny logs and discard the rest
    • D. Tiered retention: hot index for recent, high-value logs and cheaper cold/archival storage for older data (Correct)
    ✓ Correct answer: D

    Tiered retention keeps recent, high-value logs in the fast searchable index where detections run, and moves older data to cheaper cold or archival storage so it is still available for investigations and compliance lookback without hot-tier cost.

    Why the other options are wrong
    • A. Disabling logging on noisy systems creates blind spots; noisy systems are often exactly the ones that get attacked.
    • B. Keeping everything hot forever maximizes cost and does nothing to improve fidelity.
    • C. Firewall deny logs alone miss allowed connections, authentication, and endpoint activity, which is where most intrusions are visible.
  6. Question 6 (Security Operations)

    An analyst correlates Windows logs but sees no Event ID 4688 process-creation events despite auditing being enabled. What is the most likely gotcha?

    • A. Process creation is never logged by Windows
    • B. Event ID 4688 only logs on domain controllers
    • C. Command-line process auditing requires a separate policy (Include command line in process creation events) that is off by default (Correct)
    • D. 4688 events only appear in the Security log after a reboot loop
    ✓ Correct answer: C

    Windows process-creation auditing is governed by policy settings that are off by default: the Audit Process Creation subcategory produces 4688 events, and the separate "Include command line in process creation events" policy adds the command-line detail analysts rely on.

    Why the other options are wrong
    • A. Windows does log process creation as Event ID 4688 once the audit subcategory is enabled.
    • B. 4688 is generated on any Windows host with the audit subcategory enabled, not only on domain controllers.
    • D. Reboot loops have nothing to do with whether 4688 events are written to the Security log.
  7. Question 7 (Reporting and Communication)

    Why should an after-action report distinguish between detection gaps and response gaps rather than lumping them together?

    • A. Detection and response gaps are always caused by the same tool
    • B. Separating them is forbidden by NIST
    • C. They drive different corrective actions: detection gaps need better telemetry/rules, response gaps need process/playbook fixes (Correct)
    • D. Only response gaps ever need remediation
    ✓ Correct answer: C

    A detection gap means the activity was not seen or not alerted on, which is fixed with more telemetry or better rules; a response gap means the alert fired but containment or escalation was slow or wrong, which is fixed with playbooks, training, and process changes. Different owners act on each.

    Why the other options are wrong
    • A. Detection and response gaps usually involve different tools and different teams.
    • B. NIST incident-response guidance does not forbid separating them; lessons-learned reviews are meant to identify specific gaps.
    • D. Both kinds of gap need remediation; an undetected intrusion is at least as serious as a slow response.
  8. Question 8 (Reporting and Communication)

    Why should monitoring and detection coverage be measured against a framework like MITRE ATT&CK and reported over time?

    • A. It replaces the need for any log collection
    • B. It identifies detection gaps across adversary techniques so leadership can prioritize improvements (Correct)
    • C. It automatically remediates every vulnerability found
    • D. It guarantees that no incident will ever occur
    ✓ Correct answer: B

    Mapping detections to ATT&CK techniques shows which adversary behaviours the SOC can and cannot see, and tracking that coverage over time gives leadership a measurable basis for prioritizing telemetry, rules, and tooling investments.

    Why the other options are wrong
    • A. ATT&CK mapping depends on log collection; a technique cannot be detected without the telemetry that reveals it.
    • C. ATT&CK is an assessment and knowledge framework, not a remediation tool; it fixes nothing by itself.
    • D. No framework guarantees that incidents will not occur; coverage measurement improves the odds of detecting them.
  9. Question 9 (Reporting and Communication)

    After migrating reporting pipelines, which step confirms executives still receive the metrics they rely on?

    • A. Assuming no one reads them
    • B. Removing all KPIs to simplify
    • C. Reviewing the new reports with stakeholders to validate content and accuracy against expectations (Correct)
    • D. Switching to verbal-only updates
    ✓ Correct answer: C

    Only the consumers of the reports can confirm that the migrated pipeline still delivers the metrics they use, so reviewing the new output with stakeholders validates both content and accuracy before the old pipeline is retired.

    Why the other options are wrong
    • A. Assuming the reports are unread skips validation entirely and risks silently breaking metrics leadership depends on.
    • B. Removing the KPIs removes the very metrics the question is trying to preserve.
    • D. Verbal-only updates lose the reproducible, comparable record that written metrics provide.
  10. Question 10 (Reporting and Communication)

    During an active high-severity incident, different teams give conflicting status updates to customers, causing confusion. What part of the IR plan would BEST prevent this?

    • A. Letting every employee post updates independently
    • B. A defined communication plan with a single designated spokesperson and approved messaging (Correct)
    • C. Encrypting the status page so no one can read it
    • D. Removing all customer communication
    ✓ Correct answer: B

    An incident communication plan names who speaks for the organization, who approves the message, and through which channels it goes out, so customers receive one consistent, accurate account instead of contradictory updates from several teams.

    Why the other options are wrong
    • A. Independent updates from every employee are the cause of the conflicting messages, not the cure.
    • C. A status page nobody can read defeats its purpose of keeping customers informed.
    • D. Going silent during a high-severity incident leaves customers guessing and damages trust.

CompTIA CySA+ (CS0-003) practice exam FAQ

How many questions are in the CompTIA CySA+ (CS0-003) practice exam on CertGrid?

CertGrid has 300 practice questions for CompTIA CySA+ (CS0-003), covering 4 exam domains. The real CompTIA CySA+ (CS0-003) exam has about 85 questions.

What is the passing score for CompTIA CySA+ (CS0-003)?

The CompTIA CySA+ (CS0-003) exam passing score is 830, and you have about 165 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official CompTIA CySA+ (CS0-003) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of CompTIA CySA+ (CS0-003), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice CompTIA CySA+ (CS0-003) for free?

Yes. You can start practicing CompTIA CySA+ (CS0-003) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.