CompTIA CySA+ (CS0-003) Study Guide
CompTIA CySA+ (CS0-003) validates the hands-on skills of a security analyst working in a SOC: detecting threats with logs and behavioral analytics, managing vulnerabilities, leading incident response, and communicating findings to stakeholders. It is an intermediate-level, performance-based exam aimed at SOC analysts, threat hunters, vulnerability analysts, and incident responders with a few years of IT security experience. The single CS0-003 exam covers four domains weighted toward Security Operations and Vulnerability Management.
Domain 1: Security Operations
- MITRE ATT&CK is a knowledge base of real-world adversary tactics (the goal, e.g. Initial Access, Exfiltration) and techniques (the method); analysts map observed behavior to TTPs to find detection gaps and build threat-informed defense.
- An Indicator of Compromise (IOC) is a forensic artifact (malicious hash, IP, domain, file name) showing a host may already be breached; an Indicator of Attack (IOA) describes attacker behavior/intent in progress.
- On the Pyramid of Pain, hash values and IP addresses are trivial for attackers to change (low pain), while TTPs are the hardest to alter (high pain) and most valuable to detect on.
- A SIEM aggregates and correlates logs/events from many sources for centralized detection, alerting, and analysis; because events are forwarded to central, tamper-resistant storage, an attacker who wipes local logs on a compromised host has not erased the evidence, and cross-system correlation still surfaces the activity.
- SOAR platforms use playbooks to orchestrate and automate repetitive response actions (enrich alert, block IP, disable account), reducing analyst toil and standardizing handling.
- EDR provides endpoint telemetry (process creation, file, registry, and network events) for detection and response; XDR extends correlation across endpoint, network, email, and cloud.
- Beaconing is repeated outbound connections to the same external host at a regular interval, a strong indicator of command-and-control (C2) callbacks; implants often add a small random jitter to the sleep, so hunt on the distribution of inter-connection times (near-constant gaps, low variance) rather than on an exact period.
- DNS tunneling shows up as abnormally long or frequent DNS queries and a high volume of TXT records, used to exfiltrate data or carry C2 over port 53.
- Living off the Land (LOTL) abuse uses trusted built-in binaries (LOLBins) such as PowerShell, certutil, wmic, mshta, and rundll32 so malicious activity blends with legitimate admin use.
- Many failed logins against one account followed by a success indicates brute force; a few failures each across many accounts from one source (often ending in a success on one of them) indicates password spraying. New admin logons, lateral movement, or pass-the-hash patterns indicate credential compromise after the fact.
- Threat hunting is proactively searching for adversaries that existing alerts missed, starting from a hypothesis and using telemetry rather than waiting for signatures to fire.
- Order of volatility dictates collecting the most ephemeral evidence first: CPU registers/cache, then RAM and running state, then disk, then archival media and backups.
- Sandbox (dynamic) malware analysis detonates a sample in an isolated environment to observe behavior, while static analysis inspects code/strings without execution.
- Tune detections by adding thresholds, context, and allowlists to raise fidelity and cut false-positive noise; filter or parse low-value debug events at the collector and tier logs (hot/searchable vs. cold/archive) to control cost.
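The beaconing and failed-then-successful-login patterns described above, as an added example of detection logic run over constructed telemetry (this code is not from the guide or from any vendor tool). The connection records, sshd-style lines, hosts, users and thresholds are all made up for illustration; the jitter tolerance in `beacon_candidates` is an assumption that lets a beacon with a randomised sleep still be caught while bursty human traffic is not.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records: (epoch_seconds, source_host, destination_ip).
# 10.0.0.5 calls 198.51.100.20 every ~60 s (beacon); 10.0.0.7 browses in irregular bursts.
CONN_LOG = [
    (0, "10.0.0.5", "198.51.100.20"), (61, "10.0.0.5", "198.51.100.20"),
    (119, "10.0.0.5", "198.51.100.20"), (180, "10.0.0.5", "198.51.100.20"),
    (242, "10.0.0.5", "198.51.100.20"), (300, "10.0.0.5", "198.51.100.20"),
    (5, "10.0.0.7", "203.0.113.9"), (7, "10.0.0.7", "203.0.113.9"),
    (9, "10.0.0.7", "203.0.113.9"), (400, "10.0.0.7", "203.0.113.9"),
    (401, "10.0.0.7", "203.0.113.9"), (900, "10.0.0.7", "203.0.113.9"),
]


def beacon_candidates(conn_log, min_connections=5, max_jitter=0.15):
    """Flag (src, dst) pairs whose gaps between connections are nearly constant.

    Jitter is measured as stdev/mean of the inter-connection gaps, so an implant
    that randomises its sleep by +/-10% is still caught, while bursty human
    traffic (huge gap variance) is not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in conn_log:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in sorted(by_pair.items()):
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"src": pair[0], "dst": pair[1], "interval_s": round(avg, 1)})
    return hits


# Constructed sshd-style auth lines (format mimics OpenSSH; hosts and users are made up).
AUTH_LOG = """\
May  1 08:00:01 web1 sshd[4120]: Failed password for alice from 192.0.2.10 port 51001 ssh2
May  1 08:00:04 web1 sshd[4120]: Failed password for alice from 192.0.2.10 port 51001 ssh2
May  1 08:00:07 web1 sshd[4120]: Failed password for alice from 192.0.2.10 port 51001 ssh2
May  1 08:00:10 web1 sshd[4120]: Accepted password for alice from 192.0.2.10 port 51001 ssh2
May  1 08:05:00 web1 sshd[4188]: Failed password for bob from 192.0.2.77 port 40010 ssh2
May  1 08:05:03 web1 sshd[4190]: Failed password for invalid user carol from 192.0.2.77 port 40011 ssh2
May  1 08:05:06 web1 sshd[4192]: Failed password for dave from 192.0.2.77 port 40012 ssh2
May  1 08:05:09 web1 sshd[4194]: Accepted password for dave from 192.0.2.77 port 40013 ssh2
May  1 09:00:00 web1 sshd[4300]: Failed password for erin from 192.0.2.5 port 40500 ssh2
May  1 09:00:20 web1 sshd[4302]: Accepted password for erin from 192.0.2.5 port 40501 ssh2
""".splitlines()

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def classify_auth(auth_log, fail_threshold=3):
    """Per source IP: brute force = >= threshold failures against one account;
    password spray = failures spread over >= threshold distinct accounts.
    Either pattern followed by an Accepted line is the credential-compromise signal."""
    per_src = defaultdict(lambda: {"fails": defaultdict(int), "success": set()})
    for line in auth_log:
        m = AUTH_RE.search(line)
        if not m:
            continue  # unrelated log line
        outcome, user, src = m.groups()
        if outcome == "Failed":
            per_src[src]["fails"][user] += 1
        else:
            per_src[src]["success"].add(user)
    findings = {}
    for src, data in per_src.items():
        fails = data["fails"]
        if sum(fails.values()) < fail_threshold:
            continue  # a typo or two from a legitimate user
        if max(fails.values()) >= fail_threshold:
            pattern = "brute_force"
        elif len(fails) >= fail_threshold:
            pattern = "password_spray"
        else:
            continue
        findings[src] = {"pattern": pattern, "compromised": sorted(data["success"])}
    return findings


if __name__ == "__main__":
    print(beacon_candidates(CONN_LOG))
    print(classify_auth(AUTH_LOG))
```

On the sample data only the 10.0.0.5 pair is flagged as a beacon (60 s period, under 3% jitter); 192.0.2.10 is classified as brute force with alice's account compromised, 192.0.2.77 as a password spray that succeeded against dave, and erin's single failure is ignored. In production the thresholds would be tuned per environment exactly as the detection-tuning bullet above describes.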
Domain 2: Vulnerability Management
- Credentialed (authenticated) scans log into the host for deeper visibility into installed patches and configurations and produce far fewer false positives than uncredentialed scans.
- CVSS is a standardized 0-10 severity score (Base, Temporal, Environmental metrics); use it as a starting point, not the sole driver of remediation order.
- A CVE is a single disclosed vulnerability instance with a unique ID; a CWE is the category or class of weakness (e.g., CWE-79 cross-site scripting) that the CVE is an instance of.
- Risk-based prioritization combines CVSS with threat context: EPSS estimates exploitation probability and the CISA KEV catalog flags vulnerabilities known to be actively exploited in the wild.
- A zero-day is a flaw unknown to the vendor or lacking a patch, leaving no fix available while attackers may already be exploiting it.
- When a patch is not yet available, apply compensating controls (network segmentation, WAF rules, disabling the vulnerable feature) to reduce risk until remediation.
- Asset inventory underpins everything: you cannot scan or protect what you do not know exists, so discovery defines scan scope and prioritization coverage.
- Validate findings against asset and configuration context to weed out false positives, and always run a rescan/verification scan after patching to confirm the fix.
- SAST analyzes source code without running it (shift-left, early in the SDLC); DAST tests the running application from the outside; IAST instruments the app during testing.
- Reduce scan impact on production: stagger scan windows by asset group during off-peak hours, throttle concurrency, and use non-intrusive passive or low-impact scans for fragile systems.
- Scan base/container images once in the CI/CD pipeline (shift-left) and reuse results, and use agentless or snapshot-based scanning for ephemeral and immutable cloud assets.
- Apply a risk-based scan cadence: frequent scans for dynamic, internet-facing, high-risk assets and less frequent scans for stable, low-risk internal systems.
- Track accepted-risk and exception records plus documented false positives so the same findings are not re-triaged every cycle.
- Standardized golden/hardened images shrink the number of unique configurations to patch and shorten remediation time across the fleet.
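The risk-based prioritization described in this domain (CVSS as the starting point, CISA KEV and EPSS as threat context, asset exposure and criticality as business context), as an added example that is not from the guide. The findings, asset names and `VULN-*` labels are constructed placeholders rather than real CVE identifiers, and the tier rules and tie-break weights are this example's own assumptions, not a CompTIA or CISA formula.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder label for this example, not a real CVE identifier
    asset: str
    cvss: float           # CVSS v3.1 base score, 0-10
    epss: float           # EPSS: estimated probability of exploitation in the next 30 days, 0-1
    in_kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalog
    internet_facing: bool
    criticality: int      # asset criticality: 1 low, 2 medium, 3 crown jewel


# Constructed findings. Note VULN-A has the highest CVSS but no threat context.
FINDINGS = [
    Finding("VULN-A", "db-internal-01", 9.8, 0.02, False, False, 1),
    Finding("VULN-B", "vpn-edge-01",    7.5, 0.90, True,  True,  3),
    Finding("VULN-C", "www-prod-02",    8.1, 0.60, False, True,  2),
    Finding("VULN-D", "www-prod-02",    5.3, 0.01, False, True,  1),
    Finding("VULN-E", "api-gw-01",      9.1, 0.05, False, True,  3),
]


def triage_tier(f):
    """Ordered rules: known exploitation beats exploitation probability beats raw CVSS,
    and exposure decides between adjacent tiers. Thresholds are assumptions."""
    if f.in_kev:
        return "P1"
    if f.epss >= 0.5 and f.cvss >= 7.0:
        return "P1" if f.internet_facing else "P2"
    if f.cvss >= 9.0 and f.internet_facing:
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def priority_score(f):
    """Tie-breaker within a tier; the weights are this example's assumptions."""
    score = f.cvss + 3.0 * f.epss + 0.5 * (f.criticality - 1)
    if f.in_kev:
        score += 4.0
    if f.internet_facing:
        score += 1.5
    return round(score, 2)


def prioritize(findings):
    return sorted(findings, key=lambda f: (triage_tier(f), -priority_score(f)))


def remediation_queue(findings):
    """Return [(vuln_id, tier, score)] in the order a remediation team should work it."""
    return [(f.vuln_id, triage_tier(f), priority_score(f)) for f in prioritize(findings)]


if __name__ == "__main__":
    for row in remediation_queue(FINDINGS):
        print(row)
```

Run on the constructed data the queue is VULN-B, VULN-C, VULN-E, VULN-A, VULN-D: the KEV-listed 7.5 on the VPN edge goes first, and the internal CVSS 9.8 with a 2% EPSS lands in P3 behind two lower-scored but exposed findings, which is exactly the outcome a CVSS-only sort would get wrong.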
Domain 3: Incident Response and Management
- The NIST SP 800-61 incident response lifecycle is: Preparation, then Detection and Analysis, then Containment/Eradication/Recovery, then Post-Incident Activity (lessons learned).
- Containment limits the spread and impact of an incident before eradication and recovery; it can be short-term (isolate now) or long-term (apply temporary fixes while keeping operations running).
- Common containment actions include disabling compromised accounts (usermod -L -e 1 user, then pkill -KILL -u user: locking the password alone does not end active sessions and, on PAM-based systems, still allows SSH key logins, so also expire the account and terminate its sessions), blocking malicious IPs/domains (iptables -A OUTPUT -d 203.0.113.7 -j DROP), and isolating cloud instances by swapping to a quarantine security group.
- Eradication removes the threat (malware, attacker accounts, persistence mechanisms) from the environment, while recovery restores systems to normal operation and monitors for recurrence.
- Chain of custody documents who handled evidence, when, and how, preserving integrity and admissibility; gaps can render evidence unusable in court.
- Hash acquired forensic images (sha256sum sdb.img > sdb.img.sha256) to prove integrity, and use write-blockers when imaging to prevent altering the source.
- Bit-for-bit forensic imaging captures whole disks (e.g., dd if=/dev/sdb of=/mnt/evidence/sdb.img bs=4M conv=noerror,sync status=progress, so a bad sector is padded rather than aborting the copy; forensic variants such as dc3dd or dcfldd hash the image while acquiring it); collect volatile memory before powering off, following order of volatility.
- Define severity tiers so low-risk, well-understood alerts get automated cleanup/quarantine via playbooks while high-risk incidents trigger full investigation and reimaging.
- A communication plan covers internal teams, leadership, legal, and any external/regulatory parties, with predefined contacts and escalation paths.
- Mean Time to Respond/Recover (MTTR) is a key IR metric; trend it across incidents to measure whether process and automation improvements are working.
- Tested IR playbooks plus regular tabletop exercises ensure responders act quickly and consistently under pressure rather than improvising during a live incident.
- Move forensic images to low-cost immutable archive storage under a defined retention policy with verified hashes and a documented chain of custody.
- SOAR playbooks can automate evidence capture and hash recording so artifact integrity is preserved without manual error during triage and containment.
- Post-incident (lessons learned) activity analyzes what happened, what worked, and what failed, then feeds updates back into detection rules, controls, and playbooks.
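The evidence-integrity steps from this domain (hash the acquired image, keep a chain-of-custody record, re-verify after every hand-off and before archive) carried through as an added example; this code is not from the guide or from any forensic tool. The image is a constructed byte string standing in for a dd acquisition, the analyst names are made up, and the JSON-lines custody format is this example's own choice. The sidecar file uses the `sha256sum` output format so the image can later be checked with `sha256sum -c`.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # read in 4 MiB pieces so a multi-GB image never has to fit in RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sidecar(image_path):
    """Write <image>.sha256 in sha256sum format ("<hex>  <name>") for later `sha256sum -c`."""
    digest = sha256_file(image_path)
    with open(image_path + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(image_path)}\n")
    return digest


def read_sidecar(image_path):
    with open(image_path + ".sha256") as fh:
        return fh.read().split()[0]


def log_custody(custody_path, image_path, actor, action, digest):
    """Append one JSON-lines entry: who, when (UTC), what, and the hash at that moment."""
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "artifact": os.path.basename(image_path), "sha256": digest}
    with open(custody_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, custody_path, actor):
    """Re-hash and compare with the sidecar. The check is logged either way, so a
    failed verification becomes part of the custody record instead of disappearing."""
    expected = read_sidecar(image_path)
    actual = sha256_file(image_path)
    ok = actual == expected
    log_custody(custody_path, image_path, actor, "verify-ok" if ok else "VERIFY-FAILED", actual)
    return ok


def read_custody(custody_path):
    with open(custody_path) as fh:
        return [json.loads(line) for line in fh if line.strip()]


def demo(workdir=None):
    """Acquire -> hash -> hand off -> verify -> simulate a stray write -> verify again."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    image = os.path.join(workdir, "sdb.img")
    custody = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as fh:              # constructed stand-in for a dd image
        fh.write(b"\x00" * 1024 + b"EVIDENCE" + b"\xff" * 1024)
    digest = write_sidecar(image)
    log_custody(custody, image, "analyst-1", "acquired", digest)
    first_ok = verify_image(image, custody, "analyst-2")   # hand-off check
    with open(image, "r+b") as fh:              # what a missing write-blocker looks like
        fh.seek(1024)
        fh.write(b"CHANGED!")
    second_ok = verify_image(image, custody, "analyst-2")
    return {"first_ok": first_ok, "second_ok": second_ok, "custody": read_custody(custody)}


if __name__ == "__main__":
    result = demo()
    print(result["first_ok"], result["second_ok"])
    for entry in result["custody"]:
        print(entry)
```

The first verification passes and the second fails after eight bytes are overwritten, and the custody log ends with a VERIFY-FAILED entry carrying the new hash, which is the record an investigator needs to explain the gap. In practice the sidecar and custody log live on separate, write-once storage from the image itself.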
Domain 4: Reporting and Communication
- Root cause analysis identifies the underlying cause so corrective actions prevent recurrence, rather than just fixing the immediate symptom.
- Tailor reporting to the audience: executives need business impact, risk, and cost-to-remediate, while the SOC needs IOCs, TTPs, and concrete remediation steps.
- Mean Time to Detect (MTTD) measures how long threats dwell before discovery; a fast MTTR paired with a long MTTD still means attackers operated undetected for the entire dwell time, so a good response number does not by itself mean the environment was well defended.
- MTTD and MTTR drive different fixes: detection gaps need better telemetry and rules, while response gaps need improved process and playbook automation.
- Express vulnerability risk in business terms and trends (risk reduction over time, exposure of internet-facing critical assets) tied to decisions, not raw technical vulnerability counts.
- Present prioritized remediation options with estimated impact, likelihood, and cost-to-remediate so leadership can make risk-based decisions.
- Stakeholder identification and escalation criteria ensure legal, leadership, and regulators are engaged consistently and within required notification timeframes once severity thresholds are met.
- For breach notification, the regulatory clock typically starts at discovery/awareness of the incident, not when full scope is confirmed (e.g., GDPR's 72-hour requirement).
- Automate dashboards and reports from authoritative data sources on a schedule to reduce manual effort and keep metrics consistent and timely.
- Track security KPIs/KRIs over time: open critical vulnerabilities, MTTD/MTTR, incident counts, and risk reduction trends rather than point-in-time snapshots.
- Demonstrate automation value by comparing before/after analyst hours per incident and improved MTTR following playbook implementation.
- CLI and API tooling supports reporting, e.g. jq -r '.[].severity' scan.json | sort | uniq -c to tally findings by severity, and curl -X POST -H "Content-Type: application/json" -d @summary.json "$WEBHOOK_URL" to push incident summaries to a webhook (the URL is whatever endpoint your ticketing or chat integration exposes).
- Retain reports and supporting evidence according to defined retention and regulatory requirements rather than deleting or keeping data indefinitely.
- Effective incident reports include timeline, scope, impact, root cause, actions taken, and recommendations so stakeholders understand both what happened and what changes next.
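The MTTD/MTTR metrics, their month-over-month trend and the jq-style severity tally from this domain, as an added example rather than code from the guide. The incident records, timestamps and scanner JSON are constructed for illustration; `started` is assumed to be the earliest attacker activity established by the investigation (not the ticket-open time), since MTTD is meaningless if it is measured from when someone noticed.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed incident records in ISO-8601 UTC. "started" is the earliest attacker activity
# the investigation established; "detected" is when the SOC first raised the incident.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-04-01T00:00:00", "detected": "2024-04-03T00:00:00",
     "recovered": "2024-04-03T06:00:00"},
    {"id": "INC-2", "started": "2024-04-10T12:00:00", "detected": "2024-04-10T14:00:00",
     "recovered": "2024-04-10T20:00:00"},
    {"id": "INC-3", "started": "2024-05-02T08:00:00", "detected": "2024-05-02T09:00:00",
     "recovered": "2024-05-02T12:00:00"},
    {"id": "INC-4", "started": "2024-05-15T00:00:00", "detected": "2024-05-15T00:30:00",
     "recovered": "2024-05-15T02:30:00"},
]


def _hours(earlier, later):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def incident_metrics(incidents):
    """MTTD = mean(detected - started); MTTR = mean(recovered - detected); both in hours."""
    n = len(incidents)
    mttd = sum(_hours(i["started"], i["detected"]) for i in incidents) / n
    mttr = sum(_hours(i["detected"], i["recovered"]) for i in incidents) / n
    return {"count": n, "mttd_h": round(mttd, 2), "mttr_h": round(mttr, 2)}


def monthly_trend(incidents):
    """Bucket by the month of detection so the trend line matches the SOC's own calendar."""
    by_month = defaultdict(list)
    for i in incidents:
        by_month[i["detected"][:7]].append(i)
    return {month: incident_metrics(rows) for month, rows in sorted(by_month.items())}


def executive_summary(incidents):
    """Business-facing view: percentage change between the first and latest month,
    which is the 'are our investments working' question leadership actually asks."""
    trend = monthly_trend(incidents)
    months = list(trend)
    first, last = trend[months[0]], trend[months[-1]]

    def pct(before, after):
        return round((after - before) / before * 100, 1)

    return {"from": months[0], "to": months[-1],
            "mttd_change_pct": pct(first["mttd_h"], last["mttd_h"]),
            "mttr_change_pct": pct(first["mttr_h"], last["mttr_h"])}


# Constructed scanner output, the kind of file the jq one-liner in the bullet above reads.
SCAN_JSON = json.dumps([
    {"asset": "www-prod-02", "severity": "critical"},
    {"asset": "www-prod-02", "severity": "high"},
    {"asset": "db-internal-01", "severity": "high"},
    {"asset": "api-gw-01", "severity": "medium"},
])


def severity_counts(scan_json_text):
    """SOC-facing tally, equivalent to: jq -r '.[].severity' scan.json | sort | uniq -c"""
    return dict(Counter(f["severity"] for f in json.loads(scan_json_text)))


if __name__ == "__main__":
    print(incident_metrics(INCIDENTS))
    print(monthly_trend(INCIDENTS))
    print(executive_summary(INCIDENTS))
    print(severity_counts(SCAN_JSON))
```

On the constructed data April's MTTD of 25 h is dominated by one incident that dwelt for two days, which the overall mean hides; the monthly view shows both MTTD and MTTR falling in May, and the executive summary reports that as a 97% and 58% improvement respectively. The same incident list feeds both audiences; only the aggregation changes.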
CompTIA CySA+ (CS0-003) exam tips
- Expect performance-based questions (PBQs) early in the exam; if one is consuming too much time, flag it and return after answering the multiple-choice items so you do not run out of time across the 165-minute window.
- When a question asks what to do 'first' or 'next,' anchor to the NIST IR lifecycle and the order of volatility: containment precedes eradication, and volatile memory is collected before disk imaging.
- Differentiate the look-alike terms cold: CVE vs CWE, IOC vs IOA/TTP, SAST vs DAST, EDR vs SIEM vs SOAR, MTTD vs MTTR, and eradication vs recovery.
- For prioritization questions, pick the answer that layers threat context (CISA KEV active exploitation, then EPSS probability) and asset criticality on top of the raw CVSS score, not CVSS alone.
- Read scenario stems for the role/audience cue: 'report to executives' means business-impact and cost framing, while 'report to the SOC' means technical IOCs, TTPs, and remediation steps.
Study guide FAQ
How is the CySA+ CS0-003 exam scored and structured?
It has a maximum of 85 questions (multiple-choice plus performance-based simulations), a 165-minute time limit, and a passing score of 750 on a scale of 100-900. The four domains are weighted Security Operations 33%, Vulnerability Management 30%, Incident Response and Management 20%, and Reporting and Communication 17%.
What experience does CompTIA recommend before taking CySA+?
CompTIA recommends Security+ and Network+ knowledge plus roughly 4 years of hands-on information security or related experience. It is a DoD 8570/8140 approved baseline certification for several cybersecurity roles, so it is geared toward working analysts, not absolute beginners.
How is CySA+ different from Security+ and PenTest+?
Security+ is the foundational, entry-level certification covering broad security concepts. CySA+ is intermediate and defensive/blue-team focused on detection, analytics, vulnerability management, and incident response. PenTest+ covers the offensive/red-team side (penetration testing and ethical hacking) at a comparable level.
Does the CS0-003 certification expire, and how do I renew it?
Yes. CySA+ is valid for 3 years from the date you pass. You renew it through CompTIA's Continuing Education (CE) program by earning 60 CEUs, completing higher-level certifications, or other approved activities, which also extends other CompTIA certs on the same CE cycle.