CompTIA CySA+ (CS0-003) Study Guide

Everything on the analyst exam, in one place: the four domains and their weights, a four-week study plan, a readiness checklist you can tick off, and CVSS / framework / incident-response cheat sheets — with explained, sourced sample questions throughout.

About 15 minutes' read · Current CS0-003 exam code · Sourced to the official objectives

Exam at a glance

The CompTIA CySA+ (CS0-003) validates the hands-on analyst skills to monitor and defend systems, manage vulnerabilities, respond to incidents, and report findings to stakeholders. Here are the numbers that shape how you should study.

Questions: up to 85
Time limit: 165 minutes
Passing score: 750 on a 100–900 scale
Question types: multiple-choice (single and multiple response) plus performance-based questions (PBQs)

With up to 85 questions in 165 minutes, pacing is gentler than the entry-level exams — but the performance-based questions are heavier: you may have to read packet captures, triage scanner output, or sequence an incident-response workflow. The exam is weighted across four domains, and Security Operations (33%) and Vulnerability Management (30%) together make up almost two-thirds of the exam, so they deserve the most study time.

Domains & weighting

Where to spend your hours: a sensible split mirrors the weights — most time on Security Operations and Vulnerability Management, then Incident Response, and least on Reporting & Communication (the smallest slice, though it ties the other three together).

The four domains

What each domain covers, plus one explained, sourced sample question pulled straight from our question bank so you can see the depth the exam expects.

1. Security Operations (33%): the watch floor, covering architecture, indicators, detection tooling and threat intel

The largest domain is the day-to-day work of a SOC analyst: knowing how systems and networks are built (logging, operating-system internals, network architecture, identity and access management, encryption, and protecting sensitive data) so you recognize when something deviates from normal. You analyze indicators of potentially malicious activity across the network (beaconing, irregular peer-to-peer traffic, rogue devices), the host (unauthorized changes, processes, privilege escalation, memory artifacts), and the application (anomalous behavior, new accounts, unexpected output). You apply the right tools and techniques — packet and protocol analysis, log correlation in a SIEM, endpoint and email telemetry, DNS and IP reputation, file analysis and sandboxing — to confirm or dismiss a lead. Finally you fold in threat intelligence and threat hunting: the intelligence cycle, threat-actor TTPs and confidence levels, indicators of compromise, and forming a hypothesis to hunt proactively rather than waiting for an alert. Closing the loop, process improvement standardizes and streamlines operations through automation and orchestration (SOAR) and tool integration toward a single pane of glass.

Key topics: system and network architecture · logging and identity/access · network, host and application indicators · packet and log analysis (SIEM) · sandboxing and reputation · threat intelligence cycle · threat hunting and TTPs · automation and SOAR

Sample question · Domain 1, objective 1.2 (indicators of malicious activity) · two sources, cited below

Reviewing a firewall log, an analyst sees one internal host opening an outbound HTTPS session to the same external IP at near-identical 60-second intervals, every hour of the day, each carrying a small uniform payload. Which activity does this pattern most strongly indicate?

A. Command-and-control beaconing from a compromised host. Correct: regular, low-and-slow callbacks to one external address at a fixed interval with uniform payloads are the textbook signature of malware checking in with its C2 server.
B. A volumetric DDoS attack against the external IP. Wrong (volume): a flood would generate massive bursts of traffic from many sources, not a single host sending a tiny payload once a minute on a steady schedule.
C. Normal NTP time synchronization with a public server. Wrong (service): NTP runs over UDP/123, not HTTPS, and a synchronized client backs its poll interval off toward 1024 seconds; a round-the-clock stream of encrypted TCP/443 sessions at a fixed 60 seconds does not fit.
D. A misconfigured backup job pushing data to the cloud. Wrong (profile): a backup would transfer large, variable volumes during a window, not identical small payloads at a metronomic interval around the clock.
MITRE ATT&CK T1071 — Application Layer Protocol (C2 over web protocols) · CISA guidance on detecting beaconing via regular interval analysis.
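The interval analysis this question rests on, as an added example that is not part of the question bank or of any CISA or MITRE tooling: it parses constructed firewall-style log lines, groups connections by source, destination and port, and flags pairs whose gaps between connections and payload sizes barely vary. The key=value log format, the hosts and addresses, and the jitter thresholds are all assumptions; a real firewall export needs its own parser and tuned thresholds.

```python
"""Beacon detection by interval regularity over constructed firewall log lines.

Added example for this study guide; the log format and addresses are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Assumed key=value export format; adapt the regex to your firewall's syslog.
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport, bytes) or None for unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dport"]), int(m["bytes"])


def coefficient_of_variation(values):
    """Population stdev divided by mean: 0 means perfectly regular. None if mean is 0."""
    mean = statistics.mean(values)
    return None if mean == 0 else statistics.pstdev(values) / mean


def find_beacons(lines, min_events=8, max_interval_cv=0.10, max_size_cv=0.10):
    """Flag (src, dst, dport) flows whose inter-connection gaps and payload sizes are
    both nearly constant. The thresholds are assumed starting points, not tuned values."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport, size = rec
            flows[(src, dst, dport)].append((ts, size))

    hits = []
    for (src, dst, dport), events in flows.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(later - earlier).total_seconds()
                for (earlier, _), (later, _) in zip(events, events[1:])]
        sizes = [size for _, size in events]
        interval_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv is None or size_cv is None:
            continue
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "events": len(events),
                "median_interval_s": statistics.median(gaps),
                "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3),
            })
    return sorted(hits, key=lambda h: h["interval_cv"])


def constructed_log():
    """Constructed sample: 10.0.0.5 calls 203.0.113.7:443 about every 60 s with
    412/415-byte payloads; 10.0.0.9 browses 198.51.100.20:443 irregularly."""
    start = datetime(2024, 5, 2, 10, 0, 0)
    lines = []
    t = start
    for i, gap in enumerate([60, 61, 59, 60, 60, 62, 58, 60, 61, 60, 59, 60]):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()}Z src=10.0.0.5 dst=203.0.113.7 dport=443 "
                     f"bytes={412 + 3 * (i % 2)}")
    t = start
    for gap, size in zip([3, 120, 7, 900, 2, 45, 600, 15, 300, 8],
                         [1480, 230, 9800, 512, 3300, 76, 20000, 640, 1200, 4100]):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()}Z src=10.0.0.9 dst=198.51.100.20 dport=443 bytes={size}")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for hit in find_beacons(constructed_log()):
        print(hit)
```

Treat a hit as a lead, not a verdict: update checkers, telemetry agents and NTP also call home on a schedule, so the next pivot is destination reputation, the TLS certificate or SNI, and the process that owns the socket on the host. Real implants add jitter on purpose, so in production widen `max_interval_cv` and look at the whole distribution of gaps rather than a single cut-off.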
2. Vulnerability Management (30%): the backlog, covering scanning, reading output, prioritizing and mitigating

The second-largest domain is the full lifecycle of finding and fixing weaknesses. You choose the right scanning method for the situation: asset discovery first, then internal vs external, credentialed vs non-credentialed, agent vs agentless, passive vs active, and static vs dynamic analysis (SAST, DAST, IAST), plus software composition analysis and an SBOM for third-party code. You analyze tool output from network mappers, web-application scanners (Burp Suite, OWASP ZAP), and vulnerability scanners (Nessus, OpenVAS), validating findings to separate true positives from false positives. The hardest skill is prioritization: a CVSS base score alone is not a priority — you weigh exploitability and weaponization, asset value and context, zero-day status, the EPSS probability of exploitation, and whether a CVE sits in the CISA Known Exploited Vulnerabilities (KEV) catalog. Then you recommend controls for classes like injection, cross-site scripting, broken access control, and cryptographic failures, and manage the response with patching, configuration and change management, compensating controls, maintenance windows, exceptions, and an explicit risk decision to mitigate, transfer, avoid, or accept.

Key topics: asset discovery and scan scoping · credentialed, agent-based and active scans · SAST, DAST, SCA and SBOM · reading scanner output · CVSS base, temporal and environmental metrics · EPSS and CISA KEV · mitigation by vulnerability class · patching, exceptions and risk decisions

Sample question · Domain 2, objective 2.3 (prioritizing vulnerabilities) · two sources, cited below

An analyst must sequence two findings on internet-facing servers. CVE-A has a CVSS base of 9.1 with no known exploitation; CVE-B has a CVSS base of 7.5 but is listed in CISA's KEV catalog and has a high EPSS score. With equal asset value, which should be remediated first and why?

A. CVE-A, because its higher CVSS base score signals greater severity. Base score is not priority: CVSS base measures intrinsic severity, not likelihood of attack, so a higher base score does not outrank evidence that the other flaw is being exploited right now.
B. CVE-B, because confirmed active exploitation and high EPSS raise real-world risk. Correct: a KEV listing means CISA has evidence of active exploitation in the wild, and a high EPSS reinforces near-term likelihood; that real risk is what prioritization should optimize for.
C. Neither; wait for the vendor to raise CVE-B's CVSS base above 9.0 first. Dangerous delay: holding a known-exploited, internet-facing flaw to chase a higher CVSS number ignores the active-threat signal that should drive urgent action.
D. CVE-A, because EPSS and KEV are vendor marketing and not authoritative. False claim: EPSS is a published, data-driven model maintained by a FIRST special interest group, and KEV is a U.S. government catalog of CVEs with evidence of exploitation; both are authoritative inputs, not marketing.
CISA BOD 22-01 and the Known Exploited Vulnerabilities catalog (binding remediation deadlines for U.S. federal civilian agencies, and a priority signal for everyone else) · FIRST EPSS (probability that a CVE is exploited in the next 30 days).
3. Incident Response and Management (20%): the response, covering frameworks and the full IR lifecycle

This domain is how you act once activity is confirmed malicious. You use attack methodology frameworks to structure your thinking: the Cyber Kill Chain's staged progression, the Diamond Model of Intrusion Analysis (adversary, capability, infrastructure, victim), the MITRE ATT&CK matrix of real-world tactics and techniques, and the OWASP testing guidance for application attacks. You then carry out the incident-response activities that mirror the NIST SP 800-61 lifecycle — detection and analysis (correlating indicators, acquiring and preserving evidence, determining scope and impact), then containment, eradication, and recovery (isolating affected systems, removing the foothold, re-imaging, and restoring to known-good). Wrapping the lifecycle are preparation (an IR plan, playbooks, tooling, training, and business-continuity / disaster-recovery readiness) and post-incident activity (forensic and root-cause analysis plus a blameless lessons-learned review that feeds improvements back into preparation).

Key topics: Cyber Kill Chain · Diamond Model · MITRE ATT&CK · detection and analysis · evidence acquisition · containment, eradication and recovery · preparation and playbooks · root cause and lessons learned

Sample question · Domain 3, objective 3.2 (IR lifecycle phases) · two sources, cited below

After isolating an infected workstation from the network, the team wipes the disk, rebuilds it from a trusted image, and reinstalls patched software to ensure no attacker persistence remains. Which phase of the NIST incident-response lifecycle does this work belong to?

A. Containment, because disconnecting the host stops the spread. Prior phase: containment is the step that already limited the damage by isolating the host; wiping and rebuilding goes beyond simply stopping spread.
B. Eradication, because rebuilding removes the malware and any persistence. Correct: eradication eliminates the components of the incident; re-imaging and reinstalling clean, patched software removes the malware and any footholds the attacker left behind.
C. Recovery, because the workstation will return to service. Next phase: recovery is the subsequent step of validating and returning systems to production; removing the threat itself is eradication, not recovery.
D. Post-incident activity, because the response is essentially finished. Wrong stage: post-incident activity is the lessons-learned review after the incident closes, not the hands-on removal of malware while response is still under way.
NIST SP 800-61 — Computer Security Incident Handling Guide (Containment, Eradication & Recovery phase) · MITRE ATT&CK (persistence techniques the rebuild removes).
4. Reporting and Communication (17%): the hand-off, covering vulnerability and IR reporting, stakeholders and metrics

The smallest domain is also the one that makes the other three matter to the business: turning analysis into clear, actionable communication. For vulnerability management reporting you translate raw scores into context-aware risk, recommend action (patch, compensating control, or accept), and tailor the message to each stakeholder — while naming the real inhibitors to remediation such as SLAs and MOUs, organizational governance, legacy or proprietary systems, business-process interruption, and degrading functionality. For incident-response reporting you identify stakeholders, handle declaration and escalation, and write a report that covers the who / what / when / where / why, the timeline, scope, impact, evidence, and recommendations — coordinating with legal, public relations, and regulatory or law-enforcement bodies as required. Underpinning both are root-cause analysis, lessons learned, and metrics/KPIs like mean time to detect (MTTD) and mean time to respond (MTTR) that quantify program performance and prove improvement over time.

Key topics: vulnerability reporting and context · action recommendations · inhibitors to remediation · stakeholder identification · incident declaration and escalation · IR report structure · legal, PR and regulatory communications · metrics and KPIs (MTTD, MTTR)

Sample question · Domain 4, objective 4.2 (metrics and KPIs) · two sources, cited below

A SOC manager wants a single KPI that captures how quickly the team moves from first detecting an incident to fully responding to and resolving it, so leadership can track response efficiency over the quarter. Which metric best fits?

A. Mean time to detect (MTTD). Detection only: MTTD measures how long it takes to notice an incident, not the speed of the response that follows, so it misses the resolution side the manager cares about.
B. Mean time to respond (MTTR). Correct: MTTR captures the average time from detection to a contained or resolved incident, directly quantifying response efficiency, which is exactly the KPI leadership wants to trend. Define the start and end points in the report, since the same initials are also used for mean time to recover or repair.
C. Number of tickets opened per analyst. Not timing: ticket volume reflects workload, not how fast incidents are handled; a high or low count says nothing about response speed or quality.
D. Total count of CVEs in the vulnerability backlog. Wrong domain: backlog size is a vulnerability-management measure unrelated to incident-response timing, so it cannot track how quickly the team responds.
NIST SP 800-61 — incident-handling metrics (time to respond/recover) · CompTIA CS0-003 Obj 4.2 lists MTTD and MTTR as core incident-response KPIs.

A 4-week study plan

A realistic schedule at roughly 10–12 hours per week. Adjust to your experience — but keep the heaviest weeks on Security Operations and Vulnerability Management, since they're the two biggest slices of the exam.

Week 1
Security Operations (Domain 1)

System and network architecture, logging and IAM, then the indicators of malicious activity on network, host, and application — and the tools (SIEM, packet/log analysis, sandboxing, reputation) that confirm them. Add the threat-intel cycle and threat hunting. This is a third of the exam.

Week 2
Vulnerability Management (Domain 2)

Scan types (credentialed/agent/active, SAST/DAST/SCA/SBOM), reading Nessus/Burp/ZAP output, and the prioritization stack: CVSS base/temporal/environmental, EPSS, and the CISA KEV catalog. Practice recommending the right control per vulnerability class.

Week 3
Incident Response & Reporting (Domains 3–4)

Attack frameworks (Kill Chain, Diamond Model, MITRE ATT&CK) and the NIST 800-61 lifecycle — detection, containment, eradication, recovery, and post-incident. Then reporting: stakeholders, IR report structure, inhibitors to remediation, and KPIs (MTTD, MTTR).

Week 4
Full tests & weak-spot drilling

Take full practice tests under timed conditions, use the per-domain breakdown to find weak areas, and re-drill them — especially the performance-based skills of reading logs and triaging scanner output. Keep the last days light.

Read the output, not just the theory. CySA+ is an analyst exam — the questions hinge on interpreting real logs, captures, and scanner reports. When you miss one, read why each wrong option is wrong; that's where the real learning is.

Readiness checklist

Tick off each topic as it clicks. The checklist follows the four domains: Domain 1 · Security Operations, Domain 2 · Vulnerability Management, Domain 3 · Incident Response and Management, and Domain 4 · Reporting and Communication.

Cheat sheet

The reference tables worth memorizing cold — CVSS severity, the prioritization stack, attack frameworks, scan types, and the incident-response lifecycle. Bookmark this.

CVSS v3.1 severity ratings

Rating   | Base score range | What it tells you
None     | 0.0              | No measurable impact
Low      | 0.1 – 3.9        | Limited impact or hard to exploit
Medium   | 4.0 – 6.9        | Moderate impact; remediate on schedule
High     | 7.0 – 8.9        | Serious; expedite remediation
Critical | 9.0 – 10.0       | Severe; treat as urgent
The CVSS base metric is intrinsic severity; temporal adjusts for exploit maturity and fixes; environmental tailors it to your asset. A base score is a starting point — not a priority.

The prioritization stack

Input                          | Question it answers                          | Source
CVSS                           | How severe is the flaw if exploited?         | FIRST.org
EPSS                           | How likely is it to be exploited soon?       | FIRST EPSS model
CISA KEV                       | Is it being exploited in the wild right now? | CISA catalog (BOD 22-01)
Asset value / context          | How much does this system matter to us?      | Your business context
Exploitability / weaponization | Does a working, weaponized exploit exist?    | Threat intel

Attack methodology frameworks

Framework            | Core idea                                                  | Best for
Cyber Kill Chain     | Seven linear stages from recon to actions on objectives    | Describing an attack's progression
Diamond Model        | Adversary · Capability · Infrastructure · Victim           | Correlating intrusions and attribution
MITRE ATT&CK         | Matrix of real-world tactics and techniques (TTPs)         | Mapping behavior to detections
OWASP Testing Guide  | Methodology for testing web-application security           | Application-layer assessment

Scan types at a glance

Choice                          | Trade-off
Credentialed vs non-credentialed | Logged-in scans see deeper configuration detail; non-credentialed scans mimic an outside attacker's view
Agent vs agentless               | Agents cover roaming and intermittently connected hosts and report when they reconnect; agentless avoids installing software
Active vs passive                | Active scanning probes targets (and can disrupt them); passive scanning only observes traffic (no impact, but sees only what talks)
Internal vs external             | The inside view finds lateral-movement risk; the outside view shows the exposed attack surface
SAST vs DAST                     | Static analysis reads source code at rest; dynamic analysis tests the running application

NIST SP 800-61 incident-response lifecycle

Phase                                | What happens
Preparation                          | IR plan, playbooks, tooling, training, and BC/DR readiness before anything happens
Detection & Analysis                 | Correlate indicators, validate the incident, acquire evidence, scope the impact
Containment, Eradication & Recovery  | Isolate affected systems, remove the foothold, re-image, and restore to known-good
Post-Incident Activity               | Root-cause and forensic analysis, blameless lessons learned, feed back into preparation
The exam objectives follow this four-phase lifecycle from SP 800-61 Rev. 2. Rev. 3 (2025) reorganizes incident response around the NIST Cybersecurity Framework 2.0 functions, so check which edition a reference means before you memorize phase names from it.

Frequently asked questions

How many questions is the exam, and how long?
Up to 85 questions in 165 minutes. Expect multiple-choice (single and multiple response) plus performance-based questions — analyzing log output, triaging scanner results, and sequencing incident-response steps — which take longer, so manage your pace.
What's the passing score?
750 on a scale of 100–900. It's a scaled score, not a simple percentage, so treat ~85% on practice tests as a confident range rather than an exact cut line.
How long should I study?
CompTIA recommends Network+ and Security+ plus roughly 4 years of hands-on security experience before CySA+. With that background, most candidates need 5–8 weeks of focused study; the 4-week plan above assumes about 10–12 hours per week.
How hard is the CySA+?
It's an intermediate, analyst-focused exam. The parts most people find hardest — reading real tool output (logs, packet captures, scanner reports), prioritizing vulnerabilities with CVSS/EPSS/KEV, and mapping activity to frameworks like MITRE ATT&CK — reward hands-on practice over memorization, which is exactly what these practice tests are built for.
Are these practice questions real exam questions?
No — and that's deliberate. Every question is original, written against the public CS0-003 objectives and checked against primary sources. Real exam content is under CompTIA's NDA; using leaked "dumps" can get your certification revoked.
How this guide is sourced. Domain names and weights, the question count, time limit, passing score, and question formats are taken from CompTIA's publicly published CS0-003 exam objectives and official exam details. Every sample question is drawn from our question bank and checked against primary references (NIST, CISA, MITRE, and FIRST), with the source shown on each. This is an independent study resource — certpracticelab is not affiliated with or endorsed by CompTIA.
  • CompTIA — CySA+ (CS0-003) certification & exam details · comptia.org
  • NIST — Computer Security Resource Center glossary & publications · csrc.nist.gov
  • CISA — Known Exploited Vulnerabilities catalog · cisa.gov
