Career Employer

FREE CompTIA CySA+ Study Guide 2026 (CS0-003)

The most important things the CompTIA CySA+ CS0-003 exam tests — an interactive study guide with built-in quizzes and flashcards, organized by all 4 official domains.


This free CompTIA CySA+ study guide covers every domain the current CS0-003 exam tests, organized to CompTIA’s official exam objectives.[2] CySA+ is the analyst-level cybersecurity certification — it validates the hands-on skills of a Security Operations Center: using behavioral analytics to detect threats, managing vulnerabilities, hunting adversaries, and responding to and reporting on incidents.

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, diagrams, flashcards, and practice questions, so you learn by doing — not just reading.

The CySA+ CS0-003 exam has four domains, and we teach each one as its own module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official objectives — not a full security-analyst textbook.

CompTIA CySA+ is one of the 14 CompTIA certifications — explore our CompTIA study guides to compare and prep across the whole family.

CySA+ (CS0-003) Exam Snapshot

CompTIA CySA+ CS0-003 exam at a glance
Detail | CySA+ (CS0-003)
Questions | Maximum of 85
Format | Multiple-choice + performance-based questions (PBQs)
Time | 165 minutes
Passing score | 750 on a 100–900 scale (scaled scoring)
Exam code | CS0-003 (current version)
Delivered by | Pearson VUE (test center or online proctored)
Certifying body | CompTIA
Recommended prep | Network+ and Security+ plus ~4 years of hands-on security experience (recommended, not required)
Cost | ≈ $404 USD (single voucher, U.S., 2026)
Valid for | 3 years; renew with 60 CEUs (CompTIA CE program)

Two domains dominate. Security Operations (33%) and Vulnerability Management (30%) together are 63% of the exam, so invest there first.[2] Study by weight:

CySA+ CS0-003 weighting by domain (CompTIA exam objectives)
Domain | Weight
1.0 Security Operations | 33% (largest domain)
2.0 Vulnerability Management | 30%
3.0 Incident Response & Management | 20%
4.0 Reporting & Communication | 17%

Module 1 · Security Operations

Domain 1.0 — 33% of the exam, the single largest domain. This is the heart of the analyst role: understanding the environment you defend, recognizing malicious activity in it, wielding the tools that surface that activity, and using threat intelligence to hunt for what slipped past your detections. Spend the most time here.

1.1 Architecture, Logging & IAM

You can’t analyze what you don’t understand. Know the building blocks: on-premises vs. cloud vs. hybrid architectures, network segmentation (and microsegmentation), zero trust (“never trust, always verify”), SASE, and software-defined networking. On the identity side, IAM, encryption, and protecting sensitive data set the context for every alert you triage.[6]

Logging is the analyst’s raw material. You ingest logs from firewalls, endpoints, DNS, web servers, and the OS — then correlate them. Operating-system concepts (processes, the registry, file systems, the Windows event log vs. Linux syslog) tell you what “normal” looks like so you can spot the abnormal.

Common log sources and what they reveal
Log source | What it tells an analyst
Firewall / NetFlow | Allowed/blocked connections, beaconing, data exfiltration volume
DNS logs | Lookups to malicious or newly registered domains; DNS tunneling
Endpoint / EDR | Process execution, persistence, lateral movement on a host
Authentication logs | Brute force, impossible-travel logins, privilege misuse
Web server logs | Injection attempts, scanning, suspicious user agents
Email gateway | Phishing, spoofing, malicious attachments (with SPF/DKIM/DMARC results)

1.2 Analyzing Malicious Activity

The core skill: given indicators, identify the attack. Know the network-related attacks (scanning, on-path/man-in-the-middle, DoS/DDoS, DNS and ARP poisoning), host-related signs (unexpected processes, persistence, privilege escalation, malware), and application-related attacks (SQL injection, cross-site scripting, directory traversal). Layer in social engineering (phishing and its variants) and obfuscated or malicious code.

Detection comes in flavors. Signature-based detection matches known patterns (precise, but blind to new threats); anomaly-based detection flags deviations from a baseline (catches the unknown, but generates noise). An indicator of compromise (IoC) is the forensic breadcrumb — a malicious hash, IP, domain, or beaconing pattern — you collect to detect and scope an intrusion.

Detection methods compared
Method | How it works | Trade-off
Signature-based | Matches known patterns (hashes, rules, byte sequences) | Precise on known threats; blind to novel ones
Anomaly-based | Flags deviation from a defined baseline | Catches unknowns; needs a good baseline
Behavioral analytics | Models normal user/host/network behavior | Finds insider/novel threats; can be noisy
Heuristic / sandboxing | Detonates/inspects suspicious code | Catches obfuscated malware; slower

1.3 Tools, SIEM & Scripting

Visibility is everything. A SIEM aggregates and correlates logs from across the enterprise to detect threats, generate alerts, and support investigations, but it must be tuned to avoid alert fatigue.

Add packet capture (tcpdump/Wireshark) for deep network inspection, endpoint/email/file analysis tools, and email-header analysis with SPF, DKIM, and DMARC results. Automate the repetitive work with SOAR playbooks.

CySA+ expects basic scripting literacy: you should recognize what a snippet of Python, PowerShell, shell, or JavaScript does, and read a regular expression used to hunt through logs. You won’t write production code, but you must interpret it on a PBQ.
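The scripting literacy described above, as an added example (my code, not CompTIA’s or from any tool named on this page): a regular expression parses constructed sshd authentication lines, one function flags a password-guessing burst that ends in a successful login (the brute-force pattern from the log-source table), and another tests constructed firewall allow-log timestamps for the nearly constant intervals of a beacon. Log formats, hostnames, addresses, and the thresholds (5 failures in 60 seconds; 6+ connections with a coefficient of variation at or below 0.10) are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sshd lines in syslog format; hostnames and addresses are documentation values, not real systems.
AUTH_LOG = """\
Mar 10 09:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:04 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:06 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:08 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:00:09 web01 sshd[2221]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 09:15:42 web01 sshd[2301]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 10 09:15:50 web01 sshd[2303]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Constructed firewall allow-log: 10.0.0.25 checks in about once a minute, 10.0.0.30 browses irregularly.
FW_LOG = """\
2026-03-10T09:00:00Z ALLOW 10.0.0.25:49152 -> 203.0.113.50:443 bytes=612
2026-03-10T09:00:10Z ALLOW 10.0.0.30:50100 -> 198.51.100.80:443 bytes=14210
2026-03-10T09:00:12Z ALLOW 10.0.0.30:50101 -> 198.51.100.80:443 bytes=9802
2026-03-10T09:01:01Z ALLOW 10.0.0.25:49153 -> 203.0.113.50:443 bytes=598
2026-03-10T09:01:59Z ALLOW 10.0.0.25:49154 -> 203.0.113.50:443 bytes=620
2026-03-10T09:03:00Z ALLOW 10.0.0.25:49155 -> 203.0.113.50:443 bytes=605
2026-03-10T09:04:02Z ALLOW 10.0.0.25:49156 -> 203.0.113.50:443 bytes=611
2026-03-10T09:04:58Z ALLOW 10.0.0.25:49157 -> 203.0.113.50:443 bytes=599
2026-03-10T09:06:00Z ALLOW 10.0.0.25:49158 -> 203.0.113.50:443 bytes=607
2026-03-10T09:07:45Z ALLOW 10.0.0.30:50102 -> 198.51.100.80:443 bytes=33021
2026-03-10T09:20:03Z ALLOW 10.0.0.30:50103 -> 198.51.100.80:443 bytes=7700
2026-03-10T09:20:05Z ALLOW 10.0.0.30:50104 -> 198.51.100.80:443 bytes=12100
2026-03-10T09:33:10Z ALLOW 10.0.0.30:50105 -> 198.51.100.80:443 bytes=5400
2026-03-10T09:50:00Z ALLOW 10.0.0.30:50106 -> 198.51.100.80:443 bytes=18800
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_auth(log):
    """Return one dict per sshd login attempt; lines the pattern does not describe are skipped, not guessed."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog has no year; deltas still work
            events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source with >= threshold failures inside `window`, noting whether a success followed the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst = fails[i:j + 1]
                success = any(e["result"] == "Accepted" and e["ts"] >= burst[-1]["ts"] for e in evs)
                findings.append({"ip": ip, "failures": len(burst), "success_after": success,
                                 "users": sorted({e["user"] for e in burst})})
                break  # one finding per source is enough for triage
    return findings


def detect_beacons(log, min_conns=6, max_cv=0.10):
    """Flag (src, dst, port) tuples whose gaps between connections are nearly constant (low coefficient of variation)."""
    conns = defaultdict(list)
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m:
            conns[(m["src"], m["dst"], m["dport"])].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    beacons = []
    for (src, dst, dport), times in conns.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for f in detect_brute_force(parse_auth(AUTH_LOG)):
        print("brute force:", f)
    for b in detect_beacons(FW_LOG):
        print("beacon:", b)
```

Both detectors are anomaly-style rules over a baseline you choose: the brute-force window and the beacon variance bound are tuning knobs, and a PBQ that hands you a similar snippet is really asking whether you can read the regex and say what those thresholds do.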

Email authentication — the anti-spoofing trio
Mechanism | What it does
SPF | DNS record listing which servers may send mail for the envelope (MAIL FROM) domain
DKIM | Cryptographic signature over selected headers and the body, so tampering and forged signing domains are detectable
DMARC | Requires SPF or DKIM to pass AND align with the visible From domain; publishes the policy for failures (none, quarantine, or reject) and a reporting address
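How the trio combines, as an added example (my code, not from the page or any mail product): it parses a constructed Authentication-Results header with regular expressions, extracts the From domain, and applies DMARC alignment and the published policy. The spoofed message passes SPF and DKIM for the attacker’s own domain, so only the alignment check catches it. Headers, domains (`example.com`, `attacker.test`), the DMARC record, and the two-label organizational-domain shortcut are assumptions for illustration.

```python
import re

# Constructed messages (not from a real mail flow). The spoof reuses a trusted display From, but the
# envelope sender and DKIM signing domain belong to the attacker, so SPF and DKIM "pass" without aligning.
LEGIT = """From: Payroll <hr@example.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com header.s=sel1
Subject: March payslips
"""
SPOOF = """From: Payroll <hr@example.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mail.attacker.test;
 dkim=pass header.d=attacker.test header.s=x
Subject: Urgent: update your bank details
"""
# Constructed DMARC record as it would be published in the TXT record at _dmarc.example.com.
POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def header(raw, name):
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", unfold(raw), re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else ""


def from_domain(raw):
    """Domain of the RFC 5322 From header: the identity DMARC protects and the one the user actually sees."""
    m = re.search(r"<?[^<>\s@]+@([A-Za-z0-9.-]+)>?\s*$", header(raw, "From"))
    return m.group(1).lower() if m else ""


def auth_results(raw):
    """Pull the SPF and DKIM verdicts, and the domains they were evaluated for, out of Authentication-Results."""
    ar = header(raw, "Authentication-Results")
    spf = re.search(r"\bspf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([A-Za-z0-9.-]+)", ar)
    dkim = re.search(r"\bdkim=(\w+)\s+header\.d=([A-Za-z0-9.-]+)", ar)
    return {"spf": (spf.group(1), spf.group(2).lower()) if spf else ("none", ""),
            "dkim": (dkim.group(1), dkim.group(2).lower()) if dkim else ("none", "")}


def parse_dmarc(txt):
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def org_domain(domain):
    # Simplification: real receivers consult the Public Suffix List to find the organizational domain.
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, rfc5322_from, mode):
    """Strict (s) alignment needs an exact match; relaxed (r) accepts any subdomain of the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain == rfc5322_from
    return org_domain(auth_domain) == org_domain(rfc5322_from)


def evaluate_dmarc(raw, dmarc_txt):
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From; otherwise the p= policy applies."""
    policy = parse_dmarc(dmarc_txt)
    fd = from_domain(raw)
    res = auth_results(raw)
    spf_ok = res["spf"][0] == "pass" and aligned(res["spf"][1], fd, policy["aspf"])
    dkim_ok = res["dkim"][0] == "pass" and aligned(res["dkim"][1], fd, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {"from_domain": fd, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail", "disposition": "none" if passed else policy["p"]}


if __name__ == "__main__":
    print("legit:", evaluate_dmarc(LEGIT, POLICY))
    print("spoof:", evaluate_dmarc(SPOOF, POLICY))
```

The point to carry into the exam: `spf=pass` and `dkim=pass` on their own prove nothing about the From address; alignment is what DMARC adds, and `p=none` means a failing message is still delivered (monitoring only).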

1.4 Threat Intelligence & Threat Hunting

Threat intelligence is evidence-based knowledge about adversaries — who they are, their TTPs, and their indicators — used to drive defense. It’s produced through the threat-intelligence cycle and shared via communities (ISACs/ISAOs) and standards like STIX/TAXII.[5] Analysts assign confidence levels so consumers know how much to trust each report.

Threat hunting is the proactive, hypothesis-driven search for adversaries who slipped past your detections, before an alert fires. Hunts are focused through attack frameworks: the Cyber Kill Chain for the sequence, the Diamond Model for relationships, and MITRE ATT&CK for specific techniques.[8] A successful hunt produces new detections and reduces dwell time.

Checkpoint · Security Operations

In the context of cybersecurity, which technique is used in an IDS to detect threats based on known attack patterns?

Module 2 · Vulnerability Management

Domain 2.0 — 30% of the exam. This domain is the analyst’s second core job: finding weaknesses before attackers do, then deciding which ones actually matter. It runs as a continuous cycle — scan, analyze, prioritize, remediate, validate, report — and CVSS scoring sits at its center.

2.1 Vulnerability Scanning

Vulnerability management starts with knowing your assets: asset discovery and mapping the attack surface. Then you scan, and the way you scan changes what you see: active vs. passive, credentialed vs. non-credentialed, and agent-based vs. agentless. For code, use SAST (static), DAST (dynamic), software composition analysis for open-source components, and scan infrastructure-as-code templates.[4]

Scan types and what they trade off
Choice | Option A | Option B
Activity | Active — sends probes (thorough, can disrupt) | Passive — observes traffic (safe, incomplete)
Credentials | Credentialed — logs in (deep, fewer false positives) | Non-credentialed — outside view (attacker's-eye)
Deployment | Agent — on the host (roaming/offline assets) | Agentless — from the network (no install)
Code | SAST — static, reads source/binary | DAST — dynamic, tests the running app

2.2 Analyzing Scan Output

Scanners produce noise. Your job is to turn raw findings into reliable, prioritized work. The first filter is validation: distinguish a false positive (reported but not real or exploitable) from a false negative (a real flaw the tool missed, the more dangerous error). Validate by manual verification, correlating multiple tools, and confirming the affected version or configuration is actually present on the host.

You’ll read output from network scanners, web-application scanners, and infrastructure scanners, each keyed to CVE identifiers. The recurring mistake is treating the raw scan report as a to-do list — without context, you’ll waste effort on findings that don’t matter and miss the one that does.

Validating scan findings
Term | Meaning | Why it matters
False positive | Reported but not actually present/exploitable | Wastes analyst time; erodes trust in the tool
False negative | A real vulnerability the scanner missed | The dangerous one — leaves you exposed unknowingly
True positive | Correctly reported, confirmed vulnerability | Goes to prioritization and remediation
CVE | Public ID for one specific known vulnerability | Look up affected products, patches, and exploits

2.3 Prioritizing with CVSS

You can’t fix everything at once, so you prioritize. CVSS is the standard severity score (0.0–10.0), built in v3.1 from three metric groups: Base (intrinsic and constant), Temporal (changes as exploits and patches appear), and Environmental (tailored to your organization).[7] CVSS v4.0 (2023) renames Temporal to Threat and adds Supplemental metrics, but the bands below and the vectors you will most often read are v3.1. Either way, the score is only a starting point.

True prioritization is context-aware: combine the CVSS score with asset value, exposure (internet-facing vs. internal), criticality, and whether the vulnerability is being actively exploited or has a public exploit (a zero-day under active exploitation jumps the queue regardless of its base score; CISA’s Known Exploited Vulnerabilities catalog is the usual source for that signal).

CVSS severity bands (CVSS v3.1)
Band | Score range
None | 0.0
Low | 0.1 – 3.9
Medium | 4.0 – 6.9
High | 7.0 – 8.9
Critical | 9.0 – 10.0

2.4 Mitigating Controls & Response

Once prioritized, you recommend a fix. The cleanest is patching or reconfiguration; when that isn’t possible, apply a compensating control (e.g., segment a legacy system that can’t be patched). Either way, validate with a rescan that the finding is actually gone.

Know the high-yield flaw classes and their fixes: injection (parameterized queries), cross-site scripting (output encoding + CSP), broken access control, cryptographic failures, and buffer overflow. Vulnerability response is governed by policies, SLOs, and prioritization/escalation rules.

High-yield vulnerability classes and their fix
Vulnerability | What it is | Primary mitigation
SQL / command injection | Untrusted input runs as code | Parameterized queries + input validation
Cross-site scripting (XSS) | Injected script runs in another user's browser | Output encoding + Content Security Policy
Broken access control | Missing/flawed authorization checks | Enforce least privilege; deny by default
Cryptographic failures | Weak/missing encryption of sensitive data | Strong algorithms, proper key management, TLS
Buffer overflow | Writing past a buffer's bounds | Bounds checking, ASLR/DEP, secure coding
Unpatchable legacy system | No vendor fix available | Compensating control: segment, monitor, restrict

Checkpoint · Vulnerability Management

What is the primary purpose of a vulnerability scanner in cybersecurity?

Module 3 · Incident Response & Management

Domain 3.0 — 20% of the exam. When prevention and detection give way to a real incident, you respond — methodically. This domain covers the attack frameworks that structure your thinking, the formal response lifecycle, and the hands-on activities (scoping, evidence, forensics) that happen during a response.

3.1 Attack Frameworks

Three frameworks give you a shared language for describing an attack. The Cyber Kill Chain models the linear sequence of an intrusion; the Diamond Model maps the relationships between adversary, capability, infrastructure, and victim; and MITRE ATT&CK catalogs the specific techniques attackers use.[8] OWASP (its Testing Guide) rounds out the application side. They’re complementary, not competing.

3.2 The IR Lifecycle

CompTIA follows the NIST incident response lifecycle (SP 800-61): preparation; detection & analysis; containment, eradication & recovery; and post-incident activity (lessons learned and root cause analysis).[3] In a live incident, containment usually comes first: stop the spread before you fully eradicate and recover.

3.3 IR Activities & Forensics

During a response you perform concrete activities: detection and validation, scope determination, evidence acquisition and preservation, data and log analysis, containment and eradication, and recovery, coordinated through a communication plan and escalation path. Get the order of operations wrong and you destroy evidence (re-imaging a host before its memory and disk have been captured, for instance).

Digital forensics preserves that evidence so it stays admissible: place a legal hold, maintain a chain of custody (who handled what, and when), collect by order of volatility (memory and network state before disk), and analyze a forensic image (a hash-verified, bit-for-bit copy) rather than the original.

Digital-forensics fundamentals
Concept | What it means
Chain of custody | Documented record of every person who handled evidence and when
Order of volatility | Collect most-volatile data first (RAM, network state) before disk
Forensic image | Bit-for-bit copy, hash-verified; you analyze the copy, never the original
Legal hold | Directive to preserve relevant data once litigation/investigation is anticipated
Root cause analysis | Finding the underlying reason an incident happened, to prevent recurrence
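The two forensic controls that a PBQ is most likely to probe, as an added example (my code, not from the page, NIST, or any forensic suite): hash verification of an acquired image, and a chain-of-custody log in which each entry commits to the one before it, so that an edited, removed, or reordered handoff record fails verification. The sample bytes, case ID, handler names, and timestamps are constructed; a real acquisition would image a device through a write blocker and record the tool and its version as well.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for acquired media; a real case images the device through a write blocker.
ORIGINAL_MEDIA = b"CONSTRUCTED-DISK-IMAGE:" + bytes(range(256)) * 8


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(media):
    """Bit-for-bit copy plus the hashes of source and copy; every later step works on the copy."""
    image = bytes(media)
    return image, {"source_sha256": sha256(media), "image_sha256": sha256(image)}


def verify_image(image, record):
    """True only if the working copy still hashes to what was recorded at acquisition."""
    return sha256(image) == record["source_sha256"] == record["image_sha256"]


class CustodyLog:
    """Append-only chain of custody; each entry commits to the previous one, so deletion or reordering shows."""

    FIELDS = ("seq", "when", "handler", "action", "evidence_sha256", "prev")

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, action, handler, evidence_sha256, when=None):
        """Append one handoff. `when` defaults to now (UTC); pass an explicit timestamp for reproducibility."""
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "when": when, "handler": handler,
                 "action": action, "evidence_sha256": evidence_sha256, "prev": prev}
        entry["entry_hash"] = sha256(self._canon(entry))
        self.entries.append(entry)
        return entry

    def _canon(self, entry):
        return "|".join([self.case_id] + [str(entry[k]) for k in self.FIELDS]).encode()

    def verify(self, expected_evidence_sha256=None):
        """Recompute every link; optionally also require that the evidence hash never changed across handoffs."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or sha256(self._canon(e)) != e["entry_hash"]:
                return False
            if expected_evidence_sha256 and e["evidence_sha256"] != expected_evidence_sha256:
                return False
            prev = e["entry_hash"]
        return bool(self.entries)


if __name__ == "__main__":
    image, rec = acquire_image(ORIGINAL_MEDIA)
    log = CustodyLog("IR-2026-0042")  # constructed case identifier
    log.record("acquired via write blocker", "analyst A", rec["image_sha256"], "2026-03-10T09:05:00+00:00")
    log.record("sealed, handed to evidence custodian", "analyst A -> custodian B", rec["image_sha256"],
               "2026-03-10T10:00:00+00:00")
    print("image verified:", verify_image(image, rec))
    print("custody chain intact:", log.verify(rec["image_sha256"]))
```

The hash in every custody entry should equal the acquisition hash; if a later entry records a different value, the evidence changed hands in an altered state and its admissibility is in question, which is exactly the gap opposing counsel looks for.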

Checkpoint · Incident Response & Management

In cybersecurity, what does the term 'chain of custody' refer to?

Module 4 · Reporting & Communication

Domain 4.0 — 17% of the exam. Analysis is worthless if it isn’t communicated. This domain is about turning findings — from both vulnerability management and incident response — into reports, metrics, and the right message for the right audience. It’s the smallest domain, but it ties the whole role together.

4.1 Vulnerability Reporting & Metrics

Vulnerability reports drive action: compliance reports, action plans with owners and timelines, and a risk score per finding. They must acknowledge real-world inhibitors to remediation (MOUs/SLAs and organizational governance, business-process interruption, degrading functionality, and legacy or proprietary systems). Track progress with KPIs like mean time to remediate (MTTR), recurrence rate, and the top vulnerabilities, and report to the right stakeholders.

The recurring exam idea: when a system genuinely can’t be patched, the answer isn’t to ignore it — it’s a documented compensating control plus accepted residual risk, reported honestly to stakeholders.

Common inhibitors to remediation
Inhibitor | Why it blocks/delays a fix
MOU / SLA / governance | Contracts or policy restrict when/how changes can be made
Business process interruption | Patching requires downtime the business can't yet absorb
Degrading functionality | The fix breaks a needed feature or integration
Legacy / proprietary systems | No vendor patch exists; the system can't be modified

4.2 Incident Reporting & Communication

Incident reporting follows the same logic. Define incident declaration and escalation criteria so the right people are notified at the right time; build a communication plan covering technical teams, executives, legal, HR, PR, customers, and regulators; and close every incident with a root cause analysis, lessons learned, and IoC generation so the new indicators feed back into detection. The headline metrics are MTTD, MTTC, and MTTR.

Checkpoint · Reporting & Communication

What is a primary consideration when choosing a communication method during a cyber incident response?

How to Use This CySA+ Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Security Operations (33%) and Vulnerability Management (30%) are nearly two-thirds of the exam — start there, then Incident Response and Reporting.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Practice the PBQs. Performance-based questions reward hands-on skill — read logs and packet captures, interpret CVSS vectors, and scope incidents, not just definitions.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until your score climbs comfortably above 750.

CySA+ Glossary

The high-yield CySA+ terms in one place, in the order they are most likely to appear together on the exam.

Active scanning
Scanning that sends probes/packets directly to targets — thorough but can disrupt fragile systems.
Agent-based scan
A scan run by software installed on the host; works offline and for roaming assets. Agentless scans run from the network instead.
Attack surface
The total set of points where an attacker could attempt to enter or extract data; reducing it is a core mitigation goal.
Behavioral analytics
Detecting threats by flagging deviations from a baseline of normal user, host, or network behavior — catches unknown attacks signatures miss.
Chain of custody
The documented, unbroken record of who handled evidence and when — to keep it admissible.
Compensating control
An alternative safeguard used when the primary control (e.g., a patch) cannot be applied, to reduce the residual risk.
Containment
Limiting the spread and impact of an incident (e.g., isolating a host) — usually the first action in a live incident.
Credentialed scan
A vulnerability scan that logs into the target with valid credentials, seeing patch levels and configuration from the inside — deeper, fewer false positives.
CVE
Common Vulnerabilities and Exposures — a unique public identifier for one specific known vulnerability.
CVSS
Common Vulnerability Scoring System — a 0.0–10.0 score (Base, Temporal, Environmental groups) rating a vulnerability's severity.
Cyber Kill Chain
Lockheed Martin's linear 7-stage intrusion model: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives.
DAST
Dynamic Application Security Testing — testing a running application from the outside for exploitable flaws.
Diamond Model
An intrusion-analysis model linking four features of every event: adversary, capability, infrastructure, and victim.
DKIM
DomainKeys Identified Mail — a cryptographic signature on outbound email so receivers can detect tampering and forged senders.
DMARC
Domain-based Message Authentication, Reporting & Conformance — ties SPF and DKIM together and tells receivers how to handle failures.
Eradication
Removing the threat — malware, attacker footholds, compromised accounts — from the environment.
False negative
A real vulnerability or threat the tool failed to report — the more dangerous error.
False positive
A reported vulnerability or alert that is not actually present or exploitable — must be validated before acting.
Forensic image
A bit-for-bit copy of storage made for analysis so the original evidence is never altered; verified with a hash.
Incident response lifecycle
NIST's four phases: preparation; detection & analysis; containment, eradication & recovery; post-incident activity.
Indicator of compromise
A forensic artifact (malicious IP/domain, file hash, registry key, beaconing) that signals a system may have been breached.
Inhibitor to remediation
A real-world constraint (MOU/SLA, business interruption, legacy system, downtime cost) that delays or prevents a fix.
ISAC / ISAO
Information Sharing and Analysis Center/Organization — communities that share threat intelligence among members.
KPI
Key Performance Indicator — a measurable value (e.g., MTTD, MTTR, recurrence rate) showing how a security program is performing.
Legal hold
A directive to preserve relevant data when litigation or an investigation is anticipated.
Log analysis
Reviewing and correlating system, network, and application logs to detect, scope, and investigate suspicious activity.
MITRE ATT&CK
A knowledge base of real-world adversary tactics (goals) and techniques (methods) used to map detections and drive threat hunting.
MTTC
Mean Time to Contain — the average time to stop an incident from spreading once detected.
MTTD
Mean Time to Detect — the average time from when an incident begins to when it is detected.
MTTR
Mean Time to Respond/Remediate — the average time to contain and resolve an incident (or remediate a vulnerability).
Non-credentialed scan
A scan that probes only from the outside, like an unauthenticated attacker — a shallower, attacker's-eye view.
Order of volatility
Collecting evidence most-volatile-first (memory, network state) before less-volatile data (disk) so nothing is lost.
Packet capture
Recording raw network traffic (e.g., with tcpdump/Wireshark) so analysts can inspect the contents and flow of communications.
Passive scanning
Identifying assets and issues by observing existing traffic without sending probes — non-disruptive but less complete.
Root cause analysis
Determining the underlying reason an incident occurred so the same issue can be prevented from recurring.
SASE
Secure Access Service Edge — converges networking (SD-WAN) and security (SWG, CASB, ZTNA, FWaaS) into a single cloud-delivered service.
SAST
Static Application Security Testing — analyzing source code or binaries for flaws without running the application.
SIEM
Security Information and Event Management — a platform that collects and correlates logs across the enterprise to detect, investigate, and report on threats.
SOAR
Security Orchestration, Automation, and Response — automates and coordinates incident response via playbooks and tool integrations.
Software composition analysis
Scanning an application's third-party and open-source components for known vulnerabilities and license risk.
SPF
Sender Policy Framework — a DNS record listing the mail servers authorized to send email for a domain.
Stakeholder
Anyone who needs incident or vulnerability information — technical teams, executives, legal, HR, PR, customers, or regulators.
STIX
Structured Threat Information Expression — a standardized language for representing and sharing cyber threat intelligence.
TAXII
Trusted Automated Exchange of Intelligence Information — the protocol for transporting STIX threat-intelligence data.
Threat hunting
The proactive, hypothesis-driven search for adversaries that have evaded existing detections, before any alert fires.
Threat intelligence
Evidence-based knowledge about threats — actors, their tactics, techniques, and procedures (TTPs), and indicators — used to inform defense.
Threat-intelligence cycle
The repeating process of producing intelligence: planning & direction, collection, processing, analysis, dissemination, and feedback.
TTP
Tactics, Techniques, and Procedures — how an adversary operates; the most durable, hardest-to-change indicator of an attacker.
Vulnerability management
The continuous cycle of identifying, scanning, analyzing, prioritizing, remediating, validating, and reporting on vulnerabilities.
Zero trust
A model that removes implicit trust and verifies every request based on identity, device, and context — 'never trust, always verify.'
Zero-day
A vulnerability unknown to the vendor with no patch available, leaving 'zero days' to fix it before exploitation.

CySA+ Study Guide FAQ

The CySA+ CS0-003 exam has a maximum of 85 questions — a mix of multiple-choice and performance-based questions (PBQs) — and you get 165 minutes to complete it. Because PBQs are hands-on simulations (log analysis, packet capture, CVSS scoring), many candidates save them for last and manage their time carefully.

References

  1. CompTIA. “CompTIA CySA+ (CS0-003) Certification.” comptia.org.
  2. CompTIA. “CySA+ (CS0-003) Exam Objectives.” comptia.org.
  3. National Institute of Standards and Technology. “SP 800-61, Computer Security Incident Handling Guide.” csrc.nist.gov.
  4. National Institute of Standards and Technology. “SP 800-40 Rev. 4, Enterprise Patch Management Planning.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-150, Guide to Cyber Threat Information Sharing.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “SP 800-207, Zero Trust Architecture.” csrc.nist.gov.
  7. Forum of Incident Response and Security Teams. “Common Vulnerability Scoring System (CVSS).” first.org.
  8. The MITRE Corporation. “MITRE ATT&CK.” attack.mitre.org.
  9. Cybersecurity and Infrastructure Security Agency. “Stop Ransomware: Ransomware 101.” cisa.gov.
  10. National Institute of Standards and Technology. “Security Information and Event Management (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  11. National Institute of Standards and Technology. “Indicator of Compromise (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  12. National Institute of Standards and Technology. “Threat Intelligence (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  13. National Institute of Standards and Technology. “Threat Hunting (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  14. National Institute of Standards and Technology. “Common Vulnerabilities and Exposures (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  15. National Institute of Standards and Technology. “False Positive (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  16. National Institute of Standards and Technology. “Zero-Day Attack (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  17. National Institute of Standards and Technology. “Chain of Custody (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.