This free CompTIA CySA+ study guide covers every domain the current CS0-003 exam tests, organized to CompTIA’s official exam objectives.[2] CySA+ is the analyst-level cybersecurity certification — it validates the hands-on skills of a Security Operations Center: using behavioral analytics to detect threats, managing vulnerabilities, hunting adversaries, and responding to and reporting on incidents.
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.
The CySA+ CS0-003 exam has four domains, and we teach each one as its own module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official objectives — not a full security-analyst textbook.
CompTIA CySA+ is one of the 14 CompTIA certifications — explore our CompTIA study guides to compare and prep across the whole family.
CySA+ (CS0-003) Exam Snapshot
| Detail | CySA+ (CS0-003) |
|---|---|
| Questions | Maximum of 85 |
| Format | Multiple-choice + performance-based (PBQs) |
| Time | 165 minutes |
| Passing score | 750 (on a scale of 100–900; scaled scoring) |
| Exam code | CS0-003 (current version) |
| Delivered by | Pearson VUE (test center or online proctored) |
| Certifying body | CompTIA |
| Recommended prep | Security+/Network+ and ~4 years of hands-on security experience (not required) |
| Cost | ≈ $404 USD (single voucher, U.S., 2026) |
| Valid for | 3 years — renew with 60 CEUs (CompTIA CE program) |
Two domains dominate. Security Operations (33%) and Vulnerability Management (30%) together are 63% of the exam, so invest there first.[2] Study by weight:
Module 1 · Security Operations
Domain 1.0 — 33% of the exam, the single largest domain. This is the heart of the analyst role: understanding the environment you defend, recognizing malicious activity in it, wielding the tools that surface that activity, and using threat intelligence to hunt for what slipped past your detections. Spend the most time here.
1.1 Architecture, Logging & IAM
You can’t analyze what you don’t understand. Know the building blocks: on-premises vs. cloud vs. hybrid architectures, network segmentation (and microsegmentation), zero trust (“never trust, always verify”), SASE (secure access service edge), and software-defined networking. Alongside the infrastructure, identity and access management (IAM), encryption, and sensitive-data protection set the context for every alert you triage.[6]
Logging is the analyst’s raw material. You ingest logs from firewalls, endpoints, DNS, web servers, and the OS — then correlate them. Operating-system concepts (processes, the registry, file systems, the Windows event log vs. Linux syslog) tell you what “normal” looks like so you can spot the abnormal.
| Log source | What it tells an analyst |
|---|---|
| Firewall / NetFlow | Allowed/blocked connections, beaconing, data exfiltration volume |
| DNS logs | Lookups to malicious or newly-registered domains; DNS tunneling |
| Endpoint / EDR | Process execution, persistence, lateral movement on a host |
| Authentication logs | Brute force, impossible-travel logins, privilege misuse |
| Web server logs | Injection attempts, scanning, suspicious user agents |
| Email gateway | Phishing, spoofing, malicious attachments (with SPF/DKIM/DMARC results) |
1.2 Analyzing Malicious Activity
The core skill: given indicators, identify the attack. Know the network-related attacks (scanning, on-path/man-in-the-middle, DoS/DDoS, DNS and ARP poisoning), host-related signs (unexpected processes, persistence, privilege escalation, malware), and application-related attacks (SQL injection, cross-site scripting, directory traversal). Layer in social engineering (phishing and its variants) and obfuscated or malicious code.
Detection comes in flavors. Signature-based detection matches known patterns (precise, but blind to new threats); anomaly-based detection flags deviations from a baseline (catches the unknown, but generates noise). An indicator of compromise (IoC) is the forensic breadcrumb — a malicious hash, IP, domain, or beaconing pattern — that you collect to detect and scope an intrusion.
| Method | How it works | Trade-off |
|---|---|---|
| Signature-based | Matches known patterns (hashes, rules, byte sequences) | Precise on known threats; blind to novel ones |
| Anomaly-based | Flags deviation from a defined baseline | Catches unknowns; needs a good baseline |
| Behavioral analytics | Models normal user/host/network behavior | Finds insider/novel threats; can be noisy |
| Heuristic / sandboxing | Detonates/inspects suspicious code | Catches obfuscated malware; slower |
1.3 Tools, SIEM & Scripting
Visibility is everything. A SIEM (security information and event management platform) aggregates and correlates logs from across the enterprise to detect threats, generate alerts, and support investigations — but it must be tuned to avoid alert fatigue.
Add packet capture (tcpdump/Wireshark) for deep network inspection, endpoint/email/file analysis, and email-header analysis with SPF, DKIM, and DMARC results. Automate the repetitive work with SOAR playbooks.
CySA+ expects basic scripting literacy: you should recognize what a snippet of Python, PowerShell, shell, or JavaScript does, and read a regular expression used to hunt through logs. You won’t write production code, but you must interpret it on a PBQ.
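The scripting and regex literacy described above, and the IoC matching from section 1.2, as an added example (not code from the original guide): a regular expression with named groups pulls the timestamp, outcome, user and source IP out of sshd-style log lines, a sliding window flags a burst of failed logins that ends in a successful one, and every source IP is checked against a threat-intel list. The log lines, the IoC set and the assumed log year are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Linux sshd/auth-log style (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:05 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51012 ssh2
Mar 14 02:11:07 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51016 ssh2
Mar 14 02:11:09 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51020 ssh2
Mar 14 02:11:11 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 14 02:11:14 web01 sshd[2209]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 14 02:11:16 web01 sshd[2211]: Accepted password for root from 203.0.113.45 port 51034 ssh2
Mar 14 02:40:02 web01 sshd[2400]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 14 03:15:44 web01 sshd[2512]: Accepted publickey for alice from 192.0.2.10 port 40500 ssh2
"""

# Constructed threat-intel feed: source IPs an analyst has been told to watch for.
CONSTRUCTED_IOC_IPS = {"198.51.100.7", "203.0.113.200"}

# The kind of regex the exam expects you to read: named groups capture the
# timestamp, outcome (Failed/Accepted), user name and source IP of each sshd line.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample


def parse_events(text: str) -> list:
    """Turn raw lines into structured events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_brute_force(events: list, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag any source IP with >= threshold failed logins inside one sliding window.

    Also records whether a successful login followed the burst within the same
    window, which is what turns a noisy alert into a probable compromise.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["outcome"] == "Failed"]
        for start in range(len(failures)):
            end = start
            while end + 1 < len(failures) and failures[end + 1] - failures[start] <= window:
                end += 1
            count = end - start + 1
            if count >= threshold:
                last_fail = failures[end]
                success_after = any(
                    e["outcome"] == "Accepted" and last_fail <= e["ts"] <= last_fail + window
                    for e in evs
                )
                findings[ip] = {"failures": count, "followed_by_success": success_after}
                break
    return findings


def match_iocs(events: list, ioc_ips: set) -> set:
    """Return the source IPs seen in the log that appear on the IoC list."""
    return {e["ip"] for e in events if e["ip"] in ioc_ips}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    print("brute force:", detect_brute_force(evs))
    print("IoC hits:", match_iocs(evs, CONSTRUCTED_IOC_IPS))
```

On the sample, 203.0.113.45 is flagged for five failures followed by an accepted password, while 198.51.100.7 has a single failure and is surfaced only because it is on the IoC list; the threshold and window are the knobs an analyst tunes against alert fatigue.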
| Mechanism | What it does |
|---|---|
| SPF | DNS record listing which servers may send mail for the domain |
| DKIM | Cryptographic signature so tampering and forgery are detectable |
| DMARC | Ties SPF + DKIM together; tells receivers to none/quarantine/reject failures |
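How a receiving gateway combines the three results in the table, as an added example that is not code from the original guide: SPF and DKIM each report pass or fail against some domain, and DMARC passes only if at least one of them passes and is aligned with the visible From: domain, otherwise the sender's published policy (none, quarantine, reject) decides the disposition. The scenarios, domains and DMARC records are constructed, and the organizational-domain helper is a simplification (it takes the last two labels rather than consulting the Public Suffix List).

```python
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What a receiving gateway learned about one message (constructed inputs)."""
    header_from: str   # domain in the visible From: header, what the reader sees
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # domain SPF was checked against (envelope MAIL FROM)
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if unsigned


def organizational_domain(domain: str) -> str:
    """Registered domain used for relaxed alignment.

    Assumption/simplification: the last two labels. Real DMARC consults the
    Public Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a, b = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def parse_dmarc_record(txt: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'dmarc1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def evaluate_dmarc(results: AuthResults, dmarc_txt: str) -> dict:
    """Apply the DMARC pass rule: at least one of SPF or DKIM must pass AND align."""
    tags = parse_dmarc_record(dmarc_txt)
    policy = tags.get("p", "none")
    spf_ok = results.spf_result == "pass" and aligned(
        results.header_from, results.spf_domain, tags.get("aspf", "r"))
    dkim_ok = (results.dkim_result == "pass" and bool(results.dkim_domain)
               and aligned(results.header_from, results.dkim_domain, tags.get("adkim", "r")))
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # On failure the sender's published policy decides: none / quarantine / reject.
        "disposition": "deliver" if passed else policy,
    }


# Constructed scenarios (example.com is a documentation domain, not a real sender).
LEGIT = AuthResults("example.com", "pass", "mail.example.com", "pass", "example.com")
SPOOF = AuthResults("example.com", "pass", "bulk-sender.test", "none", "")
STRICT_MISS = AuthResults("example.com", "fail", "example.com", "pass", "news.example.com")

if __name__ == "__main__":
    print(evaluate_dmarc(LEGIT, "v=DMARC1; p=reject; adkim=s; aspf=r"))
    print(evaluate_dmarc(SPOOF, "v=DMARC1; p=reject"))
    print(evaluate_dmarc(STRICT_MISS, "v=DMARC1; p=quarantine; adkim=s"))
```

The SPOOF case is the one to remember for the exam: SPF passes, because the message really did come from a server the bulk-sender.test record authorizes, yet DMARC fails because that domain is not the one in the From: header the user sees. Alignment is what SPF and DKIM alone do not give you.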
1.4 Threat Intelligence & Threat Hunting
Threat intelligence is evidence-based knowledge about adversaries — who they are, their tactics, techniques, and procedures (TTPs), and their indicators — used to drive defense. It’s produced through the threat-intelligence cycle and shared via communities (ISACs/ISAOs) and standards like STIX/TAXII.[5] Analysts assign confidence levels so consumers know how much to trust each report.
The six steps of the threat-intelligence cycle:
1. Planning & Direction: Define intelligence requirements — what the organization needs to know and which decisions the intel will support.
2. Collection: Gather raw data from sources: OSINT, ISACs/ISAOs, vendor feeds, internal logs, the dark web, and trusted sharing communities.
3. Processing: Normalize, translate, decrypt, and structure the raw data so it can be analyzed (e.g., into STIX/TAXII).
4. Analysis: Turn processed data into actionable intelligence — assess relevance, assign a confidence level, and map to threat actors and TTPs.
5. Dissemination: Deliver finished intelligence to the right stakeholders in a usable form (strategic, operational, or tactical).
6. Feedback: Stakeholders evaluate the intelligence; lessons refine the requirements and the cycle starts again.
Threat hunting is the proactive, hypothesis-driven search for adversaries who slipped past your detections — before an alert fires. Hunts are focused through attack frameworks: the Cyber Kill Chain for the sequence, the Diamond Model for relationships, and MITRE ATT&CK for specific techniques.[8] A successful hunt produces new detections and reduces dwell time.
Checkpoint · Security Operations
In the context of cybersecurity, which technique is used in an IDS to detect threats based on known attack patterns?
Module 2 · Vulnerability Management
Domain 2.0 — 30% of the exam. This domain is the analyst’s second core job: finding weaknesses before attackers do, then deciding which ones actually matter. It runs as a continuous cycle — scan, analyze, prioritize, remediate, validate, report — and CVSS scoring sits at its center.
2.1 Vulnerability Scanning
Vulnerability management starts with knowing your assets — asset discovery and mapping the attack surface. Then you scan, and the way you scan changes what you see: active vs. passive, credentialed vs. non-credentialed, and agent-based vs. agentless. For code, use SAST (static), DAST (dynamic), software composition analysis for open-source components, and scan infrastructure-as-code templates.[4]
| Choice | Option A | Option B |
|---|---|---|
| Activity | Active — sends probes (thorough, can disrupt) | Passive — observes traffic (safe, incomplete) |
| Credentials | Credentialed — logs in (deep, fewer false positives) | Non-credentialed — outside view (attacker's-eye) |
| Deployment | Agent — on the host (roaming/offline assets) | Agentless — from the network (no install) |
| Code | SAST — static, reads source/binary | DAST — dynamic, tests the running app |
2.2 Analyzing Scan Output
Scanners produce noise. Your job is to turn raw findings into reliable, prioritized work. The first filter is validation: distinguish a false positive (reported but not real/exploitable) from a false negative (a real flaw the tool missed — the more dangerous error). Validate by manual verification, correlating multiple tools, and confirming the affected configuration is actually present.
You’ll read output from network scanners, web-application scanners, and infrastructure scanners, each keyed to CVE identifiers. The recurring mistake is treating the raw scan report as a to-do list — without context, you’ll waste effort on findings that don’t matter and miss the one that does.
| Term | Meaning | Why it matters |
|---|---|---|
| False positive | Reported but not actually present/exploitable | Wastes analyst time; erodes trust in the tool |
| False negative | A real vulnerability the scanner missed | The dangerous one — leaves you exposed unknowingly |
| True positive | Correctly reported, confirmed vulnerability | Goes to prioritization and remediation |
| CVE | Public ID for one specific known vulnerability | Look up affected products, patches, and exploits |
2.3 Prioritizing with CVSS
You can’t fix everything at once, so you prioritize. CVSS (the Common Vulnerability Scoring System) is the standard severity score (0.0–10.0) built from three metric groups: Base (intrinsic and constant), Temporal (changes as exploits/patches appear), and Environmental (tailored to your organization).[7] But the score is only a starting point.
- Base (constant — the intrinsic severity): Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), and Confidentiality / Integrity / Availability impact.
- Temporal (changes over time): Exploit Code Maturity, Remediation Level, and Report Confidence.
- Environmental (specific to your organization): modified base metrics and Confidentiality / Integrity / Availability Requirements (asset value).
True prioritization is context-aware: combine the CVSS score with asset value, exposure (internet-facing vs. internal), criticality, and whether the vulnerability is being actively exploited or has a public exploit (a zero-day under active exploitation jumps the queue regardless of its base score).
| Band | Score range |
|---|---|
| None | 0.0 |
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |
2.4 Mitigating Controls & Response
Once prioritized, you recommend a fix. The cleanest is patching or reconfiguration; when that isn’t possible, apply a compensating control (e.g., segment a legacy system that can’t be patched).
Know the high-yield flaw classes and their fixes: injection (parameterized queries), cross-site scripting (output encoding + CSP), broken access control, cryptographic failures, and overflow. Vulnerability response is governed by policies, SLOs, and prioritization/escalation rules.
The vulnerability-management cycle:
1. Identify & discover: Inventory assets and map the attack surface — you cannot protect what you do not know you have.
2. Scan: Run vulnerability scans (active/passive, credentialed/non-credentialed, agent/agentless) across discovered assets.
3. Analyze & prioritize: Score findings with CVSS, map to CVE, weed out false positives, and rank by context — asset value, exposure, and exploitability.
4. Remediate: Patch, reconfigure, or apply a compensating control — guided by SLOs and organizational governance.
5. Validate: Rescan to confirm the fix actually closed the vulnerability and introduced no regressions.
6. Report: Communicate metrics (MTTR, recurrence, top vulnerabilities) to stakeholders for compliance and decision-making.
| Vulnerability | What it is | Primary mitigation |
|---|---|---|
| SQL / command injection | Untrusted input runs as code | Parameterized queries + input validation |
| Cross-site scripting (XSS) | Injected script runs in another user's browser | Output encoding + Content Security Policy |
| Broken access control | Missing/flawed authorization checks | Enforce least privilege; deny by default |
| Cryptographic failures | Weak/missing encryption of sensitive data | Strong algorithms, proper key management, TLS |
| Buffer overflow | Writing past a buffer's bounds | Bounds checking, ASLR/DEP, secure coding |
| Unpatchable legacy system | No vendor fix available | Compensating control: segment, monitor, restrict |
Checkpoint · Vulnerability Management
What is the primary purpose of a vulnerability scanner in cybersecurity?
Module 3 · Incident Response & Management
Domain 3.0 — 20% of the exam. When prevention and detection give way to a real incident, you respond — methodically. This domain covers the attack frameworks that structure your thinking, the formal response lifecycle, and the hands-on activities (scoping, evidence, forensics) that happen during a response.
3.1 Attack Frameworks
Three frameworks give you a shared language for describing an attack. The Cyber Kill Chain models the linear sequence of an intrusion; the Diamond Model maps the relationships between adversary, capability, infrastructure, and victim; and MITRE ATT&CK catalogs the specific techniques attackers use.[8] OWASP rounds out the application side. They’re complementary, not competing.
- Cyber Kill Chain (Lockheed Martin): A linear 7-stage model of an intrusion: reconnaissance → weaponization → delivery → exploitation → installation → command & control → actions on objectives.
- Diamond Model (intrusion analysis): Maps every intrusion event across four vertices: adversary, capability, infrastructure, and victim — useful for pivoting and clustering campaigns.
- MITRE ATT&CK (MITRE): A detailed knowledge base of real-world adversary tactics (the goals) and techniques (the how), used to map detections and threat-hunt.
3.2 The IR Lifecycle
CompTIA follows the NIST incident response lifecycle (SP 800-61): preparation; detection & analysis; containment, eradication & recovery; and post-incident activity (lessons learned and root cause analysis).[3] In a live incident, containment usually comes first — stop the spread before you fully eradicate and recover.
- Phase 1 · Preparation: Build the team, tools, playbooks, and training before an incident — plus hardening, logging, and the communication plan.
- Phase 2 · Detection & Analysis: Identify and validate the incident from IoCs, SIEM alerts, and logs; determine the scope and impact.
- Phase 3 · Containment, Eradication & Recovery: Limit the spread first, then remove the threat (malware, footholds, accounts), and restore systems to normal operation.
- Phase 4 · Post-Incident Activity: Lessons learned, root cause analysis, IoC generation, and reporting — feed improvements back into Preparation.
3.3 IR Activities & Forensics
During a response you perform concrete activities: detection and validation, scope determination, evidence acquisition and preservation, data and log analysis, eradication, and recovery — coordinated through a communication plan and escalation path. Get the order of operations wrong and you destroy evidence.
Digital forensics preserves that evidence so it stays admissible: place a legal hold, maintain a chain of custody (who handled what, and when), collect by order of volatility (memory and network state before disk), and analyze a forensic image (a verified bit-for-bit copy) rather than the original.
| Concept | What it means |
|---|---|
| Chain of custody | Documented record of every person who handled evidence and when |
| Order of volatility | Collect most-volatile data first (RAM, network state) before disk |
| Forensic image | Bit-for-bit copy, hash-verified; you analyze the copy, never the original |
| Legal hold | Directive to preserve relevant data once litigation/investigation is anticipated |
| Root cause analysis | Finding the underlying reason an incident happened, to prevent recurrence |
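The evidence-handling concepts in the table, as an added example that is not code from the original guide: a collection plan sorted by order of volatility, an evidence item that keeps the SHA-256 taken at acquisition plus a chain-of-custody log, and an analysis step that refuses to touch a working copy whose hash no longer matches. The "disk" bytes, evidence ID and people are constructed; the volatility ranking is the conventional memory-before-disk ordering, simplified to a short list.

```python
import hashlib
from datetime import datetime, timezone

# Most-volatile first; collecting in this order keeps short-lived state from being lost.
VOLATILITY_ORDER = ["cpu registers/cache", "memory", "network state",
                    "running processes", "disk", "remote logs", "archival media"]


def collection_order(artifacts: list) -> list:
    """Sort a mixed list of artifact types by order of volatility; unknown types go last."""
    rank = {name: i for i, name in enumerate(VOLATILITY_ORDER)}
    return sorted(artifacts, key=lambda a: rank.get(a, len(rank)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """One piece of evidence with its acquisition hash and a chain-of-custody log."""

    def __init__(self, item_id: str, description: str, original: bytes,
                 collected_by: str, when=None):
        self.item_id = item_id
        self.description = description
        # The hash taken at acquisition is the reference every later copy is checked against.
        self.acquisition_hash = sha256_hex(original)
        self.custody = []
        self.record(collected_by, "acquired and hashed", when)

    def record(self, who: str, action: str, when=None) -> None:
        """Append one custody entry: who did what to the item, and when."""
        when = when or datetime.now(timezone.utc)
        self.custody.append({"when": when.isoformat(), "who": who, "action": action})

    def transfer(self, from_person: str, to_person: str, when=None) -> None:
        """A hand-off is two entries, so both sides of the transfer are on record."""
        self.record(from_person, f"released to {to_person}", when)
        self.record(to_person, f"received from {from_person}", when)

    def verify_image(self, image: bytes) -> bool:
        """True only if the working copy still matches the acquisition hash."""
        return sha256_hex(image) == self.acquisition_hash


def analyze(item: EvidenceItem, image: bytes, analyst: str) -> dict:
    """Refuse to work on an image whose hash no longer matches; log either outcome."""
    if not item.verify_image(image):
        item.record(analyst, "verification FAILED; image not analyzed")
        return {"verified": False, "size": None}
    item.record(analyst, "verified hash; analysis performed on image copy")
    return {"verified": True, "size": len(image)}


# Constructed "disk" contents standing in for an acquired image.
ORIGINAL_DISK = b"MBR\x00" + b"fs-data" * 100

if __name__ == "__main__":
    item = EvidenceItem("EV-001", "web01 system disk", ORIGINAL_DISK, "first responder")
    item.transfer("first responder", "forensic analyst")
    working_copy = bytes(ORIGINAL_DISK)
    print(analyze(item, working_copy, "forensic analyst"))
    print(analyze(item, working_copy + b"x", "forensic analyst"))
    print(collection_order(["disk", "memory", "remote logs", "network state"]))
```

The failed verification is deliberately logged rather than silently dropped: a custody record that shows a hash mismatch and no analysis is exactly what makes the rest of the evidence defensible.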
Checkpoint · Incident Response & Management
In cybersecurity, what does the term 'chain of custody' refer to?
Module 4 · Reporting & Communication
Domain 4.0 — 17% of the exam. Analysis is worthless if it isn’t communicated. This domain is about turning findings — from both vulnerability management and incident response — into reports, metrics, and the right message for the right audience. It’s the smallest domain, but it ties the whole role together.
4.1 Vulnerability Reporting & Metrics
Vulnerability reports drive action: compliance reports, action plans with owners and timelines, and a risk score per finding. They must acknowledge real-world inhibitors to remediation — MOUs/SLAs and organizational governance, business-process interruption, degrading functionality, and legacy or proprietary systems. Track progress with KPIs like MTTR, recurrence rate, and the top vulnerabilities, and report to the right stakeholders.
The recurring exam idea: when a system genuinely can’t be patched, the answer isn’t to ignore it — it’s a documented compensating control plus accepted residual risk, reported honestly to stakeholders.
| Inhibitor | Why it blocks/delays a fix |
|---|---|
| MOU / SLA / governance | Contracts or policy restrict when/how changes can be made |
| Business process interruption | Patching requires downtime the business can't yet absorb |
| Degrading functionality | The fix breaks a needed feature or integration |
| Legacy / proprietary systems | No vendor patch exists; the system can't be modified |
4.2 Incident Reporting & Communication
Incident reporting follows the same logic. Define incident declaration and escalation criteria so the right people are notified at the right time, build a communication plan covering technical teams, executives, legal, HR, PR, customers, and regulators, and close every incident with a root cause analysis, lessons learned, and IoC generation. The headline metrics are MTTD and MTTR.
- MTTD (Mean Time to Detect): Average time from when an incident begins to when it is detected.
- MTTA (Mean Time to Acknowledge): Average time from detection/alert to a responder acknowledging it.
- MTTR (Mean Time to Respond / Remediate): Average time to contain and resolve an incident — or to remediate a vulnerability.
- MTTC (Mean Time to Contain): Average time to stop an incident from spreading once it is detected.
Checkpoint · Reporting & Communication
What is a primary consideration when choosing a communication method during a cyber incident response?
How to Use This CySA+ Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. Security Operations (33%) and Vulnerability Management (30%) are nearly two-thirds of the exam — start there, then Incident Response and Reporting.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Practice the PBQs. Performance-based questions reward hands-on skill — read logs and packet captures, interpret CVSS vectors, and scope incidents, not just definitions.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until your score climbs comfortably above 750.
CySA+ Concept Questions
Core CySA+ concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
CySA+ Glossary
The high-yield CySA+ terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Active scanning: Scanning that sends probes/packets directly to targets — thorough but can disrupt fragile systems.
- Agent-based scan: A scan run by software installed on the host; works offline and for roaming assets. Agentless scans run from the network instead.
- Attack surface: The total set of points where an attacker could attempt to enter or extract data; reducing it is a core mitigation goal.
- Behavioral analytics: Detecting threats by flagging deviations from a baseline of normal user, host, or network behavior — catches unknown attacks signatures miss.
- Chain of custody: The documented, unbroken record of who handled evidence and when — to keep it admissible.
- Compensating control: An alternative safeguard used when the primary control (e.g., a patch) cannot be applied, to reduce the residual risk.
- Containment: Limiting the spread and impact of an incident (e.g., isolating a host) — usually the first action in a live incident.
- Credentialed scan: A vulnerability scan that logs into the target with valid credentials, seeing patch levels and configuration from the inside — deeper, fewer false positives.
- CVE: Common Vulnerabilities and Exposures — a unique public identifier for one specific known vulnerability.
- CVSS: Common Vulnerability Scoring System — a 0.0–10.0 score (Base, Temporal, Environmental groups) rating a vulnerability's severity.
- Cyber Kill Chain: Lockheed Martin's linear 7-stage intrusion model: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives.
- DAST: Dynamic Application Security Testing — testing a running application from the outside for exploitable flaws.
- Diamond Model: An intrusion-analysis model linking four features of every event: adversary, capability, infrastructure, and victim.
- DKIM: DomainKeys Identified Mail — a cryptographic signature on outbound email so receivers can detect tampering and forged senders.
- DMARC: Domain-based Message Authentication, Reporting & Conformance — ties SPF and DKIM together and tells receivers how to handle failures.
- Eradication: Removing the threat — malware, attacker footholds, compromised accounts — from the environment.
- False negative: A real vulnerability or threat the tool failed to report — the more dangerous error.
- False positive: A reported vulnerability or alert that is not actually present or exploitable — must be validated before acting.
- Forensic image: A bit-for-bit copy of storage made for analysis so the original evidence is never altered; verified with a hash.
- Incident response lifecycle: NIST's four phases: preparation; detection & analysis; containment, eradication & recovery; post-incident activity.
- Indicator of compromise: A forensic artifact (malicious IP/domain, file hash, registry key, beaconing) that signals a system may have been breached.
- Inhibitor to remediation: A real-world constraint (MOU/SLA, business interruption, legacy system, downtime cost) that delays or prevents a fix.
- ISAC / ISAO: Information Sharing and Analysis Center/Organization — communities that share threat intelligence among members.
- KPI: Key Performance Indicator — a measurable value (e.g., MTTD, MTTR, recurrence rate) showing how a security program is performing.
- Legal hold: A directive to preserve relevant data when litigation or an investigation is anticipated.
- Log analysis: Reviewing and correlating system, network, and application logs to detect, scope, and investigate suspicious activity.
- MITRE ATT&CK: A knowledge base of real-world adversary tactics (goals) and techniques (methods) used to map detections and drive threat hunting.
- MTTC: Mean Time to Contain — the average time to stop an incident from spreading once detected.
- MTTD: Mean Time to Detect — the average time from when an incident begins to when it is detected.
- MTTR: Mean Time to Respond/Remediate — the average time to contain and resolve an incident (or remediate a vulnerability).
- Non-credentialed scan: A scan that probes only from the outside, like an unauthenticated attacker — a shallower, attacker's-eye view.
- Order of volatility: Collecting evidence most-volatile-first (memory, network state) before less-volatile data (disk) so nothing is lost.
- Packet capture: Recording raw network traffic (e.g., with tcpdump/Wireshark) so analysts can inspect the contents and flow of communications.
- Passive scanning: Identifying assets and issues by observing existing traffic without sending probes — non-disruptive but less complete.
- Root cause analysis: Determining the underlying reason an incident occurred so the same issue can be prevented from recurring.
- SASE: Secure Access Service Edge — converges networking (SD-WAN) and security (SWG, CASB, ZTNA, FWaaS) into a single cloud-delivered service.
- SAST: Static Application Security Testing — analyzing source code or binaries for flaws without running the application.
- SIEM: Security Information and Event Management — a platform that collects and correlates logs across the enterprise to detect, investigate, and report on threats.
- SOAR: Security Orchestration, Automation, and Response — automates and coordinates incident response via playbooks and tool integrations.
- Software composition analysis: Scanning an application's third-party and open-source components for known vulnerabilities and license risk.
- SPF: Sender Policy Framework — a DNS record listing the mail servers authorized to send email for a domain.
- Stakeholder: Anyone who needs incident or vulnerability information — technical teams, executives, legal, HR, PR, customers, or regulators.
- STIX: Structured Threat Information Expression — a standardized language for representing and sharing cyber threat intelligence.
- TAXII: Trusted Automated Exchange of Intelligence Information — the protocol for transporting STIX threat-intelligence data.
- Threat hunting: The proactive, hypothesis-driven search for adversaries that have evaded existing detections, before any alert fires.
- Threat intelligence: Evidence-based knowledge about threats — actors, their tactics, techniques, and procedures (TTPs), and indicators — used to inform defense.
- Threat-intelligence cycle: The repeating process of producing intelligence: planning & direction, collection, processing, analysis, dissemination, and feedback.
- TTP: Tactics, Techniques, and Procedures — how an adversary operates; the most durable, hardest-to-change indicator of an attacker.
- Vulnerability management: The continuous cycle of identifying, scanning, analyzing, prioritizing, remediating, validating, and reporting on vulnerabilities.
- Zero trust: A model that removes implicit trust and verifies every request based on identity, device, and context — 'never trust, always verify.'
- Zero-day: A vulnerability unknown to the vendor with no patch available, leaving 'zero days' to fix it before exploitation.
CySA+ Study Guide FAQ
The CySA+ CS0-003 exam has a maximum of 85 questions — a mix of multiple-choice and performance-based questions (PBQs) — and you get 165 minutes to complete it. Because PBQs are hands-on simulations (log analysis, packet capture, CVSS scoring), many candidates save them for last and manage their time carefully.
You need a scaled score of 750 on a scale of 100 to 900. Because it's a scaled score, 750 does not equal a fixed percentage correct — performance-based questions can carry more weight than standard multiple-choice questions.
There are four domains: Security Operations (33%), Vulnerability Management (30%), Incident Response and Management (20%), and Reporting and Communication (17%). Security Operations and Vulnerability Management together are nearly two-thirds of the exam.
Study by weight. Security Operations (33%) and Vulnerability Management (30%) are 63% of the exam, so master SIEM/log analysis, threat intelligence, vulnerability scanning, and CVSS first, then Incident Response and Reporting. Read each module, take the checkpoint, and drill gaps with our free practice test and flashcards.
A single CySA+ exam voucher is about $404 in the United States (Pearson VUE, 2026); prices vary by region and bundle. Always confirm the current price on CompTIA's store before you buy, as promotions and voucher-plus-training bundles change.
The certification is valid for three years. You renew through CompTIA's Continuing Education (CE) program by earning 60 Continuing Education Units (CEUs) over the three years (or by passing a higher-level CompTIA exam), plus the annual CE fee.
Security+ is the broad, baseline cybersecurity certification covering core concepts. CySA+ is the next step up — an analyst-level credential focused on the hands-on work of a Security Operations Center: behavioral analytics, threat detection and hunting, vulnerability management, and incident response. CompTIA recommends Security+ (or equivalent experience) before CySA+.
CySA+ is an intermediate, analyst-level exam — the challenge is applying knowledge to scenarios and the hands-on PBQs (reading logs, interpreting CVSS, scoping incidents) rather than rote memorization. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are all 100% free with no account required.
References
1. CompTIA. “CompTIA CySA+ (CS0-003) Certification.” comptia.org.
2. CompTIA. “CySA+ (CS0-003) Exam Objectives.” comptia.org.
3. National Institute of Standards and Technology. “SP 800-61, Computer Security Incident Handling Guide.” csrc.nist.gov.
4. National Institute of Standards and Technology. “SP 800-40 Rev. 4, Enterprise Patch Management Planning.” csrc.nist.gov.
5. National Institute of Standards and Technology. “SP 800-150, Guide to Cyber Threat Information Sharing.” csrc.nist.gov.
6. National Institute of Standards and Technology. “SP 800-207, Zero Trust Architecture.” csrc.nist.gov.
7. Forum of Incident Response and Security Teams. “Common Vulnerability Scoring System (CVSS).” first.org.
8. The MITRE Corporation. “MITRE ATT&CK.” attack.mitre.org.
9. Cybersecurity and Infrastructure Security Agency. “Stop Ransomware: Ransomware 101.” cisa.gov.
101. National Institute of Standards and Technology (NIST). “Security Information and Event Management (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
102. National Institute of Standards and Technology (NIST). “Indicator of Compromise (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
103. National Institute of Standards and Technology (NIST). “Threat Intelligence (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
104. National Institute of Standards and Technology (NIST). “Threat Hunting (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
105. National Institute of Standards and Technology (NIST). “Common Vulnerabilities and Exposures (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
106. National Institute of Standards and Technology (NIST). “False Positive (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
107. National Institute of Standards and Technology (NIST). “Zero-Day Attack (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
108. National Institute of Standards and Technology (NIST). “Chain of Custody (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.

