
Free CompTIA CySA+ Practice Test (CS0-003) 2026

Test your cybersecurity analyst knowledge with free CySA+ practice questions covering security operations, vulnerability management, incident response, and reporting.

Max Questions: 85 | Passing Score: 750 (/900) | Minutes: 165 | Years Valid: 3

The CompTIA CySA+ (CS0-003) validates skills in detecting, analyzing, and responding to cybersecurity threats through continuous security monitoring and incident response. It is vendor-neutral and sits between Security+ and advanced certifications such as CASP+ (now SecurityX) or CISSP. Download the official CompTIA CySA+ Exam Objectives for the full domain breakdown.

CompTIA CySA+ certification badge: CySA+ validates threat detection, analysis, and incident response skills

CySA+ Practice Quiz


1. A SOC analyst reviewing the Splunk dashboard below on a Monday morning observes 1 failed authentication per account spread across 47 distinct user IDs, all originating from 198.51.100.42 within a 90-second window. AD lockout policy is set at 5 attempts. Which attack pattern does this telemetry MOST likely represent?

🔍 Splunk Search & Reporting — index=auth
index=auth sourcetype=linux_secure action=failure earliest=-2m | stats count by src_ip, user
src_ip          user         count
198.51.100.42   jsmith       1
198.51.100.42   mwilliams    1
198.51.100.42   admin        1
198.51.100.42   rgarcia      1
198.51.100.42   svc_backup   1
198.51.100.42   helpdesk     1
198.51.100.42   guest        1
... 40 more rows (47 distinct accounts in 90s window)
  • A Credential stuffing
  • B Password spraying
  • C Brute force against a single account
  • D Session hijacking

Right answer (B): That's correct! Password spraying tries one or a few common passwords against many accounts from a single source, keeping each account under the lockout threshold (5 here) so nothing locks and no lockout alert fires. One failure per account across 47 accounts in 90 seconds is exactly that shape: the low per-account count separates it from brute force, and the single source IP plus one common password separates it from credential stuffing.

Wrong answers:

  • A): Credential stuffing replays username-password pairs from earlier breaches. It produces a similar one-attempt-per-account shape, but it is usually distributed across many source IPs and uses a different (leaked) password per account rather than one common password against all of them.
  • C): A brute force attack against a single account generates many attempts on one account, not across multiple accounts as described.
  • D): Session hijacking involves stealing an active session token and would not produce failed login attempts in the authentication logs.
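
The classification the explanation describes, written as a small detector that consumes the same per-(src_ip, user) counts the search above returns. This is an added example, not code from the page or from Splunk; the rows are constructed to mirror the dashboard (the seven named accounts plus 40 generated ones) with two contrasting sources added, and the thresholds are stated assumptions.

```python
"""Classify each source IP's failed-logon pattern (spray vs. brute force) from
per-(src_ip, user) failure counts.  Added example; rows and thresholds are constructed."""
from collections import defaultdict

# Constructed "stats count by src_ip, user" output (not real telemetry).
SAMPLE_ROWS = (
    [("198.51.100.42", u, 1) for u in
     ("jsmith", "mwilliams", "admin", "rgarcia", "svc_backup", "helpdesk", "guest")]
    + [("198.51.100.42", f"user{i:02d}", 1) for i in range(40)]   # the "40 more rows"
    + [("203.0.113.9", "admin", 37)]                              # single-account brute force
    + [("192.0.2.77", "jsmith", 2)]                               # a user who mistyped twice
)

# The same test as one line of SPL the analyst can paste into the search bar.
SPRAY_SPL = ("index=auth action=failure earliest=-2m | stats count by src_ip, user "
             "| stats dc(user) AS accounts, max(count) AS worst BY src_ip "
             "| where accounts >= 10 AND worst < 5")


def classify_sources(rows, lockout_threshold=5, spray_min_accounts=10):
    """Return {src_ip: (label, distinct_accounts, max_failures_per_account)}.

    Heuristics, stated up front:
      * password_spray: many distinct accounts, each failing fewer times than the
        lockout threshold (the attacker deliberately stays under it);
      * brute_force: at least one account pushed to or over the lockout threshold;
      * benign_or_insufficient: everything else (typos, or too little data).
    Credential stuffing shares the one-try-per-account shape but usually arrives
    from many source IPs, so a single-IP view cannot separate it from spraying;
    that call is made from the passwords tried and the source distribution.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for src_ip, user, count in rows:
        per_ip[src_ip][user] += count
    verdicts = {}
    for src_ip, users in per_ip.items():
        distinct, worst = len(users), max(users.values())
        if distinct >= spray_min_accounts and worst < lockout_threshold:
            label = "password_spray"
        elif worst >= lockout_threshold:
            label = "brute_force"
        else:
            label = "benign_or_insufficient"
        verdicts[src_ip] = (label, distinct, worst)
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_ROWS).items():
        print(ip, verdict)
```

The lockout threshold is the key parameter: a spray tuned to four tries per account against a five-try policy still passes the `worst < lockout_threshold` test, so the account count, not the per-account count, is what should page the on-call analyst.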

2. While threat hunting in EDR, an analyst pivots on the Sysmon Event ID 1 record below showing WINWORD.EXE spawning an encoded, hidden PowerShell child process on a finance workstation. Map this finding to the MOST appropriate indicator-of-compromise category for SOC reporting.

🪟 Event Viewer — Sysmon/Operational — FIN-WS-0421
Event ID: 1 (Process Create)
UtcTime: 2026-05-04 14:22:11
User: CORP\jsmith  |  IntegrityLevel: Medium
ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ParentCmdLine: "WINWORD.EXE" /n "Q4_Invoice_Audit.docm"
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAAgAD0A...
Hashes: SHA256=9F8B7A2C3D...A4E1
  • A Network-based indicator
  • B Signature-based detection
  • C Behavioral indicator
  • D Compliance violation

Right answer (C): That's correct! A Word document spawning PowerShell is a behavioral indicator: an abnormal parent-child process relationship (WINWORD.EXE launching a hidden, encoded PowerShell) that deviates from expected application behavior. It holds regardless of the child's hash, which is why the ParentImage/Image pair in the Sysmon record, not the SHA256 field, is the evidence to report.

Wrong answers:

  • A): Network-based indicators involve suspicious traffic patterns such as connections to known malicious IPs or unusual DNS queries, not local process execution chains.
  • B): Signature-based detection relies on matching known malware hashes or byte patterns, whereas this scenario identifies suspicious behavior without a specific signature.
  • D): A compliance violation relates to policy or regulatory non-adherence and is not a technical indicator of compromise.
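
The parent-child check the explanation describes, as a detection function run over a Sysmon Event ID 1 record. This is an added example, not the page's EDR rule or a Sysmon feature; the event below is constructed to mirror the record above, with an inert script fragment of our own as the -enc payload (the page's encoded value is truncated, so it is not reused; its first 24 characters do decode to `$client =`, which the test checks). The process-name sets and flag patterns are our assumptions.

```python
"""Behavioral detection: an Office parent launching a script-host child with launch
flags typical of malicious PowerShell, evaluated on one Sysmon Event ID 1 record.
Added example; the sample events are constructed."""
import base64
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Each flag alone is a weak signal (admins use -nop too); with the parent/child pair
# they raise confidence and feed the report.
SUSPICIOUS_FLAGS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "no_profile":      re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy":   re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{8,})", re.I),
}


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of the UTF-16LE script text; None if undecodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate_process_create(event):
    """Return (hit, findings) for one Event ID 1 record given as a field -> value dict."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")
    findings = {"parent": parent, "child": child, "flags": [], "decoded_script": None, "attack": []}
    # The indicator is the relationship: a document viewer has no business launching a
    # script host, whatever the child's hash is.
    hit = parent in OFFICE_PARENTS and child in SCRIPT_HOSTS
    if hit:
        findings["attack"] = ["T1204.002 User Execution: Malicious File",
                              "T1059.001 PowerShell" if child in ("powershell.exe", "pwsh.exe")
                              else "T1059 Command and Scripting Interpreter"]
    for name, rx in SUSPICIOUS_FLAGS.items():
        m = rx.search(cmdline)
        if m:
            findings["flags"].append(name)
            if name == "encoded_command":
                findings["decoded_script"] = decode_encoded_command(m.group(1))
    return hit, findings


INERT_SCRIPT = "$client = New-Object System.Net.Sockets.TcpClient"   # constructed fragment, never executed
SAMPLE_EVENT = {   # constructed to mirror the FIN-WS-0421 record
    "EventID": 1,
    "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "ParentCommandLine": '"WINWORD.EXE" /n "Q4_Invoice_Audit.docm"',
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": "powershell.exe -nop -w hidden -enc "
                   + base64.b64encode(INERT_SCRIPT.encode("utf-16-le")).decode("ascii"),
}
BENIGN_EVENT = {   # constructed: an admin script launched from the shell, -NoProfile but no Office parent
    "EventID": 1,
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
}

if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, BENIGN_EVENT):
        print(evaluate_process_create(ev))
```

The benign event trips the `no_profile` flag but is not a hit, which is the point of the question: the flags describe the command line, the parent-child pair describes the behavior.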

3. The SOC manager wants to reduce MTTR on the multi-stage attack chain shown below by automating containment actions across EDR, firewall, and IAM tools without writing custom integration code for each. Which capability of a SOAR platform fulfills this requirement that a standalone SIEM cannot?

🛡 MITRE ATT&CK Navigator — IR-2026-0418 Phishing Campaign
T1566.001 Spearphishing Attachment → T1059.001 PowerShell → T1003.001 LSASS Memory → T1021.002 SMB/Windows Admin Shares
MTTR (current): 4h 22m | SOC Tier-1 alerts/day: 1,840 | Analyst headcount: 6
  • A Log aggregation from multiple sources
  • B Real-time correlation of security events
  • C Dashboard visualization of alerts
  • D Automated playbook execution and orchestration

Right answer (D): That's correct! SOAR platforms provide automated playbook execution that orchestrates the response (isolate the host in EDR, block the C2 address at the firewall, disable the account in IAM) across multiple tools through prebuilt integrations, with analyst approval gates where policy requires them. A SIEM can detect the chain but cannot execute the response.

Wrong answers:

  • A): Log aggregation is a core SIEM function that collects and normalizes data from firewalls, endpoints, servers, and other sources into a central repository.
  • B): Real-time correlation is a fundamental SIEM capability that matches events against detection rules to identify threats as they occur.
  • C): Dashboard visualization is a standard SIEM feature that presents alert data, trends, and metrics in graphical formats for analyst review.

4. The Nessus export shown below lists CVE-2026-1042 (CVSS 9.8, unauthenticated RCE) on a Tier-1 production database server, and the vendor patch demands a service restart. The next approved change window is 5 days away. What should the vulnerability analyst recommend FIRST in the patch ticket?

analyst@vuln-mgmt: ~ — Tenable Nessus Export
Tenable Nessus Export - scan_id 8821 - 2026-05-05
Plugin ID  Severity   CVSS  CVE              Host                Description
198421     Critical   9.8   CVE-2026-1042    db-prod-01.corp.lcl  Unauth RCE in DB engine listener
198422     High       7.5   CVE-2026-0918    db-prod-01.corp.lcl  Privilege escalation via stored proc
198423     Medium     5.3   CVE-2025-44210   db-prod-01.corp.lcl  Information disclosure in error msg

Asset criticality: TIER-1 (Revenue impacting) | Patch requires DB restart (~25 min downtime)
Business hours window: 06:00-22:00 ET | Next maintenance window: Sat 02:00 ET (5 days out)
  • A Implement compensating controls until a maintenance window is available
  • B Immediately apply the patch regardless of downtime
  • C Mark the vulnerability as a false positive
  • D Wait for the next quarterly patch cycle

Right answer (A): That's correct! Compensating controls such as firewall or ACL rules that restrict the database listener to the application hosts that need it, an IPS signature for the exploit, and increased monitoring of the host reduce exposure immediately while the patch is scheduled for the maintenance window. For an unauthenticated 9.8 RCE on a Tier-1 asset the ticket should also request an emergency change rather than simply waiting five days.

Wrong answers:

  • B): Applying the patch immediately during business hours forces about 25 minutes of unscheduled downtime on a revenue-impacting system, outside the change-management process. If the analyst judges the exposure to justify that, the route is an emergency change request with stakeholder sign-off, not a unilateral patch.
  • C): Marking it as a false positive without validation ignores a legitimate critical vulnerability and leaves the system exposed to exploitation.
  • D): Waiting for the next quarterly cycle leaves the critical vulnerability unaddressed for potentially months, greatly increasing the window of exposure.

5. The pentest finding shown below shows a UNION-based SQLi in an internal HR portal that returned the full users table containing password hashes. The dev team asks which control will eliminate the root cause rather than just filter known payloads. Which remediation is MOST effective?

pentester@kali: ~ — Finding PT-2026-014
Pentest Finding PT-2026-014 (Internal App: hr-portal.corp.lcl)
Payload: ' UNION SELECT username,password_hash,NULL FROM users--
URL:     https://hr-portal.corp.lcl/search.aspx?q=
Response: HTTP 200, 1,847 rows returned (full users table dumped)
Root cause: String concatenation in T-SQL command:
  cmd.CommandText = "SELECT * FROM emp WHERE name LIKE '%" + Request["q"] + "%'"
Auth required: NO  | Risk: Critical | OWASP: A03:2021 Injection
  • A Deploy a web application firewall in front of the application
  • B Use parameterized queries and input validation in the application code
  • C Restrict database user permissions to read-only
  • D Enable TLS encryption on the database connection

Right answer (B): That's correct! Parameterized queries prevent SQL injection at the source by separating SQL logic from user-supplied data, making it impossible for input to alter query structure.

Wrong answers:

  • A): A WAF can detect and block some injection attempts but is a compensating control that can be bypassed with obfuscation or novel attack patterns.
  • C): Restricting to read-only limits the damage from exploitation but does not prevent data exfiltration through SELECT-based injection attacks.
  • D): TLS encrypts the connection between application and database but has no effect on SQL injection, which operates at the application logic layer.
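
The root cause from the finding next to the fix, executed against an in-memory SQLite database that stands in for the page's SQL Server back end. This is an added example, not the hr-portal code; the schema, rows and hash strings are constructed, and the payload is the one from the finding. It also shows the input-validation half of option B: LIKE's own wildcards still need escaping once the injection is closed.

```python
"""Concatenated query (the finding's root cause) vs. parameterized query (the fix),
run against SQLite in memory.  Added example; schema and rows are constructed."""
import sqlite3

# The exact payload from finding PT-2026-014.
PAYLOAD = "' UNION SELECT username,password_hash,NULL FROM users--"


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE emp (id INTEGER, name TEXT, dept TEXT);
        INSERT INTO emp VALUES (1,'Alice Ng','Finance'),(2,'Bob Diaz','HR'),(3,'Chen Wu','IT');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('jsmith','$2b$12$constructed-hash-1'),
                                 ('admin','$2b$12$constructed-hash-2');
    """)
    return con


def search_vulnerable(con, q):
    """Mirrors the finding's concatenated CommandText: the input becomes part of the
    statement, so a quote closes the literal and the rest is parsed as SQL.  The
    UNION selects three columns to match SELECT * FROM emp."""
    sql = "SELECT * FROM emp WHERE name LIKE '%" + q + "%'"
    return con.execute(sql).fetchall()


def search_parameterized(con, q):
    """The statement text is fixed at prepare time; q is bound as a value and cannot
    change the query's structure.  LIKE wildcards (% and _) are a separate concern,
    so they are escaped here too, otherwise a search for '%' matches every row."""
    q = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT * FROM emp WHERE name LIKE '%' || ? || '%' ESCAPE '\\'"
    return con.execute(sql, (q,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", search_vulnerable(db, PAYLOAD))     # emp rows plus the users table
    print("parameterized:", search_parameterized(db, PAYLOAD))  # []
```

In the page's ADO.NET code the same fix is `cmd.Parameters.AddWithValue("@q", q)` with `LIKE '%' + @q + '%'` in the command text; a WAF in front of the vulnerable version only changes which payloads get through.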

6. A vulnerability analyst is triaging CVE-2026-2210 shown below on an air-gapped SCADA HMI. The base score is 9.8 but the asset has no routable path from the corporate or external networks. According to CVSS v3.1 methodology, how should this contextual data influence the prioritization?

📄 cvss-triage.json — Vulnerability Scanner CRITICAL 9.8
CVE: CVE-2026-2210
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H → Base 9.8 (Critical)
Asset: SCADA-HMI-07
Network: ICS-DMZ (air-gapped — no Internet/WAN egress)
Modified Attack Vector (MAV): ?  |  Confidentiality Req (CR): High
Existing controls: physical access restrictions + 802.1X NAC
  • A Treat it as critical and patch immediately regardless of context
  • B Ignore the vulnerability entirely since the system is air-gapped
  • C Adjust the environmental score to lower the effective risk rating
  • D Increase the priority because air-gapped systems are harder to update

Right answer (C): That's correct! CVSS environmental metrics let the analyst re-score for the deployment: setting Modified Attack Vector (MAV) to Physical or Local reflects the absence of a routable path, and the Confidentiality Requirement (CR) captures the asset's data sensitivity. The environmental score is recomputed from the modified metrics; the published base score (9.8) is not edited, so the justification stays auditable.

Wrong answers:

  • A): Treating every vulnerability as critical without context leads to inefficient resource allocation and patch fatigue across the organization.
  • B): Ignoring vulnerabilities on air-gapped systems is dangerous because insider threats, removable media, and supply chain attacks can still exploit them.
  • D): The difficulty of updating does not increase the vulnerability's risk score, though it may affect the remediation timeline and approach.

7. The IR timeline shown below shows that at 04:05 ET the team confirmed the ransomware was successfully contained: hosts isolated, lateral movement halted, and encryption stopped. According to NIST SP 800-61r2, which phase begins NEXT at 04:10 ET?

⚠ Incident Timeline — IR-2026-0506 — LockBit-variant Ransomware
03:14 ET  SIEM correlated mass file rename (.lockbit ext) on FS-CORP-02
03:22 ET  Tier-2 analyst confirmed ransomware via YARA hit + ransom note
03:41 ET  14 endpoints + 2 file servers network-isolated via EDR; AD svc account disabled
04:05 ET  IR Lead confirms lateral spread halted; encryption stopped
04:10 ET  NEXT PHASE BEGINS → ?
  • A Preparation
  • B Detection and Analysis
  • C Containment
  • D Eradication and Recovery

Right answer (D): That's correct! Once containment is confirmed, eradication removes the threat (the ransomware binaries, persistence, and compromised credentials such as the disabled service account) and recovery restores systems to normal operation from clean backups. Note that SP 800-61r2 actually groups containment, eradication and recovery into one combined phase, followed by post-incident activity; the question treats eradication and recovery as the steps that start once containment is confirmed, which is how that combined phase proceeds in practice.

Wrong answers:

  • A): Preparation is the first phase that occurs before any incident and involves creating policies, assembling the team, and conducting training exercises.
  • B): Detection and Analysis is the second phase where the incident is initially identified and investigated, which has already occurred in this scenario.
  • C): Containment has already been completed as stated in the question, so repeating this phase would be redundant and delay remediation.

8. The compromised Linux server shown in the output below has been powered down per IR playbook and disconnected from the network. The legal team requires admissibility in potential litigation. Which action should the forensic analyst perform FIRST to establish chain of custody on the storage media?

analyst@soc01: ~ — IOC Report: web-edge-03.dmz.lcl
IOC Indicator Table - Compromised Host: web-edge-03.dmz.lcl (Ubuntu 22.04)
Type      Indicator                                    Source           Confidence
SHA256    c4a9d7e2b14f...8e91 (cron.sh dropper)        Local Sandbox    High
IPv4      203.0.113.77 (C2 beacon, port 8443)          PCAP - 5min ago  High
Domain    sync-update.ddns-bytes.net                   DNS query log    Medium
File      /tmp/.X11-unix/.s/agent (running as root)    EDR snapshot     High
Process   PID 28412 (parent: systemd, EST 03:50 ET)    ps + lsof        High

Status: Host powered down and physically disconnected. Disk pulled for analysis.
  • A Create a bit-for-bit forensic image of the disk and document the hash
  • B Log into the server and review the bash history
  • C Reboot the server to clear any running malware from memory
  • D Delete the suspected malicious files to prevent further damage

Right answer (A): That's correct! Attach the pulled disk through a hardware write blocker, create a bit-for-bit image (dd, dc3dd or FTK Imager), hash both the original and the image, and record the hashes, the tool, the time, and every person who handled the media. Matching hashes prove the image is an exact copy, the handling record is what chain of custody means in court, and all further analysis is done on copies of the image, never on the original.

Wrong answers:

  • B): The host is powered off; logging in would mean booting it, which replays the filesystem journal, writes logs and alters timestamps on the very disk that is the evidence. Bash history and other artifacts are read from the image instead.
  • C): Volatile memory was already lost when the host was powered down (the process and connection entries in the IOC table came from EDR and PCAP captured beforehand). Booting it now would write to the disk and could re-execute the malware's persistence (the cron.sh dropper points to cron), altering the evidence before it is imaged.
  • D): Deleting files destroys evidence, removes forensic artifacts, and could trigger anti-forensic mechanisms embedded in the malware.
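
The imaging-and-hashing step the explanation describes, as a small acquisition routine that copies a device file bit-for-bit, hashes the source stream and the written image independently, and emits a custody record that can be re-verified later. This is an added example, not the page's IR playbook or any forensic tool's code: the "device" is a constructed temporary file, the record fields and evidence identifier are our own choice, and nothing here substitutes for the hardware write blocker the real procedure uses.

```python
"""Bit-for-bit acquisition with independent source/image hashing and a custody record.
Added example; the device is a constructed temporary file."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB reads keep memory flat on multi-TB sources


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image_path, examiner, evidence_id):
    """Copy source -> image_path while hashing the source stream, then hash the
    written image in a separate pass so the two digests are independent.  The
    source is only ever opened read-only."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    record = {
        "evidence_id": evidence_id,           # assumed naming convention
        "source": source,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "sha256_source": h_src.hexdigest(),
        "sha256_image": sha256_of(image_path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def reverify(record):
    """Later custody check: the image on disk must still match the recorded digest."""
    return sha256_of(record["image"]) == record["sha256_image"]


def demo():
    """Constructed run: a fake device of random bytes, then a one-byte tamper of the
    image to show reverify() failing.  Returns (record, intact_before, intact_after)."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "sdb")                     # stand-in for /dev/sdb
        with open(dev, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 4097))
        rec = acquire(dev, os.path.join(d, "web-edge-03.dd"), "analyst", "IR-2026-0506-E01")
        intact = reverify(rec)
        with open(rec["image"], "r+b") as f:            # flip one byte at offset 512
            f.seek(512)
            b = f.read(1)
            f.seek(512)
            f.write(bytes([b[0] ^ 0xFF]))
        return rec, intact, reverify(rec)


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("intact before tamper:", before, "| after:", after)
```

The second, independent read of the image is deliberate: hashing the bytes still in memory would only prove the copy loop did not corrupt them, not that what landed on disk is what will be analysed.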

9. The CISO has asked the analyst to brief the Board Risk Committee using the data summarized in the table below in a 15-minute slot. The board members are non-technical and need to authorize remediation budget. Which reporting approach is MOST appropriate for this audience?

📊 VulnPosture_Q1-2026.xlsx — Quarterly Vulnerability Posture
Metric Value
Total assets scanned4,128
Critical findings142
High findings887
Medium findings3,401
Top exposuresCVE-2026-1042 (revenue DB), CVE-2025-9912 (customer portal), CVE-2026-0188 (payroll)
Est. remediation cost$186,000
Est. breach cost (Ponemon avg.)$4,300,000
AudienceCEO, CFO, Board Risk Committee — 15-minute slot
  • A A detailed technical report with raw scan output and CVE numbers
  • B An executive summary with business risk impact and remediation costs
  • C A spreadsheet listing every discovered vulnerability sorted by IP address
  • D A packet capture file showing exploit traffic

Right answer (B): That's correct! Executive leadership needs business-focused reporting that translates technical findings into risk impact, financial exposure, and recommended investment in remediation.

Wrong answers:

  • A): Detailed technical reports with raw scan data overwhelm non-technical stakeholders and fail to communicate business relevance or strategic priorities.
  • C): A vulnerability spreadsheet sorted by IP provides no business context and requires technical expertise to interpret that executives typically do not possess.
  • D): Packet captures are raw technical evidence used by SOC analysts and forensic investigators, not a communication format suitable for leadership briefings.

10. The threat intel report shown below confirms a supply-chain compromise via a trojanized vendor update affecting 612 endpoints with possible PII exposure and active GDPR/SEC disclosure clocks running. Per incident communication best practices and regulatory obligations, which stakeholder group MUST be notified FIRST?

analyst@soc01: ~ — TI-2026-119 CONFIDENTIAL
Threat Intel Report TI-2026-119 (Supply Chain Compromise - CONFIDENTIAL)
Vendor:        NorthStar Monitoring Agent v4.8.2 (deployed on 612 endpoints)
Vector:        Trojanized auto-update package signed with stolen code-signing cert
Malware:       Backdoor.NORTH.BLISTER (HTTPS C2 to 198.51.100.221)
First seen:    2026-05-04 14:22 UTC (4 days dwell time)
Data exposure: Possible — agent runs as SYSTEM, reads PII directories
Disclosure:    72-hour GDPR notification window in effect | SEC 8-K (4 business days)
  • A The media and general public
  • B All employees via company-wide email
  • C Legal counsel, executive management, and the affected vendor
  • D Law enforcement before any internal investigation

Right answer (C): That's correct! Legal counsel, executive management, and the vendor must be notified first to coordinate response, assess legal obligations, and stop the compromised update from spreading further.

Wrong answers:

  • A): Notifying the media prematurely can cause reputational damage, interfere with the investigation, and may violate legal requirements around disclosure timing.
  • B): A company-wide email could alert the attacker if they have internal access and may cause unnecessary panic before the scope is fully understood.
  • D): While law enforcement notification may be required, internal stakeholders and legal counsel should be engaged first to preserve evidence and determine reporting obligations.



CySA+ Domain Weights (CS0-003)

Security Operations              33%
Vulnerability Management         30%
Incident Response & Management   20%
Reporting & Communication        17%


Free CySA+ Flashcards


What is the difference between a SIEM and a SOAR platform?


A SIEM aggregates, correlates, and alerts on security events from multiple log sources. A SOAR automates response actions via playbooks and orchestrates workflows across security tools.

Frequently Asked Questions

The CySA+ (CS0-003) passing score is 750 on a 100-900 scale. The exam includes up to 85 questions with a 165-minute time limit.

CySA+ is highly valuable for SOC analysts and cybersecurity professionals who perform threat detection and incident response. It is DoD 8140 approved and validates hands-on defensive security skills.

Security+ covers broad security fundamentals, while CySA+ dives deeper into threat detection, SIEM analysis, vulnerability management, and incident response. CySA+ is considered an intermediate-level certification.

CompTIA recommends a minimum of 4 years of hands-on experience as an incident response or SOC analyst, or equivalent experience. Security+ (or equivalent knowledge) is strongly recommended before attempting CySA+.

The CySA+ exam voucher costs approximately $404 USD. CompTIA offers bundles with retake vouchers and training materials at a discount.

Yes, CySA+ includes performance-based questions simulating real scenarios like analyzing SIEM log output, triaging alerts, interpreting vulnerability scan results, and identifying indicators of compromise.

CySA+ is valid for three years. Renewal requires 60 CEUs through CompTIA's Continuing Education program or passing a higher-level CompTIA certification.

CySA+ qualifies you for SOC analyst, cybersecurity analyst, threat intelligence analyst, vulnerability analyst, and incident responder roles. Salaries range from $80,000 to $120,000.

CySA+ focuses on defensive security (blue team) while PenTest+ focuses on offensive security (red team). Choose based on your career path. Many professionals eventually earn both certifications.

Key tools include Splunk or ELK for SIEM, Nessus or Qualys for vulnerability scanning, Wireshark for packet analysis, and MITRE ATT&CK for threat framework mapping.

Yes, there are no mandatory prerequisites. However, Security+ knowledge is strongly recommended as CySA+ builds upon foundational security concepts covered in the Security+ curriculum.

CertLabz offers full-length CySA+ practice exams with 85+ questions, virtual security labs, PBQ simulations, domain breakdowns with progress tracking, and flashcards. Plans start at $10/month.
