Security+ is the entry point. CySA+ is where you go when Security+ isn't enough depth for the role you're in — or targeting. The CS0-003 exam tests operational security analytics: reading SIEM dashboards, correlating indicators, responding to incidents, and communicating findings to stakeholders. It's designed for candidates who are doing SOC analyst or threat intelligence work, not preparing for it theoretically.
That specific operational focus is what distinguishes CySA+ from Security+ and makes it valuable rather than redundant.
What CySA+ Tests That Security+ Doesn't
Security+ covers the breadth of security concepts at an introductory level. CySA+ covers a narrower subset at significantly greater depth.
| CySA+ Domain | Weight |
|---|---|
| Security Operations | 33% |
| Vulnerability Management | 30% |
| Incident Response Management | 20% |
| Reporting and Communication | 17% |
Security Operations at 33% and Vulnerability Management at 30% together account for 63% of the exam. A candidate who masters these two domains has the foundation to pass.
The operational depth difference:
Security+ asks: "What is a SIEM?" (definition and purpose).

CySA+ asks: "Given this SIEM alert showing 15 failed logins from the same IP followed by a successful login and access to HR files, what is the most likely threat scenario and what should the analyst do first?" (applied judgment).
This is the distinction between knowing what tools are and knowing how to use them.
Domain 1: Security Operations (33%)
Threat Intelligence Integration
Threat intelligence on CySA+ is a working tool, not a concept to define.
STIX/TAXII: structured threat intelligence standards.
- STIX (Structured Threat Information eXpression): format for describing threat intelligence
- TAXII (Trusted Automated eXchange of Intelligence Information): transport protocol for sharing threat intelligence
- Together: machine-readable threat intelligence sharing between organizations and platforms
Threat intelligence types:
- Strategic: high-level, for executives — "ransomware targeting our industry is increasing"
- Operational: campaign-specific — "threat actor X is using this malware family in this region"
- Tactical: IOCs — specific file hashes, IP addresses, domains
- Technical: vulnerability details, exploit code
MITRE ATT&CK for detection engineering: CySA+ tests ATT&CK at a depth beyond what Security+ covers. Candidates need to map observed behaviors to ATT&CK techniques (not just know the framework exists) and understand how detection rules are built from ATT&CK technique knowledge.
Log Analysis and SIEM
Log sources and what they reveal:
- Windows Security Event Logs: authentication events (4624 successful logon, 4625 failed logon, 4648 logon with explicit credentials), privilege use (4672 special privileges assigned to a new logon, 4673 privileged service called), object access (4663)
- Syslog (network devices): configuration changes, authentication, interface events
- Web server logs: HTTP methods, status codes, user agents, referrers
- DNS logs: query patterns, NXDOMAIN responses, large TXT queries
- NetFlow: communication patterns, volume anomalies, unusual port usage
SIEM query skills: CySA+ doesn't test a specific SIEM syntax (Splunk SPL, KQL) but tests the conceptual ability to construct queries — filtering by time, correlating multiple event types, identifying anomalies in baseline behavior.
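The alert described earlier (a run of failed logons, then a success from the same source, then access to HR files) is exactly the kind of sequence a SIEM correlation rule encodes. The script below is an added example, not code from the page or from any SIEM vendor: it runs that correlation over constructed Windows Security event records (timestamps, accounts, source IPs and file paths are made up for the example), attaches the post-logon object accesses as evidence, and tags the finding with the ATT&CK techniques it maps to. It joins 4663 events on the account name for brevity; a production rule would join on the Logon ID that 4624 and 4663 share.

```python
"""Correlating a password-guessing sequence in Windows Security events.

Added example with constructed records (not real logs): many 4625 failed
logons from one source IP, followed by a 4624 successful logon from the same
IP, followed by 4663 object-access events for the same account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip, object).
# 15 failures three seconds apart, then a success, then two HR file reads.
SAMPLE_EVENTS = [
    *[(f"2024-03-04T09:00:{s:02d}", 4625, "jsmith", "203.0.113.7", None)
      for s in range(0, 45, 3)],
    ("2024-03-04T09:00:50", 4624, "jsmith", "203.0.113.7", None),
    ("2024-03-04T09:01:10", 4663, "jsmith", None, r"\\fs01\HR\salaries.xlsx"),
    ("2024-03-04T09:01:12", 4663, "jsmith", None, r"\\fs01\HR\reviews.docx"),
    # A single mistyped password followed by success is normal user behaviour.
    ("2024-03-04T09:02:00", 4625, "bjones", "198.51.100.4", None),
    ("2024-03-04T09:02:30", 4624, "bjones", "198.51.100.4", None),
]


def detect_guessing_then_access(events, threshold=10, window=timedelta(minutes=5)):
    """Return one finding per source IP whose 4624 was preceded by at least
    `threshold` 4625 events inside `window`, with any 4663 object accesses for
    that account inside `window` after the success attached as evidence.

    Event 4663 carries a Logon ID rather than a source IP; a production rule
    would join 4663 to the 4624 on that Logon ID. This example joins on the
    account name to keep the constructed data short.
    """
    ordered = sorted(
        ((datetime.fromisoformat(ts), eid, acct, ip, obj) for ts, eid, acct, ip, obj in events),
        key=lambda e: e[0],
    )
    failures = defaultdict(list)  # source_ip -> timestamps of 4625 events
    findings = []
    for ts, eid, acct, ip, obj in ordered:
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append({
                    "source_ip": ip,
                    "account": acct,
                    "failures": len(recent),
                    "success_at": ts,
                    "objects": [],
                    # ATT&CK: T1110 Brute Force leading to T1078 Valid Accounts
                    "techniques": ["T1110", "T1078"],
                })
            failures[ip] = []  # a success ends the guessing run
        elif eid == 4663:
            for f in findings:
                if f["account"] == acct and timedelta(0) <= ts - f["success_at"] <= window:
                    f["objects"].append(obj)
    return findings


def first_action(finding):
    """The triage decision the exam scenario asks for: a guessed account that
    has already touched sensitive objects is contained (account disabled, host
    isolated) before deeper analysis; a success with no access yet is escalated
    for investigation while the account is watched."""
    return "contain" if finding["objects"] else "investigate"


if __name__ == "__main__":
    for f in detect_guessing_then_access(SAMPLE_EVENTS):
        print(f["source_ip"], f["account"], f["failures"], f["objects"], first_action(f))
```

The threshold and window are the two knobs a real rule exposes; lowering the threshold catches slower guessing at the cost of flagging users who fat-finger a password a few times, which is why the benign `bjones` pair in the sample data must not fire.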
"CySA+ is the first CompTIA exam that requires you to think operationally. Reading log samples on the exam isn't about knowing what format they're in — it's about recognizing that the sequence of events in those logs represents a specific attack pattern. That pattern recognition takes hands-on exposure to develop." — Pete Herzog, security training developer, ISECOM
Domain 2: Vulnerability Management (30%)
Vulnerability Scanning vs Penetration Testing
A common confusion the exam tests:
Vulnerability scanning: automated, non-exploitative identification of vulnerabilities. Tools (Nessus, OpenVAS) query systems for known CVEs, misconfigurations, and missing patches. Output: list of vulnerabilities with severity ratings.
Penetration testing: manual, exploitative attempt to compromise systems within authorized scope. Confirms whether vulnerabilities are exploitable and what an attacker could actually access.
When each is used: vulnerability scanning is ongoing (weekly/monthly). Penetration testing is periodic (annual) or triggered by major changes. They answer different questions: scanning asks "what vulnerabilities exist?" and pen testing asks "can they actually be exploited?"
CVSS Scoring
CVSS (Common Vulnerability Scoring System): standardized severity scoring for vulnerabilities. The exam tests CVSS v3.1:
| Score range | Severity |
|---|---|
| 0.0 | None |
| 0.1-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10.0 | Critical |
Base score components:
- Attack Vector: Network (remote), Adjacent, Local, Physical
- Attack Complexity: Low (no special conditions) or High
- Privileges Required: None, Low, or High
- User Interaction: None or Required
- Scope: Unchanged or Changed (does the vulnerability affect components beyond the vulnerable one?)
- Confidentiality, Integrity, Availability Impact: None, Low, or High each
The exam presents scenarios and asks whether a vulnerability should be prioritized. Critical CVSS score alone doesn't always mean "fix immediately" — context matters (is the system internet-exposed? is compensating control in place?).
Remediation Prioritization
CySA+ tests vulnerability prioritization beyond CVSS scores:
Factors that increase urgency:
- Vulnerability is being actively exploited in the wild (known exploitation — CISA KEV catalog)
- System is internet-facing
- Vulnerability enables lateral movement or privilege escalation
- Business-critical system
Factors that reduce urgency:
- Compensating control in place (firewall blocks the attack vector)
- Low-value system (test environment, non-critical workload)
- Exploit requires local access and system has no local users
CISA KEV (Known Exploited Vulnerabilities): the US Cybersecurity and Infrastructure Security Agency maintains a catalog of CVEs with confirmed exploitation in the wild. Under Binding Operational Directive 22-01, federal civilian agencies are required to remediate KEV catalog entries by the due date listed for each one. CySA+ tests this as a prioritization tool: KEV membership is evidence of exploitation, which CVSS alone cannot tell you.
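The factors above are easier to reason about as a policy than as a list. The script below is an added example, not from the page, CompTIA or CISA: it adjusts a CVSS base score for environment (exposure, blast radius, compensating controls, asset value), maps the result to a priority tier, and then applies a KEV floor so that a known-exploited vulnerability is never parked behind a higher-scoring but unexploited one. The tiers, score adjustments and SLA days are an assumed policy for illustration; the findings are constructed and the ids F1 to F3 are placeholders, not CVE identifiers.

```python
"""Remediation priority from CVSS plus context.

Added example, not from the page. The tiers, score adjustments and SLA days
are an assumed policy for illustration, not CompTIA's or CISA's; the findings
are constructed and the ids F1..F3 are placeholders, not CVE identifiers.
"""
from dataclasses import dataclass
from typing import Optional

SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}   # assumed policy
TIER_RANK = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


@dataclass
class Finding:
    host: str
    finding_id: str
    cvss: float
    internet_facing: bool = False
    in_kev: bool = False                   # listed in the CISA KEV catalog
    lateral_or_privesc: bool = False
    business_critical: bool = False
    compensating_control: Optional[str] = None
    local_only_no_users: bool = False      # local attack vector, no interactive users
    low_value_asset: bool = False


def tier_for(score):
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def prioritize(f):
    """Adjust the CVSS base score by environment, then apply the KEV floor:
    confirmed in-the-wild exploitation is never lower than P2, and is P1 when
    the system is exposed or business-critical, whatever the adjusted score."""
    score, reasons = f.cvss, []
    adjustments = (
        (f.internet_facing, +1.0, "internet-facing"),
        (f.lateral_or_privesc, +1.0, "enables lateral movement or privilege escalation"),
        (f.business_critical, +1.0, "business-critical system"),
        (f.compensating_control is not None, -2.0, f"compensating control: {f.compensating_control}"),
        (f.local_only_no_users, -2.0, "local-only vector on a system with no local users"),
        (f.low_value_asset, -1.0, "low-value asset"),
    )
    for applies, delta, why in adjustments:
        if applies:
            score += delta
            reasons.append(why)
    score = max(0.0, min(10.0, score))
    tier = tier_for(score)
    if f.in_kev:
        floor = "P1" if (f.internet_facing or f.business_critical) else "P2"
        if TIER_RANK[floor] < TIER_RANK[tier]:
            tier = floor
            reasons.append(f"CISA KEV listing raises priority to {floor}")
    return {"host": f.host, "id": f.finding_id, "tier": tier, "sla_days": SLA_DAYS[tier],
            "adjusted": round(score, 1), "reasons": reasons}


def triage(findings):
    """Work queue: by tier, then by adjusted score within a tier."""
    return sorted((prioritize(f) for f in findings),
                  key=lambda r: (TIER_RANK[r["tier"]], -r["adjusted"]))


SAMPLE_FINDINGS = [
    # Critical score, but internal and behind a firewall rule that blocks the vector.
    Finding("erp-db-01", "F1", 9.8, business_critical=True,
            compensating_control="attack vector blocked by internal firewall"),
    # High score, internet-facing, and on the KEV catalog: actively exploited.
    Finding("web-edge-03", "F2", 7.5, internet_facing=True, in_kev=True),
    # Local privilege escalation on a test box nobody logs into.
    Finding("build-test-09", "F3", 7.8, local_only_no_users=True, low_value_asset=True),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        print(r["tier"], r["sla_days"], r["host"], r["adjusted"], "; ".join(r["reasons"]))
```

Run it and the queue comes out F2, F1, F3: the 7.5 on the edge host that is in KEV outranks the 9.8 on the database behind a compensating control, which is the judgment the exam is probing. The `reasons` list is deliberately kept, because the same justification has to survive into the report an executive or auditor reads.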
Domain 3: Incident Response Management (20%)
The Incident Response Process
CySA+ goes deeper than Security+ on incident response by testing the judgment calls within each phase, not just the phases themselves.
Triage and prioritization: when multiple alerts fire simultaneously, analysts must triage by potential impact and confidence level. High-confidence indicators of active intrusion take priority over low-confidence anomalies.
Containment decisions: the tradeoff between isolating a compromised system (limits damage, disrupts attacker) and maintaining observation (allows collection of attacker TTPs, preserves forensic evidence). CySA+ tests when to contain vs observe.
Evidence collection sequence: order matters for evidence volatility.
- CPU cache and registers (most volatile)
- Network connections and processes
- Memory (RAM)
- Temporary files and swap
- Disk (least volatile but still can change)
- Remote logs
Collecting evidence in the wrong order can destroy more volatile evidence before it's captured.
Forensic Concepts
CySA+ tests digital forensics at a conceptual level relevant to incident response:
Write blockers: hardware or software that prevents writes to evidence media during acquisition. Essential for maintaining forensic integrity.
Disk imaging: byte-for-byte copy of a storage device. Hash the source and verify the image hash matches — confirms no modification during acquisition.
Memory forensics: capturing RAM contents for analysis. Reveals running processes, network connections, encryption keys, and artifacts not present on disk (fileless malware lives exclusively in memory).
Domain 4: Reporting and Communication (17%)
This domain surprises candidates who expect a purely technical exam. CySA+ tests whether you can communicate security findings to different audiences.
Executive reports: translate technical findings into business impact. A CVSS 9.8 vulnerability means nothing to an executive — "this flaw allows an attacker to access all customer records without authentication" is what matters.
Technical reports: full detail including affected systems, CVE references, reproduction steps, remediation guidance.
Metrics and KPIs: Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), patching SLA compliance rates. CySA+ tests what these metrics measure and what they indicate about security program effectiveness.
Preparing for CySA+
Prerequisite: Security+ knowledge is the practical prerequisite even if not formally required. CySA+ assumes you know the foundational security concepts — it won't re-teach CIA triad, authentication factors, or what a firewall does.
Hands-on preparation is more important than for Security+: unlike Security+, which can be passed with strong video + practice exam preparation, CySA+ benefits significantly from actual SIEM experience. Free options:
- Splunk Free: 500 MB/day data ingestion, sufficient for lab scenarios
- Elastic Security (Elastic's SIEM) or the OpenSearch fork of Elasticsearch: free to run locally
- TryHackMe / BlueTeamLabs.online: curated SOC analyst scenarios with real logs
Jason Dion's CySA+ course and Mike Chapple's CompTIA CySA+ Study Guide are the two most consistently recommended resources.
Target practice score: 80%+ on Dion practice exams before booking. CySA+ passes at 750/900.
CS0-003 Domain Breakdown: What Changed in the 2023 Update
CySA+ updated from CS0-002 to CS0-003 in June 2023. The domain structure changed significantly. Candidates using CS0-002 study materials for the current exam will have coverage gaps.
CS0-002 vs CS0-003 Domain Comparison
| CS0-002 Domain | Weight | CS0-003 Domain | Weight |
|---|---|---|---|
| Threat and Vulnerability Management | 22% | Security Operations | 33% |
| Software and Systems Security | 18% | Vulnerability Management | 30% |
| Security Operations and Monitoring | 25% | Incident Response Management | 20% |
| Incident Response | 22% | Reporting and Communication | 17% |
| Compliance and Assessment | 13% | — | — |
What CS0-003 added or expanded:
- Cloud security operations content (cloud SIEM, container security monitoring)
- Threat hunting methodology as an active SOC function (not just reactive monitoring)
- Updated MITRE ATT&CK coverage reflecting ATT&CK v13+
- Expanded reporting and communication as a standalone domain (was embedded in other domains)
- Identity and access management anomaly detection
What CS0-003 reduced:
- Compliance and assessment content (moved to a lighter treatment within Security Operations)
- Software security development concepts (now lighter, CASP+ covers this depth)
Specific Tools Tested on CySA+
The CS0-003 exam references tools by category and function rather than vendor-specific syntax. Knowing what these tools do and when analysts use them is sufficient for the exam.
Splunk for Log Analysis
Splunk is the SIEM that CySA+ study material most often uses for examples. The exam doesn't test SPL (Splunk Processing Language) syntax specifically, but it does test the conceptual approach:
- Search and investigation workflow: submit a search, filter by time, add field filters, extract patterns
- Dashboard interpretation: recognizing what a spike in failed authentication events over time means
- Alert configuration: threshold-based (more than 10 failed logins in 5 minutes) and correlation-based alerts
Free practice environment: Splunk's free tier (splunk.com/free) allows 500 MB/day ingestion. Combined with the Boss of the SOC (BOTS) dataset — synthetic enterprise attack scenarios available for free on Splunk's website — you can practice real incident investigation using Splunk queries.
BOTS dataset scenarios include:
- APT-style attack chain investigation
- Ransomware deployment tracking
- Data exfiltration via DNS detection
- Credential stuffing attack investigation
These are exactly the scenario types that appear in CySA+ Security Operations questions.
Wireshark for Traffic Analysis
Wireshark appears in CySA+ questions about network intrusion analysis and forensic investigation.
CySA+ relevant Wireshark skills:
- Reading TCP stream to reconstruct communication (Follow TCP Stream)
- Filtering by protocol, IP address, or port: `tcp.port == 443`, `ip.addr == 10.0.0.1`, or a protocol name such as `dns`
- Identifying scan patterns in packet captures (many SYN packets to sequential ports from one source)
- Recognizing protocol anomalies (HTTP traffic on port 443, DNS responses unusually large)
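The scan and protocol-anomaly patterns above are usually spotted in Wireshark by eye, but writing the check down makes clear what "looks like a scan" actually means. The script below is an added example, not from the page or from the Wireshark project: it runs two of those checks over constructed packet summaries (the addresses, ports and payload bytes are made up for the example), flagging a source that sends SYN-only segments to a long run of consecutive ports, and a data segment to port 443 whose payload is an HTTP request line instead of a TLS record. The Wireshark display filters quoted in the docstring are real filter syntax and are the interactive equivalent of each check.

```python
"""Scan and protocol-anomaly detection over packet summaries.

Added example with constructed packets, not a real capture. The same checks
as Wireshark display filters:
  SYN-only segments:      tcp.flags.syn == 1 && tcp.flags.ack == 0
  cleartext HTTP on 443:  tcp.port == 443 && http
"""
from collections import defaultdict

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS"}
TLS_HANDSHAKE = 0x16  # first byte of a TLS record carrying a handshake message

# Constructed packets: (src_ip, dst_ip, dst_port, tcp_flags, first_payload_bytes).
# Flags use tcpdump notation: "S" = SYN only, "PA" = PSH+ACK (a data segment).
SAMPLE_PACKETS = [
    *[("10.0.0.5", "10.0.0.20", port, "S", b"") for port in range(20, 45)],  # 25 sequential SYNs
    ("10.0.0.7", "10.0.0.20", 22, "S", b""),                                 # one normal SSH connect
    ("10.0.0.7", "10.0.0.20", 443, "PA", b"\x16\x03\x01\x02\x00\x01\x00"),    # TLS ClientHello
    ("10.0.0.7", "10.0.0.20", 80, "PA", b"GET / HTTP/1.1\r\n"),               # HTTP where expected
    ("10.0.0.9", "203.0.113.50", 443, "PA", b"POST /up HTTP/1.1\r\n"),        # cleartext HTTP on 443
]


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers in `ports`."""
    ordered = sorted(set(ports))
    run = best = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best if ordered else 0


def detect_syn_scans(packets, min_ports=20, min_run=10):
    """Flag (src, dst) pairs sending SYN-only segments to many ports, and
    report the longest consecutive-port run: the signature of a sequential
    scanner rather than a burst of legitimate connections."""
    ports_by_pair = defaultdict(set)
    for src, dst, dport, flags, _ in packets:
        if flags == "S":
            ports_by_pair[(src, dst)].add(dport)
    findings = []
    for (src, dst), ports in ports_by_pair.items():
        run = longest_sequential_run(ports)
        if len(ports) >= min_ports or run >= min_run:
            findings.append({"src": src, "dst": dst, "port_count": len(ports),
                             "longest_run": run, "technique": "T1046"})  # Network Service Discovery
    return findings


def detect_cleartext_on_tls_port(packets, tls_port=443):
    """Flag data segments to the TLS port whose payload starts with an HTTP
    request line rather than a TLS record: a C2 or exfil channel hiding on
    443 to slip past port-based firewall rules."""
    findings = []
    for src, dst, dport, flags, payload in packets:
        if dport != tls_port or not payload:
            continue
        if payload[0] != TLS_HANDSHAKE and payload.split(b" ", 1)[0] in HTTP_METHODS:
            request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            findings.append({"src": src, "dst": dst, "request_line": request_line})
    return findings


if __name__ == "__main__":
    print(detect_syn_scans(SAMPLE_PACKETS))
    print(detect_cleartext_on_tls_port(SAMPLE_PACKETS))
```

The single SYN to port 22 from `10.0.0.7` is there on purpose: a scan detector that fires on every SYN is just a connection log. Counting distinct ports per source/destination pair and measuring the longest consecutive run is what separates a sequential scanner from a busy but legitimate client.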
Free PCAP sources for practice:
- Wireshark sample captures (wiki.wireshark.org/SampleCaptures)
- Malware Traffic Analysis (malware-traffic-analysis.net) — real malware PCAPs with analysis guides
- PCAP exercises on TryHackMe and BlueTeamLabs.online
Threat Intelligence Domain: What It Tests vs What Candidates Expect
Many candidates study threat intelligence as a conceptual topic — types of intelligence, sharing frameworks, IOC definitions — and then fail questions that require applied intelligence work.
What candidates think the domain tests:
- Definitions of STIX, TAXII, MISP
- Types of threat intelligence (strategic, operational, tactical, technical)
- Names of threat intelligence sharing platforms
What the domain actually tests:
- Given a set of IOCs, determine which ones are high-confidence indicators of a specific threat actor
- Given an ATT&CK technique (T1059.001 — PowerShell), what detection method would identify it in logs?
- Given threat intelligence reporting that an APT group uses a specific C2 infrastructure, what immediate defensive action is warranted?
- Determining whether intelligence is actionable given your environment's visibility and tooling
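The applied questions above come down to two operations: matching indicators against the telemetry you actually have, and recognising when an indicator cannot be matched because the telemetry is missing. The script below is an added example, not from the page or from any intelligence platform: it flattens a small constructed indicator set (the domain, IP address, placeholder hash and confidence labels are made up, not real intelligence) into the shape a STIX feed yields once parsed, matches it against constructed DNS and proxy log lines, ranks hits by confidence, and reports which indicators are unactionable in an environment that has DNS and proxy logs but no endpoint telemetry. The mapping of indicator type to the log source that can observe it is an assumption for the example.

```python
"""Matching tactical IOCs against available logs and judging actionability.

Added example; the IOC values, log lines and visibility mapping are
constructed for illustration, not real intelligence or real telemetry.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed indicator set, in the shape a parsed STIX feed reduces to.
IOCS = [
    {"type": "domain", "value": "update-cdn.example", "confidence": "high"},
    {"type": "ipv4", "value": "198.51.100.23", "confidence": "low"},   # shared hosting address
    {"type": "sha256", "value": "0" * 64, "confidence": "high"},       # placeholder hash
]

# Which telemetry can observe each indicator type (assumption for this example).
VISIBILITY = {
    "domain": {"dns", "proxy"},
    "ipv4": {"proxy", "netflow", "firewall"},
    "sha256": {"edr"},
}

# Constructed logs: this environment has DNS and proxy telemetry but no EDR.
LOGS = {
    "dns": [
        "2024-03-04T10:00:01 10.0.0.12 A update-cdn.example NOERROR",
        "2024-03-04T10:00:02 10.0.0.15 A intranet.corp.example NOERROR",
    ],
    "proxy": [
        "2024-03-04T10:00:05 10.0.0.12 198.51.100.23 https://update-cdn.example/c",
        "2024-03-04T10:00:06 10.0.0.15 192.0.2.80 https://vendor.example/api",
    ],
}


def extract_observables(source, line):
    """Pull (type, value) pairs out of one log line of a known source."""
    fields = line.split()
    if source == "dns":            # ts client qtype qname rcode
        return [("domain", fields[3])]
    if source == "proxy":          # ts client dst_ip url
        return [("ipv4", fields[2]), ("domain", urlparse(fields[3]).hostname)]
    return []


def match_iocs(iocs, logs):
    """Return {ioc_value: {"hosts": set, "sources": set}} for every indicator
    seen in the logs, so one sighting across two sources is one finding."""
    index = {(i["type"], i["value"]) for i in iocs}
    hits = defaultdict(lambda: {"hosts": set(), "sources": set()})
    for source, lines in logs.items():
        for line in lines:
            client = line.split()[1]
            for obs in extract_observables(source, line):
                if obs in index:
                    hits[obs[1]]["hosts"].add(client)
                    hits[obs[1]]["sources"].add(source)
    return dict(hits)


def rank_hits(iocs, hits):
    """High-confidence indicators first, then by how many hosts touched them."""
    order = {"high": 0, "medium": 1, "low": 2}
    confidence = {i["value"]: i["confidence"] for i in iocs}
    return sorted(hits, key=lambda v: (order[confidence[v]], -len(hits[v]["hosts"])))


def actionable(iocs, available_sources):
    """Split indicators into those this environment can detect and those that
    need telemetry it does not have; the second list is a visibility gap to
    report, not a clean bill of health."""
    available = set(available_sources)
    can, cannot = [], []
    for i in iocs:
        (can if VISIBILITY[i["type"]] & available else cannot).append(i)
    return can, cannot


if __name__ == "__main__":
    hits = match_iocs(IOCS, LOGS)
    for value in rank_hits(IOCS, hits):
        print(value, sorted(hits[value]["hosts"]), sorted(hits[value]["sources"]))
    print("unactionable:", [i["value"] for i in actionable(IOCS, LOGS)[1]])
```

Both hits come from the same client, which is the useful output: the low-confidence shared-hosting IP on its own would be noise, but seen alongside a high-confidence domain from the same host it corroborates the sighting. The hash indicator never matches, and the point of `actionable` is that the analyst reports this as a gap in visibility rather than as an absence of compromise.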
"The threat intelligence section of CySA+ separates candidates who read about threat intelligence from candidates who use it. If you've built detection rules from ATT&CK techniques, correlated IOCs against your logs, or written threat intelligence reports, the exam questions feel straightforward. If you've only read definitions, the applied questions catch you." — Josh Lemon, SANS certified instructor, cybersecurity threat intelligence specialist
NIST Incident Response Phases Mapped to CySA+ Questions
CySA+ maps heavily to the NIST SP 800-61 incident response framework. SP 800-61 Rev. 2 defines four phases (preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity); the table below splits the third phase into its three activities because exam questions target them separately. Understanding how exam questions map to NIST phases eliminates confusion.
| NIST Phase | CySA+ Focus | Typical Question Type |
|---|---|---|
| Preparation | IR plan components, playbooks, tool deployment | "Which activity belongs in the preparation phase?" |
| Detection and Analysis | SIEM alert triage, IOC identification, severity determination | "A SOC analyst receives this alert. What is the next action?" |
| Containment | Isolation strategies, evidence preservation tradeoffs | "Should the analyst isolate the system or maintain observation?" |
| Eradication | Root cause analysis, malware removal, patch application | "Which action removes the root cause vs addresses symptoms?" |
| Recovery | System restoration, monitoring post-recovery | "After restoring from backup, what is the priority action?" |
| Post-Incident Activity | Lessons learned, reporting, metric updates | "Which document captures lessons learned?" |
The most commonly tested phase boundary: the tradeoff between Detection and Analysis (continue observing to gather evidence) and Containment (isolate to limit damage). CySA+ questions present this as a judgment call based on the specific scenario, not a fixed rule.
CySA+ as a Bridge: From Security+ to CASP+
CySA+ occupies the operational middle ground in the CompTIA security stack. Understanding where it sits helps candidates plan the full path.
CompTIA Security Certification Stack:
| Certification | Level | Focus | Primary Audience |
|---|---|---|---|
| Security+ | Associate | Broad security concepts | Entry-level security roles |
| CySA+ | Intermediate | Security analytics, SOC operations | SOC analyst, threat hunter |
| PenTest+ | Intermediate | Penetration testing methodology | Pentesters, red team |
| CASP+ | Expert | Security architecture, risk management | Senior security architects |
CySA+ bridges Security+ and CASP+ specifically in the operations direction. A candidate who passes Security+ → CySA+ → CASP+ builds progressively from conceptual security knowledge (Security+) through operational analytics (CySA+) to enterprise architecture and risk management (CASP+).
DoD 8570/8140 compliance value:
- CySA+ satisfies CSSP Analyst (DCWF Work Role 511) under DoD 8140
- This is the primary driver for government and DoD contractor candidates choosing CySA+ over alternative intermediate certifications
- CASP+ satisfies CSSP Infrastructure Support, IASAE Level I and II
Lab Resources: TryHackMe and Splunk BOTS
For candidates who need to build the hands-on exposure that makes CySA+ operational questions answerable:
TryHackMe SOC Analyst Level 1 Path (tryhackme.com):
- 10+ hours of structured exercises covering log analysis, SIEM use, network analysis, and threat intelligence
- Practical scenarios using realistic log data and simulated SIEM interfaces
- Free tier provides access to the core learning path; premium ($14/month) unlocks machines for practice
Splunk BOTS (Boss of the SOC) dataset:
- Create a free Splunk account at splunk.com
- Download the BOTS v1, v2, or v3 dataset
- Load into Splunk Free
- Work through the challenge questions — these replicate the analytical complexity of CySA+ Security Operations questions
BlueTeamLabs.online (free and premium):
- Investigation labs with PCAP analysis, log analysis, and memory forensics scenarios
- Difficulty ratings from easy (Security+ level) to hard (CASP+ level)
- CySA+ candidates should target the medium-difficulty investigations
Candidates who complete the TryHackMe SOC Level 1 path and work through 3-4 BOTS scenarios before the exam consistently report that the Security Operations questions feel manageable, while the Reporting and Communication domain remains the unexpected difficulty point.
See also: CompTIA Security+: the most important cert in IT security; CompTIA CASP+: the expert-level cert most people overlook
References
- CompTIA. CS0-003 CompTIA CySA+ Exam Objectives. CompTIA, 2023. https://www.comptia.org/certifications/cybersecurity-analyst
- Chapple, Mike, and David Seidl. CompTIA CySA+ Study Guide: Exam CS0-003. Sybex, 2023. ISBN: 978-1394156504. (Official CompTIA CySA+ study guide)
- Dion, Jason. CompTIA CySA+ CS0-003 Complete Course and Practice Exam. Udemy, 2024. (Comprehensive video course with practice exams)
- MITRE. ATT&CK for Enterprise — Detection and Analytics. MITRE, 2024. https://attack.mitre.org (Core framework for threat detection knowledge tested on CySA+)
- CISA. Known Exploited Vulnerabilities Catalog. CISA, 2024. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- FIRST. CVSS v3.1 Specification Document. FIRST, 2019. https://www.first.org/cvss/specification-document (Official CVSS scoring specification tested on CySA+)
Frequently Asked Questions
What is the difference between Security+ and CySA+?
Security+ covers a broad range of security concepts at introductory depth. CySA+ covers security operations, vulnerability management, and incident response at applied operational depth. Security+ asks 'what is a SIEM?' — CySA+ gives you SIEM output and asks you to identify the threat scenario and appropriate response.
Do I need Security+ before CySA+?
CompTIA recommends Security+ before CySA+ but doesn't enforce it. Security+ knowledge is a practical prerequisite — CySA+ assumes foundational security concepts are understood and builds operational depth on top of them. Attempting CySA+ without Security+ knowledge significantly increases difficulty.
Is CySA+ good for SOC analyst roles?
Yes. CySA+ is the CompTIA certification most directly aligned with Tier 1-2 SOC analyst work: log analysis, SIEM triage, vulnerability prioritization, incident response procedures. It validates operational skills that hiring managers in security operations specifically look for.
What is CVSS scoring and how is it tested on CySA+?
CVSS (Common Vulnerability Scoring System) rates vulnerability severity 0-10. CySA+ tests the base score components (attack vector, complexity, privileges, scope, CIA impact) and how to use CVSS alongside contextual factors (active exploitation, compensating controls, system criticality) for prioritization decisions.
How important is hands-on experience for CySA+?
More important than for Security+. CySA+ scenarios require pattern recognition from log analysis that's difficult to develop purely from reading. Free hands-on practice via Splunk Free, TryHackMe's SOC analyst path, or BlueTeamLabs.online significantly improves performance on the applied log analysis questions.
