CompTIA CySA+ (CS0-003): Practice Questions
Original practice questions for CompTIA CySA+ (CS0-003), with explanations of why each answer is right and the others wrong. Filter by domain or difficulty. These are concept and scenario checks - not real exam questions.
A SIEM's main value to an analyst is:
Correct answer: D. A SIEM aggregates and correlates logs so analysts can detect and investigate. It is not an encryption, patching, or firewall tool.
Threat hunting is best described as:
Correct answer: C. Threat hunting proactively looks for undetected adversary activity. Waiting for alerts, scheduled AV scans and patching are reactive or preventive, not hunting.
Which is an indicator of compromise (IoC)?
Correct answer: C. Traffic to a known-bad IP suggests compromise such as command-and-control beaconing. A planned software update, new-hire security training and a scheduled server reboot are all routine, expected activities, not signs of an intrusion.
Which framework maps adversary tactics and techniques used during attacks?
Correct answer: B. MITRE ATT&CK catalogues adversary tactics and techniques. OWASP Top 10 covers web-app vulnerabilities; the NIST CSF is governance-oriented; PCI DSS is a payment-security standard.
Endpoint Detection and Response (EDR) primarily provides:
Correct answer: B. EDR monitors endpoint behaviour and enables response (isolate, kill process). It is not for addressing, name resolution, or traffic shaping.
A vulnerability scan:
Correct answer: A. Scanning identifies known vulnerabilities; it does not exploit them (that is penetration testing). Encryption and addressing are unrelated.
CVSS is used to:
Correct answer: D. The Common Vulnerability Scoring System rates severity (0–10). It does not catalogue malware, encrypt, or manage identities.
The difference between a vulnerability scan and a penetration test is that:
Correct answer: C. Scanning finds and rates weaknesses; penetration testing actively exploits them to demonstrate impact. 'Scanning exploits while pen testing only documents' reverses the two; 'pen testing only assigns CVSS scores' describes scoring, not exploitation; and 'they are identical' is simply false.
A false positive in vulnerability scanning is:
Correct answer: B. A false positive is something the scanner reports that is not genuinely exploitable. 'A real vulnerability that was missed' is a false negative; 'a confirmed exploit' is a true positive; and 'a patch that failed' is a remediation problem, not a scanning result.
When prioritising which vulnerabilities to fix first, you should weigh:
Correct answer: C. Prioritisation combines severity (e.g., CVSS) with how critical the affected asset is to the business. Ordering by name, scan time or vendor ignores actual risk.
In incident response, which phase immediately follows identification?
Correct answer: A. The order is preparation, identification, containment, eradication, recovery, lessons learned - so containment follows identification.
Isolating an infected host from the network is part of which phase?
Correct answer: B. Isolating the host limits spread, which is containment. Eradication removes the threat; recovery restores service; reporting communicates afterwards.
Removing the malware and closing the vulnerability that allowed it in is:
Correct answer: B. Eradication eliminates the threat and root cause. Containment limits spread first; recovery restores systems; detection is identifying the incident.
Maintaining chain of custody during an incident is important to:
Correct answer: C. Chain of custody documents who handled evidence and when, keeping it admissible. It is not about recovery speed, cost, or encryption.
A good vulnerability or incident report should:
Correct answer: D. Reports must convey risk and clear next steps to the right audiences, technical and non-technical. Hiding findings, context-free CVE lists, and engineer-only language all fail that goal.
A metric like MTTR (mean time to respond/remediate) measures:
Correct answer: A. MTTR tracks how fast incidents or vulnerabilities are handled - a key operations metric. User counts, license cost and CPU use are unrelated.
Analyzing network traffic (NetFlow or packet capture) helps an analyst:
Correct answer: D. Traffic analysis surfaces unusual flows for investigation. Encryption, addressing and patching are separate functions.
The main benefit of a SOAR platform is to:
Correct answer: C. SOAR automates and orchestrates workflows so analysts focus on judgement. It does not replace analysts or do storage/encryption.
Behavioral (heuristic) detection differs from signature-based detection because it:
Correct answer: D. Behavioral detection catches novel threats by spotting anomalies, whereas signatures only match known patterns. 'Only matches known file hashes' actually describes signature-based detection; 'needs no tuning' and 'is always slower' are both false of heuristic detection.
Aggregating and normalizing logs from many sources before analysis matters because it:
Correct answer: C. Normalizing logs to a common format and timeline lets events from different systems be correlated. Aggregation does not delete old logs, patch hosts or encrypt the network; those are separate functions.
An authenticated (credentialed) vulnerability scan generally:
Correct answer: B. Credentialed scans see installed software and configuration, improving accuracy. The other claims are false.
A 'zero-day' vulnerability is one that:
Correct answer: A. A zero-day has no fix yet, raising risk. The other descriptions are incorrect.
When a scanner reports a vulnerability that does not truly exist, you should:
Correct answer: D. False positives must be validated before remediation effort. Blind patching, ignoring scans or disabling tools are poor responses.
Compensating controls are used when:
Correct answer: A. Compensating controls reduce risk while a permanent fix is pending. They are not used when 'the system is already fully secure' or 'there is no risk' (no control would be needed), and 'deleting logs' is the opposite of a security control.
Which incident-response phase returns systems to normal operation?
Correct answer: A. Recovery restores normal service after eradication. The other phases occur earlier in the cycle.
A post-incident 'lessons learned' review primarily aims to:
Correct answer: B. A lessons-learned review aims to improve future detection and response. It is not meant to assign blame to staff, reduce the budget, or close the ticket faster; those miss the point of the review.
During digital forensics, volatile data such as memory should be collected:
Correct answer: B. Volatile data such as memory is lost on shutdown, so it is captured before powering off (order of volatility). Collecting it after reformatting the disk, only the following day, or never would destroy or miss the evidence.
A vulnerability report written for executives should:
Correct answer: A. Executive reports translate findings into business risk. Raw packets, bare CVE lists or no report serve them poorly.
Communication during an incident should follow:
Correct answer: A. A predefined communication plan ensures the right people are informed at the right time. Posting to social media first, sending updates only after it ends, or having no communication at all create confusion and added risk.
A cyber threat intelligence feed helps an analyst mainly by:
Correct answer: D. A threat-intelligence feed supplies current indicators and adversary context to guide detection and hunting. Encrypting the network, patching servers and assigning IP addresses are unrelated functions handled by other tools.
Practice questions FAQ
- Are these real CS0-003 exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.