© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CompTIA · Free Practice Questions · Last reviewed May 2026

CS0-003 Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

85 exam questions
165 min time limit
Pass: 750/1000
4 exam domains

Domain 1: Security Operations

Q1 (hard)

A SIEM correlation rule for impossible travel is creating noise from VPN users. Which refinements should improve fidelity? (Choose two.)

A. Disable all identity alerts
B. Require a second signal such as new device, failed MFA, or mailbox rule creation
   Combining identity anomalies reduces false positives.
C. Add trusted VPN egress ranges as named/known locations
   Known corporate VPN egress can explain apparent travel.
D. Treat every VPN login as malicious

Why: Option B is correct because requiring a second signal—such as a new device, failed MFA, or mailbox rule creation—adds an additional layer of verification that helps confirm the user's identity and intent. This reduces false positives from VPN users whose IP addresses may change rapidly, as the SIEM can now correlate the impossible travel event with other suspicious activities that indicate a genuine compromise rather than a legitimate VPN connection.
Q2 (medium)

A SOC is onboarding endpoint logs into a SIEM. Which fields are most important for process-chain investigations? (Choose three.)

A. Parent process name and command line
   Parent context shows how execution began.
B. Monitor refresh rate
C. User and host identifiers
   Identity and asset context support scoping and response.
D. Child process command line
   Command line arguments reveal suspicious execution behaviour.

Why: Parent process name and command line are critical for process-chain investigations because they establish the lineage of an execution event. In a SIEM, these fields allow analysts to trace how a process was spawned, identifying whether it originated from a legitimate application (e.g., explorer.exe) or a suspicious parent (e.g., wscript.exe launching cmd.exe). Without this context, it is impossible to reconstruct the attack kill chain from initial execution to lateral movement or privilege escalation.
Q3 (hard)

A threat hunter suspects data exfiltration over HTTPS from a database server. Which data sources are most useful? (Choose two.)

A. Database audit logs showing queried objects and accounts
   Database logs reveal whether sensitive data was accessed before transfer.
B. Printer toner status
C. Building temperature logs
D. NetFlow or proxy logs showing destination, volume, and timing
   Flow/proxy data establishes transfer pattern and destination.

Why: Database audit logs record which objects (tables, columns) were queried and by which accounts, directly revealing unauthorized access or unusual data retrieval patterns that could indicate exfiltration. NetFlow or proxy logs capture destination IP addresses, data volumes, and timing of HTTPS sessions, allowing the hunter to spot large or anomalous outbound transfers to suspicious hosts, even though the payload is encrypted.
Q4 (medium)

A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)

A. Suppress alerts only with documented criteria and expiry
   Time-bound suppression preserves governance.
B. Delete noisy detections permanently without review
C. Route every alert directly to executives
D. Add enrichment such as asset criticality and threat-intel context
   Enrichment helps analysts prioritize real risk.

Why: Option A is correct because suppressing alerts based on documented criteria (e.g., known false-positive signatures, scheduled maintenance windows) with an expiry date ensures that the suppression is temporary and reviewed periodically. This reduces alert fatigue while maintaining visibility into potential threats, as expired suppressions automatically re-enable alerting. Without an expiry, a suppression could inadvertently hide malicious activity that later matches the same criteria.
Q5 (hard)

Which signals strengthen an alert for Kerberoasting activity? (Choose two.)

A. Unusual volume of TGS requests for many service principals
   Kerberoasting often generates broad service-ticket requests.
B. Requests from a workstation that does not normally administer services
   Abnormal source context increases suspicion.
C. A user changing their desktop wallpaper
D. Successful DHCP lease renewal

Why: Kerberoasting involves requesting Ticket-Granting Service (TGS) tickets for service principals (SPNs) to crack their passwords offline. An unusual volume of TGS requests for many SPNs is a strong indicator because attackers typically enumerate SPNs and request tickets in bulk, which deviates from normal user behavior.
Q6 (medium)

A detection engineer is writing a Sigma rule for suspicious rundll32 usage. Which fields should be included? (Choose two.)

A. Command line containing unusual DLL path or URL pattern
   Command-line arguments distinguish abuse from normal use.
B. Desk phone extension
C. Laptop battery health
D. Image or process name matching rundll32.exe
   The executed binary is central to the behaviour.

Why: Sigma rules for suspicious rundll32 usage focus on detecting abnormal command-line arguments, such as DLL paths from unusual locations (e.g., temp directories, network shares) or URLs that indicate remote payload retrieval. The 'Command line' field is critical because rundll32.exe is a legitimate Windows binary often abused by attackers to execute malicious DLLs, and anomalous patterns in its arguments are a strong indicator of compromise.


Domain 2: Vulnerability Management

Q1 (medium)

A vulnerability manager is prioritizing remediation. Which factors should influence risk-based priority? (Choose three.)

A. Internet exposure of the affected asset
   External reachability increases likelihood of attack.
B. Alphabetical order of the CVE identifier
C. Known exploitation in the wild
   Active exploitation increases urgency.
D. Business criticality of the affected service
   Impact depends on the service supported by the asset.

Why: Internet exposure of the affected asset is a critical factor because assets reachable from the public internet have a larger attack surface and are more likely to be targeted by automated scanners and exploit kits. Risk-based prioritization weighs the likelihood of exploitation, and an internet-facing system inherently faces a higher threat level than an internal-only asset. This aligns with the CVSS environmental metrics (Modified Attack Vector) and common vulnerability scoring frameworks that adjust severity based on network accessibility.
Q2 (medium)

Which conditions should push a vulnerability higher in the remediation queue? (Choose three.)

A. The asset supports a critical business process
   Business impact increases priority.
B. The affected asset is internet-facing
   External exposure increases attack opportunity.
C. Exploitation is observed in the wild
   Active exploitation increases likelihood.
D. The CVE number is easy to remember

Why: A is correct because assets supporting critical business processes have a higher impact on organizational operations if compromised. Vulnerability management prioritization frameworks, such as those aligned with the CVSS environmental score, assign greater weight to business criticality. Remediating vulnerabilities on these assets first reduces the risk of significant downtime, data loss, or regulatory non-compliance.
Q3 (hard)

A scanner reports a critical issue on a network device. Which steps help validate the finding before closure? (Choose two.)

A. Suppress all network-device findings permanently
B. Close it because the device is expensive
C. Confirm the firmware or software version on the device
   Version evidence verifies whether the vulnerable build is present.
D. Check vendor advisory applicability and configuration requirements
   Some findings depend on enabled features or specific configurations.

Why: Option C is correct because confirming the firmware or software version on the device is a critical validation step. The scanner may report a vulnerability based on version detection, but the actual installed version could differ due to patching or backporting. Verifying the exact version ensures the finding is not a false positive before closure.
Q4 (medium)

Which items belong in a vulnerability exception request? (Choose three.)

A. Business justification for delayed remediation
   Justification explains why normal remediation cannot occur.
B. A request to remove the asset from inventory
C. Expiration or review date
   Time limits prevent exceptions becoming permanent by default.
D. Compensating controls
   Controls reduce risk while the vulnerability remains.

Why: A vulnerability exception request is a formal process to accept the risk of not remediating a vulnerability within the standard timeframe. A business justification for delayed remediation is a core component because it documents the operational, financial, or technical reasons why the fix cannot be applied immediately, which is required for risk acceptance by management. Without this justification, the exception lacks the necessary context for approval and audit compliance.
Q5 (hard)

A web application DAST scan reports stored XSS. Which evidence helps confirm exploitability? (Choose two.)

A. Payload persists and executes when another user views the affected page
   Stored execution against another user validates impact.
B. The vulnerable parameter and output encoding context are identified
   Context shows why the payload executes.
C. The server has a large disk
D. The application uses HTTPS

Why: Option A is correct because stored XSS is confirmed exploitable only when the injected payload (e.g., <script>alert(1)</script>) is persistently stored on the server (e.g., in a database or file) and then rendered and executed in the browser of another user who views the affected page. This demonstrates that the attack can impact victims beyond the tester, proving the vulnerability is not self-inflicted or limited to the attacker's session.
Q6 (medium)

Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)

A. SBOM generation and review for released builds
   SBOMs support dependency tracking and downstream risk review.
B. Manual badge checks at the office door
C. Software composition analysis with policy gates
   SCA identifies dependency CVEs before deployment.
D. DNS MX record rotation

Why: A is correct because SBOM (Software Bill of Materials) generation and review provides a detailed inventory of all components in a build, enabling teams to identify and block vulnerable dependencies before release. This aligns with supply chain security best practices, as SBOMs allow automated comparison against vulnerability databases (e.g., NVD) to enforce policy gates early in the pipeline.


Domain 3: Incident Response and Management

Q1 (hard)

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

A. Memory image or live response data
   Fileless activity may exist mainly in memory.
B. Active network connections and running processes
   Live state helps reconstruct behaviour.
C. A list of cafeteria purchases
D. A printed office map

Why: Fileless malware operates in memory without writing to disk, so capturing a memory image or live response data preserves the malicious code, injected DLLs, and process hollowing artifacts that would vanish on reboot. Active network connections and running processes reveal the malware's C2 communications and its in-memory execution context, which are critical for identifying the infection vector and scope.
Q2 (medium)

A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)

A. Reset affected credentials and revoke active sessions
   This cuts off stolen-session and password access.
B. Delete all user mailboxes
C. Disable DNS for the entire company indefinitely
D. Search for mailbox rules or OAuth grants created after compromise
   Attackers often create persistence in mailbox or app permissions.

Why: Option A is correct because immediately resetting compromised credentials and revoking active sessions (e.g., via Azure AD 'Revoke-AzureADUserAllRefreshToken' or Active Directory 'Reset-ADAccountPassword' combined with 'Revoke-AuthenticationTokens') invalidates the attacker's access tokens and session cookies, preventing further lateral movement or data exfiltration. This aligns with the NIST SP 800-61 containment phase, which prioritizes cutting off attacker access while preserving forensic evidence.
Q3 (hard)

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

A. Remove the web shell and close the exploited vulnerability
   Both malicious artefact and entry path must be addressed.
B. Reconnect the server before checking persistence
C. Rotate credentials exposed to the compromised web server
   Server compromise may expose application or service credentials.
D. Only block the analyst's IP address

Why: Option A is correct because removing the web shell eliminates the attacker's foothold, and closing the exploited vulnerability (e.g., patching the application, disabling vulnerable functions like `eval()` or `system()`, or updating a CMS plugin) prevents re-exploitation. This aligns with the eradication phase of incident response, which aims to remove all artifacts of the compromise and harden the system against the same attack vector.
Q4 (medium)

What should be included in incident scoping for ransomware? (Choose three.)

A. Initial infected host and user context
   The starting point helps identify root cause.
B. The brand of office chairs near the server room
C. Backup integrity and last known clean restore point
   Recovery depends on clean backups.
D. Shares or systems touched by the compromised account
   Access path shows spread.

Why: Option A is correct because identifying the initial infected host and user context is critical for understanding the attack vector, containing the threat, and preventing further spread. In ransomware incidents, the first compromised system often reveals the entry point (e.g., phishing email, RDP brute force) and the user account used, which helps scope the blast radius and prioritize remediation.
Q5 (hard)

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

A. Preserve relevant logs, mailboxes, images, and tickets
   Potential evidence must be retained.
B. Let each team decide informally what to delete
C. Purge audit logs to save storage
D. Suspend routine deletion for in-scope evidence
   Retention controls prevent accidental loss.

Why: A legal hold (litigation hold) requires preservation of all potentially relevant electronically stored information (ESI). Preserving logs, mailboxes, images, and tickets ensures that data is not altered or deleted, maintaining its integrity for forensic analysis and legal proceedings. This action directly supports the hold by preventing spoliation and ensuring compliance with discovery obligations.
Q6 (medium)

A tabletop exercise reveals that no one knows who can approve public statements. What should be updated? (Choose two.)

A. The office seating plan only
B. Contact list and escalation matrix
   Responders need current contacts and escalation paths.
C. The malware signature database only
D. Incident communication plan with named approval roles
   Communication authority must be explicit.

Why: The tabletop exercise revealed a gap in the incident response process: no one knows who can approve public statements. This is a procedural and communication failure, not a technical one. Updating the incident communication plan with named approval roles (Option D) directly addresses this by defining the specific person or role authorized to speak publicly. The contact list and escalation matrix (Option B) must also be updated to ensure the correct approver can be reached quickly, as it provides the hierarchical path and contact details needed to execute the plan.


Domain 4: Reporting and Communication

Q1 (medium)

A CISO wants a concise incident update during active containment. Which elements should be included? (Choose three.)

A. Every raw log line collected so far
B. Containment actions completed and pending
   Status shows risk reduction progress.
C. Known decisions or approvals needed
   Escalation points help leadership act.
D. Current impact and affected services
   Leadership needs business impact.

Why: During active containment, the CISO needs a concise update focused on actions taken and pending, not raw data. Option B is correct because containment actions completed and pending directly inform the CISO of the current response status, enabling rapid decision-making without sifting through logs.
Q2 (hard)

A vulnerability dashboard for executives should avoid raw technical overload. Which views are useful? (Choose two.)

A. A list of scanner process IDs
B. Unfiltered plugin-output text
C. Critical exposure trend by business service
   Trends show whether risk is moving.
D. SLA compliance and overdue remediation by owner
   This supports accountability.

Why: Option C is correct because executive dashboards must communicate risk in business terms, not technical raw data. A trend of critical exposures by business service translates vulnerability severity into operational impact, enabling prioritization of remediation resources without requiring technical expertise. This aligns with the Reporting and Communication domain's emphasis on tailoring information to the audience.
Q3 (medium)

When briefing legal and privacy teams after a suspected data exposure, which details matter? (Choose two.)

A. Data types and jurisdictions potentially affected
   Notification duties depend on data and jurisdiction.
B. A complete list of unrelated server patches
C. Speculation about attacker identity without evidence
D. Timeline of discovery, containment, and known access
   Timing and scope affect legal obligations.

Why: Data types (e.g., PII, PHI, PCI) and affected jurisdictions determine legal notification obligations under regulations like GDPR, HIPAA, or CCPA. Jurisdictions dictate breach notification timelines and penalties, making this information critical for legal and privacy teams to assess risk and compliance. Without this detail, the response cannot be properly scoped or legally defensible.
Q4 (hard)

A remediation report shows repeated SLA breaches by one business unit. Which recommendations are appropriate? (Choose two.)

A. Automatically accept all future risk permanently
B. Review ownership, resourcing, and change-window constraints
   Persistent breaches often reflect operational blockers.
C. Hide the business unit from future reports
D. Create an agreed corrective action plan with dates
   Action plans turn reporting into improvement.

Why: Option B is correct because reviewing ownership, resourcing, and change-window constraints directly addresses the root causes of repeated SLA breaches. SLA breaches often stem from inadequate staffing, misaligned change windows, or unclear ownership of remediation tasks, not from technical failures alone. This recommendation aligns with the reporting and communication domain's emphasis on actionable, root-cause analysis rather than superficial fixes.
Q5 (medium)

Which items help make a post-incident report useful for technical teams? (Choose two.)

A. Generic motivational slogans
B. Unrelated financial forecasts
C. Root cause and exploited control gaps
   Technical teams need to know what failed.
D. Specific remediation tasks with owners and validation steps
   Actionable tasks enable closure.

Why: Option C is correct because a post-incident report must include the root cause and exploited control gaps to enable technical teams to implement targeted remediation. Without identifying the specific vulnerability (e.g., unpatched CVE, misconfigured firewall rule, weak authentication mechanism) and the control failure that allowed the exploit, the report lacks actionable intelligence for hardening defenses.
Q6 (hard)

A third-party supplier needs incident information to fix an integration. What should be shared? (Choose two.)

A. Internal blame discussions
B. Credentials for unrelated systems
C. Required remediation outcome and deadline
   Clear expectations support accountability.
D. Relevant timeline and technical evidence tied to the integration
   The supplier needs facts that support troubleshooting.

Why: Option C is correct because sharing the required remediation outcome and deadline ensures the third-party supplier understands the expected fix and urgency, aligning with incident response communication best practices. This enables the supplier to prioritize their work and deliver a solution that meets the organization's security and operational requirements, without exposing unnecessary internal details.


Frequently asked questions

How many questions are on the CS0-003 exam?

The CS0-003 exam has 85 questions and must be completed in 165 minutes. The passing score is 750/1000.

What types of questions appear on the CS0-003 exam?

Multiple-choice and performance-based questions covering threat intelligence, vulnerability management, incident response, and security operations. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are CS0-003 questions organised by domain?

The exam covers 4 domains: Security Operations, Vulnerability Management, Incident Response and Management, Reporting and Communication. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CS0-003 exam questions?

No. These are original exam-style practice questions written against the official CompTIA CS0-003 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
