Sample questions
CompTIA CySA+ CS0-003 practice questions
A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)
Trap 1: Delete noisy detections permanently without review
  Permanent deletion can blind the SOC.
Trap 2: Route every alert directly to executives
  Executives need summarized risk, not raw alert streams.
- A. Suppress alerts only with documented criteria and expiry
  Correct: Time-bound suppression preserves governance.
- B. Delete noisy detections permanently without review
  Why wrong: Permanent deletion can blind the SOC.
- C. Route every alert directly to executives
  Why wrong: Executives need summarized risk, not raw alert streams.
- D. Add enrichment such as asset criticality and threat-intel context
  Correct: Enrichment helps analysts prioritize real risk.
A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)
Trap 1: A list of cafeteria purchases
  Purchases are unrelated to malware state.
Trap 2: A printed office map
  The map does not preserve host compromise evidence.
- A. Memory image or live response data
  Correct: Fileless activity may exist mainly in memory.
- B. Active network connections and running processes
  Correct: Live state helps reconstruct behaviour.
- C. A list of cafeteria purchases
  Why wrong: Purchases are unrelated to malware state.
- D. A printed office map
  Why wrong: The map does not preserve host compromise evidence.
A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is executive leadership, which content choice is most appropriate?
Trap 1: Raw packet captures from the scan
  Raw packets belong in technical appendices if needed.
Trap 2: A list of analyst shift times only
  Shift times do not convey business risk.
Trap 3: Every command the scanner executed
  Command details are not executive-level material.
- A. Raw packet captures from the scan
  Why wrong: Raw packets belong in technical appendices if needed.
- B. A list of analyst shift times only
  Why wrong: Shift times do not convey business risk.
- C. Every command the scanner executed
  Why wrong: Command details are not executive-level material.
- D. Business risk, customer impact assessment, remediation status, and remaining exposure
  Correct: Executives need business impact and risk posture, not raw technical noise. The report should be tuned to executive leadership while preserving factual accuracy.
A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the evidence source phase, which evidence source best supports or refutes the detection?
Trap 1: Only check whether antivirus signatures are current
  AV status does not explain this execution chain.
Trap 2: Reinstall the browser used by the user
  The suspicious tool chain is certutil and process execution, not browser configuration.
Trap 3: Ignore it because certutil is signed by Microsoft
  Signed administrative tools can still be abused by attackers.
- A. Only check whether antivirus signatures are current
  Why wrong: AV status does not explain this execution chain.
- B. Reinstall the browser used by the user
  Why wrong: The suspicious tool chain is certutil and process execution, not browser configuration.
- C. Ignore it because certutil is signed by Microsoft
  Why wrong: Signed administrative tools can still be abused by attackers.
- D. Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
  Correct: Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.
An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?
Trap 1: Run disk cleanup to remove temporary files
  Cleanup can destroy evidence and does not contain the threat.
Trap 2: Power off the machine immediately in every case
  Powering off can destroy memory evidence and may not be the best first action when controlled isolation exists.
Trap 3: Allow the host to run until the next maintenance window
  Confirmed active compromise requires timely containment.
- A. Network-isolate the endpoint through EDR while preserving disk and memory evidence
  Correct: EDR isolation limits attacker communication without immediately destroying volatile forensic context.
- B. Run disk cleanup to remove temporary files
  Why wrong: Cleanup can destroy evidence and does not contain the threat.
- C. Power off the machine immediately in every case
  Why wrong: Powering off can destroy memory evidence and may not be the best first action when controlled isolation exists.
- D. Allow the host to run until the next maintenance window
  Why wrong: Confirmed active compromise requires timely containment.
A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For tool configuration, which scanner or pipeline change most directly improves result quality?
Trap 1: Remediate only vulnerabilities with vendor logos in the report
  Vendor branding is irrelevant to risk.
Trap 2: Always sort only by CVSS base score
  CVSS is useful but incomplete without exploitability and exposure.
Trap 3: Remediate alphabetically by CVE ID
  CVE order has no risk meaning.
- A. Remediate only vulnerabilities with vendor logos in the report
  Why wrong: Vendor branding is irrelevant to risk.
- B. Always sort only by CVSS base score
  Why wrong: CVSS is useful but incomplete without exploitability and exposure.
- C. Remediate alphabetically by CVE ID
  Why wrong: CVE order has no risk meaning.
- D. Prioritize the KEV/high-EPSS issue after confirming asset exposure
  Correct: Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.
A laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible?
Trap 1: Only the laptop colour
  Device description alone is inadequate.
Trap 2: Only the ticket priority
  Ticket priority is not chain-of-custody documentation.
Trap 3: Only the user's job title
  A job title does not preserve evidence integrity.
- A. Only the laptop colour
  Why wrong: Device description alone is inadequate.
- B. Only the ticket priority
  Why wrong: Ticket priority is not chain-of-custody documentation.
- C. Only the user's job title
  Why wrong: A job title does not preserve evidence integrity.
- D. Who collected it, when, where, hash values, transfer details, and storage location
  Correct: Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.
A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is the technical remediation owner, which content choice is most appropriate?
Trap 1: A list of all closed tickets with no dates
  Without dates, SLA performance cannot be measured.
Trap 2: A vendor price comparison
  Pricing does not show remediation timeliness.
Trap 3: A report sorted only by scanner plugin ID
  Plugin IDs alone do not show ownership or policy compliance.
- A. SLA compliance by severity, asset owner, and business unit
  Correct: SLA reporting connects remediation timeliness to accountability. The report should be tuned to the technical remediation owner while preserving factual accuracy.
- B. A list of all closed tickets with no dates
  Why wrong: Without dates, SLA performance cannot be measured.
- C. A vendor price comparison
  Why wrong: Pricing does not show remediation timeliness.
- D. A report sorted only by scanner plugin ID
  Why wrong: Plugin IDs alone do not show ownership or policy compliance.
After a high-priority SOC escalation, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which response best matches incident-response practice?
Trap 1: Run vulnerability scans on every subnet first
  Scanning is slower than immediate containment for active encryption.
Trap 2: Restore backups before isolating the host
  Restoration before containment may lead to reinfection.
Trap 3: Email all users the ransom note
  That spreads panic and adds no technical containment.
- A. Run vulnerability scans on every subnet first
  Why wrong: Scanning is slower than immediate containment for active encryption.
- B. Restore backups before isolating the host
  Why wrong: Restoration before containment may lead to reinfection.
- C. Email all users the ransom note
  Why wrong: That spreads panic and adds no technical containment.
- D. Isolate the workstation and disable its active sessions to file servers
  Correct: Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.
A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the alert triage phase, which action gives the analyst the clearest next triage step?
Trap 1: DNS cache poisoning
  DNS poisoning changes name resolution and is not characterized by SPN ticket requests.
Trap 2: ARP spoofing
  ARP spoofing is a Layer 2 attack and does not explain Kerberos ticket volume.
Trap 3: Pass-the-hash using NTLM only
  This pattern concerns Kerberos service tickets, not NTLM hashes.
- A. DNS cache poisoning
  Why wrong: DNS poisoning changes name resolution and is not characterized by SPN ticket requests.
- B. ARP spoofing
  Why wrong: ARP spoofing is a Layer 2 attack and does not explain Kerberos ticket volume.
- C. Pass-the-hash using NTLM only
  Why wrong: This pattern concerns Kerberos service tickets, not NTLM hashes.
- D. Kerberoasting reconnaissance or ticket harvesting
  Correct: Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.
A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the evidence source phase, which evidence source best supports or refutes the detection?
Trap 1: Search only for successful HTTP 200 responses
  DGA activity may fail resolution frequently, so HTTP status codes alone miss the behaviour.
Trap 2: Delete the host from the SIEM asset inventory
  Removing context makes investigation harder and does not contain the threat.
Trap 3: Block all DNS traffic from the subnet
  Immediate blanket blocking may disrupt operations and does not validate the source process.
- A. Search only for successful HTTP 200 responses
  Why wrong: DGA activity may fail resolution frequently, so HTTP status codes alone miss the behaviour.
- B. Delete the host from the SIEM asset inventory
  Why wrong: Removing context makes investigation harder and does not contain the threat.
- C. Block all DNS traffic from the subnet
  Why wrong: Immediate blanket blocking may disrupt operations and does not validate the source process.
- D. Correlate DNS query logs with endpoint process and network connection telemetry
  Correct: The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.
A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the evidence source phase, which evidence source best supports or refutes the detection?
Trap 1: Close all similar alerts as duplicates
  Similarity does not prove benign status or complete containment.
Trap 2: Disable the reporting user's account immediately
  The reporter may not be compromised; disabling the account could be unnecessary.
Trap 3: Automatically delete all messages from the sender across all…
  Deletion can be appropriate after validation, but automatic destructive action is risky at the first phase.
- A. Close all similar alerts as duplicates
  Why wrong: Similarity does not prove benign status or complete containment.
- B. Disable the reporting user's account immediately
  Why wrong: The reporter may not be compromised; disabling the account could be unnecessary.
- C. Automatically delete all messages from the sender across all mailboxes
  Why wrong: Deletion can be appropriate after validation, but automatic destructive action is risky at the first phase.
- D. Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
  Correct: Early automation should gather context and evidence while keeping analysts in control of disruptive actions.
A phishing detection rule looks only for known malicious URLs and misses newly registered lookalike domains. Which improvements help? (Choose two.)
Trap 1: Allow all newly registered domains
  New domains often deserve extra scrutiny, not automatic trust.
Trap 2: Trust emails with company logos automatically
  Logos can be copied by attackers.
- A. Add domain age and lookalike/typosquatting checks
  Correct: New and visually similar domains are common phishing indicators.
- B. Use attachment sandboxing and URL detonation results
  Correct: Dynamic analysis can reveal malicious behaviour beyond static lists.
- C. Allow all newly registered domains
  Why wrong: New domains often deserve extra scrutiny, not automatic trust.
- D. Trust emails with company logos automatically
  Why wrong: Logos can be copied by attackers.
A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For stakeholder management, which documentation or approval is required to keep the programme defensible?
Trap 1: Trust the unauthenticated result as complete
  Unauthenticated scans commonly miss local configuration and patch data.
Trap 2: Increase only the port range
  More ports will not reveal installed patch levels reliably.
Trap 3: Disable host firewalls permanently
  This is unnecessary and creates risk.
- A. Trust the unauthenticated result as complete
  Why wrong: Unauthenticated scans commonly miss local configuration and patch data.
- B. Increase only the port range
  Why wrong: More ports will not reveal installed patch levels reliably.
- C. Disable host firewalls permanently
  Why wrong: This is unnecessary and creates risk.
- D. Run authenticated scans using least-privilege scanner credentials
  Correct: Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.
A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the containment trade-off phase, which response balances containment with evidence preservation?
Trap 1: Search only for successful HTTP 200 responses
  DGA activity may fail resolution frequently, so HTTP status codes alone miss the behaviour.
Trap 2: Block all DNS traffic from the subnet
  Immediate blanket blocking may disrupt operations and does not validate the source process.
Trap 3: Delete the host from the SIEM asset inventory
  Removing context makes investigation harder and does not contain the threat.
- A. Correlate DNS query logs with endpoint process and network connection telemetry
  Correct: The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.
- B. Search only for successful HTTP 200 responses
  Why wrong: DGA activity may fail resolution frequently, so HTTP status codes alone miss the behaviour.
- C. Block all DNS traffic from the subnet
  Why wrong: Immediate blanket blocking may disrupt operations and does not validate the source process.
- D. Delete the host from the SIEM asset inventory
  Why wrong: Removing context makes investigation harder and does not contain the threat.
A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the alert triage phase, which action gives the analyst the clearest next triage step?
Trap 1: Disable the reporting user's account immediately
  The reporter may not be compromised; disabling the account could be unnecessary.
Trap 2: Close all similar alerts as duplicates
  Similarity does not prove benign status or complete containment.
Trap 3: Automatically delete all messages from the sender across all…
  Deletion can be appropriate after validation, but automatic destructive action is risky at the first phase.
- A. Disable the reporting user's account immediately
  Why wrong: The reporter may not be compromised; disabling the account could be unnecessary.
- B. Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
  Correct: Early automation should gather context and evidence while keeping analysts in control of disruptive actions.
- C. Close all similar alerts as duplicates
  Why wrong: Similarity does not prove benign status or complete containment.
- D. Automatically delete all messages from the sender across all mailboxes
  Why wrong: Deletion can be appropriate after validation, but automatic destructive action is risky at the first phase.
During a post-compromise review, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action should be prioritized before closure?
Trap 1: Purchasing a new SIEM without testing procedures
  Tools alone do not validate roles and decisions.
Trap 2: Annual password reset only
  Password resets do not test cross-functional incident response.
Trap 3: Full destructive malware detonation in production
  Testing with real malware in production is unsafe.
- A. Tabletop exercise using a realistic ransomware scenario
  Correct: Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.
- B. Purchasing a new SIEM without testing procedures
  Why wrong: Tools alone do not validate roles and decisions.
- C. Annual password reset only
  Why wrong: Password resets do not test cross-functional incident response.
- D. Full destructive malware detonation in production
  Why wrong: Testing with real malware in production is unsafe.
A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is the business service owner, which content choice is most appropriate?
Trap 1: A report sorted only by scanner plugin ID
  Plugin IDs alone do not show ownership or policy compliance.
Trap 2: A vendor price comparison
  Pricing does not show remediation timeliness.
Trap 3: A list of all closed tickets with no dates
  Without dates, SLA performance cannot be measured.
- A. SLA compliance by severity, asset owner, and business unit
  Correct: SLA reporting connects remediation timeliness to accountability. The report should be tuned to the business service owner while preserving factual accuracy.
- B. A report sorted only by scanner plugin ID
  Why wrong: Plugin IDs alone do not show ownership or policy compliance.
- C. A vendor price comparison
  Why wrong: Pricing does not show remediation timeliness.
- D. A list of all closed tickets with no dates
  Why wrong: Without dates, SLA performance cannot be measured.
A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For stakeholder management, which documentation or approval is required to keep the programme defensible?
Trap 1: A building floor plan
  Physical layout does not identify software components.
Trap 2: A password complexity screenshot only
  Password settings are unrelated to supplied libraries.
Trap 3: A DNS MX record report
  Mail exchange records do not describe application dependencies.
- A. A software bill of materials
  Correct: An SBOM lists software components and versions, supporting dependency risk analysis.
- B. A building floor plan
  Why wrong: Physical layout does not identify software components.
- C. A password complexity screenshot only
  Why wrong: Password settings are unrelated to supplied libraries.
- D. A DNS MX record report
  Why wrong: Mail exchange records do not describe application dependencies.
A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the containment trade-off phase, which response balances containment with evidence preservation?
Trap 1: High CPU usage on the print server
  Print server CPU does not explain the user's suspicious process chain.
Trap 2: A password expiry warning
  Password warnings are unrelated to script execution.
Trap 3: Successful DHCP renewal
  DHCP renewal is normal network operation.
- A. High CPU usage on the print server
  Why wrong: Print server CPU does not explain the user's suspicious process chain.
- B. A password expiry warning
  Why wrong: Password warnings are unrelated to script execution.
- C. Successful DHCP renewal
  Why wrong: DHCP renewal is normal network operation.
- D. Office document spawning a script interpreter from a user context
  Correct: Office-to-script process chains are common initial execution patterns for phishing payloads.
A vulnerability manager is prioritizing remediation. Which factors should influence risk-based priority? (Choose three.)
Trap 1: Alphabetical order of the CVE identifier
  CVE ordering has no risk meaning.
- A. Internet exposure of the affected asset
  Correct: External reachability increases likelihood of attack.
- B. Alphabetical order of the CVE identifier
  Why wrong: CVE ordering has no risk meaning.
- C. Known exploitation in the wild
  Correct: Active exploitation increases urgency.
- D. Business criticality of the affected service
  Correct: Impact depends on the service supported by the asset.
During containment of a compromised cloud access key, which actions are appropriate? (Choose two.)
Trap 1: Only delete the public repository commit
  The key may already be copied or cached.
Trap 2: Grant the key administrator privileges for investigation
  Increasing privileges worsens the risk.
- A. Review audit logs for actions performed with the key
  Correct: Audit review establishes scope and impact.
- B. Only delete the public repository commit
  Why wrong: The key may already be copied or cached.
- C. Grant the key administrator privileges for investigation
  Why wrong: Increasing privileges worsens the risk.
- D. Disable or rotate the exposed key
  Correct: The credential must be invalidated to stop further use.
A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is the SOC manager, which content choice is most appropriate?
Trap 1: A report sorted only by scanner plugin ID
  Plugin IDs alone do not show ownership or policy compliance.
Trap 2: A list of all closed tickets with no dates
  Without dates, SLA performance cannot be measured.
Trap 3: A vendor price comparison
  Pricing does not show remediation timeliness.
- A. A report sorted only by scanner plugin ID
  Why wrong: Plugin IDs alone do not show ownership or policy compliance.
- B. SLA compliance by severity, asset owner, and business unit
  Correct: SLA reporting connects remediation timeliness to accountability. The report should be tuned to the SOC manager while preserving factual accuracy.
- C. A list of all closed tickets with no dates
  Why wrong: Without dates, SLA performance cannot be measured.
- D. A vendor price comparison
  Why wrong: Pricing does not show remediation timeliness.
In a regulated payment environment, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?
Trap 1: Run vulnerability scans on every subnet first
  Scanning is slower than immediate containment for active encryption.
Trap 2: Restore backups before isolating the host
  Restoration before containment may lead to reinfection.
Trap 3: Email all users the ransom note
  That spreads panic and adds no technical containment.
- A. Run vulnerability scans on every subnet first
  Why wrong: Scanning is slower than immediate containment for active encryption.
- B. Restore backups before isolating the host
  Why wrong: Restoration before containment may lead to reinfection.
- C. Email all users the ransom note
  Why wrong: That spreads panic and adds no technical containment.
- D. Isolate the workstation and disable its active sessions to file servers
  Correct: Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.