CompTIA exam questions

CompTIA CySA+ CS0-003 practice test

Use this page to practise CompTIA CySA+ CS0-003 practice test questions. The goal is not to memorise dumps, but to understand the concepts, review the explanations and improve your exam readiness.

Practice questions: 300
Topics covered: Mapped
Exam code: CS0-003
Vendor: CompTIA

Practice set

CompTIA CySA+ CS0-003 questions

Question 1 (medium, multiple choice)

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 2 (hard, multi select)

Which signals strengthen an alert for Kerberoasting activity? (Choose two.)

Question 3 (medium, multi select)

Which sources improve asset criticality context for vulnerability prioritization? (Choose two.)

Question 4 (hard, multiple choice)

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is the technical remediation owner, which content choice is most appropriate?

Question 5 (hard, multiple choice)

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is executive leadership, which content choice is most appropriate?

Question 6 (hard, multiple choice)

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is executive leadership, which content choice is most appropriate?

Question 7 (hard, multiple choice)

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is the SOC manager, which content choice is most appropriate?

Question 8 (hard, multi select)

A regulator asks for incident evidence after a data exposure. Which items should be coordinated before disclosure? (Choose two.)

Question 9 (hard, multi select)

A remediation report shows repeated SLA breaches by one business unit. Which recommendations are appropriate? (Choose two.)

Question 10 (hard, multi select)

A responder is acquiring evidence from a potentially compromised server. Which actions support forensic integrity? (Choose two.)

Question 11 (hard, multi select)

A root-cause analysis finds that an alert fired but was never triaged. Which corrective actions are useful? (Choose two.)

Question 12 (medium, multi select)

A SOAR playbook enriches suspicious IP addresses. Which enrichment sources are useful? (Choose two.)

Question 13 (medium, multi select)

A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)

Question 14 (easy, multiple choice)

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is the SOC manager, which content choice is most appropriate?

Question 15 (hard, multiple choice)

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is the SOC manager, which content choice is most appropriate?

Question 16 (hard, multiple choice)

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is the business service owner, which content choice is most appropriate?

Question 17 (hard, multiple choice)

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

Question 18 (medium, multiple choice)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For tool configuration, which scanner or pipeline change most directly improves result quality?

Question 19 (medium, multiple choice)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For business prioritization, which recommendation gives the best risk-based order of work?

Question 20 (medium, multiple choice)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For validation, which action should be taken before closing or downgrading the finding?

Question 21 (medium, multiple choice)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For control selection, which control best addresses the stated weakness without hiding risk?

Question 22 (medium, multiple choice)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For stakeholder management, which documentation or approval is required to keep the programme defensible?

Question 23 (easy, multiple choice)

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For tool configuration, which scanner or pipeline change most directly improves result quality?

Question 24 (easy, multiple choice)

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For business prioritization, which recommendation gives the best risk-based order of work?

Exam question guide

How to use these CS0-003 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.

IPv6 address types and their scopes (link-local, global unicast, multicast, ULA).

SLAAC vs DHCPv6 vs stateful assignment.

Neighbor Discovery Protocol replacing ARP.

IPv6 routing differences and dual-stack coexistence.
