
Scenario-based practice

Troubleshooting Scenario Questions

Practise with original, exam-style CompTIA CySA+ CS0-003 scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

14 scenario questions | Exam code: CS0-003 | Vendor: CompTIA

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition. They check:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (medium, multiple choice)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by the creation of a mailbox forwarding rule. What should the analyst investigate first? In the evidence-source phase, which evidence source best supports or refutes the detection?

Question 2 (easy, multiple choice)

A DAST scan cannot reach the authenticated pages of a web application and reports findings only for public content. What should be configured? For tool configuration, which scanner or pipeline change most directly improves result quality?

Question 3 (easy, multiple choice)

A DAST scan cannot reach the authenticated pages of a web application and reports findings only for public content. What should be configured? For stakeholder management, which documentation or approval is required to keep the programme defensible?

Question 4 (medium, multiple choice)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by the creation of a mailbox forwarding rule. What should the analyst investigate first? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 5 (easy, multiple choice)

A DAST scan cannot reach the authenticated pages of a web application and reports findings only for public content. What should be configured? For business prioritization, which recommendation gives the best risk-based order of work?

Question 6 (medium, multiple choice)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by the creation of a mailbox forwarding rule. What should the analyst investigate first? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 7 (easy, multiple choice)

A DAST scan cannot reach the authenticated pages of a web application and reports findings only for public content. What should be configured? For validation, which action should be taken before closing or downgrading the finding?

Question 8 (easy, multiple choice)

A DAST scan cannot reach the authenticated pages of a web application and reports findings only for public content. What should be configured? For control selection, which control best addresses the stated weakness without hiding risk?

Question 9 (medium, multi-select)

An organization has just experienced a successful phishing attack that led to credential theft. The incident response team is performing analysis. Which three of the following indicators of compromise (IOCs) would be most relevant to investigate? (Choose three.)

Question 10 (medium, multiple choice)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by the creation of a mailbox forwarding rule. What should the analyst investigate first? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 11 (hard, multiple choice)

A company uses a SIEM platform that ingests logs from various sources. The SOC team receives an alert for a high number of failed login attempts (over 100 in 5 minutes) on the domain controller from a single IP address. The analyst investigates and finds that the failed attempts are for multiple different usernames, including some disabled accounts. The source IP is traced to an external VPN service. The analyst also notices that a few accounts had successful logins from the same IP after the failed attempts. Which of the following is the MOST likely attack type?

Question 12 (hard, multiple choice)

An organization uses a SIEM with a rule that triggers when a user fails to authenticate five times within 10 minutes. Last night, the rule fired for a service account from an internal IP. What should be the first triage step?

Question 13 (easy, multiple choice)

A SOC analyst receives an alert about a potential data exfiltration via DNS tunneling. Which of the following tools would best help the analyst investigate the alert?

Question 14 (hard, multiple choice)

During a vulnerability scan, the scanner reports a high number of open ports on a server that is supposed to be a hardened web server. The analyst investigates and finds that the server is running unnecessary services. Which of the following is the MOST effective long-term solution?

These CS0-003 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style CS0-003 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.