
CompTIA exam questions

CS0-003 CompTIA CySA+ CS0-003 practice test

Use this page to practise for the CompTIA CySA+ CS0-003 exam. The goal is not to memorise dumps, but to understand the concept behind each question, review the explanation and improve your exam readiness.

300 practice questions | Topics covered: mapped | Exam code: CS0-003 | Vendor: CompTIA

Practice sessions

Start a focused practice session

Choose a question count to begin. Longer sessions build deeper familiarity; shorter sessions are ideal for daily warm-ups or targeting a specific weak area before moving on.

Practice set

CompTIA CySA+ CS0-003 questions

Question 1 (hard, multi select)

A responder is acquiring evidence from a potentially compromised server. Which actions support forensic integrity? (Choose two.)

Question 2 (medium, multi select)

A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)

Question 3 (medium, multiple choice)

A user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible?

Question 4 (hard, multiple choice)

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is the business service owner, which content choice is most appropriate?

Question 5 (hard, multiple choice)

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

Question 6 (medium, multiple choice)

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 7 (medium, multiple choice)

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For control selection, which control best addresses the stated weakness without hiding risk?

Question 8 (hard, multi select)

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

Question 9 (medium, multiple choice)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For validation, which action should be taken before closing or downgrading the finding?

Question 10 (easy, multiple choice)

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For tool configuration, which scanner or pipeline change most directly improves result quality?

Question 11 (hard, multiple choice)

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 12 (easy, multiple choice)

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is executive leadership, which content choice is most appropriate?

Question 13 (medium, multiple choice)

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For stakeholder management, which documentation or approval is required to keep the programme defensible?

Question 14 (medium, multiple choice)

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For business prioritization, which recommendation gives the best risk-based order of work?

Question 15 (easy, multiple choice)

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For business prioritization, which recommendation gives the best risk-based order of work?

Question 16 (medium, multiple choice)

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For control selection, which control best addresses the stated weakness without hiding risk?

Question 17 (medium, multiple choice)

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For validation, which action should be taken before closing or downgrading the finding?

Question 18 (medium, multiple choice)

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 19 (medium, multiple choice)

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 20 (medium, multiple choice)

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 21 (medium, multiple choice)

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For stakeholder management, which documentation or approval is required to keep the programme defensible?

Question 22 (medium, multiple choice)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For stakeholder management, which documentation or approval is required to keep the programme defensible?

Question 23 (hard, multiple choice)

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For business prioritization, which recommendation gives the best risk-based order of work?

Question 24 (medium, multiple choice)

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For business prioritization, which recommendation gives the best risk-based order of work?

Exam question guide

How to use these CS0-003 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.
