CySA+ exam objectives: The 4 domains that will be covered
The Cybersecurity Analyst (CySA+) certification is an intermediate IT credential offered by CompTIA. It's one of the most popular analyst certifications and was updated in 2023 to align with the most in-demand knowledge and skills requested by employers for professionals tasked with security monitoring, incident detection, prevention and response.
Earn your CySA+, guaranteed!
Like its predecessor, CompTIA CySA+ CS0-003 still covers the core knowledge of cybersecurity analysts. But the updated version allows you to demonstrate your understanding of threat hunting and threat intelligence for securing modern IT infrastructure and cloud/hybrid environments while performing compromise recovery and incident response using security analyst tools, implementing Zero-Trust principles, and exercising the latest techniques for combating attacks inside and outside of the SOC.
This article explores CySA+ changes since the last exam edition (CS0-002), what is covered on the CySA+ exam, the exam structure, frequently asked questions about the exam, where to take the exam, training resources and more.
For more on the CySA+ exam update, watch our webinar with CompTIA's Patrick Lane, CompTIA CySA+ certification (CS0-003) changes: Everything you need to know.
What's on the CySA+ exam?
Updating from CS0-002 to CS0-003 was necessary to resolve knowledge gaps in the previous version, including more in-depth vulnerability management topics, the newest network architecture concepts and management of pre- and post-incident activities.
According to CompTIA, twenty percent of the exam objectives for the CySA+ credential were updated to cover the following:
- Current trends: Evolution of security analyst tools, such as enterprise Security Information and Event Management (SIEM) systems, to include more automated features, such as Security Orchestration and Automated Response (SOAR), to help cyber professionals tasked with incident detection, prevention and response. Other appropriate tools to become familiar with are endpoint detection and response (EDR) and extended detection and response (XDR) which provide monitoring and response that easily integrate across SIEMs.
- Cloud and mobile: Expanded coverage of cloud, mobile and zero trust architecture principles for securing digital transformation and protecting an IT infrastructure.
- Threat intelligence: More emphasis on threat intel vs. threat hunting, threat feeds vs. threat reports, automation of intel (e.g., automated threat feed) and how to prioritize alerts for better incident response and vulnerability management.
Note: If you choose to pursue the CySA+ 002 exam, you must take it before it retires on December 5, 2023, to get your CompTIA CySA+ certification.
A closer look at the objectives you'll need to master on the exam
The new exam has been streamlined and comprises four instead of five domains. Here’s a breakdown of the key CySA+ domains, subtopics and associated tasks candidates will be tested on.
Domain 1: Security operations (33%)
- Explain the importance of system and network architecture concepts in security operations.
- Given a scenario, analyze indicators of potentially malicious activity.
- Given a scenario, use appropriate tools or techniques to determine malicious activity.
- Compare and contrast threat-intelligence and threat-hunting concepts.
- Explain the importance of efficiency and process improvement in security operations.
Domain 2: Vulnerability management (30%)
- Given a scenario, implement vulnerability scanning methods and concepts.
- Given a scenario, analyze output from vulnerability assessment tools.
- Given a scenario, analyze data to prioritize vulnerabilities.
- Given a scenario, recommend controls to mitigate attacks and software vulnerabilities.
- Explain concepts related to vulnerability response, handling, and management.
Domain 3: Incident response & management (20%)
- Explain concepts related to attack methodology frameworks.
- Given a scenario, perform incident response activities.
- Explain the preparation and post-incident activity phases of the incident management life cycle.
Domain 4: Reporting & communication (17%)
- Explain the importance of vulnerability management reporting and communication.
- Explain the importance of incident response reporting and communication.
For more specifics and a comprehensive overview of the topic areas tested, see the CS0-003 exam objectives.
What you need to know about maintaining your certification
After passing the exam and acquiring the CySA+ certification, a candidate must complete the renewal requirements every three years. This consists of paying the Continuing Education (CE) fee ($50 a year or $150 for the three-year cycle) and submitting 60 CEUs (this is done by uploading them to their certification account) by the credential's expiration date. These are crucial steps to ensure that your certification remains current and valid.
Get ready to get CySA+ certified
To successfully prepare for this test and improve your chances of passing on the first attempt, consider the self-study resources offered by CompTIA and think about a course from an authorized training provider that can offer instructor-led training. Infosec offers an on-demand CySA+ Learning Path if you prefer to study at your own pace. They also offer a live CySA+ Boot Camp with an Exam Pass Guarantee, meaning if you don't pass the exam on your first attempt, you can get a second attempt at no cost to you.
For more on CySA+, visit the Infosec CySA+ hub and watch our webinar, CompTIA CySA+ certification (CS0-003) changes: Everything you need to know.
FAQ: CySA+ exam
What job roles should take the CySA+ exam?
CompTIA CySA+ is valuable for professionals in (or aspiring to) the following job roles:
- IT security analyst
- Security operations center (SOC) analyst
- Cybersecurity specialist
- Threat intelligence analyst
- Cybersecurity analyst
- Incident response analyst
- Threat hunter
- Vulnerability management analyst
- Cybersecurity engineer
What is the recommended CySA+ experience?
Network+, Security+ or equivalent knowledge is recommended but not required. Four years of hands-on experience as an incident response analyst or security operations center (SOC) analyst or equivalent experience is also recommended.
How long is the CySA+ exam?
The CySA+ exam is up to 165 minutes long.
How many questions are on the CySA+ exam?
The CySA+ test includes a maximum of 85 multiple-choice and performance-based questions.
What is the passing score for CySA+?
To pass the CySA+ exam you need a minimum of 750 (on a scale of 100-900).
In which languages is the CySA+ test available?
The CS0-003 exam will be available in more languages; Japanese, Portuguese and Spanish tests will follow the English version.
How much does the exam cost?
The CySA+ exam voucher in the U.S. costs $404 at the time of this writing.
When should I purchase my exam voucher?
When you feel ready for the test, purchase a voucher and schedule your CySA+ exam.
Where do I purchase my exam voucher?
Visit either the CompTIA Store or the site of Pearson VUE, the authorized testing center.