CompTIA CySA+ Practice Test

Correct answer: Valid patch status and up-to-date software
Explanation:
Indicators of vulnerability typically include out-of-date software, exploitable CVEs, default credentials, and misconfigurations. Valid patch status & up-to-date software indicate already remediated or safe assets — thus not a vulnerability finding. Proper analysis filters out such “clean” systems.

Correct answer: Secure Software Development Life Cycle (SDLC) with integrated vulnerability management
Explanation:
Integrating vulnerability assessment into SDLC ensures new and existing code is scanned, tested, and hardened before deployment. It enforces policy, accountability, and consistency — aligning with exam objectives around vulnerability management and secure design.

Correct answer: Use passive monitoring or credentialed minimal-footprint scan, respecting restrictions
Explanation:
When active scanning is not allowed (due to fragility or compliance), passive vulnerability assessment — via log review, network monitoring, or credentialed non-intrusive checks — is safer. This approach balances security assessment with operational constraints. CySA+ recognizes special circumstances like critical infrastructure scanning.

Correct answer: Agentless external scanning with cloud API / network-based discovery
Explanation:
In cloud or hybrid environments, agentless scanning leveraging network-based discovery or cloud APIs enables vulnerability assessment without installing additional software. This helps reduce operational overhead and ensures cloud assets are not overlooked — part of modern vulnerability management per the 2025 CySA+ objectives.

Correct answer: Compensating control (e.g., network segmentation, access restrictions)
Explanation:
Compensating controls help mitigate risk when immediate remediation (like patching) isn’t feasible. By isolating vulnerable systems, restricting access, and monitoring closely, you reduce attack surface while preventing exploitation. CySA+ expects understanding of compensating controls as part of vulnerability response strategies.

Correct answer: Asset value, exposure, exploitability, and compensating controls — not just raw severity
Explanation:
Real-world vulnerability management requires context: a low-severity flaw on a non-critical, isolated system may be less urgent than a moderate flaw on an exposed production server. Evaluating business impact, exposure risk, asset criticality, and available compensating controls helps prioritize remediation effectively — a key concept in CySA+ Vulnerability Management.

Correct answer: Dynamic application security testing (DAST)
Explanation:
DAST interacts with a running application as an external user, probing for injection flaws, authentication issues, cross-site scripting, and broken access controls. It discovers runtime misconfigurations and behavioral vulnerabilities missed by static-only methods. The vulnerability management domain includes scanning methods and tool usage relevant to web app security.

Correct answer: Apply compensating controls such as network segmentation, access restrictions, or disabling vulnerable service
Explanation:
When a patch isn't available yet, compensating controls help reduce risk — for example network-level restrictions, isolating affected systems, reducing exposure, limiting privileges, or disabling the vulnerable functionality. This risk mitigation strategy is part of vulnerability response and management accepted under CySA+ objectives.

Correct answer: High severity with potential for widespread impact if exploited
Explanation:
CVSS scores rate vulnerabilities by metrics such as exploitability, impact on confidentiality/integrity/availability, and attack vector. A high base score suggests the flaw is easily exploitable and can cause serious damage, warranting prioritized remediation. Prioritization based on CVSS is central to vulnerability management in CySA+.

Correct answer: Authenticated, credentialed internal scan
Explanation:
An authenticated (credentialed) internal scan uses valid credentials to log into hosts and enumerate configurations, missing patches, OS versions, weak services, and misconfigurations. It provides the deepest visibility compared to non-credentialed or external scans, which often miss internal vulnerabilities. The CS0-003 exam emphasizes the difference between credentialed vs. non-credentialed and internal vs. external scanning.

Correct answer: It provides a more complete view of potential attack vectors, enabling correlation between endpoints and network behavior
Explanation:
Host-based data (processes, logs, file changes) and network-based data (traffic flows, connection attempts, anomalies) often complement each other. Combined analysis can reveal how an attacker moved from external network into host, executed malware, and exfiltrated data. This holistic approach is crucial for accurate detection, threat hunting, and response under the Security Operations domain.

Correct answer: Use of multifactor authentication (MFA)
Explanation:
MFA adds a secondary verification factor (something you have or are) beyond just a password. It significantly increases security because even if credentials are compromised, an attacker still needs the second factor to gain access. This aligns with the CS0-003 emphasis on identity and access controls in Security Operations.

Correct answer: Periodic small outbound connections to a remote IP at regular intervals
Explanation:
Beaconing involves malware contacting a command-and-control (C2) server at regular intervals, often with small packet sizes to avoid detection. Recognizing such patterns — consistent timing, remote external IP, small payload — is key for detecting stealthy persistent threats. This falls under “network-related indicators of malicious activity” in the Security Operations domain.

Correct answer: It automates repetitive tasks, accelerating detection and response times while reducing human error
Explanation:
SOAR platforms streamline SOC operations by automating alert triage, enrichment, correlated analysis, and even response actions (e.g. isolation, blocking). This reduces manual workload, speeds up response, and ensures consistent application of procedures — aligning with Security Operations goals for efficiency and process improvement as defined in the exam objectives.

Correct answer: Unexpected high CPU usage plus unknown processes spawning at odd hours
Explanation:
Host-based indicators — like unexplained CPU spikes, unknown processes, unusual child processes, or odd timing — may signal malware execution, cryptomining, or exploit activity. Detecting these anomalies is a fundamental part of threat detection at the host level in the Security Operations domain. Such anomalies often warrant deeper forensic and response actions.

Correct answer: It enables consistent data formats and simplifies correlation across diverse sources
Explanation:
Log ingestion with normalization standardizes logs from different devices (firewalls, servers, endpoints, cloud services) into a uniform schema. This allows correlation rules, search queries, and automated detection to work reliably across the environment. Without normalization, analysts may miss patterns due to inconsistent timestamp formats, field names, or data structures — undermining the SIEM’s effectiveness. This process is core to effective Security Operations as described in the exam objectives.

Correct answer: Public Key Infrastructure (PKI) and TLS/SSL encryption
Explanation:
PKI combined with TLS/SSL provides encryption, integrity, and authentication for data in transit. It prevents eavesdropping or tampering during transport, which is crucial when handling sensitive data or login credentials. The CySA+ objectives list encryption and sensitive data protection under Security Operations, reinforcing the need to understand these cryptographic protections.

Correct answer: Zero Trust architecture
Explanation:
Zero Trust architecture assumes no implicit trust — whether on-premises or in cloud — and requires continuous verification of identity, device health, and access permissions. It helps mitigate lateral movement, credential theft risks, and unauthorized access. Given that CySA+ CS0-003 now emphasizes cloud, hybrid, and zero-trust principles under Security Operations, understanding and applying Zero Trust is key to modern security operations.

Correct answer: Isolate the host and begin detailed log and file analysis
Explanation:
When suspicious outbound traffic is detected, isolating the host (quarantine) helps prevent further potential spread or data exfiltration. Then, detailed analysis of logs (network, OS, application) and files (running processes, binaries, recent changes) is necessary to identify indicators of compromise (IOC), scope the breach, and understand the threat. This aligns with incident detection and analysis best practices in Security Operations and Incident Response.

Correct answer: It ensures that log entries from different systems are correlated accurately
Explanation:
Time synchronization (e.g. via NTP) is critical because many security-analysis tools, SIEMs, and log aggregation systems rely on timestamps to correlate events across multiple hosts and network devices. Without consistent time, logs may appear out of order, making it nearly impossible to reconstruct attack timelines, correlate alerts, or identify the chain of malicious activity. This undermines incident detection, forensic analysis, and accurate root-cause analysis — all core to the Security Operations domain.