CompTIA CySA+ CS0-003 Study Guide: Incident Response and Management

Coverage: CySA+ domain 3.0 Incident Response and Management Purpose: Original study material built from the supplied CySA+ courseware and exam-objective coverage. This is not copied exam content.

How To Use This Guide

Read the high-yield anchors first.
Study each topic until you can explain the analyst action without looking.
Run a practice test and review every missed item.
Return to the section named in the missed-question remediation.
For lab-style readiness, practice with logs, PCAPs, scanners, command output, and short written findings.

Exam Context

Exam code: CS0-003.
Official-style format: up to 85 questions, 165 minutes, multiple-choice and performance-based questions.
Local readiness target: 85% practice pass, 90% comfort target, 95% strong signal.

High-Yield Memory Anchors

Analysts turn evidence into decisions.
Prioritize by risk, exploitability, exposure, asset value, and business impact.
A single indicator rarely proves the whole story; correlate host, network, identity, and timing.
Reports should tell the right audience what happened, why it matters, what to do, and how to verify.
When the exam asks for the best next step, choose the action that preserves evidence, reduces risk, and follows process.

Domain Map

Incident response plan: Define roles, escalation paths, communication channels, and response procedures before incidents occur.
Preparation: Build tools, access, playbooks, logging, contacts, and training before an event.
Detection and analysis: Validate alerts, identify affected assets, scope activity, and determine likely cause.
Containment: Limit spread while preserving critical evidence and business function.
Eradication: Remove attacker access, malware, persistence, and exploited weaknesses.
Recovery: Restore systems safely and monitor for recurrence.
Lessons learned: Review what happened and improve controls, playbooks, training, and detections.
Digital forensics: Collect, preserve, analyze, and report evidence using repeatable methods.
Chain of custody: Document who handled evidence, when, why, and how it was stored.
Legal considerations: Understand privacy, notification, law enforcement, retention, and counsel involvement.
Malware indicators: Identify suspicious files, processes, persistence, registry changes, and network callbacks.
Network attack indicators: Recognize scanning, beaconing, brute force, exfiltration, DNS tunneling, and ARP poisoning clues.
Host attack indicators: Identify suspicious services, accounts, scheduled tasks, logs, and privilege escalation signs.

Visual Model

Incident response lifecycleInspired by NIST incident response guidance: preparation supports the active detect, respond, and recover cycle.

Prepare

Detect

Analyze

Contain

Eradicate

Recover

Lessons learned

Study Notes

Incident response plan

Big Picture

Define roles, escalation paths, communication channels, and response procedures before incidents occur.

Analyst Actions

Follow the plan and escalate when severity or scope changes.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

IR plan, call tree, playbooks, severity matrix, and tabletop records.

Exam Traps

Invent roles during the incident.
Keep the plan secret from responders.
Skip escalation criteria.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Preparation

Big Picture

Build tools, access, playbooks, logging, contacts, and training before an event.

Analyst Actions

Verify readiness before the incident starts.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Jump kits, playbooks, access validation, contact lists, and tabletop outcomes.

Exam Traps

Wait to request access during containment.
Disable logging until an incident.
Store all tools on the compromised host.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Detection and analysis

Big Picture

Validate alerts, identify affected assets, scope activity, and determine likely cause.

Analyst Actions

Correlate data sources before declaring scope.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

SIEM events, EDR alerts, firewall logs, DNS logs, and user reports.

Exam Traps

Contain before understanding any scope.
Trust a single alert blindly.
Ignore timestamps.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Containment

Big Picture

Limit spread while preserving critical evidence and business function.

Analyst Actions

Choose short-term and long-term containment based on severity and impact.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Network isolation, account disablement, firewall blocks, and containment notes.

Exam Traps

Wipe every system first.
Announce attacker details publicly.
Leave compromised credentials active.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Eradication

Big Picture

Remove attacker access, malware, persistence, and exploited weaknesses.

Analyst Actions

Eliminate root cause after containment.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Removed persistence, patched weakness, credential reset, and malware cleanup evidence.

Exam Traps

Restore before removing persistence.
Leave exploited service exposed.
Only delete visible files.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Recovery

Big Picture

Restore systems safely and monitor for recurrence.

Analyst Actions

Validate clean state before returning assets to production.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Restore records, validation scans, monitoring windows, and owner sign-off.

Exam Traps

Return systems without testing.
Disable monitoring after restore.
Recover from untrusted backups.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Lessons learned

Big Picture

Review what happened and improve controls, playbooks, training, and detections.

Analyst Actions

Hold a blameless review and assign corrective actions.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

After-action report, timeline, root cause, and improvement backlog.

Exam Traps

Skip review if service is restored.
Use the meeting to assign blame only.
Hide control failures.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Digital forensics

Big Picture

Collect, preserve, analyze, and report evidence using repeatable methods.

Analyst Actions

Preserve integrity and document actions.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Disk images, memory captures, hashes, timestamps, and examiner notes.

Exam Traps

Analyze originals without imaging.
Change file timestamps casually.
Skip hashing evidence.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Chain of custody

Big Picture

Document who handled evidence, when, why, and how it was stored.

Analyst Actions

Maintain evidence admissibility and integrity.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Custody forms, hash values, transfer records, and secure storage logs.

Exam Traps

Email evidence without tracking.
Let unknown staff handle drives.
Record only the final owner.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Legal considerations

Big Picture

Understand privacy, notification, law enforcement, retention, and counsel involvement.

Analyst Actions

Escalate legal-sensitive issues through approved channels.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Legal hold, breach notification timeline, counsel guidance, and retention rules.

Exam Traps

Publish details before counsel review.
Ignore regulated data.
Delete evidence to reduce exposure.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Malware indicators

Big Picture

Identify suspicious files, processes, persistence, registry changes, and network callbacks.

Analyst Actions

Correlate host and network evidence.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Process trees, autoruns, hashes, C2 traffic, and file paths.

Exam Traps

Assume high CPU always proves malware.
Ignore persistence.
Trust file names alone.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Network attack indicators

Big Picture

Recognize scanning, beaconing, brute force, exfiltration, DNS tunneling, and ARP poisoning clues.

Analyst Actions

Use network telemetry to scope malicious behavior.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Flow logs, packet captures, DNS logs, failed authentication, and unusual volume.

Exam Traps

Ignore east-west traffic.
Treat all DNS as benign.
Analyze only one packet.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Host attack indicators

Big Picture

Identify suspicious services, accounts, scheduled tasks, logs, and privilege escalation signs.

Analyst Actions

Compare host state against baseline.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Event logs, shell history, running services, cron/scheduled tasks, and account changes.

Exam Traps

Ignore new admin accounts.
Assume logs are complete.
Delete suspicious tasks before recording them.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Deep Review Table

Topic	Best Evidence	Best Action
Incident response plan	IR plan, call tree, playbooks, severity matrix, and tabletop records	Follow the plan and escalate when severity or scope changes.
Preparation	Jump kits, playbooks, access validation, contact lists, and tabletop outcomes	Verify readiness before the incident starts.
Detection and analysis	SIEM events, EDR alerts, firewall logs, DNS logs, and user reports	Correlate data sources before declaring scope.
Containment	Network isolation, account disablement, firewall blocks, and containment notes	Choose short-term and long-term containment based on severity and impact.
Eradication	Removed persistence, patched weakness, credential reset, and malware cleanup evidence	Eliminate root cause after containment.
Recovery	Restore records, validation scans, monitoring windows, and owner sign-off	Validate clean state before returning assets to production.
Lessons learned	After-action report, timeline, root cause, and improvement backlog	Hold a blameless review and assign corrective actions.
Digital forensics	Disk images, memory captures, hashes, timestamps, and examiner notes	Preserve integrity and document actions.
Chain of custody	Custody forms, hash values, transfer records, and secure storage logs	Maintain evidence admissibility and integrity.
Legal considerations	Legal hold, breach notification timeline, counsel guidance, and retention rules	Escalate legal-sensitive issues through approved channels.
Malware indicators	Process trees, autoruns, hashes, C2 traffic, and file paths	Correlate host and network evidence.
Network attack indicators	Flow logs, packet captures, DNS logs, failed authentication, and unusual volume	Use network telemetry to scope malicious behavior.
Host attack indicators	Event logs, shell history, running services, cron/scheduled tasks, and account changes	Compare host state against baseline.

Scenario Drill

For each scenario below, write the evidence you would collect, the most likely risk, the next action, and the communication target.

A critical internet-facing server has a remotely exploitable vulnerability, but the application owner says the next maintenance window is three weeks away.
A SIEM alert shows a user authenticating from two countries within ten minutes.
DNS logs show repeated long random-looking subdomains from one workstation.
A vulnerability scanner reports a critical finding on an OT device that cannot be rebooted during business hours.
Leadership asks whether a recent incident is contained, but analysis is still underway.

Final Review Checklist

I can explain incident response plan and choose the best analyst action in a scenario.
I can explain preparation and choose the best analyst action in a scenario.
I can explain detection and analysis and choose the best analyst action in a scenario.
I can explain containment and choose the best analyst action in a scenario.
I can explain eradication and choose the best analyst action in a scenario.
I can explain recovery and choose the best analyst action in a scenario.
I can explain lessons learned and choose the best analyst action in a scenario.
I can explain digital forensics and choose the best analyst action in a scenario.
I can explain chain of custody and choose the best analyst action in a scenario.
I can explain legal considerations and choose the best analyst action in a scenario.
I can explain malware indicators and choose the best analyst action in a scenario.
I can explain network attack indicators and choose the best analyst action in a scenario.
I can explain host attack indicators and choose the best analyst action in a scenario.