CompTIA CySA+ CS0-003 Study Guide: Security Operations

Coverage: CySA+ domain 1.0 Security Operations Purpose: Original study material built from the supplied CySA+ courseware and exam-objective coverage. This is not copied exam content.

How To Use This Guide

Read the high-yield anchors first.
Study each topic until you can explain the analyst action without looking.
Run a practice test and review every missed item.
Return to the section named in the missed-question remediation.
For lab-style readiness, practice with logs, PCAPs, scanners, command output, and short written findings.

Exam Context

Exam code: CS0-003.
Official-style format: up to 85 questions, 165 minutes, multiple-choice and performance-based questions.
Local readiness target: 85% practice pass, 90% comfort target, 95% strong signal.

High-Yield Memory Anchors

Analysts turn evidence into decisions.
Prioritize by risk, exploitability, exposure, asset value, and business impact.
A single indicator rarely proves the whole story; correlate host, network, identity, and timing.
Reports should tell the right audience what happened, why it matters, what to do, and how to verify.
When the exam asks for the best next step, choose the action that preserves evidence, reduces risk, and follows process.

Domain Map

Governance and policy: Use policy, standards, and leadership direction to decide what normal operations should look like.
Risk management: Compare likelihood, impact, and business context before choosing a response.
Control types: Classify controls as preventive, detective, corrective, deterrent, compensating, physical, administrative, or technical.
Attack surface management: Continuously discover exposed assets, services, identities, and external attack paths.
Patch and configuration management: Use approved change windows, testing, deployment rings, rollback plans, and compliance checks.
Threat intelligence: Use intelligence sources to understand adversary tactics, infrastructure, malware, and indicators.
Threat actors: Distinguish motives, capability, resources, and intent across actors.
TTP mapping: Map observed behavior to tactics, techniques, and procedures.
Open-source intelligence: Collect publicly available information ethically and legally.
Threat hunting: Proactively search for abnormal behavior using hypotheses, baselines, and evidence.
Indicators of compromise: Recognize artifacts that suggest compromise may have occurred.
Indicators of attack: Identify behavior showing an attack is underway.
Decoys and deception: Use honeypots, honeytokens, and decoy credentials to detect suspicious access.
Operational visibility: Maintain logs, telemetry, endpoint visibility, network visibility, and baseline awareness.
SIEM and SOAR: Use SIEM for correlation and SOAR for repeatable response automation.
Packet capture analysis: Use packet captures to inspect protocols, sessions, payload clues, and abnormal flows.
Domain and IP reputation: Check external reputation carefully and correlate with local telemetry.
Scripting for analysis: Use scripts to parse logs, automate repetitive checks, and summarize evidence.

Visual Model

Threat hunting loopCySA+ hunting starts with a hypothesis, tests it against telemetry, then improves detections and operations.

Hypothesis

Select data

Query telemetry

Validate evidence

Escalate or close

Tune detections

Study Notes

Governance and policy

Big Picture

Use policy, standards, and leadership direction to decide what normal operations should look like.

Analyst Actions

Map activity to policy requirements and escalate gaps through governance channels.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Policies, standards, risk registers, exception records, and control ownership.

Exam Traps

Ignore governance and focus only on packet captures.
Disable policies until an audit begins.
Treat every policy exception as accepted risk forever.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Risk management

Big Picture

Compare likelihood, impact, and business context before choosing a response.

Analyst Actions

Prioritize the issue that creates the highest business risk, not simply the loudest alert.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Risk score, asset criticality, exposure, exploitability, and compensating controls.

Exam Traps

Sort findings alphabetically.
Patch only systems with the newest operating system.
Treat all low-risk systems as critical.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Control types

Big Picture

Classify controls as preventive, detective, corrective, deterrent, compensating, physical, administrative, or technical.

Analyst Actions

Choose the control type that matches the scenario objective.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Control matrix, audit findings, and implementation evidence.

Exam Traps

Use only physical controls for cloud workloads.
Assume detective controls prevent all attacks.
Replace corrective controls with awareness posters.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Attack surface management

Big Picture

Continuously discover exposed assets, services, identities, and external attack paths.

Analyst Actions

Reduce exposed services and prioritize internet-facing weaknesses.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

External scans, asset inventory, shadow IT records, and exposed ports.

Exam Traps

Focus only on retired internal systems.
Disable inventory tools during scanning.
Assume unknown assets are low priority.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Patch and configuration management

Big Picture

Use approved change windows, testing, deployment rings, rollback plans, and compliance checks.

Analyst Actions

Patch or reconfigure vulnerable systems based on severity and operational risk.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Patch compliance dashboards, baselines, maintenance windows, and rollback records.

Exam Traps

Patch production first without testing.
Delay all critical patches until annual review.
Remove rollback plans to save time.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Threat intelligence

Big Picture

Use intelligence sources to understand adversary tactics, infrastructure, malware, and indicators.

Analyst Actions

Apply relevant intelligence to detections, hunts, and blocking decisions.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

STIX/TAXII feeds, ISAC notices, vendor reports, and MITRE ATT&CK mapping.

Exam Traps

Treat all indicators as permanent truth.
Use only social media rumors.
Block every IP on the internet.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Threat actors

Big Picture

Distinguish motives, capability, resources, and intent across actors.

Analyst Actions

Use actor context to judge likely objectives and defensive priorities.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

TTP patterns, targeting history, tooling, and campaign behavior.

Exam Traps

Assume all actors have identical goals.
Ignore capability and focus only on names.
Treat insider threats as impossible.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

TTP mapping

Big Picture

Map observed behavior to tactics, techniques, and procedures.

Analyst Actions

Describe what the attacker is doing rather than only naming one indicator.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

MITRE ATT&CK technique IDs, observed commands, process chains, and network patterns.

Exam Traps

Map every event to the same tactic.
Use CVSS as a TTP framework.
Only record the malware family name.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Open-source intelligence

Big Picture

Collect publicly available information ethically and legally.

Analyst Actions

Use OSINT to support threat hunting, attribution context, and exposure review.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Public DNS, WHOIS, certificate transparency, paste sites, repositories, and breach data.

Exam Traps

Access private mailboxes without authorization.
Modify attacker infrastructure.
Skip source reliability review.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Threat hunting

Big Picture

Proactively search for abnormal behavior using hypotheses, baselines, and evidence.

Analyst Actions

Build a hypothesis, query data, validate findings, and improve detections.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Hunt hypothesis, query results, baselines, and documented findings.

Exam Traps

Wait only for automated alerts.
Delete failed hypotheses.
Hunt without a question or data source.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Indicators of compromise

Big Picture

Recognize artifacts that suggest compromise may have occurred.

Analyst Actions

Correlate indicators with other evidence before declaring an incident.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Hashes, domains, IPs, file paths, registry keys, user-agent strings, and log patterns.

Exam Traps

Treat every hash as benign.
Use only one indicator without context.
Ignore time windows and asset role.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Indicators of attack

Big Picture

Identify behavior showing an attack is underway.

Analyst Actions

Look for sequences such as discovery, credential access, lateral movement, and exfiltration.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Process trees, authentication patterns, command history, and network flows.

Exam Traps

Only search for known hashes.
Ignore behavior if antivirus is quiet.
Treat normal patching as exfiltration.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Decoys and deception

Big Picture

Use honeypots, honeytokens, and decoy credentials to detect suspicious access.

Analyst Actions

Investigate any access to a resource that legitimate users should not touch.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Honeytoken access logs, decoy account use, and honeypot traffic.

Exam Traps

Place production secrets in decoys.
Advertise decoy credentials to all staff.
Treat decoys as replacement backups.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Operational visibility

Big Picture

Maintain logs, telemetry, endpoint visibility, network visibility, and baseline awareness.

Analyst Actions

Verify that important assets and controls are producing usable evidence.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

SIEM ingestion health, EDR status, NetFlow, DNS logs, and endpoint telemetry.

Exam Traps

Collect logs but never review them.
Disable endpoint telemetry during incidents.
Monitor only test systems.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

SIEM and SOAR

Big Picture

Use SIEM for correlation and SOAR for repeatable response automation.

Analyst Actions

Tune detections and automate safe, well-defined actions.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Correlation rules, playbooks, case records, and automation logs.

Exam Traps

Let SOAR make irreversible changes without approval.
Use SIEM as the only backup system.
Ignore false-positive tuning.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Packet capture analysis

Big Picture

Use packet captures to inspect protocols, sessions, payload clues, and abnormal flows.

Analyst Actions

Filter traffic to answer a specific investigation question.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

PCAPs, Zeek logs, flow data, DNS queries, and TLS metadata.

Exam Traps

Start with no filter and no hypothesis.
Assume encrypted traffic is always malicious.
Ignore timestamps and endpoints.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Domain and IP reputation

Big Picture

Check external reputation carefully and correlate with local telemetry.

Analyst Actions

Use reputation as supporting evidence, not a final verdict.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

Reputation portals, passive DNS, ASN data, and local connection logs.

Exam Traps

Convict based on one reputation score.
Ignore local context.
Assume new domains are always safe.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Scripting for analysis

Big Picture

Use scripts to parse logs, automate repetitive checks, and summarize evidence.

Analyst Actions

Automate repeatable analysis while preserving source evidence.
Identify the affected asset, owner, data sensitivity, exposure, and operational impact.
Preserve enough evidence to support the decision and enable review.
Document what was checked, what was found, and what should happen next.

Evidence To Look For

PowerShell, Bash, Python, regex, parsed log output, and script comments.

Exam Traps

Edit original logs in place.
Run unknown scripts without review.
Use automation without validation.

Hands-On Practice

Write one SIEM, shell, scanner, or ticket query that would produce evidence for this topic.
Decide what would make the finding higher priority.
Decide what would make the finding a false positive or accepted risk.

Deep Review Table

Topic	Best Evidence	Best Action
Governance and policy	Policies, standards, risk registers, exception records, and control ownership	Map activity to policy requirements and escalate gaps through governance channels.
Risk management	Risk score, asset criticality, exposure, exploitability, and compensating controls	Prioritize the issue that creates the highest business risk, not simply the loudest alert.
Control types	Control matrix, audit findings, and implementation evidence	Choose the control type that matches the scenario objective.
Attack surface management	External scans, asset inventory, shadow IT records, and exposed ports	Reduce exposed services and prioritize internet-facing weaknesses.
Patch and configuration management	Patch compliance dashboards, baselines, maintenance windows, and rollback records	Patch or reconfigure vulnerable systems based on severity and operational risk.
Threat intelligence	STIX/TAXII feeds, ISAC notices, vendor reports, and MITRE ATT&CK mapping	Apply relevant intelligence to detections, hunts, and blocking decisions.
Threat actors	TTP patterns, targeting history, tooling, and campaign behavior	Use actor context to judge likely objectives and defensive priorities.
TTP mapping	MITRE ATT&CK technique IDs, observed commands, process chains, and network patterns	Describe what the attacker is doing rather than only naming one indicator.
Open-source intelligence	Public DNS, WHOIS, certificate transparency, paste sites, repositories, and breach data	Use OSINT to support threat hunting, attribution context, and exposure review.
Threat hunting	Hunt hypothesis, query results, baselines, and documented findings	Build a hypothesis, query data, validate findings, and improve detections.
Indicators of compromise	Hashes, domains, IPs, file paths, registry keys, user-agent strings, and log patterns	Correlate indicators with other evidence before declaring an incident.
Indicators of attack	Process trees, authentication patterns, command history, and network flows	Look for sequences such as discovery, credential access, lateral movement, and exfiltration.
Decoys and deception	Honeytoken access logs, decoy account use, and honeypot traffic	Investigate any access to a resource that legitimate users should not touch.
Operational visibility	SIEM ingestion health, EDR status, NetFlow, DNS logs, and endpoint telemetry	Verify that important assets and controls are producing usable evidence.
SIEM and SOAR	Correlation rules, playbooks, case records, and automation logs	Tune detections and automate safe, well-defined actions.
Packet capture analysis	PCAPs, Zeek logs, flow data, DNS queries, and TLS metadata	Filter traffic to answer a specific investigation question.
Domain and IP reputation	Reputation portals, passive DNS, ASN data, and local connection logs	Use reputation as supporting evidence, not a final verdict.
Scripting for analysis	PowerShell, Bash, Python, regex, parsed log output, and script comments	Automate repeatable analysis while preserving source evidence.

Scenario Drill

For each scenario below, write the evidence you would collect, the most likely risk, the next action, and the communication target.

A critical internet-facing server has a remotely exploitable vulnerability, but the application owner says the next maintenance window is three weeks away.
A SIEM alert shows a user authenticating from two countries within ten minutes.
DNS logs show repeated long random-looking subdomains from one workstation.
A vulnerability scanner reports a critical finding on an OT device that cannot be rebooted during business hours.
Leadership asks whether a recent incident is contained, but analysis is still underway.

Final Review Checklist

I can explain governance and policy and choose the best analyst action in a scenario.
I can explain risk management and choose the best analyst action in a scenario.
I can explain control types and choose the best analyst action in a scenario.
I can explain attack surface management and choose the best analyst action in a scenario.
I can explain patch and configuration management and choose the best analyst action in a scenario.
I can explain threat intelligence and choose the best analyst action in a scenario.
I can explain threat actors and choose the best analyst action in a scenario.
I can explain ttp mapping and choose the best analyst action in a scenario.
I can explain open-source intelligence and choose the best analyst action in a scenario.
I can explain threat hunting and choose the best analyst action in a scenario.
I can explain indicators of compromise and choose the best analyst action in a scenario.
I can explain indicators of attack and choose the best analyst action in a scenario.
I can explain decoys and deception and choose the best analyst action in a scenario.
I can explain operational visibility and choose the best analyst action in a scenario.
I can explain siem and soar and choose the best analyst action in a scenario.
I can explain packet capture analysis and choose the best analyst action in a scenario.
I can explain domain and ip reputation and choose the best analyst action in a scenario.
I can explain scripting for analysis and choose the best analyst action in a scenario.