CS0-003 cheat sheet

A one-page reference for the CompTIA CySA+ (CS0-003) exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
CompTIA
Level
Intermediate
Questions
85
Time
165 min
Mock pass mark
75%
Domains
4
Practice Qs
147
Code
CS0-003

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

SIEM
SIEM (Security Information and Event Management) is a platform that aggregates and correlates log and event data to detect and investigate threats. CySA+ covers SIEM as a core security-operations tool.
SOAR
SOAR (Security Orchestration, Automation, and Response) is technology that automates and coordinates security workflows and incident response. CySA+ covers it for efficiency and process improvement in security operations.
EDR
EDR (Endpoint Detection and Response) is a tool that continuously monitors endpoints to detect, investigate, and respond to threats. CySA+ covers EDR among the tools used to determine malicious activity.
MITRE ATT&CK
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. CySA+ covers it as an attack framework used in threat hunting and detection.
Cyber Kill Chain
The Cyber Kill Chain is a model that describes the stages of a cyberattack from reconnaissance through actions on objectives. CySA+ covers it alongside MITRE ATT&CK as an attack framework.
Threat hunting
Threat hunting is the proactive search for threats that have evaded existing security controls. CySA+ covers threat-hunting concepts and threat intelligence in security operations.
Indicator of compromise
An indicator of compromise (IoC) is an artifact — such as a suspicious IP, file hash, or domain — that suggests a security breach. CySA+ covers analyzing IoCs to identify malicious activity.
CVSS
CVSS (Common Vulnerability Scoring System) is a standard for rating the severity of vulnerabilities on a 0–10 scale. CySA+ covers interpreting CVSS scores to prioritize vulnerabilities.
Vulnerability scanning
Vulnerability scanning is the automated process of identifying security weaknesses in systems and applications. CySA+ covers scanning methods, scope, and analyzing tool output.
False positive
A false positive is a reported finding that is not actually a real vulnerability or threat. CySA+ covers validating scanner output to remove false positives when prioritizing work.
Incident response lifecycle
The incident response lifecycle is the structured set of phases — preparation, detection and analysis, containment, eradication, recovery, and lessons learned — for handling security incidents. CySA+ covers it in the incident-response domain.
Playbook
A playbook is a documented, repeatable procedure for responding to a specific type of security incident. CySA+ covers playbooks in incident-response preparation and automation.
Root cause analysis
Root cause analysis is the post-incident process of determining the underlying cause of an incident to prevent recurrence. CySA+ covers it as a post-incident activity.