CS0-003 cheat sheet
A one-page reference for the CompTIA CySA+ (CS0-003) exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
CompTIA
Level
Intermediate
Questions
85
Time
165 min
Mock pass mark
75%
Domains
4
Practice Qs
147
Code
CS0-003
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- SIEM
- SIEM (Security Information and Event Management) is a platform that aggregates and correlates log and event data to detect and investigate threats. CySA+ covers SIEM as a core security-operations tool.
- SOAR
- SOAR (Security Orchestration, Automation, and Response) is technology that automates and coordinates security workflows and incident response. CySA+ covers it for efficiency and process improvement in security operations.
- EDR
- EDR (Endpoint Detection and Response) is a tool that continuously monitors endpoints to detect, investigate, and respond to threats. CySA+ covers EDR among the tools used to determine malicious activity.
- MITRE ATT&CK
- MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. CySA+ covers it as an attack framework used in threat hunting and detection.
- Cyber Kill Chain
- The Cyber Kill Chain is a model that describes the stages of a cyberattack from reconnaissance through actions on objectives. CySA+ covers it alongside MITRE ATT&CK as an attack framework.
- Threat hunting
- Threat hunting is the proactive search for threats that have evaded existing security controls. CySA+ covers threat-hunting concepts and threat intelligence in security operations.
- Indicator of compromise
- An indicator of compromise (IoC) is an artifact — such as a suspicious IP, file hash, or domain — that suggests a security breach. CySA+ covers analyzing IoCs to identify malicious activity.
- CVSS
- CVSS (Common Vulnerability Scoring System) is a standard for rating the severity of vulnerabilities on a 0–10 scale. CySA+ covers interpreting CVSS scores to prioritize vulnerabilities.
- Vulnerability scanning
- Vulnerability scanning is the automated process of identifying security weaknesses in systems and applications. CySA+ covers scanning methods, scope, and analyzing tool output.
- False positive
- A false positive is a reported finding that is not actually a real vulnerability or threat. CySA+ covers validating scanner output to remove false positives when prioritizing work.
- Incident response lifecycle
- The incident response lifecycle is the structured set of phases — preparation, detection and analysis, containment, eradication, recovery, and lessons learned — for handling security incidents. CySA+ covers it in the incident-response domain.
- Playbook
- A playbook is a documented, repeatable procedure for responding to a specific type of security incident. CySA+ covers playbooks in incident-response preparation and automation.
- Root cause analysis
- Root cause analysis is the post-incident process of determining the underlying cause of an incident to prevent recurrence. CySA+ covers it as a post-incident activity.