CompTIA CySA+ (CS0-003) · Difficulty

Hard CS0-003 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 14 hard questions available — no sign-up, always free.

Question 1 of 14

A security analyst is planning a vulnerability scan of a manufacturing network segment containing legacy programmable logic controllers (PLCs) and human-machine interface (HMI) systems. During a prior scan, an aggressive active scan caused a PLC to become unresponsive, halting a production line. The analyst must map assets and identify vulnerabilities on this operational technology (OT) segment while minimizing the risk of disrupting production. Which scanning approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 14

During an active ransomware incident, an analyst confirms that a file server in the finance VLAN is encrypting shares and attempting SMB connections to hosts in other VLANs. Management insists the finance department must retain read-only access to already-encrypted backups on a separate storage appliance while the response team works. The team wants to stop lateral spread without fully powering down the affected server (to preserve volatile evidence). Which containment action BEST meets these constraints?

Reviewed for accuracy · Report an issue
Question 3 of 14

A threat analyst is documenting an intrusion using the Diamond Model of Intrusion Analysis. She has confirmed the malware sample (a custom RAT) and the compromised web server used to host the second-stage payload. To expand the investigation, she wants to identify other victims by pivoting from what she already knows. Which analytic pivot best leverages the confirmed data to discover additional affected organizations?

Reviewed for accuracy · Report an issue
Question 4 of 14

While reviewing a compromised Windows workstation, an analyst runs a WMI query and discovers a __EventFilter bound to a CommandLineEventConsumer that launches a PowerShell script whenever system uptime reaches 200 seconds. No corresponding scheduled task or registry Run key entry exists. Which conclusion best describes what the analyst has found?

Reviewed for accuracy · Report an issue
Question 5 of 14

During an active ransomware incident, the IR team has isolated three infected file servers from the network to stop encryption from spreading. Business leadership demands that critical shared drives be restored within hours to continue operations, but the team has not yet determined how the malware entered the environment. Which containment approach should the IR team implement next to balance operational needs with the ongoing investigation?

Reviewed for accuracy · Report an issue
Question 6 of 14

Two weeks after an incident response team completed the recovery phase for a ransomware event and formally closed the incident, the SOC detects the same malware family callback traffic from a different subnet that was previously believed unaffected. According to the incident response lifecycle, what is the MOST appropriate action for the team to take?

Reviewed for accuracy · Report an issue
Question 7 of 14

During a threat hunt, an analyst reviews Windows event logs and EDR telemetry from an internal file server. They observe that a user account authenticated to the server using a Kerberos ticket, but no corresponding interactive logon or password entry was recorded on the source workstation. The same ticket was then used to access three additional servers within minutes. Which MITRE ATT&CK technique best describes this observed activity?

Reviewed for accuracy · Report an issue
Question 8 of 14

A retail organization's monthly vulnerability scan flags several findings across its environment. The security manager must decide which to remediate first. The affected systems include: (1) an internal HR workstation with a medium-severity local privilege escalation flaw, (2) a public-facing e-commerce web server in the cardholder data environment (CDE) with a medium-severity TLS misconfiguration, (3) a development server with a critical remote code execution flaw that is isolated on an air-gapped test network, and (4) a marketing kiosk with a low-severity outdated browser plugin. Which finding should be remediated first?

Reviewed for accuracy · Report an issue
Question 9 of 14

A CySA+ analyst runs a software composition analysis (SCA) scan against a Node.js application build. The report flags a critical remote code execution vulnerability in a logging library. Investigation shows the development team never directly imported this library; it was pulled in automatically by a charting package listed in package.json. The charting package itself has no fix that removes the vulnerable dependency. What is the MOST appropriate first action for the analyst to recommend?

Reviewed for accuracy · Report an issue
Question 10 of 14

A CySA+ analyst reviews the weekly scan results and must recommend which vulnerability to remediate first. The organization has limited maintenance windows this week. The four findings below all have valid CVSS base scores. Which vulnerability should be prioritized for immediate remediation based on business context and exploitability?

Reviewed for accuracy · Report an issue
Question 11 of 14

A vulnerability analyst reviews a scan report for an internet-facing web server. Three findings are listed: (1) a medium-severity information disclosure flaw exposing internal directory paths, (2) a low-severity outdated TLS cipher suite, and (3) a medium-severity local file inclusion (LFI) vulnerability. Individually, none is rated critical, but the analyst notes that the disclosed paths could reveal the location of writable directories that the LFI could target. Considering these findings together, what should the analyst do first?

Reviewed for accuracy · Report an issue
Question 12 of 14

A security analyst reviews the weekly vulnerability scan report for an internet-facing e-commerce web farm. Four findings are flagged. The organization's remediation policy states that priority should be driven by real-world exploitability and business exposure, not raw base score alone. Which finding should the analyst remediate FIRST?

Reviewed for accuracy · Report an issue
Question 13 of 14

A vulnerability scan flags a critical (CVSS 9.8) remote code execution flaw on an internal application server. During validation, the analyst confirms the vulnerable service is only reachable from a management VLAN that requires jump-host authentication and MFA, and the server holds no sensitive data. The vendor patch will not be released for three weeks. Which action best reflects proper risk-based prioritization for this finding?

Reviewed for accuracy · Report an issue
Question 14 of 14

A SOC analyst reviewing EDR telemetry on a Windows workstation notices that a legitimate process, svchost.exe, was launched by explorer.exe rather than services.exe. Shortly after launch, the process's memory was written to by another process, its original image section was unmapped, and new executable code was mapped into that region before a thread resumed execution. Which technique is MOST likely being observed?

Reviewed for accuracy · Report an issue