CySA+ (CS0-003) Exam Study Guide: 100 Q&A
Complete Guide 2026: Detailed Answers
Threat Intelligence (20 Questions)
1. Which threat intelligence source provides real-time information about emerging threats from a community of security professionals?
A) Open Source Intelligence (OSINT)
B) Proprietary threat feeds
C) Information Sharing and Analysis Centers (ISACs) ✓
D) Publicly available malware repositories
2. What is the primary purpose of the Diamond Model of Intrusion Analysis?
A) To classify malware families
B) To map relationships between adversaries, capabilities, infrastructure, and victims ✓
C) To calculate risk scores for vulnerabilities
D) To organize incident response procedures
3. Which type of indicator of compromise (IoC) would most likely represent a behavioral pattern rather than a static artifact?
A) File hash (MD5)
B) IP address
C) Registry key
D) Network traffic pattern showing beaconing ✓
4. When evaluating threat intelligence, which characteristic ensures the information is useful for your specific organization?
A) Timeliness
B) Relevance ✓
C) Accuracy
D) Confidence level
5. The MITRE ATT&CK framework is primarily used for:
A) Vulnerability scanning
B) Mapping adversary tactics and techniques ✓
C) Risk assessment calculations
D) Security policy development
Vulnerability Management (20 Questions)
6. What is the key difference between a vulnerability scan and a penetration test?
A) Vulnerability scans are automated; penetration tests include manual exploitation ✓
B) Penetration tests are faster to perform
C) Vulnerability scans provide deeper analysis
D) Only penetration tests identify vulnerabilities
7. Which scanning method would be most appropriate for identifying vulnerabilities in a web application's authentication mechanism?
A) Network discovery scan
B) Credentialed scan
C) Web application scan ✓
D) Port scan
8. A Common Vulnerability Scoring System (CVSS) score of 9.8 would be classified as:
A) Low severity
B) Medium severity
C) High severity
D) Critical severity ✓
9. Which factor is most important when prioritizing vulnerability remediation?
A) Vulnerability age
B) Exploit availability and business impact ✓
C) Vendor patch release date
D) Scan detection method
10. What does a false positive in vulnerability scanning indicate?
A) A real vulnerability that wasn't detected
B) A reported vulnerability that doesn't actually exist ✓
C) A vulnerability that was previously patched
D) A critical vulnerability requiring immediate attention
Security Operations and Monitoring (20 Questions)
11. Which SIEM capability allows for the identification of patterns across multiple log sources over time?
A) Log aggregation
B) Correlation ✓
C) Alerting
D) Data normalization
12. What is the primary purpose of a playbook in security operations?
A) To document security policies
B) To provide standardized response procedures for specific scenarios ✓
C) To list all available security tools
D) To track employee training completion
13. Which network monitoring technique is most effective for detecting data exfiltration through DNS tunneling?
A) Packet capture analysis
B) Analyzing DNS query patterns and volumes ✓
C) Firewall log review
D) NetFlow analysis of overall traffic
14. When analyzing a security alert, what should be the FIRST step?
A) Contain the threat
B) Investigate the affected system
C) Validate the alert ✓
D) Notify management
15. What does UEBA (User and Entity Behavior Analytics) primarily focus on detecting?
A) Known malware signatures
B) Deviations from normal behavioral patterns ✓
C) Network protocol violations
D) Unpatched software vulnerabilities
Incident Response (20 Questions)
16. During which phase of the NIST incident response lifecycle would you implement measures to prevent recurrence of an incident?
A) Preparation
B) Detection and Analysis