Domain 1: Threat and Vulnerability Management
Key Concepts
• Threat Intelligence:
o Definition: The collection and analysis of information about threats to understand their capabilities, intentions, and attack patterns.
o Sources: Open-source intelligence (OSINT), proprietary intelligence, and industry reports.
o Distinctions: Threat intelligence can be strategic, operational, tactical, or technical, each serving a different purpose in understanding threats.
• Vulnerability Management:
o Definition: The process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and software.
o Key Steps:
▪ Identification: Using tools like scanners to find vulnerabilities.
▪ Assessment: Evaluating the severity and impact of vulnerabilities.
▪ Remediation: Applying patches and fixes to vulnerabilities.
▪ Reporting: Documenting vulnerabilities and mitigation actions.
o Distinctions: Proactive vulnerability management involves regular scanning and patching, while reactive management responds to discovered threats.
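The four key steps above carried through as a small workflow, an added example that is not part of this study guide. It assumes scanner findings carry a CVSS v3 base score (the guide names no scoring system) and uses constructed, placeholder vulnerability identifiers rather than real ones.

```python
"""Vulnerability management: identify -> assess -> remediate -> report."""
from dataclasses import dataclass

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]


@dataclass
class Finding:
    host: str
    vuln_id: str      # placeholder identifier, not a real CVE
    cvss: float       # CVSS v3 base score, 0.0 - 10.0 (assumed input)
    patched: bool = False


# Constructed sample scanner output (step 1 input); contains one duplicate row.
SCAN_RESULTS = [
    {"host": "web-01", "vuln_id": "VULN-EXAMPLE-001", "cvss": 9.8},
    {"host": "web-01", "vuln_id": "VULN-EXAMPLE-002", "cvss": 5.3},
    {"host": "db-01", "vuln_id": "VULN-EXAMPLE-001", "cvss": 9.8},
    {"host": "db-01", "vuln_id": "VULN-EXAMPLE-003", "cvss": 3.1},
    {"host": "web-01", "vuln_id": "VULN-EXAMPLE-001", "cvss": 9.8},
]


def identify(raw):
    """Step 1: normalise scanner rows and drop duplicate (host, vuln) pairs."""
    seen, findings = set(), []
    for row in raw:
        key = (row["host"], row["vuln_id"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(Finding(row["host"], row["vuln_id"], float(row["cvss"])))
    return findings


def assess(score):
    """Step 2: map a CVSS v3 base score to its qualitative severity rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


def remediate(findings, patched_ids):
    """Step 3: mark findings fixed once a patch for that vulnerability is deployed."""
    for f in findings:
        f.patched = f.patched or f.vuln_id in patched_ids
    return findings


def report(findings):
    """Step 4: count still-open findings per severity, worst first."""
    summary = {}
    for f in findings:
        if not f.patched:
            sev = assess(f.cvss)
            summary[sev] = summary.get(sev, 0) + 1
    return dict(sorted(summary.items(), key=lambda kv: SEVERITY_ORDER.index(kv[0])))
```

Running `report(identify(SCAN_RESULTS))` before and after `remediate(..., {"VULN-EXAMPLE-001"})` shows the two Critical entries disappearing from the open count once the patch is deployed.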
• Penetration Testing:
o Definition: Simulated cyberattacks on a system to evaluate security defenses.
o Methodologies: Black-box (no prior knowledge), white-box (full knowledge), gray-box (limited knowledge).
o Distinctions: Penetration testing differs from vulnerability scanning in that it actively exploits vulnerabilities instead of only identifying them.
Practice Questions
1. What are the different types of threat intelligence, and how are they used?
2. Describe the steps involved in vulnerability management.
3. How does penetration testing differ from vulnerability scanning?
Domain 2: Software and Systems Security
Key Concepts
• Security Solutions and Architectures:
o Endpoint Security: Protects endpoints like desktops, laptops, and mobile devices with antivirus, anti-malware, and firewalls.
o Network Security: Uses firewalls, intrusion detection/prevention systems (IDS/IPS), and VPNs to protect network traffic.
o Application Security: Ensures software is designed to resist attacks, including secure coding practices and application firewalls.
• Identity and Access Management (IAM):
o Definition: Processes and technologies used to manage digital identities and control access to resources.
o Components:
▪ Authentication: Verifying user identities (e.g., passwords, biometrics).
▪ Authorization: Granting access to resources based on policies.
▪ Accounting: Tracking user activities and access.
o Distinctions: IAM solutions may include single sign-on (SSO), multi-factor authentication (MFA), and role-based access control (RBAC).
• Secure Software Development:
o Definition: Incorporating security practices into the software development lifecycle (SDLC).
o Practices: Code review, static and dynamic analysis, threat modeling.
o Distinctions: Secure coding standards, such as those published by OWASP, guide developers in minimizing vulnerabilities.
Practice Questions
1. What are the key components of identity and access management?
2. How does endpoint security differ from network security?
3. Describe the importance of secure software development practices.
Domain 3: Security Operations and Monitoring
Key Concepts
• Security Information and Event Management (SIEM):
o Definition: A system that collects, analyzes, and correlates security data from across the network to detect and respond to threats.
o Capabilities: Real-time monitoring, historical analysis, alerting, and reporting.
o Distinctions: SIEMs integrate with other security tools and may include automation for incident response.
• Incident Response: