CompTIA CySA+ (CS0-003) Study Guide — The Cert That Lands SOC Analyst Jobs

CySA+ is the analyst cert that pays. Here's what CS0-003 actually tests, the threat-hunting frameworks you must memorize, and how to bridge from Security+ in 6 weeks.

CompTIA CySA+ is the cert that takes you from "I know security concepts" to "I can analyze a real intrusion." It's specifically aimed at the SOC analyst, threat hunter, and incident responder roles — the jobs that ingest logs, write detections, and pivot through an attack timeline. The current version is CS0-003, released mid-2023 and the only version delivered today.

If Security+ proved you understood security, CySA+ proves you can do it.

Who CySA+ is for

You should consider CySA+ if any of these match:

  • You're a current Security+ holder looking to earn $10k–$25k more
  • You're targeting SOC Analyst, Cybersecurity Analyst, Threat Intelligence Analyst, or Incident Responder roles
  • You need a DoD 8140 / 8570 IAT Level II or CSSP Analyst-approved cert
  • You want a step toward CASP+ / SecurityX without committing to CISSP yet

If your goal is offensive security or pentesting, PenTest+ is the better fit. CySA+ is a defensive cert.

Exam structure

  • Up to 85 questions in 165 minutes — substantially longer than Security+
  • Multiple choice and performance-based questions (PBQs)
  • Passing score: 750 / 900
  • Four domains:

    Domain                              Weight
    1. Security Operations              33%
    2. Vulnerability Management         30%
    3. Incident Response & Management   20%
    4. Reporting & Communication        17%

The 165-minute window is generous. PBQs are heavier than Security+ — expect log analysis, packet capture interpretation, and "given this output, what's the next step" scenarios.

What CS0-003 changed from CS0-002

If you're studying with older material:

  • Software & systems security domain was removed.
  • Reporting & communication was added — soft-skill content (writing IR reports, communicating to non-technical stakeholders, regulatory reporting).
  • Vulnerability management weight increased.
  • Threat hunting frameworks got more emphasis. Expect MITRE ATT&CK, Diamond Model, and Cyber Kill Chain to all appear.

The four frameworks you must memorize cold

CySA+ leans heavily on threat-modeling frameworks. Know each one's structure and when each one is used:

1. Lockheed Martin Cyber Kill Chain

Linear, 7-step model: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Best for understanding the attacker's process. Weakness: it assumes a single linear path and doesn't capture insider threats well.

2. MITRE ATT&CK

Matrix of tactics (the why — 14 columns: Initial Access, Execution, Persistence, etc.) and techniques (the how — hundreds of specific entries like T1078 Valid Accounts). Industry standard for detection engineering. You won't be asked to recite technique numbers, but you must know what tactics belong where in the matrix.

3. Diamond Model of Intrusion Analysis

Four vertices — adversary, infrastructure, capability, victim — connected by edges. Used for attribution and pivot analysis: if you know one vertex, you can hunt for the others.

4. NIST SP 800-61 IR lifecycle

Four phases: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity. CySA+ heavily favors NIST's terminology over older ISC2 phrasing.

Log analysis fundamentals

A solid third of the PBQs will hand you a chunk of log output and ask what's happening. Train yourself on:

  • Apache / Nginx access logs — recognize SQLi (UNION SELECT), directory traversal (../../etc/passwd), command injection (;cat), web shell uploads, and the difference between scanning (high 404 rate) and exploitation (200 on a weird path).
  • Windows Event Viewer — Event ID 4624 (logon), 4625 (failed logon), 4672 (special privileges), 4688 (process creation), 4720 (account created), 7045 (service installed). The 47xx events around account changes are gold for insider-threat scenarios.
  • Linux syslog / auth.log — sudo abuse, SSH brute force, process anomalies.
  • Firewall and NetFlow logs — beaconing patterns, data exfiltration via DNS, port-knock sequences.
  • Sysmon — Event 1 (process create), Event 3 (network connection), Event 7 (image loaded), Event 11 (file create).

Pull a free Splunk or ELK lab and parse 50 real logs by hand before the exam. The pattern recognition transfers.
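As an added example (not from the original guide), here is a small Python triage script that applies the access-log patterns above to a few constructed Apache combined-format lines: it names the indicator that fired and separates a scanner (mostly 404s) from a source that got a 200 on an injected path. The log lines, IP addresses and the 404-ratio threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2026:10:01:01 +0000] "GET /admin HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:10:01:02 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:10:05:10 +0000] "GET /product?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 3400 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2026:10:05:12 +0000] "GET /view?file=../../etc/passwd HTTP/1.1" 200 1800 "-" "curl/8.0"
192.0.2.44 - - [10/Mar/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Indicator patterns from the page's list, matched against the URL-decoded path.
INDICATORS = {
    "sqli": re.compile(r"union\s+select", re.I),
    "traversal": re.compile(r"(\.\./)+.*etc/passwd", re.I),
    "cmd_injection": re.compile(r";\s*cat\b", re.I),
}

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], unquote(m["path"]), int(m["status"])  # (ip, decoded path, status)
def flag_indicators(path):
    return [name for name, rx in INDICATORS.items() if rx.search(path)]
def triage(log_text, scan_404_ratio=0.5):
    """Classify each source IP as 'exploitation', 'scanning', or 'benign'."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "hits": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, status = parsed
        s = per_ip[ip]
        s["total"] += 1
        s["not_found"] += int(status == 404)
        # Record which indicators fired and what the server answered.
        s["hits"] += [(name, status) for name in flag_indicators(path)]
    verdicts = {}
    for ip, s in per_ip.items():
        if any(status == 200 for _, status in s["hits"]):
            verdicts[ip] = "exploitation"  # 200 on a weird path: payload likely worked
        elif s["hits"] or s["not_found"] / s["total"] >= scan_404_ratio:
            verdicts[ip] = "scanning"  # probes answered 404, or a payload the server rejected
        else:
            verdicts[ip] = "benign"
    return verdicts
```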

Vulnerability management — what they actually want

Two skills get tested heavily:

1. Reading scan output. You'll get a snippet of Nessus, OpenVAS, or Nexpose output and be asked to prioritize. The right answer is rarely "the highest CVSS." It's "the highest CVSS exposed externally with no compensating control." Practice with sample reports.

2. CVSS interpretation. Know the base, temporal, and environmental metric groups. Memorize that:

  • AV (Attack Vector) = Network/Adjacent/Local/Physical
  • AC (Attack Complexity) = Low/High
  • PR (Privileges Required) = None/Low/High
  • UI (User Interaction) = None/Required
  • S (Scope) = Unchanged/Changed
  • C/I/A (Confidentiality/Integrity/Availability) = High/Low/None

A CVSS 9.8 exposed externally with no patch and known exploit-in-the-wild is your "drop-everything-and-fix" signal.

A 6-week plan (Security+ already passed)

If you don't have Security+, add 3–4 weeks of foundational study before this plan.

Week 1: Threat intelligence + frameworks

Memorize the four frameworks above. Read recent ATT&CK group profiles (APT29, Lazarus, FIN7) — you'll see them referenced.

Week 2: Log analysis

Set up a Splunk free trial or use Boss of the SOC datasets. Parse logs daily. Build a personal cheat sheet of suspicious patterns.

Week 3: Vulnerability management + scanning

Run OpenVAS or Nessus Essentials against an intentionally vulnerable VM (Metasploitable, OWASP Juice Shop). Read the output critically.

Week 4: Incident response + digital forensics

NIST 800-61 inside-out. Disk imaging tools, chain of custody, memory forensics (Volatility), network forensics (Zeek, Suricata).

Week 5: Reporting + soft skills + first practice exam

Often skipped, often the difference between a 720 and a 760. Practice writing IR summaries. Take a full-length practice exam.

Week 6: Mixed review + book the exam

Two timed practice exams. Review wrong answers. Book the real one when you score 80%+.

Common pitfalls

  • Treating CySA+ like Security+ Plus. It's not. CySA+ is hands-on and analytical; Security+ is conceptual.
  • Skipping the reporting domain. It's 17%. Easy points if you study, easy losses if you don't.
  • Memorizing CVE numbers. Don't. The exam tests how to triage, not which CVE matters.
  • Ignoring SOAR. Security orchestration, automation, and response — playbooks, automated containment, ticketing integrations. It shows up on at least 2–3 questions.

After CySA+

CySA+ is mid-tier. The natural next moves:

  • Stay defensive → CompTIA SecurityX (CASP+) for advanced practitioner topics, or GCIH / GCFE for SANS-track depth.
  • Pivot offensive → CompTIA PenTest+ for red-team fundamentals, or directly to OSCP if you have time.
  • Management track → ISACA CISM or ISC2 CISSP once you have 5 years of experience.
  • Cloud security → ISC2 CCSP — the cloud-specific defensive analog.

Frequently asked questions

Is CySA+ harder than Security+?

Yes. Substantially. CySA+ assumes you know everything Security+ tested and can apply it to live data. The PBQs are deeper and the multiple choice has fewer "obvious" wrong answers.

Do I need Security+ before CySA+?

CompTIA recommends it but doesn't require it. You can attempt CySA+ directly, but unless you have 3+ years of SOC experience, you'll waste money.

How much does CySA+ cost in 2026?

Voucher is around $425 USD from CompTIA. Same price as Security+, but the prep time and material cost are higher.

Is CySA+ on the DoD 8140 list?

Yes. CySA+ is approved for IAT Level II and CSSP Analyst, Infrastructure Support, Incident Responder, and Auditor roles.

CySA+ or PenTest+ — which is more valuable?

Depends on the role you want. CySA+ is twice as common in defensive/SOC job postings; PenTest+ is more common in red team and consulting postings. SOC roles outnumber pentest roles roughly 5:1, so CySA+ is the safer bet for a first cyber job.
