CompTIA CySA+ certification changes: Everything you need to know

Information security analyst is the fastest growing job category in the U.S., with 32 percent overall growth expected between 2018 and 2028. Take advantage of this opportunity and learn about the updated CompTIA CySA+ certification, which was refreshed in April 2020 to align with the most in-demand skills in this growing field.

Join Patrick Lane, Director of Products at CompTIA, in this audio version of our webinar to learn everything you need to know about the latest CySA+ certification and exam (CS0-002), including evolving security analyst job skills, common job roles for CySA+ holders, tips to pass the updated CySA+ exam and questions from live viewers.

– Get your FREE cybersecurity training resources:
– View Cyber Work Podcast transcripts and additional episodes:

[00:00] CS: It’s celebration here in the studio, because the Cyber Work With Infosec podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a Best Cybersecurity Podcast Gold Medal in our category. We’re celebrating, but we’re giving all of you the gift. We’re once again giving away a free month of our Infosec Skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments.

To take advantage of this special offer for Cyber Work listeners, head over to or click the link in the description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, c-y-b-e-r-w-o-r-k, no spaces, no capital letters, and just like magic, you can claim your free month. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.

Enough of that, let's the begin episode.

[01:04] CS: Welcome to another episode of the Cyber Work with Infosec podcast, the weekly podcast in which we talk with a variety of industry thought leaders to discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals as well as offering tips for those trying to break in or move up the ladder in the cybersecurity industry.

Today’s podcast episode is the audio from a webinar we released on April 29th entitled CompTIA CySA+ Certification Changes: Everything you need to know. The role of information security analyst is the fastest growing job category in the US at the moment with 32% overall growth expected between 2018 and 2028. If you’re thinking of moving your skills and career in this direction, check this episode out to learn about the updated CompTIA Cybersecurity Analyst or CySA+ certification. It received a refresh in April of 2020 to align with the most in-demand skills in this growing field. What are those skills?

With us today, our guest, Patrick Lane, Director of Products at CompTIA, will teach us everything you need to know about the CS0-002 certification exam updates including the evolving job skills of security analysts, common job roles for CySA+ holders, tips to pass the updated CySA+ exam, and we took CySA+ questions from live viewers, which you’ll get to hear.

Now let’s zip you over to the webinar with Patrick Lane and moderator, Camille Raymond, entitled CompTIA CySA+ Certification Changes: Everything you need to know.

[02:34] CR: A little bit about Patrick, is Patrick directs the IT workforce skills certifications for CompTIA, including Security+, PenTest+, CySA+ and CASP+. He assisted the US National Cybersecurity Alliance to create the lockdown your log-in campaign to promote multi-factor authentication nationwide. He has implemented a wide variety of projects, including an internet and help desk for 11,000 end users.

Patrick is an Armed Forces communications and electronics association lifetime member. Born and raised on US Military bases and he has authored and coauthored multiple books including Hack Proofing Linux: A Guide to Open Source Security.

Patrick, you have an extensive background. We are so happy to have you today and excited to hear about the updates that we are seeing from CompTIA. I will go ahead and kind of turn it over to you.

[03:32] PL: Wonderful. Thank you very much, and it’s an honor to be here speaking with you. I am one of the shepherds of the Security+, CySA+, PenTest+ and CASP+ certifications as you hear. In that responsibility at CompTIA, I want you to know that IT jobs, they’re still available. If you go to our information at or in the US, which is where we have the immediate data from, we’re still seeing IT hiring taking place and there are still IT jobs available for you.

As you learn about the topics today for the security analyst job role skill, you need to understand that there are jobs available right now. It doesn’t appear that cybersecurity is taking a hit right now. We’re going to be monitoring the situation, of course. But at the moment, we’re still looking good and we’re encouraging everyone to continue to get IT certifications and to get jobs.

I just talked with a fellow yesterday or on Monday from India got a raise because he earned the CySA+ certification. If companies like Verizon are giving raises and stuff in this environment, I think that we’re going to find a lot of need and demand in this industry still for skilled workers.

What we’ve had to do, CompTIA, is move all of our exams online due to COVID-19. As of April 15th, all of these exams are available online, including A+, Network+, Security+, PenTest+, CySA+, CASP+, Cloud+, Linux+, Server+, all of them are available online now. I think the only one that’s not is CTT+, and that’s an instructor certification which requires a video recording of yourself.

All of the exams that you’re used to taking at a Person VUE testing center are now online through, it’s called OnVUE. If you have a voucher and you need to register, go to the Pearson VUE site and when you use your voucher, it will give you a choice of if you want to take the exam online or on-ground. At that point, that’s your decision to make probably depending on the local government lockdowns in your area, depending on which way you want to take it.

We want to make this announcement to everyone. Thank you, Infosec, for letting me make this statement.

[06:25] CR: No problem. Happy to have you on.

[06:28] PL: All right everyone. Here is the agenda. I’m going to first talk about why did CompTIA create CySA+. We’ll talk about the cybersecurity pathway. We’ll talk about the updates in CS0-002 and we’re also going to talk about some of the specific details of the cert and we’ll wrap up with a question and answer section.

Why did CompTIA create CySA+? We created it because after the 2013-2014 attacks, we found that cybersecurity needed to go in a new direction. In the past, we were using signature-based tools, things like firewalls, and it was a fortress mentality, that if you had your company inside that fortress and you had a firewall and antivirus software, you could pretty much believe that you were secure, and that was the understanding throughout the 1990s and the 2000s.

But as we got to the 2010s, what happened is that the bad guys got as smart as the good guys and the bad actors learned ways to get inside the network. The cybersecurity industry look at new tools, new tools based on behavioral analytics. This new set of tools – Or they weren’t new. They’d actually been around forever, but now we realize we need them, so they became popular. These new tools are based on behavioral analytics. They include things like a packet capture tool, an intrusion detection system. They secure the information in an event management system, and there are a lot of threat intelligence material out there as well.

We had to begin looking inside the network and we had to start looking for anomalies on the network that indicate bad behavior, and it’s a lot harder than it used to be. These tools allow you to filter all of your network traffic and they will flag with a security alert something, some activity that’s occurred on your network or with one of your systems that indicates there may be malware on your system, some kind of incident that you’re going to have to look at.

These tools will provide flags. They will say, “Here’s something that looks like an issue that you need to look at.” As a security analyst then, you would say, “Okay, great. I’ve been monitoring my network. I have found an anomaly that may indicate that behavior.” Now I have to figure out how I’m going to respond to that incident. Security analysts are also responsible for this incident response. You can see it was a real sea change in the cybersecurity world. We’ve gone from signature-based solutions to behavioral analytics solutions. You need both kind of tools running on your network, but you also need both kind of employees and IT pros who have these skills.

There were five main areas. In fact, the exam is based on these five areas. Each one of these bullet points at the bottom of this page is basically one of the domains on the exam. You have to be able to do five things at least. You need to be able to leverage threat intelligence and threat detection techniques. You need to be able to analyze and interpret data that you find.

You need to be able to identify and address the vulnerabilities that you find and you have to be able to suggest preventive measures and implement those measures through incident response. You also have to effectively respond to recover from incidents, and recovery and reporting is one of the issues we’re going to talk about later.

There's been a lot of additional security risk with COVID-19. The headlines just in the last two weeks have been very alarming. CompTIA has written a blog that covers basically how CompTIA believes IT pros need to prepare themselves in this current environment, but it also talks about how companies in general need to protect themselves, and that includes end-user training as well. If you can, if you wouldn’t mind, there is a blog that we've written recently and a video to boot, but the blog is basically cybersecurity and the remote workforce. What IT pros need to do?

In there, we cover basically how we need to focus more on risk management, because a lot of the risks that have occurred with COVID-19 or because we weren’t prepared, the IT industry has not implemented enough risk management. What has happened with COVID-19 is, as IT professionals and organizations in general saw COVIT-19 coming, we didn't think that it was going to be a big deal. So we weren’t preparing for it. But suddenly I think it was on March 13th, it suddenly was a big deal. So we were all sent home, and unfortunately most of us, most companies that I’ve spoken with, none of us were prepared. So we’ve been left scrambling trying to protect our remote workforce after the remote workforce went home.

If you look at risk management best practices, that is not the best practice and you would usually want to set up things well in advance, but I don't think pandemic was at the top of many of our lists as a risk. Moving forward, we’re going to find a lot more risk management. CompTIA is going to be pushing IT risk management, and maybe we even need certifications in it so this doesn't happen again. Anyhow, please go visit that blog and just know that we've got solutions as far as skills go.

If we look at CySA+, why we created it? CompTIA created it as a direct response of this need for security analysts and this new world of behavioral analytics-based tools. This has been the fastest growing certification in CompTIA’s history. Also, the security analyst job role is also the fastest growing job role in history according to the US Bureau of Labor Statistics. The first three months of 2016 right after the big hacks, the historic hacks, we immediately saw a huge bump. Within three months, that job role increased 8% in the US, which is a record that that is yet to be beaten.

The CompTIA cybersecurity career pathway represents CYSA+. If we look at the pathway from core skills certifications, start from the basics with ITF+, and that's Internet Technology Fundamentals Plus, we start with that because it's really great for people who are going in the IT career and they want to find out where they want to go. Covers a little bit of programming, a little bit of infrastructure, a little bit of cybersecurity. If you take that course, it's really good survey course. Something you would take if you were trying to figure out a career for yourself, and it’s been very effective in helping people because you’ll learn quickly if you don't like programming. You’ll learn quickly if you don't like cybersecurity, and you’ll learn quickly if you don’t like infrastructure. I recommend that course for everyone.

Then we would go into A+ for devices and support of those devices, support desk, helpdesk. Network+, which is network administration. Then, Security+, which actually teaches you how to secure the network. An important note for anyone who’s taking Security+, you have to know networking skills before you can take Security+ because you'll have a hard time passing Security+, because you can't secure a network unless you know how the network works.

After Security+, it’s then a pathway we find, is a lot of people would go into either infrastructure where they want to stay in the IT infrastructure team or if they want to go in the cybersecurity, and cybersecurity is a whole separate set of tasks. What we have is a split in the pathway where if you take the cybersecurity career pathway, you’d immediately go to CySA+ and PenTest+. CySA+ and PenTest+ represents a blue team and red team testing. CySA, security analyst, is a blue team certification. They're basically playing defense. However, as you're going to find out, you’d become a lot more aggressive with our defense. In fact, we often say we’re going on the offense with our defense. You'll find out why later.

Also, PenTest+, the red team. That's the team that implements the penetration testing, the vulnerability assessment. Also, we’ll tag items that need to be managed in that process. PenTest+ is really the red team, finding vulnerabilities. CySA+, blue team, trying to defend the network against those hackers that are coming in. Many of the organizations we speak with do red team blue team drills within their organization to keep their pen testers and their security analysts on their toes.

Last one is the CompTIA advanced security practitioner, CASP+. That teaches the advanced skills of the security architect, security engineer. It’s a five years+ skill level, and that is a good one for cybersecurity professionals who want to stay hands-on on the keyboard, who want to say technical. They don't want to go into the management aspect. CASP has been used of people in the Navy 5 years+, 10 years+ to assess their skills especially in their forward operations for cyber command.

Job growth indicators are still strong. Right now, information security analysts, they’re still making around $100,000 a year. Also, it’s important that you get a certification such as CYSA+, because right now, 80% of all hiring managers are looking for certifications to make their IT and cybersecurity hires. 80% of them. Why? Because most hiring managers don't have any idea about the technology. If you said, “Hey, I need to find somebody who's really good at threat intelligence with the MITRE navigation.”

You might have someone say, “What?” But if you said – Someone's resume, look for CYSA+, the CompTIA security analysts cert. That will teach them that has those skills in it. Just look for that on their resume. Yes, that is something a hiring manager can do, and that's what they’re already doing 80% of the time. Also, the security analyst job in particular is growing faster than the others. As you can see, it's got like almost a 30% growth rate.

We update our exams every three years. Just keep them up-to-date. It's part of our continuous improvement loop. It’s also an ISO ANSi requirement that we’re under 17024. What we’re finding as we’ve been updating CYSA+, that it is kind of a moving target. 80% of this job role remains the same from three years ago, but 20% of it is a moving target. Those of you teaching or if you're teaching this course or if you’re going to get taught in this, you'll see that security analysts core skills remain the same, and that's continuous security monitoring. Monitoring everything on the network 24/7, trying to find threats and responding to them.

The core function is going to be the same. But remember, I talked about that 20% that's changed? Let's look at that. Right now there's more focus on software security. In the past, we just focused on systems. Now we’ve got a focus on software two. Why? Over the past five years, we've invested in billions of dollars into network security. The networks are more secure. The investments have paid off. IT pros are telling us now that software is becoming more of the problem, because software that’s being released on to the networks isn't being tested properly. We have to test our software. We have to be able to update it when it's out there. We need to focus more on software security.

Actually, one of the domains in the new version covers software in systems security. Also, there is a growing trend on going on the offense with defense that I mentioned earlier. This is becoming more and more important, particularly with threat intelligence. I'll talk more about that when we talk about tools.

There’s also more of an emphasis on incident response. Incident response is changing. Incident response is changing because there is less traditional operating systems out there. We’re finding far more embedded IoT devices with custom operating systems on them. Perhaps just a very – How would I say it? Just you’ve got some seriously stripped down versions of the Linux kernel out there that don't have basic ports blocked and such.

A lot of this is very easy to fix. It’s just the thought has to be taken in order to add it into the software development process. If you're a developer, please practice secure DevOps skills. Please practice the DevSec ops skills. We hear it both ways, secure DevOps and DedSec ops. This is an area the industry needs to focus on.

Lastly, the increased IT regulatory environment. What we have there is we’re finding more and more of our companies, the majority of them that we work with, are being regulated, and they’re being regulated by very huge privacy laws in some cases, such as GDPR, the California Privacy Protection Act. You also have things like SOCs, PCIDSS, it’s the payment card industry data security standard.

We did a survey of like – I think we did a survey of our Security+ students, and the majority of them are being regulated, and the majority of them don't like it. Regulation can be a hassle, but if we approach it and learn about it in advance, what we could do is be prepared for it, because what it involves, especially with security analysts, it involves you to report. You need to be able to report up the chain of command for these regulatory security controls so that you can ensure that they've been met.

There's a lot of talk in the new security analyst exam of this increased IT regulatory environment and what we have to do to prepare for it. How did the industry changes affect these job roles? Everything I’ve outspoken about is reflected in the new job roles for CS0-002. If we look at the left-hand side of the table on your screen, the main job roles are still security analyst, security engineer and threat intelligence analyst. When we look for the jobs that are listing CYSA+, these are the three main job roles.

There are secondary job roles that have appeared though. The last job task analysis called these secondary job roles. These are jobs that part of the job requires security analyst skills. So you have to know about them. The primary job roles have remained the same, and that focuses on continuous security monitoring, and that's going to be the position security analyst, security engineer, threat intelligence analyst. But those secondary jobs I was talking about, let's look at them. The one that focuses more on software security is application security analyst. That’s the new job role that’s appeared with the new version.

Another is threat hunter, and that's the idea of going on the offense with defense. A threat hunter is a position that actually looks outside of the security operations center for threats that you're not capturing in the security operations center. Things that might be escaping your SIMS, your security information event management system.

There is also a lot of research involved with it. I'll be talking about some of the tools and threat intelligence tools you're going to find, but doing analysis, working with spreadsheets in these attack navigators, you'll see a lot of this is analysis of data and there’s a great amount on the Internet that we can look at and a huge emphasis on the threat modeling. Actually looking at the actors in your industry, and we can protect ourselves pretty well now off those some large databases we've gotten by industry over the past three years over which attacks are occurring. To which industry and which groups are attacking those industries? Because we’re finding, they all mimic themselves.

All right. Oh! The incident response increase, that also includes automation. Are you familiar with security orchestration and automated response? That's listed in the new certification. Companies like Splunk are creating or purchasing new companies such as Phantom. Splunk purchased Phantom, because what Phantom does is it's a SOAR device, and it can actually send calls to a security information and event management system such as Splunk to automate some of the responses. Only the simple ones, such as quarantining a system that's communicating with a command and control system, for example. Phantom is great at that. Phantom sends calls and playbooks.

If there is a certain incident that you’ve detected and you have a playbook for it, such as the playbook for quarantining a device, it can make those basic moves for you. That doesn't take away anyone's job. It just allows security analysts to get through nine 90,000 security alerts a day that we have been. One of our companies we work with gets 90,000 security alerts a day. How do you get through that many? You need to make some serious changes if that's the case, and you could use some automation as well.

Automation, by the way, in cybersecurity is just to get the job done, because it's not getting done right now. With automation, we have not seen any job losses. All we have seen automation for in cybersecurity is to try to get the job complete. I think it's important that we view automation that way in this industry just to get the job done to take people's jobs away.

Also, increased IT regulatory environments, the compliance analyst position in particular has come up as a job role that people are advertising for and including CySA+. This is one of the job requirements. I wanted to mention these new job roles for you. These are, as I said, secondary job role. What it can do, it gives us a great leading indicator on where the security analyst position is going. I mean, perhaps in three more years, we might have almost half threat intelligence. Let's see what happens. But anyway, I thought this was really interesting and I wanted to share it with you, more jobs available for you.

Here are the six main changes between the previous version and the new version. Most of the changes are reflected in those industry job roles I was talking about. Just the effect it would have on the exam objectives. Threat vulnerability management, 22% of the exam covers that. In the old version, there is actually two domains related to that. However, as cybersecurity because more complicated, we’re finding a lot of these basic threat and vulnerability management skills are going down the Security+, and more of the analysis aspect of it is now covered in security analyst. This only makes sense.

If you want to go on to security – If you want to be a security analyst, make sure that you have network and Security+. If you don't have Network+, make sure you understand the fundamentals of networking, and Security+ is all about securing the network. If you understand those core cybersecurity functions, it makes the security analyst job far easier.

Also, next, you see software and vulnerability management. Three years ago, there was only systems management. Software is now coming to the forefront. Three, security operations and monitoring, this focuses on the functions of a security operations center, which is continuous monitoring. That has been the core function of a security analyst throughout time and it still is the core function of a security analyst. Incident response, that too now focuses more on threat intelligence. Then the response to different environments and different devices that we haven't had to deal with as much before, but now we have to identify and track and monitor them.

Then compliance and assessment is now an entire domain. Think about that. Compliance and assessment is its own domain in the new version. This is just assigned to all of us that we have to understand regulations. We have then to understand how to comply to them. In cybersecurity, we have to understand the security controls, because ultimately each one of the regulations that we have to comply to, to us, is just a series of security controls.

A security control might include monitor the network continuously and find and identify threats and respond to them. That might be one of the security controls. You as a security analyst then have to support that security control. What's that going to involve from you? Reporting. It's going to have you look at visualization tools and be able to report out from those visualization tools that would show proof that that is being accomplished. Now you of course will usually work with a manager for this role, but it's important that you understand these concepts as an IT Pro. We’ve been able to ignore regulatory in the past. No more. It is becoming more and more important that you know these skills.

Now, the next two slides, we can actually forward. We can just forward through them. This is additional information on those changes I was talking about. So you can go one more. But that way, you have a reference.

All right, let's take a look at the new exam specifically. The new exam code is CS0-002, and if we take a look, here's a summary of all that we’ve discussed so far. It talks about it’s an exam, CS0-002. It's a vendor-neutral certification that will determine an IT pro's ability to proactively defend and continuously improve the security of an organization. It’s going to do this by leveraging intelligence, threat intelligence techniques, analyzing the data, identifying vulnerabilities, suggesting preventive measures and then responding to and recovering from those incidents all while doing it in a compliant manner.

Organizations that helped us out were across-the-board. We had people both from the government and from corporate and from small to medium-size businesses. We also have a global representation. We tried to focus on healthcare, finance, all of the different industries that are represented by IT. In it, you'll find companies like Netflix, RxSense, Spoon Consulting, also KirkpatrickPrice, Paylocity, Japan Business Systems, as well as Boulder Community Health. We try to get some smaller health organizations too, because the health organizations seem to be coming under attack right now in particular. We have developed this with HIPAA in mind, as well and SOCs in mind, as well as PCIDSS in mind, as well as DoD FISMA in mind. New way of thinking, folks. As you can see, the people who are helping us with this, a lot of them are just larger companies.

Next, the CyAS+ exam will include hands-on performance-based simulation. There are three main categories, because you have to be able to do hands-on work as well as analysis work using these tools. The three main categories of tools you may be tested on in the CySA+ exam are network protocol analyzers, such as Wireshark, network intrusion and detection systems such as Zeke, which used to be called Bro, but now it’s Zeke. Then Snort, also, security information and event management software.

It's important to note with the SIMS software, the open threat exchange. That is threat management software and we’re finding threat management is becoming far more important and the whole idea of threat intelligence. An open threat exchange, such as OTX, will bring in bulletins from around the world of current cybersecurity issues. You can look through those and determine if you need to make any changes to yourself and your own network. They are very valuable, but there're new tools that have been introduced at least over the last five years. But one is the profile likely attackers on your network, because it's going to make a big difference if you're a bank, you’re on ISP or if you're even CompTIA.

There's a really great tool out there called the MITRE ATT&CK Navigator, and in there you can actually identify the different threat groups out there. You can identify who they're attacking. But I think the best thing apart it is that you can determine based on your company what role you are. If you're a healthcare company, it will actually show you what the hackers are attacking, which resources they're attacking, and playbooks for how you can defend against those attacks.

Tools like that are becoming more important, because if you’re a company, you want to know where they're going to attack and how you can defend yourself down there. I mean, if a hacker is coming at your face, did you want put too much to protect your stomach? Too many resources to protect your stomach when they're going to be going for your face? No. You want to basically put on that facemask possibly before you protect your stomach. That's the idea, and it appears to be very, very effective. So, we encourage that.

Here are the exam objectives for CS0-002. We launched it April 21st. It's available worldwide. The pricing retail USD is 359. The testing provider is Pearson VUE Testing Centers, and now on VUE. This exam is the first CompTIA exam to be released online for its debut. There are multiple choice and performance-based questions, 85 questions. The test as long, it’s 165 minutes. Pass rates the same in Security+, 750. It's only in English at the moment. That may change. Right now, only English. The prereqs, we really recommend you have Network+, Security+ or equivalent knowledge.

Also, where this lands in a career, security analysts are usually around the four-year level because it takes a while to get that experience. But if you learn those skills now, then you could come up through the ranks, IT helpdesk, network administrator, security administrator all the way up to a security analyst. Also, it's important to note the old version CS0-001. The old version is going to retire in October. If you have a voucher for CySA+, it will work on either version. Your voucher will work for 001 or 002.

All right. Next, I'm just going to take a very quick skip through these domains. First is threat and vulnerability. I just want to point out here, we’re focusing on the cloud as well. What we're finding is that about 55% of all of our Security+ alumni who were making up 10% of the industry, at least, are working in the cloud now. Our frontline employees are now working on the cloud more than they’re working on-prem. We believe moving forward, everything is going to be a hybrid environment. There may be very little discussion about it. When we talk about a network, we assume hybrid moving forward. Maybe we won’t even be mentioning the cloud anymore. It just will be what is.

Next please. Software and system security as I said, if you're not aware of the security, the software development lifecycle or secure programming practices, you need to focus on domain too. It's a new area for us. We’ve typically just analyzed systems. Now we’re analyzing software. We have to understand that process for the first time.

Domain three. Remember, this is the core job function. It really focuses on security monitoring –

[39:06] CR: All right. Not sure. It looks like we lost Patrick for a moment here. I think why don't we go ahead and we will skip to the end of the presentation. Hopefully we’ll get him to join back on. A few people are asking about CPEs. You can submit this webinar as a CPE hour for your certifying body. Go ahead and remember to check though as it varies a little bit with each different – With each different certifying body as to what counts, but we would be happy to give you a certificate of completion for those of you who joined us today.

[39:45] PL: This is Patrick.

[39:45] CR: Patrick is back. Hi Patrick. Yay!

[39:48] PL: Yeah. I'm using my phone to get back. Sorry about that. I’m on my iPhone now. Well, where are we at now? I’m ready to move forward, and I've turned off my video.

[39:59] CR: Perfect. Thanks everyone for your patience, and we appreciate everyone's adaptability as some of us have are working from home and in different settings than we’re used to. Appreciate everyone's flexibility there.

Patrick, I've got the slide back out for domain three, which is the security operations and monitoring. I believe that is where we left off.

[40:21] PL: Yes. That was an excellent recovery, by the way. Okay. Domain three, as we were speaking of, I was just talking about the proactive threat hunting there, and that is that job threat hunter where we’re searching outside of the security operations center for threats that we aren't catching usually. This is happening more and more, and I consider that like a rover in soccer, where you go to wherever you are needed.

Domain four, incident response. I’d mentioned, we’re broadening incident response to cover more types of indicators of compromise that are beyond our traditional systems. But another we need to focus on his basic digital forensics techniques. If you really are going to be focusing on these new IoT devices and these embedded systems, unfortunately, each one is a custom operating system. So many times, the only way we can get to the bottom of the problem is to push forensics to the limit and go into reverse engineering. Try to figure out how they developed that kernel. Try to figure out how we can defend against that threat. We’re going to see a little more forensics.

With domain five, which you’ve got understand of course is compliance. We've already mentioned so much more. Compliance is here. So much more compliance is good to be coming your way as data privacy becomes more and more an issue over the coming years. This is an area we need to accept, adopt and live with as IT pros.

Just as a summary slide, this is my last slide I have to cover. I just wanted to say, once again, CompTIA had created security and analyst certification. We created it because the industry had a huge need for this job role and this whole idea of using this new generation of behavioral analytics tools. One last note, I was just talking yesterday with Dr. James Stanger, CompTIA’s chief evangelist. He’s our chief certification evangelist. He is working in threat intelligence a lot right now.

One of the things that he told me is that moving forward, he sees a lot of security analysts really focusing on research and the threat research in particular. When they're looking at that MITRE ATT&CK Navigator, a lot of people are actually downloading information from that, putting into spreadsheets and then using that information to determine who the real threat actors are. I just want to encourage you all to go out there and explore with that tool, because it’s a lot of fun, but it is also going to take you into this new generation of a security analyst’s thought. I hope you enjoy that.

That wraps it up. Thank you everyone.

[43:30] CR: Great, and thank you Patrick and thanks so much for hopping on so quickly after we had our little glitch they're. We have a lot of great questions and unfortunately I don't think we'll get to all of them, but we will try to get through as many as we can on. The ones we don't get to, we will have someone follow up with you regarding.

A couple of questions that we’re going to start with is how long has this certification been around?

[44:01] PL: Oh! We released it originally in 2017 shortly after the historic attacks of the previous several years. We released it originally in I believe February of 2017. This is the second version of it. The second set of exam objectives for it. That's why we're here today and we’re talking about a lot of the differences and similarities between those two, but this job role has only become popular recently.

[44:36] CR: Sure. Now, Patrick, for those listening that already have the version 1 certification. Once version 2 comes out in October, will they have to take that new version or will their version 1 certification still be active?

[44:55] PL: Their version 1 certification will still be active for three years. From the date that they received their certification for 001, they have three years to renew it through a series of continuing education units or they can take CS0-002. If they pass it, they will also renew that way. I would actually encourage people to take the new version if you can, because there's a lot more skills in it that the industry is looking for. But you're allowed to take either version until October when 001 will retire. Then you'll only be able to choose 002 after October.

[45:41] CR: Perfect. Thank you. That answers a couple of questions. A lot of people were wondering regarding that. We have a next question here. With the privacy laws, will the new exam include the California Privacy Law, especially as it is similar to Europe's GDPR? How much involvement to those laws have in the exam?

[46:03] PL: Right. Well, they are going to be covered in that exam. It's more of an explain level. We’re talking more knowledge-based. If we look at Bloom’s Taxonomy, we’re on level 2 with that. We need to be able to explain, discuss the topics, because as far as the way they’re going to impact you personally, well, you're going to be supporting those controls, which are usually going to be implemented by a security manager that you work with.

[46:35] CR: Perfect. We have a question from Daniel regarding machine learning and will there be questions or is there any focus in the exam on machine learning?

[46:48] PL: Right. Yes, there is. That term comes up several different times. We cover machine learning and AI, those topics. I would actually have to take a look to go in deeper to how much they’re covered on the exam, but those topics are covered because we’re finding they’re among the highest trending emerging technologies out there. That is absolutely integrated into this exam.

We’d have to take a stroll through the exam objectives together to learn that. You should be able to download these here. They should be in the resources section of this webinar. Please feel free to download those and search and find the various techniques and topics you're looking for in the exam objectives.

[47:38] CR: Perfect. Thanks, Patrick. A couple more questions that we have coming through, and again, so many great questions here. Thank you to everyone who has submitted. Another question is does CySA+ automatically renew your Security+ certification?

[48:01] PL: Yes, it does. We have a concept that is if you take a higher level certification in the CompTIA security pathway, it will renew the downstream certifications. If you take CySA+, that would renew A+, Network+ and Security+.

[48:27] CR: Fantastic. Great question from Tyrone, and that is great news. I think a great example of why you should keep taking more certifications, because you can only add more knowledge to yourself, and that's great. Looks like we have time for just a couple more here. Another question from Karen is you mentioned the cloud. Does that mean AI will be covered in the exam?

[49:00] PL: I mentioned the cloud, so as AI going to be covered in the exam.

[49:05] CR: Yes, I believe that's what I'm seeing is the question.

[49:09] PL: Right. Now, whether or not it’s tied directly, it’s a good question. Well, we do cover the cloud. We do cover AI and machine learning. I don't know the exact relationship of that.

[49:25] CR: Okay. Sure. We’ll look into that and follow-up then. Perfect. A couple more questions. One more – Sorry. The screen is scrolling on here.

[49:43] PL: I guess more information. Yes, 3.4, comparing contrast, automation concepts and technologies. In that includes workflow orchestration such as SOAR. It does cover scripting, application programming interface integration, automated malware signature creation, data enrichment, threat feed combinations, machine learning, use of automated protocols and standards, continuous integration and continuous deployment delivery is what it's covering.

We’re comparing and contrasting those automated concepts and technologies. Largely, what we’re going to be doing is taking it into a conceptual cloud environment. It is likely that machine learning skills and such that you are speaking of would be higher levels than security analyst, probably five years+. We’re mostly monitoring and doing incident responses, incident response. We are using machine learning, but from a compare and contrast automation concepts and technologies perspective.

[50:51] CR: Great. Thanks for looking into that, and hopefully that adds some clarity to that question there. We’re going to go for our last question here. For those that have this CySA+, can they can grandfathered into the Network+ certification? I think they mean if they skip over some of those earlier certifications, does that grant them those lower ones?

[51:18] PL: Right. All of our – No, it does not. All of our recommendations are recommendations for pre-reqs. There are plenty of people who come out of college with bachelor degrees who are going right into CySA+ and they’re getting hired, and they have bachelor degrees in information systems. We even see people with software bachelor degrees. But for bachelor degrees, we’re finding often times they can just jump right into the security analyst position, believe it or not. I’ve heard several examples of that from various CISOs. Do that help answer the question? Perhaps you’d ask it again.

[51:59] CR: Yeah.

[52:00] PL: Okay.

[52:01] CR: Yeah. No, I think that did. Jeff, that asked question, if you have further needs, we’d be happy to follow-up with you. We’ll squeeze in one last question here. How long is the certification good for? From Dennis.

[52:16] PL: Okay. It's going to be good for three years from the date you passed. Within that three years, then you have two ways you can renew it. I guess three ways. One is you could get a higher level cert to renew it, like you got CASP+. Another way then you could get the – You could renew it by getting 60 continuous education units over a three-year period, or you could take the new exam, and a lot of people are doing that, and you can just take the CS0-002 exam and that will renew your cert, or if you take CS0-002 right now, in three years, there will be a new CS0-003. If you take 002, in three years, you could also renew if you wanted to take an 003. Right now, if you want to renew 001, you can also just take 002 to do that. There's a lot of different ways to renew. A lot of it just depends on your personal preference.

[53:19] CS: I hope you enjoyed today's webinar episode. Just as a reminder, many of our podcasts also contain video elements and in some cases future walk-throughs and demonstrations that need to be watched as well as heard. These can all be found on our YouTube page. Just go to and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews, other webinars and podcasts. As ever, search Cyber Work with Infosec in your podcast app of choice for more of these episodes. If you wouldn’t mind, we would always love a five-star rating and review in whatever format or platform you use to listen to podcasts. It really does help us out.

For a limited time only, the Cyber Work podcast is offering listeners one free month with our Infosec skills learning platform. to take advantage of this special offer for Cyber Work listeners, head over to or click the link in the episode description. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, no spaces, no capital letters, and use it to claim your free month.

Thanks once again to Patrick Lane and Camille, and thank you all for listening. We’ll speak to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.