CySA+ exam objectives: The 4 domains that will be covered

October 2, 2023 by Daniel Brecht

The Cybersecurity Analyst (CySA+) certification is an intermediate IT credential offered by CompTIA. It's one of the most popular analyst certifications and was updated in 2023 to align with the most in-demand knowledge and skills requested by employers for professionals tasked with security monitoring, incident detection, prevention and response. 

Earn your CySA+, guaranteed!

Get hands-on experience and live expert instruction. Enroll now to claim your Exam Pass Guarantee!

Like its predecessor, CompTIA CySA+ CS0-003 still covers the core knowledge of cybersecurity analysts. But the updated version allows you to demonstrate your understanding of threat hunting and threat intelligence for securing modern IT infrastructure and cloud/hybrid environments while performing compromise recovery and incident response using security analyst tools, implementing Zero-Trust principles, and exercising the latest techniques for combating attacks inside and outside of the SOC. 

This article explores the CySA+ changes since the last exam edition (CS0-002), what is covered by the CySA+ CS0-003 domains, the exam structure, frequently asked questions about the exam, where to take the exam, training resources and more.

What's on the CySA+ exam?

Updating from CS0-002 to CS0-003 was necessary to resolve knowledge gaps in the previous version; the new version adds more in-depth vulnerability management topics, the newest network architecture concepts and the management of pre- and post-incident activities.

According to CompTIA, twenty percent of the exam objectives for the CySA+ credential were updated to cover the following: 

  • Current trends: Evolution of security analyst tools, such as enterprise Security Information and Event Management (SIEM) systems, to include more automated features, such as Security Orchestration and Automated Response (SOAR), to help cyber professionals tasked with incident detection, prevention and response. Other appropriate tools to become familiar with are endpoint detection and response (EDR) and extended detection and response (XDR) which provide monitoring and response that easily integrate across SIEMs. 

  • Cloud and mobile: Expanded coverage of cloud, mobile and zero trust architecture principles for securing digital transformation and protecting an IT infrastructure.  

  • Threat intelligence: More emphasis on threat intel vs. threat hunting, threat feeds vs. threat reports, automation of intel (e.g., automated threat feed) and how to prioritize alerts for better incident response and vulnerability management. 

Note: If you choose to pursue the CySA+ 002 exam, you must take it before it retires on December 5, 2023, to get your CompTIA CySA+ certification. 

A closer look at the objectives you'll need to master on the exam 

The new exam has been streamlined and comprises four instead of five domains. Here’s a breakdown of the key CySA+ domains, subtopics and associated tasks candidates will be tested on. 

Domain 1: Security operations (33%) 

Explain the importance of system and network architecture concepts in security operations. 
  • Log ingestion 
  • Operating system (OS) concepts 
  • Infrastructure concepts
  • Network architecture
  • Identity and access management
  • Encryption
  • Sensitive data protection 
Given a scenario, analyze indicators of potentially malicious activity. 
  • Network-related 
  • Host-related 
  • Application-related 
  • Other 
Given a scenario, use appropriate tools or techniques to determine malicious activity. 
  • Tools 
  • Common techniques 
  • Programming languages/scripting 
Compare and contrast threat-intelligence and threat-hunting concepts. 
  • Threat actors
  • Tactics, techniques, and procedures (TTP)
  • Confidence levels
  • Collection methods and sources
  • Threat intelligence sharing
  • Threat hunting 
Explain the importance of efficiency and process improvement in security operations. 
  • Standardize processes 
  • Streamline operations 
  • Technology and tool integration 
  • Single pane of glass  

Domain 2: Vulnerability management (30%)

Given a scenario, implement vulnerability scanning methods and concepts. 
  • Asset discovery 
  • Special considerations
  • Internal vs. external scanning
  • Agent vs. agentless
  • Credentialed vs. non-credentialed
  • Passive vs. active
  • Static vs. dynamic
  • Critical infrastructure
  • Security baseline scanning
  • Industry frameworks 
Given a scenario, analyze output from vulnerability assessment tools. 
  • Tools
Given a scenario, analyze data to prioritize vulnerabilities. 
  • Common Vulnerability Scoring System (CVSS) interpretation 
  • Validation 
  • Context awareness 
  • Exploitability/weaponization
  • Asset value
  • Zero-day 
Given a scenario, recommend controls to mitigate attacks and software vulnerabilities. 
  • Cross-site scripting 
  • Overflow vulnerabilities
  • Data poisoning
  • Broken access control
  • Cryptographic failures
  • Injection flaws
  • Cross-site request forgery
  • Directory traversal
  • Insecure design
  • Security misconfiguration
  • End-of-life or outdated components
  • Identification and authentication failures
  • Server-side request forgery
  • Remote code execution
  • Privilege escalation
  • Local file inclusion (LFI)/remote file inclusion (RFI) 
Explain concepts related to vulnerability response, handling, and management. 
  • Compensating control 
  • Control types 
  • Patching and configuration management 
  • Maintenance windows 
  • Exceptions
  • Risk management principles
  • Policies, governance, and service-level objectives (SLOs)
  • Prioritization and escalation
  • Attack surface management
  • Secure coding best practices
  • Secure software development life cycle (SDLC)
  • Threat modeling 

Domain 3: Incident response & management (20%) 

Explain concepts related to attack methodology frameworks. 
  • Cyber kill chains
  • Diamond Model of Intrusion Analysis
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • OWASP Testing Guide 
Given a scenario, perform incident response activities. 
  • Detection and analysis 
  • Containment, eradication, and recovery 
Explain the preparation and post-incident activity phases of the incident management life cycle.
  • Preparation 
  • Post-incident activity 


Domain 4: Reporting & communication (17%) 

Explain the importance of vulnerability management reporting and communication. 
  • Vulnerability management reporting 
  • Compliance reports
  • Action plans
  • Inhibitors to remediation
  • Metrics and key performance indicators (KPIs)
  • Stakeholder identification and communication 
Explain the importance of incident response reporting and communication. 
  • Stakeholder identification and communication 
  • Incident declaration and escalation 
  • Incident response reporting 
  • Communications 
  • Root cause analysis
  • Lessons learned
  • Metrics and KPIs 

For more specifics and a comprehensive overview of the topic areas tested, see the CS0-003 exam objectives published by CompTIA.

Get ready to get CySA+ certified 

Just the facts: Frequently asked questions about the exam 

What job roles should take the exam? 

CompTIA CySA+ is valuable for professionals in (or aspiring to) the following job roles: 

  • IT security analyst 

  • Security operations center (SOC) analyst 

  • Cybersecurity specialist 

  • Threat intelligence analyst 

  • Cybersecurity analyst 

  • Incident response analyst 

  • Threat hunter 

  • Vulnerability management analyst 

  • Cybersecurity engineer 

What is the recommended experience?  

Network+, Security+ or equivalent knowledge. Minimum of 4 years of hands-on experience as an incident response analyst or security operations center (SOC) analyst or equivalent experience. 

How long is the exam?  

165 minutes 

How many questions are on the exam?  

The CySA+ test includes a maximum of 85 multiple choice and performance-based questions. 

What is the passing score?  

750 (on a scale of 100-900) 

In which languages is the test available?

The CS0-003 exam will be available in more languages; Japanese, Portuguese and Spanish tests will follow the English version. 

How much does the exam cost?  

$392 USD  

When should I purchase my exam voucher?  

When you feel ready for the test, purchase a voucher and schedule your CySA+ exam.

Where do I purchase my exam voucher?  

Either visit the CompTIA Store or the Pearson VUE site, the authorized testing center.  

What you need to know about maintaining your certification 

After passing the exam and acquiring the CySA+ certification, a candidate must complete the renewal requirements every three years. These consist of paying the Continuing Education (CE) fee ($50 a year or $150 for the three-year cycle) and submitting 60 CEUs (by uploading them to their certification account) before the expiration date of the credential. These steps are required to keep the certification current and valid.


Master the CySA+ objectives & conquer the exam 

To successfully prepare for this test and improve your chances of passing on the first attempt, consider the self-study resources offered by CompTIA and think about a course from an authorized training provider that can offer instructor-led training, learning paths, as well as assessments and role-based roadmaps to validate in-demand cyber skills like threat hunting. If it makes sense for your time and knowledge, you may want to prepare for the test with a CySA+ Training Boot Camp. 

CompTIA suggests that candidates dedicate between 30 and 40 hours of studying before sitting for the exam, but that varies according to existing knowledge of the topics and previous hands-on cybersecurity experience. 

For more on CySA+, visit the Infosec CySA+ hub and watch our webinar, CompTIA CySA+ certification (CS0-003) changes: Everything you need to know.

Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.