Cybersecurity cert-prep add-on

CompTIA CySA+ Exam Prep Add-On

Convert SOC Analyst Fundamentals into a CySA+ (CS0-003) ramp for the Tier 2 SOC analyst credential.

$147 add-on45h additional studyTarget exam: CompTIA CySA+Exam fee: $404

What the add-on ships

++Four domain reviews mapped to the official CompTIA CySA+ CS0-003 exam objectives
++Four full-length 85-question mock exams in PBQ format
++Detection logic and log-analysis worked examples (the heart of CS0-003)
++Incident response and vulnerability management scenario library
++Direct link to the official CompTIA exam blueprint as the canonical reference

Built on the parent course

++SOC Analyst Fundamentals six-module curriculum aligned to NIST SP 800-61, NIST SP 800-92, and MITRE ATT&CK
++Detection, triage, containment, and hunting practice from the parent course that maps directly to CySA+ PBQ scenarios

Parent course: soc analyst fundamentals

Best for

++SOC Analysts moving from Tier 1 to Tier 2 with CySA+ as the validating signal
++Vulnerability management specialists building toward DoD 8140 Cyber Defense Analyst role assignment
++Threat hunters early in career looking for the next credential after Security+

Practice surface

++Four PBQ-format mock exams in the CompTIA scenario style
++Log-analysis worked examples (Windows event logs, syslog, EDR telemetry)
++Targeted weak-area question drilling per CySA+ exam objective

Buy the add-on

$147 on top of the soc analyst fundamentals parent course. Lifetime access to the practice materials, mock exams, and exam-day worksheets.

See the parent course

Exam summary

CompTIA CySA+ (CS0-003) is CompTIA's Tier 2 SOC analyst credential. Four domains spanning security operations, vulnerability management, incident response, and reporting / communication. 85 multiple-choice and performance-based questions, 165 minutes, passing score 750 on a scaled 100-900 scale. DoD 8140 approved for Cyber Defense Analyst and Cyber Defense Incident Responder work roles.

Domain reviews

Security Operations

33%

The largest domain. Log analysis, monitoring, threat hunting, SIEM tradecraft, malware analysis fundamentals.

++Log sources: Windows event logs, syslog, EDR telemetry, network flow
++SIEM correlation rules and query languages (KQL, SPL)
++Threat hunting hypotheses and methodology
++Network analysis: PCAP review, IDS/IPS tuning
++Malware analysis: static, dynamic, sandbox analysis

Primary sources:

Vulnerability Management

30%

Discovery, analysis, prioritization, validation, and reporting of vulnerabilities.

++Scanning: authenticated vs unauthenticated, agent-based, OSINT
++CVSS v3.1 and v4.0 scoring
++EPSS for exploitation prioritization
++CISA Known Exploited Vulnerabilities (KEV) catalog
++Validation: false-positive analysis, exploit proof-of-concept

Primary sources:

Incident Response and Management

20%

NIST SP 800-61 Rev. 2 lifecycle applied at Tier 2 depth.

++Preparation, detection and analysis, containment, eradication, recovery, post-incident
++Containment strategies: short-term vs long-term, isolation, evidence preservation
++Evidence handling: order of volatility (RFC 3227), chain of custody
++Lessons-learned process and after-action reporting

Primary sources:

Reporting and Communication

17%

How to communicate findings to technical and non-technical audiences.

++Vulnerability report structure, severity classification, remediation timeline
++Stakeholder identification and audience-appropriate communication
++Compliance reporting: GDPR Article 33, SEC cybersecurity disclosure, HIPAA breach notification
++Metrics and KPIs for SOC and vulnerability management programs

Primary sources:

SEC Cybersecurity Disclosure Rules

Practice scenarios (6)

Practice scenarios are scenario-based learning, not exam-question mimicry. Each scenario maps to a specific exam domain and includes a worked explanation plus a primary-source citation. Reproducing actual exam items would violate the cert body's NDA; the format here exercises the same underlying concepts under different surface phrasing.

Preview scenario 1 of 6 · Security Operationsfree preview

A SOC analyst reviews EDR telemetry and sees a PowerShell process spawned by Microsoft Word, then a network connection to an unfamiliar external IP. Which MITRE ATT&CK technique best describes the initial pattern?

A. T1078 Valid Accounts
B. T1059.001 Command and Scripting Interpreter: PowerShell, often invoked via T1566 Phishing or T1137 Office Application Startup
C. T1490 Inhibit System Recovery
D. T1003 OS Credential Dumping

Answer: B

Word spawning PowerShell with network egress is the canonical macro-or-template-exploit pattern. T1059.001 (PowerShell execution) is the named child technique; the parent chain typically involves T1566 (phishing) or T1137 (Office startup). Valid Accounts, Inhibit System Recovery, and Credential Dumping are different tactics and do not fit the observed signal.

Reference: MITRE ATT&CK T1059.001

Unlock the rest

5 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $147 one-time, lifetime access.

Exam-day strategy

++Read each PBQ question slowly. The question is the largest weight on the exam and the PBQ scenarios often hinge on a single detail.
++On log-analysis PBQs, look for the deviation from baseline first. The exam tests whether you can spot what is unusual.
++Memorize the NIST SP 800-61 Rev. 2 phase names exactly. Containment-Eradication-Recovery and Post-Incident Activity are the names CySA+ tests against.
++Watch for distractors that confuse CVSS (severity) with EPSS (exploitation likelihood).
++Pace at roughly 1 minute 50 seconds per question. Flag and return on PBQs that need deep log review.

Additional resources

Sources

Official CompTIA CySA+ exam page (certifying body)

Exam fee and blueprint last verified 2026-05-22. Confirm current values with the certifying body before scheduling the exam.

What the add-on ships

++Four domain reviews mapped to the official CompTIA CySA+ CS0-003 exam objectives

++Four full-length 85-question mock exams in PBQ format

++Detection logic and log-analysis worked examples (the heart of CS0-003)

++Incident response and vulnerability management scenario library

++Direct link to the official CompTIA exam blueprint as the canonical reference

Exam summary

Domain reviews

Security Operations

33%

The largest domain. Log analysis, monitoring, threat hunting, SIEM tradecraft, malware analysis fundamentals.

++Log sources: Windows event logs, syslog, EDR telemetry, network flow
++SIEM correlation rules and query languages (KQL, SPL)
++Threat hunting hypotheses and methodology
++Network analysis: PCAP review, IDS/IPS tuning
++Malware analysis: static, dynamic, sandbox analysis

Primary sources:

Vulnerability Management

30%

Discovery, analysis, prioritization, validation, and reporting of vulnerabilities.

++Scanning: authenticated vs unauthenticated, agent-based, OSINT
++CVSS v3.1 and v4.0 scoring
++EPSS for exploitation prioritization
++CISA Known Exploited Vulnerabilities (KEV) catalog
++Validation: false-positive analysis, exploit proof-of-concept

Primary sources:

Incident Response and Management

20%

NIST SP 800-61 Rev. 2 lifecycle applied at Tier 2 depth.

++Preparation, detection and analysis, containment, eradication, recovery, post-incident
++Containment strategies: short-term vs long-term, isolation, evidence preservation
++Evidence handling: order of volatility (RFC 3227), chain of custody
++Lessons-learned process and after-action reporting

Primary sources:

Reporting and Communication

17%

How to communicate findings to technical and non-technical audiences.

++Vulnerability report structure, severity classification, remediation timeline
++Stakeholder identification and audience-appropriate communication
++Compliance reporting: GDPR Article 33, SEC cybersecurity disclosure, HIPAA breach notification
++Metrics and KPIs for SOC and vulnerability management programs

Primary sources:

SEC Cybersecurity Disclosure Rules

Practice scenarios (6)

Preview scenario 1 of 6 · Security Operationsfree preview

A. T1078 Valid Accounts
B. T1059.001 Command and Scripting Interpreter: PowerShell, often invoked via T1566 Phishing or T1137 Office Application Startup
C. T1490 Inhibit System Recovery
D. T1003 OS Credential Dumping

Answer: B

Reference: MITRE ATT&CK T1059.001

Unlock the rest

5 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $147 one-time, lifetime access.

Exam-day strategy

++Read each PBQ question slowly. The question is the largest weight on the exam and the PBQ scenarios often hinge on a single detail.

++On log-analysis PBQs, look for the deviation from baseline first. The exam tests whether you can spot what is unusual.

++Memorize the NIST SP 800-61 Rev. 2 phase names exactly. Containment-Eradication-Recovery and Post-Incident Activity are the names CySA+ tests against.

++Watch for distractors that confuse CVSS (severity) with EPSS (exploitation likelihood).

++Pace at roughly 1 minute 50 seconds per question. Flag and return on PBQs that need deep log review.