CompTIA Cybersecurity Analyst CySA+ Study Notes

Uploaded by Dawn Skinner

CySA+ Objective Notes


CompTIA Cybersecurity Analyst (CySA+) Certification Exam
Objectives EXAM NUMBER: CS0-003
1.0 Security Operations – 33%
1.1 Explain the importance of system and network architecture concepts in
security operations.

 Log ingestion – Log ingestion is the process of collecting, processing,
and storing log data from various sources within an organization's IT
infrastructure. Logs are records of events generated by software
applications, operating systems, network devices, and other components,
capturing details like access, errors, system performance, and user
activities. The purpose of log ingestion is to centralize this data in a single
system, often a Security Information and Event Management (SIEM)
platform, where it can be analyzed for security monitoring,
troubleshooting, compliance, and performance optimization.

o Time synchronization – Time synchronization in the context of
log ingestion refers to aligning the timestamps of logs collected
from various sources across an organization's IT infrastructure.
Since logs come from different systems—servers, applications,
firewalls, and other network devices—ensuring they all share a
consistent time format and are synchronized with a single time
standard (such as Coordinated Universal Time, UTC) is essential for
accurate log analysis and correlation.
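As an added illustration (this code is not part of the study notes), the following Python example normalizes timestamps from three constructed log sources to UTC before they are correlated. The sources, the sample lines, the regular expressions and the assumed UTC-5 clock setting of the syslog host are all invented for the example. It shows why the step matters: three records that look hours apart by their raw clock readings turn out to be the same moment once every stamp is expressed in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records from three sources that stamp time differently
# (made up for this example; not taken from any real system).
SAMPLE_RECORDS = [
    # Firewall: ISO 8601 with an explicit UTC designator
    ("firewall", "2024-03-10T14:05:07Z deny tcp 10.0.0.5 -> 203.0.113.9:445"),
    # Linux syslog (RFC 3164 style): no year and no zone in the stamp
    ("linux-syslog", "Mar 10 09:05:07 web01 sshd[2211]: Failed password for user alice"),
    # Windows event export: local time followed by a numeric UTC offset
    ("windows", "2024-03-10 15:05:07 +01:00 EventID 4625 An account failed to log on"),
]

# Assumed per-source zone for stamps that carry none of their own. In a real
# pipeline this comes from the collector's inventory of each host's clock setting.
SOURCE_TZ = {"linux-syslog": timezone(timedelta(hours=-5))}

ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")
WIN_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) (.*)$")


def parse_record(source, line, default_year=2024):
    """Return (timezone-aware UTC datetime, message) for one line from `source`."""
    m = ISO_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        return ts.replace(tzinfo=timezone.utc), m.group(2)
    m = SYSLOG_RE.match(line)
    if m:
        # Syslog omits the year; assume the collector supplies the current one.
        stamp = " ".join(m.group(1).split())  # collapse the double space before days 1-9
        naive = datetime.strptime(f"{default_year} {stamp}", "%Y %b %d %H:%M:%S")
        local_zone = SOURCE_TZ.get(source, timezone.utc)
        return naive.replace(tzinfo=local_zone).astimezone(timezone.utc), m.group(2)
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
        return ts.astimezone(timezone.utc), m.group(2)
    raise ValueError(f"unrecognised timestamp format from {source}: {line!r}")


def normalize(records):
    """Return (utc_iso, source, message) triples sorted by true event time."""
    rows = []
    for source, line in records:
        ts, msg = parse_record(source, line)
        rows.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), source, msg))
    return sorted(rows)


def spread_seconds(records):
    """Seconds between the earliest and latest event once all clocks agree."""
    stamps = [parse_record(src, line)[0] for src, line in records]
    return (max(stamps) - min(stamps)).total_seconds()


if __name__ == "__main__":
    for row in normalize(SAMPLE_RECORDS):
        print(*row)
    print("spread:", spread_seconds(SAMPLE_RECORDS), "s")
```

Taken at face value the three raw stamps read 14:05, 09:05 and 15:05; after normalization all three resolve to 2024-03-10T14:05:07Z and the spread is zero, which is what lets a SIEM correlate them as one event. The weakest link is the syslog host: its stamp carries no zone, so the pipeline has to know the host's clock setting, and a host whose NTP is broken will still produce wrong results no matter how carefully the format is parsed.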

o Logging levels – Log levels in the context of log ingestion refer to
the categorization of log messages based on their severity or
importance. Each log message generated by a system, application,
or network device is assigned a log level, which helps prioritize and
filter logs for analysis. Common log levels include:
 Operating system (OS) concepts

o Windows Registry – The Windows Registry is a database in
Microsoft Windows that stores settings and configurations for the
operating system, applications, and connected devices. It organizes
information in a structured format, allowing Windows and programs
to retrieve settings like user preferences, installed software, and
system hardware details. The registry is essential for managing
system behavior, and changes to it can directly impact how
Windows and applications operate.

o System hardening – System hardening is the process of
strengthening a computer system’s security by reducing
vulnerabilities and potential attack points. This is achieved by
configuring settings, removing unnecessary software, and applying
security patches to protect against cyber threats. The goal is to
make the system more resilient to attacks and better able to
prevent unauthorized access.

o File structure – A file structure is the way files and folders are
organized on a computer or storage system. It helps keep data
organized in a hierarchy, where folders (or directories) contain files
and may also contain subfolders, creating a structured path to each
file. This organization makes it easier to find, access, and manage
files within a system.

 Configuration file locations – Configuration file locations
are specific folders or paths on a computer where files that
store settings for applications or the operating system are
kept. These files contain information that controls how
software behaves, such as user preferences or network
settings. Knowing where these files are located helps in
managing, troubleshooting, or customizing system and
application configurations.

o System processes – System processes are programs or tasks that
run in the background on a computer to keep it operating smoothly.
These processes handle essential functions like managing memory,
responding to user input, and running applications. They ensure
that the operating system and programs work together efficiently
and provide the services needed for the computer to function
properly.

o Hardware architecture – Hardware architecture is the design and
structure of a computer’s physical components, such as the
processor, memory, and storage. It defines how these parts
interact and work together to perform tasks. Understanding
hardware architecture helps in choosing and configuring hardware
that best meets the needs of specific software or workloads.

 Infrastructure concepts

o Serverless – Serverless is a cloud computing model where you
can run applications and services without managing the underlying
servers. Instead, the cloud provider handles the server setup,
scaling, and maintenance, allowing you to focus only on writing and
deploying code. It’s a cost-effective way to run applications, as
you’re only charged for the computing resources when your code is
actively running.

o Virtualization – Virtualization is a technology that allows you to
create multiple simulated environments or "virtual machines" on a
single physical computer. Each virtual machine acts like a separate
computer with its own operating system and applications. This
helps make better use of resources, as multiple virtual systems can
run on one physical device, reducing the need for extra hardware.

o Containerization – Containerization is a technology that allows
you to package an application and all its dependencies into a single
"container," making it easy to run consistently on any computer.
Unlike virtual machines, containers share the host system’s
operating system, making them lightweight and fast to start. This
helps developers deploy applications quickly and reliably across
different environments, like development, testing, and production.

 Network architecture

o On-premises – An on-premises network is a computer network
where all the hardware, servers, and data storage are physically
located within a company's own facilities. This setup allows the
organization to have full control over its network, including
security, maintenance, and data management. Unlike cloud
networks, which are hosted by third-party providers, an on-
premises network requires the company to handle all upkeep and
infrastructure.

o Cloud – A cloud network is a computer network where resources
like servers, storage, and applications are hosted and managed by
an external cloud provider, accessible over the internet. This setup
allows users to access data and services from anywhere without
needing physical hardware on-site. It also reduces the need for
companies to manage and maintain their own network
infrastructure, as the cloud provider handles these tasks.

o Hybrid – A hybrid network is a network setup that combines both
on-premises infrastructure and cloud resources. It allows
organizations to keep some data and applications on-site while also
using cloud services, giving flexibility to choose the best location
for different needs. This approach helps balance control, cost, and
scalability by leveraging both private and cloud resources.

o Network segmentation – Network segmentation is the practice
of dividing a computer network into smaller, isolated sections, or
"segments." This helps improve security by limiting access
between different parts of the network, so if one segment is
compromised, it doesn't affect the others. It also improves
performance and makes it easier to manage network traffic.

o Zero trust – Zero Trust is a security approach where no one, inside
or outside a network, is automatically trusted. Instead, every user
and device must be verified each time they try to access resources,
no matter their location. This model helps reduce the risk of
unauthorized access by requiring strict authentication and
continuously monitoring all network activity.

o Secure access service edge (SASE) – Secure Access Service
Edge (SASE) is a cloud-based security model that combines
network and security functions to securely connect users to
applications, regardless of location. SASE integrates tools like VPN,
firewalls, and secure web gateways into a single service, making it
easier to manage security across remote offices and users. This
approach enhances security while optimizing network performance
for distributed workforces.

o Software-defined networking (SDN) – A Software-Defined
Network (SDN) is a modern approach to networking where control
over the network is managed through software rather than
traditional hardware. SDN allows administrators to centrally control
and automate network settings, making it easier to manage traffic,
improve performance, and adapt quickly to changing needs. This
setup brings flexibility and efficiency to networks, especially in
large or complex environments.

 Identity and access management – Identity and Access
Management (IAM) is a framework of policies and technologies used to
ensure that the right individuals have the appropriate access to resources
within an organization. IAM verifies user identities and controls what users
can do and access, enhancing security by managing permissions and
reducing unauthorized access risks.

o Multifactor authentication (MFA) – Multifactor Authentication
(MFA) is a security process that requires users to verify their
identity using multiple forms of authentication, such as a password,
a fingerprint, or a code sent to their phone. By requiring more than
one method of verification, MFA adds an extra layer of security,
making it harder for unauthorized users to access accounts or
systems.

o Single sign-on (SSO) – Single Sign-On (SSO) is an authentication
method that allows users to access multiple applications or
systems with a single set of login credentials. With SSO, users only
need to log in once to gain access to all authorized resources,
simplifying the login process and enhancing user convenience
while maintaining security.

o Federation – In Identity and Access Management (IAM), federation
is a method that allows users to access resources across multiple
organizations or domains using a single set of credentials. By
establishing trust between different systems or identity providers,
federation enables seamless authentication and access without
requiring separate logins, improving both security and user
convenience across platforms.

o Privileged access management (PAM) – Privileged Access
Management (PAM) is a security solution designed to control,
monitor, and secure access to critical systems and data by
privileged users, such as administrators with elevated permissions.
PAM restricts access to sensitive resources, provides oversight on
privileged actions, and helps prevent unauthorized use or abuse of
high-level access, thereby enhancing organizational security.

o Passwordless – Passwordless authentication is a security method
that allows users to access systems or applications without
entering a traditional password. Instead, it relies on alternative
methods like biometrics, security keys, or one-time codes sent to a
device, providing a more secure and user-friendly way to log in by
reducing the risks associated with passwords.

o Cloud access security broker (CASB) – A Cloud Access Security
Broker (CASB) is a security tool that acts as a gatekeeper between
an organization’s on-premises infrastructure and cloud services,
enforcing security policies for cloud access and usage. CASBs
provide visibility, data protection, threat protection, and
compliance control, helping organizations securely extend their
security practices to cloud environments.

 Encryption – Encryption is a security process that transforms data
into a coded format, making it unreadable to unauthorized users.
Only those with the correct decryption key can revert the data to its
original form, ensuring that sensitive information remains secure during
storage or transmission.

o Public key infrastructure (PKI) – Public Key Infrastructure
(PKI) is a framework of policies, technologies, and
procedures used to create, manage, and validate digital
certificates and public-private key pairs. PKI enables secure
communication and authentication over networks by verifying
identities and encrypting data, making it essential for secure online
transactions, email, and network access.

o Secure sockets layer (SSL) inspection – Secure Sockets Layer
(SSL) inspection is a security process that decrypts and analyzes
encrypted SSL/TLS traffic to detect potential threats or malicious
content. By examining data before it’s re-encrypted and forwarded
to its destination, SSL inspection helps organizations maintain
security while monitoring for risks within encrypted
communications.

 Sensitive data protection

o Data loss prevention (DLP) – Data Loss Prevention (DLP) is
a set of tools and strategies designed to prevent sensitive
data from being accidentally or maliciously shared, leaked,
or lost. DLP solutions monitor and control data movement within
and outside an organization, helping to protect confidential
information and ensure compliance with data protection policies.

o Personally identifiable information (PII) – Personally
Identifiable Information (PII) is any data that can be used to identify
an individual, either on its own or when combined with other
information. Examples of PII include names, Social Security
numbers, addresses, and phone numbers. Protecting PII is
crucial to safeguard individuals' privacy and prevent
identity theft.

o Cardholder data (CHD) – Cardholder Data (CHD) refers to
the information on a payment card that is used for
processing transactions. This includes the primary account
number (PAN), cardholder name, expiration date, and security code
(CVV). Protecting CHD is essential to prevent fraud and ensure
compliance with standards like PCI-DSS.

1.2 Given a scenario, analyze indicators of potentially malicious activity.

 Network-related
o Bandwidth consumption – Bandwidth consumption refers to the
amount of data transmitted over a network within a specific period.
High bandwidth consumption can affect network performance,
slowing down data transfer speeds for users and applications.
Monitoring bandwidth usage helps manage and optimize network
resources.

o Beaconing – Beaconing is a behavior in which a compromised
device repeatedly communicates with an external server or
attacker at regular intervals. This communication helps attackers
maintain control, receive instructions, or exfiltrate data from the
infected device. Beaconing patterns are often monitored by
security teams to detect and stop potential malware or
cyberattacks.
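Added example (not code from the study notes): a small Python detector that looks for the regular-interval pattern described above in constructed outbound flow records. It groups connections by (source, destination, port), measures the gaps between consecutive connections, and flags pairs whose gap jitter, expressed as a coefficient of variation, is low while the connection count is high. The flow records, addresses, thresholds and the `find_beacons` name are all assumptions made for this example.

```python
import statistics
from collections import defaultdict

# Constructed outbound flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# Invented for this example; the public addresses are documentation ranges.
BASE = 1_700_000_000
FLOWS = [
    # 10.0.0.7 reaches 198.51.100.4:443 every ~60 s with a little jitter
    *[(BASE + 60 * i + jitter, "10.0.0.7", "198.51.100.4", 443)
      for i, jitter in enumerate([0, 1, -1, 2, 0, 1, -2, 0, 1, 0])],
    # 10.0.0.9 browses 203.0.113.20:443 at irregular, human-driven moments
    *[(BASE + t, "10.0.0.9", "203.0.113.20", 443)
      for t in [0, 7, 310, 318, 319, 900, 2600, 2603, 4100, 4105]],
]


def interval_stats(times):
    """Mean gap between consecutive connections and its coefficient of variation."""
    ordered = sorted(times)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(flows, min_connections=8, max_cv=0.15):
    """Flag (src, dst, port) tuples whose connection cadence is suspiciously regular."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        by_pair[(src, dst, port)].append(t)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge the cadence
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            hits[pair] = {
                "connections": len(times),
                "mean_interval_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for pair, info in find_beacons(FLOWS).items():
        print(pair, info)
```

On the constructed data the 10.0.0.7 pair is reported with a mean interval of 60 seconds and a jitter coefficient near 0.03, while the browsing host is not reported because its gaps vary by orders of magnitude. Real beacons often randomize their sleep, so the `max_cv` threshold and the minimum connection count have to be tuned against a baseline of normal traffic, and the finding is a lead for investigation rather than proof on its own.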

o Irregular peer-to-peer communication – Irregular peer-to-peer
communication refers to unusual or unexpected data exchanges
directly between devices on a network, bypassing centralized
servers. This type of communication can indicate suspicious
activity, such as malware spreading or unauthorized data sharing,
and is often monitored to detect potential security threats.

o Rogue devices on the network – Rogue devices are
unauthorized devices connected to a network without permission,
potentially posing security risks. These devices can be used to
access sensitive data, introduce malware, or create vulnerabilities
within the network. Identifying and removing rogue devices is
essential for maintaining network security.

o Scans/sweeps – Scans or sweeps are techniques used to probe a
network or system to discover active devices, open ports, or
vulnerabilities. These activities, often conducted by attackers to
gather information for potential exploits, can also be used by
security teams to assess network security. Monitoring for unusual
scans or sweeps helps detect possible reconnaissance efforts.
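Added example (not from the notes) of the monitoring side of this item: a Python routine that reviews constructed connection-attempt records and reports a source that touches many distinct ports on one host (a port scan) or the same port on many hosts (a host sweep) within a fixed time window. The records, window size, thresholds and the `detect_scans` name are assumptions for the example; real firewall or NetFlow data would be fed in the same shape.

```python
from collections import defaultdict

BASE = 1_700_000_000
# Constructed connection attempts: (epoch_seconds, src_ip, dst_ip, dst_port).
# Invented for this example.
EVENTS = [
    # one source probing ten different ports on one host within a few seconds
    *[(BASE + i, "10.0.0.50", "10.0.0.10", port)
      for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])],
    # one source touching port 445 on twelve different hosts
    *[(BASE + i, "10.0.0.51", f"10.0.0.{h}", 445) for i, h in enumerate(range(1, 13))],
    # ordinary activity: a workstation using two services
    (BASE + 2, "10.0.0.7", "10.0.0.10", 443),
    (BASE + 3, "10.0.0.7", "10.0.0.10", 443),
    (BASE + 5, "10.0.0.7", "10.0.0.11", 80),
]


def detect_scans(events, window_s=60, port_threshold=10, host_threshold=10):
    """Report sources that exceed distinct-port or distinct-host counts in one window."""
    # Bucket each source's attempts into fixed windows of window_s seconds.
    buckets = defaultdict(list)
    for t, src, dst, dport in events:
        buckets[(src, t // window_s)].append((dst, dport))

    findings = []
    for (src, _bucket), pairs in buckets.items():
        ports_per_host = defaultdict(set)   # vertical scan: many ports, one host
        hosts_per_port = defaultdict(set)   # horizontal sweep: one port, many hosts
        for dst, dport in pairs:
            ports_per_host[dst].add(dport)
            hosts_per_port[dport].add(dst)
        for dst, ports in ports_per_host.items():
            if len(ports) >= port_threshold:
                findings.append({"src": src, "kind": "port scan",
                                 "target": dst, "distinct": len(ports)})
        for dport, hosts in hosts_per_port.items():
            if len(hosts) >= host_threshold:
                findings.append({"src": src, "kind": "host sweep",
                                 "target": f"port {dport}", "distinct": len(hosts)})
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for finding in detect_scans(EVENTS):
        print(finding)
```

The workstation is never reported because it contacts two hosts on two ports, well under either threshold. Fixed buckets are simple but a scan straddling a bucket boundary can be split in two; a sliding window over each source's sorted events closes that gap at the cost of a little more code.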

o Unusual traffic spikes – Unusual traffic spikes are sudden,
unexpected increases in network activity that may indicate
potential security issues, such as a cyberattack or malware activity.
These spikes can overwhelm network resources, leading to
slowdowns or disruptions. Monitoring traffic patterns helps detect
and investigate unusual spikes to protect network stability and
security.

o Activity on unexpected ports – Activity on unexpected ports
refers to network traffic occurring on ports that are typically
unused or closed in a given environment. Such activity can be a
sign of malicious behavior, like malware or unauthorized access
attempts, as attackers often use unusual ports to avoid detection.
Monitoring and restricting port usage helps identify and mitigate
these potential threats.

 Host-related
o Processor consumption – Processor consumption refers to the
amount of CPU power being used by applications and processes on
a system. High processor consumption can slow down system
performance and may indicate intensive tasks or potential issues
like malware. Monitoring CPU usage helps maintain optimal system
performance and detect unusual activity.

o Memory consumption – Memory consumption refers to the
amount of RAM being used by applications and processes on a
system. High memory consumption can impact system
performance, causing slowdowns or crashes, and may indicate
resource-intensive tasks or issues like memory leaks. Monitoring
memory usage helps ensure efficient system operation and detect
abnormal activity.

o Drive capacity consumption – Drive capacity consumption refers
to the amount of storage space used on a hard drive or storage
device. High consumption can lead to limited storage availability,
affecting system performance and preventing data from being
saved. Regularly monitoring drive usage helps manage storage
effectively and avoid potential issues.

o Unauthorized software – Unauthorized software refers to
applications installed on a system without permission or approval
from the organization or IT team. Such software can introduce
security risks, including malware or data breaches, and may violate
company policies. Monitoring for unauthorized software helps
maintain security and compliance within the network.

o Malicious processes – Malicious processes are harmful programs
or tasks running on a system, often designed to damage, steal
data, or give unauthorized access to attackers. These processes
can operate in the background and may go unnoticed while
compromising system security. Detecting and stopping malicious
processes is essential to protect systems from cyber threats.
o Unauthorized changes – Unauthorized changes are modifications
made to a system, application, or configuration without approval or
proper authorization. Such changes can introduce security risks,
disrupt operations, or lead to compliance violations. Monitoring for
unauthorized changes helps maintain system integrity and security.

o Unauthorized privileges – Unauthorized privileges refer to
access rights or permissions granted to users or processes without
proper authorization. These elevated privileges can lead to security
risks, as they may allow unauthorized access to sensitive data or
system functions. Managing and monitoring privileges helps
prevent misuse and protect system security.

o Data exfiltration – Data exfiltration is the unauthorized transfer
of data from a system or network, typically by malicious actors.
This often involves sensitive information being stolen and sent
outside the organization, posing serious security and privacy risks.
Detecting and preventing data exfiltration is crucial to protect
against data breaches.

o Abnormal OS process behavior – Abnormal OS process behavior
refers to unusual or unexpected actions by operating system
processes, such as high resource usage, unexpected connections,
or unusual activity patterns. This behavior can indicate potential
security threats, like malware or unauthorized access. Monitoring
for such anomalies helps detect and respond to possible system
compromises.

o File system changes or anomalies – File system changes or
anomalies refer to unexpected modifications, deletions, or
additions of files and folders within a system. Such changes can be
signs of malicious activity, like malware altering files or
unauthorized access. Monitoring these changes helps detect
potential security threats and maintain system integrity.

o Registry changes or anomalies – Registry changes or anomalies
are unexpected modifications to the Windows Registry, which
stores critical system settings and configurations. Such changes
can indicate malicious activity, as malware or unauthorized users
may alter registry entries to gain persistence or control over the
system. Monitoring registry changes helps detect and prevent
potential security threats.

o Unauthorized scheduled tasks – Unauthorized scheduled tasks
are automated tasks set up without proper approval, often to run at
specific times or intervals on a system. These tasks can be used by
malicious actors to execute harmful scripts or maintain
unauthorized access. Detecting unauthorized scheduled tasks is
essential for preventing potential security risks and ensuring
system integrity.

 Application-related
o Anomalous activity – Application-related anomalous activity
refers to unusual or unexpected behavior in software applications,
such as sudden spikes in resource usage, unexpected network
connections, or abnormal user actions. This behavior may indicate
potential security issues, like malware or misuse, and monitoring it
helps identify and respond to threats early.

o Introduction of new accounts – The introduction of new
accounts refers to the creation of user or system accounts within a
network or system. While new accounts are sometimes necessary,
unauthorized or unexpected accounts can signal potential security
threats, such as an attacker creating backdoor access. Monitoring
for new accounts helps detect suspicious activity and maintain
access control.

o Unexpected output – Unexpected output refers to system or
application results that differ from normal or anticipated behavior,
such as unusual messages, errors, or data changes. This can
indicate issues like software bugs, configuration problems, or
potential security threats. Identifying unexpected output helps in
troubleshooting and addressing possible risks.

o Unexpected outbound communication – Unexpected outbound
communication is unanticipated data sent from a system to an
external network or server. This activity can be a sign of malicious
behavior, such as data exfiltration or malware trying to connect to
a command-and-control server. Monitoring outbound
communication helps detect and prevent potential security
breaches.

o Service interruption – A service interruption is a disruption in the
normal operation of a system, application, or network service,
causing it to become unavailable to users. This can result from
technical issues, maintenance, or cyberattacks, and often impacts
productivity and access to resources. Quickly identifying and
resolving service interruptions is essential to restore functionality
and minimize downtime.

o Application logs – Application logs are records generated by
software applications that document events, errors, and other
significant activities. These logs help administrators and
developers monitor application performance, troubleshoot issues,
and analyze security events. Regularly reviewing application logs is
essential for maintaining smooth and secure operations.
 Other
o Social engineering attacks – Social engineering attacks are
manipulative tactics used by attackers to trick individuals into
revealing sensitive information or performing actions that
compromise security. These attacks often exploit human
psychology rather than technical vulnerabilities, such as through
phishing emails or impersonation. Preventing social engineering
requires user awareness and training on recognizing and resisting
these tactics.

o Obfuscated links – Obfuscated links are web links deliberately
altered or masked to hide their true destination, often to trick users
into clicking on malicious sites. Attackers may use shortened URLs
or add deceptive text to make the link appear safe. Recognizing
obfuscated links is important for avoiding phishing and other online
threats.

1.3 Given a scenario, use appropriate tools or techniques to determine
malicious activity.

 Tools
o Packet capture – Packet capture is the process of intercepting
and recording data packets traveling over a network. This
technique allows network administrators and security analysts to
analyze network traffic for troubleshooting, performance
monitoring, or identifying potential security threats. Packet capture
helps provide insights into network behavior and detect unusual or
malicious activity.

o Wireshark – Wireshark is a popular, open-source tool used for
capturing and analyzing network traffic in real time. It allows
network administrators and security professionals to inspect data
packets at a detailed level, helping with troubleshooting,
performance monitoring, and security analysis. Wireshark is widely
used for its powerful features in diagnosing network issues and
investigating potential threats.

o tcpdump – tcpdump is a command-line tool for capturing and
analyzing network traffic on a network interface. It provides
detailed information on data packets, helping network and security
professionals monitor, troubleshoot, and investigate network
activity. tcpdump is valued for its flexibility and ability to filter
specific types of traffic.

o Log analysis/correlation – Log analysis and correlation involve
examining and linking data from various logs to identify patterns,
detect anomalies, and uncover security incidents. By correlating
logs from multiple sources, such as servers, applications, and
network devices, security teams can gain insights into complex
events and respond to potential threats more effectively. This
process is essential for proactive threat detection and incident
response.
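Added example (not from the notes) of correlating two log sources the way the paragraph describes: constructed, already UTC-normalized events from an SSH daemon and a VPN gateway are joined on the client IP address, and a rule fires when a burst of authentication failures is followed by a successful login from the same address within a window. The events, the rule thresholds and the `correlate_failures_then_success` name are assumptions for this example; neither source alone would raise the alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


T0 = datetime(2024, 3, 10, 10, 0, 0, tzinfo=timezone.utc)

# Constructed events from two sources, timestamps already normalized to UTC.
# Invented for this example; IPs are documentation ranges.
EVENTS = [
    # an old failure well outside the window, to show the window matters
    {"ts": "2024-03-10T09:30:00Z", "source": "sshd", "type": "auth_failure",
     "ip": "198.51.100.77", "user": "root"},
    # six failures thirty seconds apart on the SSH server
    *[{"ts": _iso(T0 + timedelta(seconds=30 * i)), "source": "sshd",
       "type": "auth_failure", "ip": "198.51.100.77", "user": "admin"} for i in range(6)],
    # then a successful login on a different system from the same address
    {"ts": "2024-03-10T10:05:10Z", "source": "vpn", "type": "auth_success",
     "ip": "198.51.100.77", "user": "jsmith"},
    # a user who mistyped a password twice: should not fire
    {"ts": "2024-03-10T10:01:00Z", "source": "sshd", "type": "auth_failure",
     "ip": "203.0.113.5", "user": "bob"},
    {"ts": "2024-03-10T10:01:20Z", "source": "sshd", "type": "auth_failure",
     "ip": "203.0.113.5", "user": "bob"},
    {"ts": "2024-03-10T10:01:40Z", "source": "sshd", "type": "auth_success",
     "ip": "203.0.113.5", "user": "bob"},
]


def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_failures_then_success(events, min_failures=5, window_minutes=10):
    """Find successes preceded by >= min_failures failures from the same IP in the window."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append((parse_ts(event["ts"]), event))

    findings = []
    for ip, timeline in by_ip.items():
        timeline.sort(key=lambda item: item[0])
        for idx, (t, event) in enumerate(timeline):
            if event["type"] != "auth_success":
                continue
            earliest = t - timedelta(minutes=window_minutes)
            failures = [item for item in timeline[:idx]
                        if item[1]["type"] == "auth_failure" and item[0] >= earliest]
            if len(failures) >= min_failures:
                findings.append({
                    "ip": ip,
                    "success_user": event["user"],
                    "success_source": event["source"],
                    "failures_in_window": len(failures),
                    "sources": sorted({item[1]["source"] for item in failures} | {event["source"]}),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_failures_then_success(EVENTS):
        print(finding)
```

The join key here is the client IP; in practice the same logic is run with the username, the host, or a session identifier as the key, and the window and failure count are tuned to the environment. The example only works because both sources carry UTC timestamps in the same format, which is the reason log ingestion normalizes time before anything else.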

o Security information and event management (SIEM) –
Security Information and Event Management (SIEM) is a system
that collects, analyzes, and correlates security data from across an
organization's network in real time. SIEM helps security teams
detect, investigate, and respond to potential threats by providing a
centralized view of security events and alerts. It combines both
event logging and analysis tools to enhance threat detection and
streamline incident management.

o Security orchestration, automation, and response (SOAR) –
Security Orchestration, Automation, and Response (SOAR) is a set
of tools and processes that help security teams manage, automate,
and streamline responses to security threats. SOAR enables faster,
more consistent incident response by automating routine tasks,
integrating security tools, and providing guided workflows for
complex incidents. This improves efficiency and effectiveness in
handling cybersecurity operations.

o Endpoint security – Endpoint security is the practice of protecting
devices like computers, mobile phones, and tablets (endpoints)
from cyber threats. It involves using security software and policies
to detect, prevent, and respond to threats that target these
devices. Endpoint security is essential for safeguarding an
organization's network by securing every device connected to it.

o Endpoint detection and response (EDR) – Endpoint Detection
and Response (EDR) is a cybersecurity solution that continuously
monitors and analyzes endpoint activities to detect, investigate,
and respond to security threats. EDR provides real-time visibility,
threat detection, and automated responses to suspicious activities
on devices like computers and mobile phones. It helps security
teams quickly identify and mitigate potential risks to protect the
organization’s network.

o Domain name service (DNS) and Internet Protocol (IP)
reputation – Domain Name Service (DNS) and Internet Protocol
(IP) reputation refer to the trustworthiness and history of
domain names and IP addresses based on past behaviors
and associations. High or positive reputation indicates legitimate
use, while low or negative reputation can signal malicious
activities, such as phishing or spam. Monitoring DNS and IP
reputation helps organizations identify and block potentially
harmful sources in network traffic.

o WHOIS – WHOIS is a public database that provides
information about the ownership and registration details of
domain names and IP addresses. It includes data like the
domain owner's name, contact information, registration dates, and
hosting provider. WHOIS is commonly used to verify domain
ownership, investigate cyber threats, and gain insights into
the origin of internet activity.

o AbuseIPDB – AbuseIPDB is a public database that collects
and reports information about IP addresses involved in
malicious activities, such as hacking, spamming, or fraud.
Users and organizations can look up IP addresses, report suspicious
activity, and check an IP’s reputation based on community
feedback. AbuseIPDB helps in identifying and blocking
potentially harmful IP addresses to improve network
security.

o File analysis – File analysis is the process of examining files to
understand their content, structure, and behavior, often to detect
malicious elements like viruses or malware. It involves inspecting
file metadata, code, and patterns to identify potential threats. File
analysis helps security teams assess and respond to risks
associated with suspicious files.

o Strings – In file analysis, "strings" are sequences of readable text
extracted from a file, often used to gain insights into its content or
behavior. Analysts examine strings to detect clues, such as URLs,
commands, or code fragments, which can help identify if a file is
malicious. Analyzing strings is a common technique to quickly
reveal potentially harmful or suspicious elements within a file.
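Added example (not from the notes, and not the `strings` utility itself): a Python reimplementation of what the tool does, run over a constructed byte blob that stands in for an unknown binary. It pulls out runs of printable ASCII and, going one step beyond the classic utility, runs of UTF-16LE text, which is how Windows binaries commonly store strings and which a plain ASCII scan misses. A small `triage` helper then sorts the results into URLs, file paths and everything else. The blob, the minimum length and the function names are assumptions for the example.

```python
import re

# Constructed byte blob standing in for an unknown binary: a few printable runs
# embedded between non-printable bytes. Invented for this example.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01" + b"\x00" * 8
    + b"http://example.com/check" + b"\x00\x13\x01"
    + "Hello wide text".encode("utf-16-le") + b"\x00\xff"
    + b"ab\x00"                       # too short to count as a string
    + b"/tmp/.cache_dir" + b"\x00\x00"
)


def extract_strings(data, min_len=4):
    """Return printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    ascii_pattern = rb"[\x20-\x7e]{%d,}" % min_len
    # UTF-16LE: each printable character is followed by a zero byte
    wide_pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    ascii_runs = [m.group().decode("ascii") for m in re.finditer(ascii_pattern, data)]
    wide_runs = [m.group().decode("utf-16-le") for m in re.finditer(wide_pattern, data)]
    return {"ascii": ascii_runs, "utf16le": wide_runs}


URL_RE = re.compile(r"^[a-z]+://")
PATH_RE = re.compile(r"^(?:/|[A-Za-z]:\\)")


def triage(data, min_len=4):
    """Sort extracted strings into the categories an analyst looks at first."""
    found = extract_strings(data, min_len)
    everything = found["ascii"] + found["utf16le"]
    return {
        "urls": [s for s in everything if URL_RE.match(s)],
        "paths": [s for s in everything if PATH_RE.match(s)],
        "other": [s for s in everything if not URL_RE.match(s) and not PATH_RE.match(s)],
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_BLOB).items():
        print(category, items)
```

Strings are a quick first look, not a verdict: packed or encrypted samples yield almost nothing readable, and an author who knows analysts check them can plant misleading text. Treat what comes out as leads to confirm with sandboxing or code analysis.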

o VirusTotal – VirusTotal is an online service that analyzes files and
URLs for viruses, malware, and other security threats by scanning
them with multiple antivirus engines and security tools. Users can
upload files or URLs to check for potential risks, and VirusTotal
provides a report with detection results. It’s widely used
for quick threat assessment and malware detection.

o Sandboxing – Sandboxing is a security technique that isolates
files, applications, or code in a controlled environment where they
can be safely executed and analyzed. This containment prevents
any harmful actions from affecting the main system, allowing
security teams to observe the behavior of potentially malicious files
or programs without risking infection. Sandboxing is commonly
used to detect and analyze malware.

o Joe Sandbox – Joe Sandbox is an advanced malware analysis
platform that examines suspicious files and URLs in a controlled
environment to detect malicious behavior. It supports multiple
operating systems, including Windows, macOS, Linux, and Android,
providing detailed reports on malware actions and characteristics.
Security professionals use Joe Sandbox to understand threats and
develop effective defense strategies.

o Cuckoo Sandbox – Cuckoo Sandbox is an open-source
automated malware analysis tool that enables security
teams to run and observe suspicious files in a virtual
environment, or "sandbox." It analyzes files across various
operating systems and provides detailed reports on their behavior,
such as network activity and system modifications. Cuckoo
Sandbox helps identify and understand malware threats
without risking the main system.

 Common techniques –
o Pattern recognition – Pattern recognition is the process of
identifying recurring structures, sequences, or behaviors within
data. In cybersecurity, it helps detect anomalies, such as unusual
network activity or suspicious file behaviors, by recognizing known
threat patterns. Pattern recognition is key to detecting potential
security threats early and improving response times.

o Command and control – Command and Control (C2) refers to the
communication channel that attackers use to remotely manage
infected devices or malware within a network. Through C2,
attackers can issue commands, steal data, and control
compromised systems. Detecting and blocking C2 traffic is crucial
to disrupting malicious operations and preventing further damage.

o Interpreting suspicious commands – Interpreting suspicious
commands involves analyzing commands executed on a system to
determine if they indicate malicious activity. Security analysts look
for unusual or unauthorized commands that could suggest
compromise, such as commands for data exfiltration or privilege
escalation. Identifying these commands helps detect and respond
to potential security threats.

o Email analysis – Email analysis is the process of examining email
content, headers, attachments, and links to detect signs of
phishing, malware, or other malicious activity. It helps identify
suspicious elements, such as forged sender information or harmful
attachments, to protect users and organizations from email-based
threats. Email analysis is essential for preventing cyberattacks that
use email as an entry point.

o Header – In the context of emails, a header is the part of the email
that contains technical details about its origin, path, and delivery. It
includes information such as the sender's address, recipient's
address, time stamps, and the servers it passed through. Analyzing
headers helps identify spoofing, phishing, and other suspicious
activities by revealing the email's true source and routing.

o Impersonation – Impersonation is a tactic in which attackers
pretend to be a trusted individual or organization to deceive and
manipulate their target. Common in phishing and social
engineering attacks, impersonation aims to trick victims into
sharing sensitive information, clicking malicious links, or
performing actions that benefit the attacker. Recognizing
impersonation is essential to prevent fraud and data breaches.
o DomainKeys Identified Mail (DKIM) – DomainKeys Identified
Mail (DKIM) is an email security standard that uses cryptographic
signatures to verify that an email was sent by an authorized
domain and has not been altered in transit. By attaching a digital
signature to outgoing emails, DKIM helps recipients confirm the
authenticity of the sender and protect against email spoofing. It is
an important tool for enhancing email security and trust.

o Domain-based Message Authentication, Reporting, and
Conformance (DMARC) – Domain-based Message Authentication,
Reporting, and Conformance (DMARC) is an email security protocol
that helps prevent email spoofing by allowing domain owners to
specify how email receivers should handle messages that fail
authentication checks (like SPF and DKIM). DMARC policies improve
email security by instructing receivers to reject, quarantine, or
allow suspicious emails, while also providing reports on
authentication results. It helps protect recipients from phishing and
enhances trust in legitimate emails from the domain.

o Sender Policy Framework (SPF) – Sender Policy Framework
(SPF) is an email authentication protocol that helps prevent email
spoofing by allowing domain owners to specify which mail servers
are authorized to send emails on their behalf. By checking the SPF
records in the DNS, email receivers can verify if an email comes
from an approved source and reject messages that fail this check.
SPF helps reduce spam and phishing by ensuring email
authenticity.
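How the three mechanisms above fit together on the receiving side, as an added Python example that is not part of the original notes: it parses a published DMARC record, checks whether the SPF-authenticated (MAIL FROM) domain and the DKIM d= domain align with the From: header domain, and reports the disposition the policy asks for. Organizational-domain matching is simplified to the last two labels and the pct= tag is ignored; the record, domains and verdicts are constructed.

```python
"""DMARC evaluation on top of SPF and DKIM results.

Added example, not code from the original notes. Given the receiver's SPF
and DKIM verdicts and the domain each one authenticated, it checks
identifier alignment against the From: header domain and reports the
disposition the published DMARC policy asks for. Organizational-domain
matching is simplified to the last two labels (real receivers consult the
Public Suffix List), and the pct= sampling tag is ignored. All domains
and records below are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC defaults."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment unless 's' is published
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass(frozen=True)
class AuthResults:
    header_from: str   # domain of the RFC5322.From address
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # MAIL FROM domain that SPF evaluated
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the verified signature, "" if none


def evaluate_dmarc(record: str, r: AuthResults) -> dict[str, object]:
    """Return the DMARC verdict and the disposition the receiver should apply."""
    tags = parse_dmarc_record(record)
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    # sp= overrides p= for mail whose From: domain is a subdomain of the org domain
    policy = tags["p"]
    if r.header_from.lower() != org_domain(r.header_from):
        policy = tags.get("sp", policy)
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy,
    }


# Constructed policy and three constructed messages.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
LEGIT = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
# Lookalike sender: SPF and DKIM both pass for the sender's own domain,
# but neither identifier aligns with the spoofed From: domain.
SPOOF = AuthResults("example.com", "pass", "mail.bulksender.test", "pass", "bulksender.test")
# Subdomain sender with no passing authentication: sp= applies.
SUBDOMAIN = AuthResults("news.example.com", "fail", "news.example.com", "none", "")

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN)]:
        print(name, evaluate_dmarc(RECORD, msg))
```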

o Embedded links – Embedded links are clickable hyperlinks within
an email or document that direct users to a website or resource
when clicked. These links can be useful but may also be used
maliciously in phishing attacks to lead users to fraudulent or
harmful sites. Verifying embedded links before clicking is important
for security.

o File analysis – File analysis is the examination of files to
understand their contents, structure, and behavior, often to detect
potential threats like malware. It involves inspecting attributes,
metadata, and code within the file to identify any suspicious or
malicious elements. File analysis helps security teams assess risks
and prevent harmful files from compromising systems.

o Hashing – Hashing is a process that converts data into a fixed-length
string of characters, typically using a mathematical
algorithm. This unique "hash" acts as a digital fingerprint for the
data, allowing for quick verification of its integrity. Hashing is
commonly used in security to ensure data hasn't been altered and
to securely store passwords.

o User behavior analysis – User Behavior Analysis (UBA) is the
process of monitoring and analyzing users' actions within a system
to identify unusual or risky behaviors. By establishing a baseline of
normal activities, UBA helps detect potential security threats, such
as insider threats or compromised accounts, by flagging deviations
from typical patterns. This enhances security by identifying
suspicious behavior early.

o Abnormal account activity – Abnormal account activity refers to
unusual or unexpected actions performed by a user account, such
as accessing unfamiliar resources, logging in at odd hours, or
initiating large data transfers. This behavior can indicate a
compromised account or insider threat. Monitoring for such
anomalies helps detect potential security incidents and protect
sensitive information.

o Impossible travel – Impossible travel refers to a security alert
triggered when a user logs in from two geographically distant
locations within a timeframe that makes physical travel between
them impossible. This can indicate a compromised account, as it
suggests unauthorized access. Detecting impossible travel helps
identify potential security breaches and protect accounts from
misuse.

 Programming languages/scripting –
o JavaScript Object Notation (JSON) – JavaScript Object Notation
(JSON) is a lightweight data format used to store and transmit data
between a server and a web application. It is easy to read and write
for both humans and machines, using a structure of key-value pairs
and arrays to organize data. JSON is widely used for its
simplicity and efficiency in web development and APIs.

o Extensible Markup Language (XML) – Extensible Markup
Language (XML) is a flexible, text-based format used to store and
transport data in a structured way. It organizes data with custom
tags to define elements, making it both human-readable and
machine-readable. XML is commonly used for data exchange
between systems, especially in web services and APIs.

o Python – Python is a versatile, high-level programming language
known for its readability and ease of use. It supports multiple
programming paradigms, including procedural, object-oriented,
and functional programming, and is widely used for web
development, data analysis, automation, and more. Python's
extensive libraries and active community make it a popular choice
for beginners and professionals alike.

o PowerShell – PowerShell is a task automation and configuration
management framework developed by Microsoft, featuring a
command-line shell and scripting language. It is widely used for
managing and automating tasks on Windows, but also supports
cross-platform use on macOS and Linux. PowerShell is especially
popular in IT administration for managing systems, automating
processes, and handling complex configurations.

o Shell script – A shell script is a file containing a series of
commands written for a command-line interpreter, or shell, used to
automate tasks in Unix-like operating systems. It allows users to
execute multiple commands in sequence, making it useful for
system administration, file manipulation, and routine maintenance
tasks. Shell scripts save time by automating repetitive processes.

o Regular expression – A regular expression, or regex, is a
sequence of characters that defines a search pattern, used
for matching, finding, or manipulating text. Regex is
commonly used in programming and text processing to validate
input, search for specific patterns, or replace text. Its flexibility
makes it a powerful tool for handling complex string operations.

1.4 Compare and contrast threat-intelligence and threat-hunting concepts.

 Threat actors –
o Advanced persistent threat (APT) – An Advanced Persistent
Threat (APT) is a prolonged and targeted cyberattack in which
attackers infiltrate a network to steal data or disrupt operations
over an extended period. APTs are often highly sophisticated, using
stealthy techniques to remain undetected and maintain long-term
access. They typically target sensitive organizations like
government agencies or corporations, posing serious security risks.

o Hacktivists – Hacktivists are individuals or groups who use
hacking techniques to promote political or social causes. They
often target organizations, governments, or individuals they view
as opposing their beliefs, aiming to disrupt services, leak
information, or raise awareness. Hacktivism blends activism and
hacking, leveraging cyberattacks as a form of protest or advocacy.

o Organized crime – Organized crime as threat actors refers to
criminal groups that use cyberattacks to conduct illegal activities
for financial gain. These groups are often highly skilled and well-
funded, using sophisticated methods to steal data, commit fraud,
or extort money from businesses and individuals. Organized crime
groups pose significant threats to cybersecurity due to their
coordinated, profit-driven approach.

o Nation-state – A nation-state as a threat actor refers to a
government or state-sponsored group that conducts cyberattacks
to achieve strategic, political, or economic objectives. These actors
are highly sophisticated, well-resourced, and often target critical
infrastructure, government agencies, or corporations to gather
intelligence or disrupt operations. Nation-state attacks pose serious
risks due to their complexity and potential impact on national
security.

o Script kiddie – A script kiddie is an inexperienced hacker who
uses pre-made tools or scripts, often created by others, to launch
cyberattacks without deep technical knowledge. They typically aim
for easy targets and lack the skills to create their own exploits,
posing lower-level but still potentially disruptive threats. Script
kiddies often engage in hacking for fun, attention, or minor
disruptions.

o Insider threat
 Intentional – An intentional insider threat is a security risk
posed by someone within an organization, such as an
employee or contractor, who deliberately misuses their
access to harm the organization. This can include actions
like data theft, sabotage, or leaking sensitive information.
Intentional insiders are dangerous because they have
legitimate access and knowledge of internal systems.

 Unintentional – An unintentional insider threat occurs
when an individual within an organization accidentally
causes a security risk, often due to negligence or human
error. Examples include clicking on phishing links,
mishandling sensitive data, or failing to follow security
protocols. Though unintentional, these actions can lead to
data breaches or compromise systems.

o Supply chain – In cybersecurity, the supply chain refers to the
network of external vendors, suppliers, and partners that provide
products or services to an organization. Threat actors target supply
chains to compromise a trusted third party, gaining indirect access
to their intended target. Supply chain attacks can lead to
widespread security breaches, as compromised suppliers can
spread vulnerabilities across multiple organizations.

 Tactics, techniques, and procedures (TTP) – Tactics, Techniques, and
Procedures (TTP) refer to the methods and patterns used by threat actors
to carry out cyberattacks. Tactics are the high-level objectives, techniques
are the approaches used to achieve these objectives, and procedures are
the specific steps taken. Understanding TTPs helps security teams
anticipate, detect, and defend against cyber threats more effectively.

 Confidence levels – Confidence levels in cybersecurity refer to the
degree of certainty about the accuracy or reliability of threat intelligence
or analysis. They help indicate how strongly analysts believe in the validity
of information, such as threat indicators or risk assessments. Using
confidence levels aids in prioritizing actions and making informed security
decisions.

o Timeliness – In cybersecurity, timeliness refers to how current and
relevant threat intelligence or security information is. Timely
information is crucial for identifying, responding to, and mitigating
threats before they cause harm. The faster threat data is available
and acted upon, the more effective it is in preventing or minimizing
attacks.

o Relevancy – In cybersecurity, relevancy refers to how applicable
or pertinent threat intelligence is to an organization's specific
environment, assets, or security posture. Relevant information
helps prioritize threats that could realistically impact the
organization, allowing security teams to focus on the most
meaningful risks.

o Accuracy – In cybersecurity, accuracy refers to the correctness
and reliability of threat intelligence or security information.
Accurate data ensures that security teams base their decisions on
true and precise information, reducing the likelihood of false
positives or missed threats. High accuracy is essential for effective
threat detection and response.

 Collection methods and sources
o Open source – In cybersecurity, open source refers to software or
tools whose source code is freely available for anyone to view,
modify, and distribute. Open-source tools are often collaborative,
allowing a community of developers to contribute to their
improvement, which can lead to rapid innovation and transparency.
Open-source software is widely used for security testing, analysis,
and other cybersecurity functions.

 Social media – Social media is a digital platform that allows
people to create, share, and interact with content and
connect with others online.

 Blogs/forums – A blog or forum is an online space where
individuals or communities can share information, post
discussions, and exchange ideas on various topics.

 Government bulletins – Government bulletins are official
updates or announcements issued by government agencies
to inform the public about important information, policies, or
alerts on topics such as security, health, and safety.

 Computer emergency response team (CERT) – A
Computer Emergency Response Team (CERT) is a group
responsible for responding to cybersecurity incidents,
analyzing threats, and coordinating recovery efforts to
protect an organization's or nation's digital infrastructure.

 Cybersecurity incident response team (CSIRT) – A
Cybersecurity Incident Response Team (CSIRT) is a
specialized team that manages, investigates, and resolves
cybersecurity incidents, helping to mitigate damage, secure
systems, and prevent future threats.

 Deep/dark web – The deep web refers to parts of the
internet not indexed by search engines, including private
databases and secure sites, while the dark web is a hidden
portion of the deep web that requires special software, like
Tor, to access and often hosts anonymous and sometimes
illicit activities.

o Closed source
 Paid feeds
 Information sharing organizations
 Internal sources

 Threat intelligence sharing
o Incident response
o Vulnerability management
o Risk management
o Security engineering
o Detection and monitoring

 Threat hunting
o Indicators of compromise (IoC)
 Collection
 Analysis
 Application
o Focus areas
 Configurations/misconfigurations
 Isolated networks
 Business-critical assets and processes
o Active defense
o Honeypot

1.5 Explain the importance of efficiency and process improvement in
security operations.

 Standardize processes
o Identification of tasks suitable for automation
 Repeatable/do not require human interaction
o Team coordination to manage and facilitate automation
 Streamline operations
o Automation and orchestration
 Security orchestration, automation, and response (SOAR)
o Orchestrating threat intelligence data
 Data enrichment
 Threat feed combination
o Minimize human engagement
 Technology and tool integration
o Application programming interface (API)
o Webhooks
o Plugins

 Single pane of glass

2.0 Vulnerability Management – 30%

2.1 Given a scenario, implement vulnerability scanning methods and concepts.

 Asset discovery
o Map scans
o Device fingerprinting
 Special considerations
o Scheduling
o Operations
o Performance
o Sensitivity levels
o Segmentation
o Regulatory requirements
 Internal vs. external scanning
 Agent vs. agentless
 Credentialed vs. non-credentialed
 Passive vs. active
 Static vs. dynamic
o Reverse engineering
o Fuzzing
 Critical infrastructure
o Operational technology (OT)
o Industrial control systems (ICS)
o Supervisory control and data acquisition (SCADA)
 Security baseline scanning
 Industry frameworks
o Payment Card Industry Data Security Standard (PCI DSS)
o Center for Internet Security (CIS) benchmarks
o Open Web Application Security Project (OWASP)
o International Organization for Standardization (ISO) 27000 series

2.2 Given a scenario, analyze output from vulnerability assessment tools.

 Tools
o Network scanning and mapping
 Angry IP Scanner
 Maltego
o Web application scanners
 Burp Suite
 Zed Attack Proxy (ZAP)
 Arachni
 Nikto
o Vulnerability scanners
 Nessus
 OpenVAS
o Debuggers
 Immunity debugger
 GNU debugger (GDB)
o Multipurpose
 Nmap
 Metasploit framework (MSF)
 Recon-ng
o Cloud infrastructure assessment tools
 Scout Suite
 Prowler
 Pacu

2.3 Given a scenario, analyze data to prioritize vulnerabilities.

 Common Vulnerability Scoring System (CVSS) interpretation
o Attack vectors
o Attack complexity
o Privileges required
o User interaction
o Scope
o Impact
 Confidentiality
 Integrity
 Availability
 Validation
o True/false positives
o True/false negatives
 Context awareness
o Internal
o External
o Isolated
 Exploitability/weaponization
 Asset value
 Zero-day

2.4 Given a scenario, recommend controls to mitigate attacks and software
vulnerabilities.

 Cross-site scripting
o Reflected
o Persistent
 Overflow vulnerabilities
o Buffer
o Integer
o Heap
o Stack
 Data poisoning
 Broken access control
 Cryptographic failures
 Injection flaws
 Cross-site request forgery
 Directory traversal
 Insecure design
 Security misconfiguration
 End-of-life or outdated components
 Identification and authentication failures
 Server-side request forgery
 Remote code execution
 Privilege escalation
 Local file inclusion (LFI)/remote file inclusion (RFI)

2.5 Explain concepts related to vulnerability response, handling, and
management.

 Compensating control
 Control types
o Managerial
o Operational
o Technical
o Preventative
o Detective
o Responsive
o Corrective
 Patching and configuration management
o Testing
o Implementation
o Rollback
o Validation
 Maintenance windows
 Exceptions
 Risk management principles
o Accept
o Transfer
o Avoid
o Mitigate
 Policies, governance, and service-level objectives (SLOs)
 Prioritization and escalation
 Attack surface management
o Edge discovery
o Passive discovery
o Security controls testing
o Penetration testing and adversary emulation
o Bug bounty
o Attack surface reduction
 Secure coding best practices
o Input validation
o Output encoding
o Session management
o Authentication
o Data protection
o Parameterized queries
 Secure software development life cycle (SDLC)
 Threat modeling

3.0 Incident Response and Management – 20%

3.1 Explain concepts related to attack methodology frameworks.

 Cyber kill chains
 Diamond Model of Intrusion Analysis
 MITRE ATT&CK
 Open Source Security Testing Methodology Manual (OSSTMM)
 OWASP Testing Guide

3.2 Given a scenario, perform incident response activities.

 Detection and analysis
o IoC
o Evidence acquisitions
 Chain of custody
 Validating data integrity
 Preservation
 Legal hold
o Data and log analysis

 Containment, eradication, and recovery
o Scope
o Impact
o Isolation
o Remediation
o Re-imaging
o Compensating controls

3.3 Explain the preparation and post-incident activity phases of the incident
management life cycle.

 Preparation
o Incident response plan
o Tools
o Playbooks
o Tabletop
o Training
o Business continuity (BC)/disaster recovery (DR)
 Post-incident activity
o Forensic analysis
o Root cause analysis
o Lessons learned

4.0 Reporting and Communication – 17%

4.1 Explain the importance of vulnerability management reporting and
communication.

 Vulnerability management reporting
o Vulnerabilities
o Affected hosts
o Risk score
o Mitigation
o Recurrence
o Prioritization
 Compliance reports
 Action plans
o Configuration management
o Patching
o Compensating controls
o Awareness, education, and training
o Changing business requirements
 Inhibitors to remediation
o Memorandum of understanding (MOU)
o Service-level agreement (SLA)
o Organizational governance
o Business process interruption
o Degrading functionality
o Legacy systems
o Proprietary systems
 Metrics and key performance indicators (KPIs)
o Trends
o Top 10
o Critical vulnerabilities and zero-days
o SLOs
 Stakeholder identification and communication

4.2 Explain the importance of incident response reporting and
communication.

 Stakeholder identification and communication
 Incident declaration and escalation
 Incident response reporting
o Executive summary
o Who, what, when, where, and why
o Recommendations
o Timeline
o Impact
o Scope
o Evidence
 Communications
o Legal
o Public relations
 Customer communication
 Media
o Regulatory reporting
o Law enforcement
 Root cause analysis
 Lessons learned
 Metrics and KPIs
o Mean time to detect
o Mean time to respond
o Mean time to remediate
o Alert volume
Acronyms List

ACL Access Control List
API Application Programming Interface
APT Advanced Persistent Threat
ARP Address Resolution Protocol
AV Antivirus
BC Business Continuity
BCP Business Continuity Plan
BGP Border Gateway Protocol
BIA Business Impact Analysis
C2 Command and Control
CA Certificate Authority
CASB Cloud Access Security Broker
CDN Content Delivery Network
CERT Computer Emergency Response Team
CHD Cardholder Data
CI/CD Continuous Integration and Continuous Delivery
CIS Center for Internet Security
COBIT Control Objectives for Information and Related Technologies
CSIRT Cybersecurity Incident Response Team
CSRF Cross-site Request Forgery
CVE Common Vulnerabilities and Exposures
CVSS Common Vulnerability Scoring System
DDoS Distributed Denial of Service
DoS Denial of Service
DKIM Domain Keys Identified Mail
DLP Data Loss Prevention
DMARC Domain-based Message Authentication, Reporting, and Conformance
DNS Domain Name Service
DR Disaster Recovery
EDR Endpoint Detection and Response
FIM File Integrity Monitoring
FTP File Transfer Protocol
GDB GNU Debugger
GPO Group Policy Objects
HIDS Host-based Intrusion Detection System
HIPS Host-based Intrusion Prevention System
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ICS Industrial Control Systems
IDS Intrusion Detection System
IoC Indicators of Compromise
IP Internet Protocol
IPS Intrusion Prevention System
IR Incident Response
ISO International Organization for Standardization
IT Information Technology
ITIL Information Technology Infrastructure Library
JSON JavaScript Object Notation
KPI Key Performance Indicator
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LFI Local File Inclusion
LOI Letter of Intent
MAC Media Access Control
MFA Multifactor Authentication
MOU Memorandum of Understanding
MSF Metasploit Framework
MSP Managed Service Provider
MSSP Managed Security Service Provider
MTTD Mean Time to Detect
MTTR Mean Time to Repair
NAC Network Access Control
NDA Non-disclosure Agreement
NGFW Next-generation Firewall
NIDS Network-based Intrusion Detection System
NTP Network Time Protocol
OpenVAS Open Vulnerability Assessment Scanner
OS Operating System
OSSTMM Open-Source Security Testing Methodology Manual
OT Operational Technology
OWASP Open Web Application Security Project
PAM Privileged Access Management
PCI DSS Payment Card Industry Data Security Standard
PHP Hypertext Preprocessor
PID Process Identifier
PII Personally Identifiable Information
PKI Public Key Infrastructure
PLC Programmable Logic Controller
POC Proof of Concept
RCE Remote Code Execution
RDP Remote Desktop Protocol
REST Representational State Transfer
RFI Remote File Inclusion
RXSS Reflected Cross-site Scripting
SaaS Software as a Service
SAML Security Assertion Markup Language
SASE Secure Access Service Edge
SCADA Supervisory Control and Data Acquisition
SDLC Software Development Life Cycle
SDN Software-defined Networking
SFTP Secure File Transfer Protocol
SIEM Security Information and Event Management
SLA Service-level Agreement
SLO Service-level Objective
SOAR Security Orchestration, Automation, and Response
SMB Server Message Block
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SOC Security Operations Center
SPF Sender Policy Framework
SQL Structured Query Language
SSL Secure Sockets Layer
SSO Single Sign-on
SSRF Server-side Request Forgery
STIX Structured Threat Information Expression
SWG Secure Web Gateway
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TLS Transport Layer Security
TRACE Trade Reporting and Compliance Engine
TTP Tactics, Techniques, and Procedures
UEBA User and Entity Behavior Analytics
URI Uniform Resource Identifier
URL Uniform Resource Locator
USB Universal Serial Bus
VLAN Virtual LAN
VM Virtual Machine
VPN Virtual Private Network
WAF Web Application Firewall
WAN Wide Area Network
XDR Extended Detection Response
XML Extensible Markup Language
XSS Cross-site Scripting
XXE XML External Entity
ZAP Zed Attack Proxy
ZTNA Zero Trust Network Access
