CySA+ Cheat Sheet: Pass CS0-003 With This Study Guide

CySA+ Cheat Sheet

If you aim to become a cyber security analyst, obtaining CompTIA’s CySA+ certification is a great way to further your career. CySA+ is a widely recognized certification that will demonstrate to employers your understanding of crucial skills and knowledge all cyber security analysts must know.

CySA+ is a complex exam that will test you on a wide range of knowledge domains. To help you prepare and ace this exam, we’ve created a CySA+ cheat sheet. This cheat sheet will quickly go over key concepts, abbreviations, and other crucial pieces of information you need to know prior to taking this exam. 

Download this CompTIA CySA+ cheat sheet here.  

CompTIA CySA+ Cheat Sheet Search

Search our CompTIA CySA+ cheat sheet to find the right cheat for the term you're looking for. Simply enter the term in the search bar and you'll receive the matching cheats available.

About CompTIA CySA+

About CompTIA CySA+

CompTIA’s CySA+ certification stands for cyber security analyst and purposes to test one’s understanding of knowledge and tools cyber security analysts will use on the job. 

CySA+ is a 165-minute exam comprised of a maximum of 85 multiple-choice and performance-based questions. You’ll need a score of at least 750/900 to pass the exam. 

The exam is categorized into four knowledge domains, weighted as follows:

  • Security Operations (33%)
  • Vulnerability Management (30%)
  • Incident Response and Management (20%)
  • Reporting and Communication (17%)
CySA+ Domains

CySA+ Cheat Sheet Exam Domains

This cheat sheet details the most crucial information found in each domain. Each domain is broken up into subdomains. 

Security Operations

The largest portion of the exam tests your understanding of cyber security tools and your ability to assess, defend, and harden asset security. 

System & Network Architecture

Concept Elaboration
System hardeningTools, techniques, and best practices used to shore up the protection of IT assets. 
Cloud• Public cloud - Off-premises cloud environments where infrastructure is not owned by the end user.
• Hybrid - using a combination of cloud-based and on-premises computing
• On-premises - otherwise known as private cloud, on-premises cloud computing is located in a company’s brick-and-mortar building and has its own dedicated resources. 
Zero trustNo implicit trust. Every interaction must be validated.
VirtualizationAllows for the hardware resources of a computer to be divvied up into multiple virtual computers, called virtual machines (VMs). 
ContainerizationSoftware deployment process that bundles an application’s code with the requisite libraries and files needed to run on any infrastructure. 
PKIPublic key infrastructure
SSOSingle sign-on
MFAMulti-factor authentication
FederationArrangement between companies allowing for user to sign on 
DLPData loss prevention system
PIIPersonal identifiable information

Tools & Techniques

Concept Elaboration
WiresharkOpen-source packet capture analysis tool
tcpdumpCLI Packet analyzer tool 
SIEMSecurity information and event management
SOARSecurity, orchestration, automation, and response
EDREndpoint detection and response
VirusTotalFree website used for file and url malware analysis
Email analysis• Header
• Impersonation
• DomainKeys Identified Mail (DKIM)
• Sender Policy Framework (SPF)
Programming languages/scripting• JSON
Python
PowerShell
Shell script
• XML
SandboxingRunning code in a safe environment to test code and prevent threats. 

Threat Intelligence & Threat Hunting

Concept Elaboration
Threat actors• Advanced persistent threat (APT)
• Hacktivists
• Organized crime
• Nation-state
• Script kiddie
• Insider threat
TTPTactics, techniques, and procedures
Confidence levels • Timeliness
• Relevancy
• Accuracy
Collection methods and sources• Open source
• Closed source
Threat intelligence sharing• Incident response
• Vulnerability management
• Risk management
• Security engineering
• Detection and monitoring
Threat hunting• Indicators of compromise (IOC)
• Honeypot
• Active defense
• Configurations/misconfigurations

Vulnerability Management

The second largest knowledge domain will test your ability to identify, evaluate, and respond to security vulnerabilities. 

Vulnerability Scanning & Assessment

ConceptElaboration
Asset discoveryMap scans and device fingerprinting.
Internal scanningScanning internal devices for vulnerabilities.
External scanningAssessing external threats to IT assets.
Credentialed scanUsing privileged credentials to scan systems.
Non-credentialed scanScanning of systems not using credentials.
Passive scanningScans for traffic on a network in a way that isn’t likely to be detected by IDS or IPS. 
Active scanningNoisey type of scanning that targets specific ports and services to gather specific information. 
Critical infrastructure• Operational technology (OT)
• Industrial control systems (ICS)
• Supervisory control and data acquisition (SCADA)
Industry frameworks• Payment Card Industry Data Security Standard (PCI DSS)
• Center for Internet Security (CIS) benchmarks
• Open Web App Security Project (OWASP)
• International Organization for Standardization (ISO)

Data Analyzation

ConceptElaboration
Network scanning and mapping• Angry IP Scanner
Maltego
Web application scannersBurp Suite
• Zed Attack Proxy (ZAP)
• Arachni
• Nikto
Vulnerability scanners• Nessus
• OpenVAS
Debuggers• Immunity debuggers
• GNU debuggers
NmapPopular CLI network mapping tool
Metasploit Framework (MSF)Open-source penetration testing tool
Recon-ngOpen-source tool used for reconnaissance. 
Cloud infrastructure assessment tools• Scout Suite
• Prowler
• Pacu

Prioritizing Vulnerabilities

ConceptElaboration
Common Vulnerability Scoring System Interpretation (CVSS)• Attack vectors
• Attack complexity
• Privileges required
• User interaction
• Scope
Impact • Confidentiality - was private information gained access to
• Integrity - was data changed
• Availability - can data still be accessed
Validation• True/false positives
• True/false negatives
Context awareness • Internal
• External
• Isolated
Exploitability/weaponizationWhat was used to exploit the vulnerability in question.  
Asset valueCombination of the value to the owner, maintenance cost, damage caused if lost, and penalties that would be incurred if it was lost.
Zero-dayAn unknown vulnerability.

Software Vulnerabilities

Concept Elaboration
Cross-site scriptingInjected malicious code into a website
Overflow vulnerabilities• Buffer
• Integer
• Heap
• Stack
Data poisoningAdding malicious information to poison training data. 
Cross-site request forgeryTricking authenticated users into executing actions favorable to the hacker, such as transferring funds, changing passwords, or email addresses.  
Directory traversalWeb vulnerability that allows hackers to easily access restricted directories. 
Insecure designCreating software that is inherently vulnerable. 
End–of-life or outdated componentsInherently vulnerable systems that no longer receive security patches. 
Privilege escalationGaining access to accounts you shouldn’t be able to access. 
Local file inclusion (LFI)Including a file that has not been validated.

Vulnerability Response, Handling, and Management

Concept Elaboration
Compensating controlControl put in place to satisfy a security measure deemed too difficult to implement. 
Control types• Managerial
• Operational
• Technical
• Preventative
• Detective
• Responsive
• Corrective
Patching and configuration management• Testing
• Implementation
• Rollback - returns software to previous state
• Validation
Risk management principles• Accept
• Transfer - using insurance to transfer risk
• Avoid
• Mitigate
SLOsService level objectives
Attack surface management• Edge discovery - mapping edge network devices
• Passive discovery
• Security controls testing
Penetration testing and adversary emulation
Bug bounty - financially incentivizing ethical hackers to find bugs
• Attack surface reduction
Secure coding best practices • Input validation - ensuring only certain characters can be input.
• Output encoding - ensuring data can safely be encoded into another format
• Session management
• Authentication - verifying the identity of a user
• Data protection
• Parameterized queries 
SDLCSecure software development life cycle
Threat modeling Systematic way of finding threats and securing systems and data. 

Incident Response & Management

This domain will test your ability to prepare for, respond to, and manage the fallout of a cyber attack. 

Attack Methodology Framework

ConceptElaboration
Cyber kill chainLockheed Martin developed a framework for identifying and preventing cyber intrusions. 
Diamond Model of Intrusion AnalysisFour-step model that identifies the adversary, capabilities, infrastructure, and victims
MITRE ATT&CKThe most in-depth attach methodology framework focusing on real-life tactics and techniques.
Open Source Security Testing Methodology Manual (OSS TMM)Developed by ISECOM and used for security testing and analysis. 
OWASP Testing GuideIn-depth guide for testing the cyber security of web apps.  

Incident Respond Activities

ConceptElaboration
IoCIndicator of compromise
Evidence acquisitions• Chain of custody
• Validating data integrity
• Preservation
• Legal hold
Data and log analysisUsing a SIEM to collect, log, and understand data. 
Containment, eradication, and recovery• Scope
• Impact
• Isolation
• Remediation - fixing vulnerabilities
• Re-imaging - wiping or clearing a computer in an attempt to rid it of malware.
• Compensating controls

Preparation & Post-Incident Handling

ConceptElaboration
Incident response planA detailed incident response plan to be carried out after an incident. 
PlaybooksStandardized steps to take after an incident has occurred. 
TabletopNon-technical training exercise that prepares employees for how to respond to a cyber security incident. 
Business continuity (BC)Plan to ensure a business quickly recovers after an incident.  
Post-incident activity• Forensic analysis - analysis of data to understand how the attack took place.
• Root cause analysis
• Lessons learned - a detailed written report of lessons learned from the incident. 

Reporting & Communication

17% of the questions you receive will pertain to the day-to-day tasks of a cyber security analyst that relate to reporting and communicating security information to co-workers, stakeholders, and those not well versed in the language of cyber security. 

Vulnerability Management Reporting & Communication

ConceptElaboration
Vulnerability management reporting• Vulnerabilities
• Affected hosts
• Risk score
• Mitigation
• Recurrence
• Prioritization
Action plans• Configuring management
• Patching
• Compensating controls
• Awareness, education, and training
• Changing business requirements
Inhibitors to remediation• Memorandum of understanding (MOU)
• Service-level agreement (SLA)
• Organizational governance
• Business process interruption
• Degrading functionality
• Legacy systems
• Proprietary systems
Metrics and key performance indicators (KPIs)• Trends
• Top 10
• Critical vulnerabilities and zero-days
• Service level objectives (SLOs)

Incident Response Reporting & Communication

ConceptElaboration
Stakeholder identification and communicationIdentify stakeholders and communicate effectively
Incident declaration and escalationInforming stakeholders and effectively escalating event. 
Incident response reporting• Executive summary
• Who, what, when, where, and why
• Recommendations
• Timeline
• Impact
• Scope
• Evidence
Communications• Legal
• Public relations
• Media
• Regulatory reporting
• Law enforcement
Root cause analysisUse forensics to understand the origin of attack. 
Metrics and KPIs• Mean time to detect
• Mean time to respond
• Mean time to remediate
• Alert volume

Conclusion

This CompTIA CySA+ cheat sheet is a quick and easy-to-use guide that provides you with an understanding of what you will be tested on when you take CompTIA’s CySA+ exam. 

Not everything covered on this cheat sheet will be on the exam. However, it’s important to grasp the aforementioned material as it’s all fair game come test time. Take your time when studying for this exam, and be sure to use quality study material to prepare. 

To prepare you for CompTIA CySA+ and a career in the cyber security industry, we invite you to join our Accelerator Program. When you join, you’ll receive access to over 1,000 courses and labs, personalized study roadmaps, unlimited career mentorship, mastermind and study groups, and a growing community of supportive cyber security professionals. 

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Spencer Abel

    Spencer is part cyber security professional and part content writer. He specializes in helping those attempting to pivot into the vast and always-changing world of cyber security by making complex topics fun and palatable. Connect with him over at LinkedIn to stay up-to-date with his latest content.

>