Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmaspas7

Easiest Solution 2 Pass Your Certification Exams

CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Free Practice Exam Questions (2026 Updated)

Prepare effectively for your CompTIA CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2026, ensuring you have the most current resources to build confidence and succeed on your first attempt.

Page: 6 / 8
Total 487 questions

During a routine review of DNS logs, a security analyst observes that Host X has been making frequent DNS requests to domains with random alphanumeric strings, such as ajd8ekthj.xyz. IPS anomaly rules are blocking these domains. This behavior started shortly after a new software installation on the host. Which of the following should the analyst do first to determine whether Host X has been compromised?

A.

Allow the domains because the DNS requests are part of a misconfigured software update.

B.

Check the software installation logs for errors and reinstall the software.

C.

Block all outbound connections from the host to prevent further DNS queries.

D.

Use threat intelligence to check whether the queried domains are associated with legitimate sites.

During the log analysis phase, the following suspicious command is detected-

Which of the following is being attempted?

A.

Buffer overflow

B.

RCE

C.

ICMP tunneling

D.

Smurf attack

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

A.

Hacklivist

B.

Advanced persistent threat

C.

Insider threat

D.

Script kiddie

A security analyst is responding to an indent that involves a malicious attack on a network. Data closet. Which of the following best explains how are analyst should properly document the incident?

A.

Back up the configuration file for alt network devices

B.

Record and validate each connection

C.

Create a full diagram of the network infrastructure

D.

Take photos of the impacted items

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

A.

Beaconinq

B.

Domain Name System hijacking

C.

Social engineering attack

D.

On-path attack

E.

Obfuscated links

F.

Address Resolution Protocol poisoning

A vulnerability scan of a web server that is exposed to the internet was recently completed. A security analyst is reviewing the resulting vector strings:

Vulnerability 1: CVSS: 3.0/AV:N/AC: L/PR: N/UI : N/S: U/C: H/I : L/A:L

Vulnerability 2: CVSS: 3.0/AV: L/AC: H/PR:N/UI : N/S: U/C: L/I : L/A: H

Vulnerability 3: CVSS: 3.0/AV:A/AC: H/PR: L/UI : R/S: U/C: L/I : H/A:L

Vulnerability 4: CVSS: 3.0/AV: P/AC: L/PR: H/UI : N/S: U/C: H/I:N/A:L

Which of the following vulnerabilities should be patched first?

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

An organization has tracked several incidents that are listed in the following table:

Which of the following is the organization ' s MTTD?

A.

140

B.

150

C.

160

D.

180

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?

A.

Cyber Threat Intelligence

B.

Common Vulnerabilities and Exposures

C.

Cyber Analytics Repository

D.

ATT & CK

A threat hunter seeks to identify new persistence mechanisms installed in an organization ' s environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:

Which of the following actions should the hunter perform first based on the details above?

A.

Acquire a copy of taskhw.exe from the impacted host

B.

Scan the enterprise to identify other systems with taskhw.exe present

C.

Perform a public search for malware reports on taskhw.exe.

D.

Change the account that runs the -caskhw. exe scheduled task

After an upgrade to a new EDR, a security analyst received reports that several endpoints were not communicating with the SaaS provider to receive critical threat signatures. To comply with the incident response playbook, the security analyst was required to validate connectivity to ensure communications. The security analyst ran a command that provided the following output:

    ComputerName: comptia007

    RemotePort: 443

    InterfaceAlias: Ethernet 3

    TcpTestSucceeded: False

Which of the following did the analyst use to ensure connectivity?

A.

nmap

B.

tnc

C.

ping

D.

tracert

A security analyst runs the following command:

# nmap -T4 -F 192.168.30.30

Starting nmap 7.6

Host is up (0.13s latency)

PORT STATE SERVICE

23/tcp open telnet

443/tcp open https

636/tcp open ldaps

Which of the following should the analyst recommend first to harden the system?

A.

Disable all protocols that do not use encryption.

B.

Configure client certificates for domain services.

C.

Ensure that this system is behind a NGFW.

D.

Deploy a publicly trusted root CA for secure websites.

Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

A.

TO ensure the report is legally acceptable in case it needs to be presented in court

B.

To present a lessons-learned analysis for the incident response team

C.

To ensure the evidence can be used in a postmortem analysis

D.

To prevent the possible loss of a data source for further root cause analysis

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

A.

Wipe the computer and reinstall software

B.

Shut down the email server and quarantine it from the network.

C.

Acquire a bit-level image of the affected workstation.

D.

Search for other mail users who have received the same file.

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

A.

STRIDE

B.

Diamond Model of Intrusion Analysis

C.

Cyber Kill Chain

D.

MITRE ATT & CK

An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:

cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -EncodedCommand < VERY LONG STRING >

Which of the following should the analyst use to gather more information about the purpose of this command?

A.

Echo the command payload content into ' base64 -d ' .

B.

Execute the command from a Windows VM.

C.

Use a command console with administrator privileges to execute the code.

D.

Run the command as an unprivileged user from the analyst workstation.

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

A.

MITRE ATTACK

B.

Cyber Kill Cham

C.

OWASP

D.

STIXTAXII

Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization?

A.

To establish what information is allowed to be released by designated employees

B.

To designate an external public relations firm to represent the organization

C.

To ensure that all news media outlets are informed at the same time

D.

To define how each employee will be contacted after an event occurs

A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?

A.

SMB share

B.

API endpoint

C.

SMTP notification

D.

SNMP trap

An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

A.

Insider threat

B.

Ransomware group

C.

Nation-state

D.

Organized crime

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

A.

Identify any improvements or changes in the incident response plan or procedures

B.

Determine if an internal mistake was made and who did it so they do not repeat the error

C.

Present all legal evidence collected and turn it over to iaw enforcement

D.

Discuss the financial impact of the incident to determine if security controls are well spent

Page: 6 / 8
Total 487 questions
Copyright © 2014-2026 Solution2Pass. All Rights Reserved