Skills you'll learn
- Build skills with CompTIA training and validate them with CySA+ certification.
CompTIA Exam Syllabus
CS0-003 syllabus, skills measured, and exam topics
CompTIA CySA+ is an intermediate high-stakes cybersecurity analyst certification. Learn about the certification, available training and the exam.
Skills measured by domain
Use the weighting table to decide where to spend the most study time.
| Domain | Weight |
|---|---|
| Security o peration s | 33% |
| Vulnerability management | 30% |
| Incident response management | 20% |
| Reporting and communication | 17% |
What to know before you study
These sections explain the role, audience, and exam framing behind the outline.
Advance with confidence
- Get updates, insights, and exclusive offers to support your learning journey and career growth.
Detailed outline
Scan each section as a working study checklist instead of one long wall of text.
Security o peration s (33%)
- System and network architecture: explaining log ingestion, operating system (OS) concepts, infrastructure, network architecture, identity and access management (IAM), encryption, and sensitive data protection.
- Malicious activity indicators: analyzing network anomalies like bandwidth spikes and rogue devices, host issues like unauthorized software and data exfiltration, application irregularities like unexpected communication and service interruptions, and threats like social engineering attacks.
- Tools and techniques: detecting malicious activity using tools like Wireshark, security information and event management (SIEM), and VirusTotal, along with techniques like pattern recognition and email analysis, supported by scripting languages like Python and PowerShell.
- Threat intelligence and hunting: comparing threat actors, tactics, techniques, and procedures (TTP); confidence levels; collection methods; intelligence sharing; and hunting techniques.
- Process improvement: standardizing processes, streamlining operations, integrating tools, and using a single pane of glass.
Vulnerability management (30%)
- Vulnerability scanning: implementing asset discovery, internal vs. external scanning, agent vs. agentless, credentialed vs. non-credentialed, passive vs. active, static vs. dynamic, and critical infrastructure scanning.
- Assessment tool output: analyzing network scanning, web application scanners, vulnerability scanners, debuggers, multipurpose tools, and cloud infrastructure assessments.
- Vulnerability prioritization: interpreting common vulnerability scoring system (CVSS), validating findings, assessing exploitability, and considering asset value and zero-day vulnerabilities.
- Mitigation controls: recommending controls for cross-site scripting (XSS), overflow vulnerabilities, and data poisoning.
- Vulnerability response: explaining compensating controls, patching, configuration management, maintenance windows, exceptions, governance, service-level objectives (SLOs), secure software development life cycle (SDLC), and threat modeling.
Incident response management (20%)
- Attack methodology frameworks: explaining cyber kill chains, diamond model of intrusion analysis, MITRE ATT&CK, Open Source Security Testing Methodology Manual (OSSTMM), and OWASP testing guide.
- Incident response activities: performing detection, analysis, containment, eradication, and recovery.
- Incident management life cycle: explaining incident response plans, tools, playbooks, tabletop exercises, training, business continuity (BC), disaster recovery (DR), forensic analysis, and root cause analysis.
Reporting and communication (17%)
- Vulnerability management reporting: explaining compliance reports, action plans, inhibitors to remediation, metrics, key performance indicators (KPIs), and stakeholder communication.
- Incident response reporting: explaining incident declaration, escalation, reporting, communication, root cause analysis, lessons learned, and metrics and KPIs.