CyberCorps

CySA+ (v3) Cheat Sheet

4 domains

Exam snapshot

Exam code: CS0-003
Duration: 165 minutes
Questions: up to 85
Passing score: 750/900

Security Operations

33% Exam Weight

System and network architecture

System hardening: Tools and defensive practices used to improve asset security.
Cloud deployment models: Public cloud: off-premises infrastructure owned by a provider.
Hybrid cloud: mixed on-premises and cloud services.
Private/on-premises cloud: dedicated internal infrastructure.
Zero trust: No implicit trust; every identity and action is continuously verified.
Virtualization: Splits hardware resources into multiple virtual machines (VMs).
Containerization: Bundles code, runtime, and dependencies for portable application deployment.
PKI: Public key infrastructure for certificate-based trust and encryption.
SSO: Single sign-on for centralized authentication.
MFA: Multi-factor authentication with at least two independent factors.
Federation: Cross-organization identity trust to allow external sign-in.
DLP: Data loss prevention controls for sensitive data.
PII: Personally identifiable information handling.

Tools and techniques

Packet and network analysis tools: Wireshark
tcpdump
Security operations platforms: SIEM
SOAR
EDR
Malware and file reputation: VirusTotal for file and URL triage.
Email analysis: Header analysis
Sender impersonation checks
DKIM validation
SPF validation
Scripting and data formats: JSON
Python
PowerShell
Shell scripting
XML
Sandboxing: Runs untrusted code in an isolated environment for safe testing.

Threat intelligence and hunting

Threat actors: Advanced persistent threats (APT)
Hacktivists
Organized crime
Nation-state actors
Script kiddies
Insider threats
TTPs: Tactics, techniques, and procedures.
Confidence levels: Timeliness
Relevancy
Accuracy
Collection methods: Open-source intelligence (OSINT)
Closed-source intelligence
Threat intelligence sharing: Incident response coordination
Vulnerability management
Risk management
Security engineering
Detection and monitoring
Threat hunting techniques: Indicators of compromise (IOC)
Honeypots
Active defense
Configuration and misconfiguration analysis

Vulnerability Management

30% Exam Weight

Vulnerability scanning and assessment

Asset discovery: Map scans and fingerprinting to inventory systems and services.
Internal and external scanning: Internal: identifies vulnerabilities inside the trusted environment.
External: evaluates internet-facing exposure.
Credentialed and non-credentialed scans: Credentialed: deeper checks with privileged access.
Non-credentialed: attacker-view scanning without credentials.
Passive and active scanning: Passive: lower-noise observation of network traffic.
Active: targeted probing of ports and services.
Critical infrastructure scope: Operational technology (OT)
ICS
SCADA
Framework context: PCI DSS
CIS Benchmarks
OWASP
ISO standards

Assessment tool output and analysis

Network scanning and mapping: Angry IP Scanner
Maltego
Web application scanners: Burp Suite
ZAP
Arachni
Nikto
Vulnerability scanners: Nessus
OpenVAS
Debuggers: Immunity Debugger
GNU Debugger
Multipurpose tools: Nmap
Metasploit Framework
Recon-ng
Cloud assessment tools: Scout Suite
Prowler
Pacu

Vulnerability prioritization

CVSS interpretation: Attack vector
Attack complexity
Privileges required
User interaction
Scope
Impact analysis: Confidentiality
Integrity
Availability
Validation: True positive and false positive review
False negative analysis
Context awareness: Internal
External
Isolated
Exploitability and weaponization: Evaluate whether public or private exploit paths are available.
Asset value and zero-days: Prioritize by business value, maintenance cost, and blast radius.
Zero-day vulnerabilities carry elevated uncertainty and urgency.

Software vulnerabilities and controls

Cross-site scripting (XSS): Injected scripts execute in a victim browser context.
Overflow vulnerabilities: Buffer overflow
Integer overflow
Heap overflow
Stack overflow
Data poisoning: Maliciously altered training or decision data.
Cross-site request forgery (CSRF): Forces authenticated users to submit attacker-chosen actions.
Directory traversal: Accesses restricted files and directories through path manipulation.
Insecure design: Weak architecture patterns create systemic risk.
End-of-life components: Legacy components without security updates increase exploit exposure.
Privilege escalation: Gain higher-level permissions than originally granted.
Local file inclusion (LFI): Unsafe file inclusion allows execution or disclosure of local files.

Vulnerability response and process governance

Compensating controls: Alternative safeguards used when direct remediation is not feasible.
Control types: Managerial
Operational
Technical
Preventive
Detective
Responsive
Corrective
Patching and configuration lifecycle: Testing
Implementation
Rollback planning
Validation
Risk treatment: Accept
Transfer
Avoid
Mitigate
SLOs: Service level objectives for security outcomes.
Attack surface management: Edge discovery
Passive discovery
Control testing
Penetration testing and adversary emulation
Bug bounty programs
Attack surface reduction
Secure coding best practices: Input validation
Output encoding
Session management
Authentication
Data protection
Parameterized queries
Secure SDLC: Security embedded across software delivery phases.
Threat modeling: Structured identification of threats, controls, and residual risk.

Incident Response Management

20% Exam Weight

Attack methodology frameworks

Cyber Kill Chain: Framework used to map and disrupt intrusion stages.
Diamond Model of Intrusion Analysis: Relates adversary, infrastructure, capabilities, and victim.
MITRE ATT&CK: Knowledge base of real-world adversary behavior and techniques.
OSSTMM: Methodology for structured security testing and measurement.
OWASP Testing Guide: Hands-on web application security testing guidance.

Incident response activities

Indicators of compromise: IOC triage and validation.
Evidence acquisition: Chain of custody
Integrity validation
Preservation
Legal hold
Data and log analysis: Use SIEM telemetry to scope, correlate, and verify incident activity.
Containment, eradication, and recovery: Scope and impact assessment
Isolation
Remediation
Re-imaging when necessary
Compensating controls

Preparation and post-incident handling

Incident response plan: Documented and tested procedures for coordinated response.
Playbooks: Standardized response workflows by incident type.
Tabletop exercises: Scenario-based drills to validate readiness and communication paths.
Business continuity: Recovery planning to maintain essential services during disruption.
Post-incident activity: Forensic analysis
Root cause analysis
Lessons learned reporting

Reporting and Communication

17% Exam Weight

Vulnerability management reporting

Core report fields: Vulnerabilities
Affected hosts
Risk score
Mitigation status
Recurrence
Prioritization
Action plans: Configuration changes
Patching
Compensating controls
Awareness and training
Business requirement updates
Inhibitors to remediation: MOU and SLA constraints
Governance blockers
Business interruption risk
Functionality degradation concerns
Legacy or proprietary systems
Metrics and KPIs: Trend analysis
Top 10 risk tracking
Critical vulnerabilities and zero-days
SLO performance

Incident response reporting

Stakeholder communication: Identify required audiences and tailor communications by role.
Incident declaration and escalation: Declare severity and escalate through agreed governance paths.
Incident report structure: Executive summary
Who, what, when, where, and why
Recommendations
Timeline
Impact and scope
Evidence summary
External communication channels: Legal
Public relations
Media
Regulatory reporting
Law enforcement
Operational metrics: Root cause analysis outputs
Mean time to detect (MTTD)
Mean time to respond (MTTR)
Mean time to remediate
Alert volume