CySA+ (v3)

Security Operations

Explaining system and network architecture, malicious activity indicators, tools and techniques, threat intelligence and hunting, and process improvement.

33% Exam Weight

Exam focus areas

  • Objective summary: Explaining system and network architecture, malicious activity indicators, tools and techniques, threat intelligence and hunting, and process improvement.
  • System and network architecture: Explaining log ingestion, operating system concepts, infrastructure, network architecture, IAM, encryption, and sensitive data protection.
  • Malicious activity indicators: Analyzing network anomalies, host issues, application irregularities, and social engineering threats.
  • Tools and techniques: Using Wireshark, SIEM, VirusTotal, pattern recognition, email analysis, and scripting with Python and PowerShell.
  • Threat intelligence and hunting: Comparing threat actors, TTPs, confidence levels, collection methods, intelligence sharing, and hunting techniques.
  • Process improvement: Standardizing processes, streamlining operations, integrating tools, and using a single pane of glass.

Domain deep dive

Expanded domain guidance for building, operating, and continuously improving detection and response workflows.

CS0-003 Coverage Checklist (1.1-1.5)

Direct objective coverage from the CompTIA CS0-003 security operations domain.

  • 1.1 System and network architecture: log ingestion (time synchronization, logging levels), OS concepts (Windows Registry, hardening, file structures/config locations, processes, hardware architecture), infrastructure (serverless, virtualization, containerization), network architecture (on-prem, cloud, hybrid, segmentation, zero trust, SASE, SDN), IAM (MFA, SSO, federation, PAM, passwordless, CASB), encryption (PKI, SSL inspection), and sensitive data protection (DLP, PII, CHD).
  • 1.2 Indicators of malicious activity: network indicators (bandwidth, beaconing, irregular peer-to-peer, rogue devices, scans/sweeps, traffic spikes, unexpected ports), host indicators (CPU/memory/storage anomalies, unauthorized software/processes/changes/privileges, exfiltration, abnormal OS behavior, file/registry anomalies, unauthorized scheduled tasks), application indicators (anomalous activity, new accounts, unexpected output/outbound communication, service interruption, log anomalies), and social engineering or obfuscated links.
  • 1.3 Tools and techniques: packet capture (Wireshark, tcpdump), SIEM/SOAR correlation, EDR telemetry, DNS/IP reputation (WHOIS, AbuseIPDB), file analysis (strings, VirusTotal), sandboxing (Joe Sandbox, Cuckoo), pattern recognition/C2 analysis, suspicious command interpretation, email analysis (header, impersonation, DKIM, DMARC, SPF, embedded links), file hashing, and user behavior analytics including impossible travel.
  • 1.3 Programming and scripting support: JSON, XML, Python, PowerShell, shell scripting, and regular expressions.
  • 1.4 Threat intelligence and hunting: threat actors (APT, hacktivist, organized crime, nation-state, script kiddie, insider intentional/unintentional, supply chain), TTPs, confidence (timeliness, relevancy, accuracy), collection methods (open and closed source), intelligence sharing (IR, vulnerability management, risk management, security engineering, detection/monitoring), and threat hunting (IoC collection/analysis/application, focus areas, active defense, honeypot).
  • 1.5 Efficiency and process improvement: standardization and automation candidate identification, team coordination, streamlining with SOAR orchestration and enrichment, minimizing manual effort, tool integration via APIs/webhooks/plugins, and single pane of glass operations.

1.1 System and Network Architecture

Understand enterprise components and data flows that enable security monitoring.

  • Log ingestion with SIEM, SOAR, and log aggregation; parse, normalize, and index syslog, Windows Event Logs, and cloud audit trails.
  • Network architecture with segmentation, NAC, bastion hosts, proxy tiers, east-west and north-south traffic design, and zero trust controls.
  • Identity and access management including SSO, MFA, PAM, and federation and authentication protocols such as SAML, OIDC, and RADIUS.
  • Encryption and sensitive data protection through TLS and mTLS, disk encryption, tokenization, DLP policy, and data classification.
  • Cloud and hybrid infrastructure patterns including shared responsibility, CASB, CSPM, workload protection, and VPC flow logs.

1.2 Indicators of Malicious Activity

Recognize compromise indicators across network, host, and application layers.

  • Network indicators such as anomalous DNS activity, beaconing cadence, lateral movement patterns, and traffic to known bad destinations.
  • Host indicators including unsigned binaries, suspicious scheduled tasks, unusual process lineage, and memory injection artifacts.
  • Application indicators such as authentication anomalies, privilege escalation patterns, abnormal API usage, and credential stuffing behavior.
  • Lateral movement signs including pass-the-hash, pass-the-ticket, remote service abuse, and anomalous RDP or SSH sessions.
  • Data exfiltration patterns such as large outbound transfer spikes, encoding or encryption abuse, and unexpected cloud uploads.

1.3 Tools and Techniques

Apply tooling to detect, investigate, and respond to threats.

SIEM and Log Analysis

  • Use SPL, KQL, or Lucene-style queries for correlation and dashboarding.
  • Tune alerts with threshold, anomaly, and threat-intelligence enrichment methods.
  • Maintain retention policies and legal hold readiness.

Network Monitoring

  • Use packet capture and PCAP analysis workflows with tcpdump and Wireshark.
  • Leverage NetFlow, sFlow, or IPFIX baselining for deviation detection.
  • Tune IDS and IPS signatures and author custom Snort or Suricata rules.

Endpoint Detection

  • Analyze EDR telemetry for process execution, file changes, registry changes, and outbound connections.
  • Use YARA signatures for targeted file and memory scanning.
  • Harden endpoint controls with firewall and application policy.

Email and Web Security

  • Inspect SPF, DKIM, and DMARC policy and authentication outcomes.
  • Use URL and attachment sandboxing for detonation and verdict assignment.
  • Correlate web proxy and content filter logs during triage.

1.4 Threat Intelligence and Hunting

Leverage intelligence and hypotheses to find adversary activity proactively.

  • Use open source, commercial, and sector sharing feeds including ISAC or ISAO channels.
  • Combine IoCs and IoAs with strategic, tactical, and operational intelligence levels.
  • Build hunt hypotheses using ATT&CK mapping and data source gap analysis.
  • Execute hunts with stack counting, frequency analysis, and outlier clustering.
  • Map adversary capabilities to enterprise risk using practical threat modeling methods.
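Stack counting and frequency analysis, as listed above, work by grouping telemetry on a field tuple and surfacing the groups with the lowest prevalence. The following is an added Python example (not code from the page or from CompTIA) that runs the technique over constructed EDR-style process events; the JSON field names `host`, `parent` and `image` are assumptions for the sample data, and the hunt hypothesis is that an Office application spawning a command interpreter is rare across the fleet.

```python
"""Stack counting over constructed EDR-style process telemetry (added example)."""
from collections import defaultdict
import json

# Constructed sample events, one JSON object per line; not real telemetry.
# Field names host/parent/image are assumptions for this example.
SAMPLE_EVENTS = """\
{"host":"ws01","parent":"explorer.exe","image":"outlook.exe"}
{"host":"ws02","parent":"explorer.exe","image":"outlook.exe"}
{"host":"ws03","parent":"explorer.exe","image":"outlook.exe"}
{"host":"ws01","parent":"services.exe","image":"svchost.exe"}
{"host":"ws02","parent":"services.exe","image":"svchost.exe"}
{"host":"ws03","parent":"services.exe","image":"svchost.exe"}
{"host":"ws01","parent":"explorer.exe","image":"chrome.exe"}
{"host":"ws02","parent":"explorer.exe","image":"chrome.exe"}
{"host":"ws02","parent":"winword.exe","image":"powershell.exe"}
{"host":"ws02","parent":"winword.exe","image":"powershell.exe"}
"""

def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad record should not abort the hunt
    return events

def stack_count(events, fields=("parent", "image")):
    """Group events on the field tuple; track raw hits and distinct hosts."""
    stacks = defaultdict(lambda: {"count": 0, "hosts": set()})
    for ev in events:
        key = tuple(ev.get(f, "") for f in fields)
        stacks[key]["count"] += 1
        stacks[key]["hosts"].add(ev.get("host", ""))
    return stacks

def rare_stacks(stacks, max_hosts=1):
    """Outliers: stacks seen on few hosts, however often they fired there."""
    return sorted((key, v["count"], len(v["hosts"]))
                  for key, v in stacks.items() if len(v["hosts"]) <= max_hosts)

def frequency_table(stacks):
    """Frequency analysis: most common stacks first, for baseline review."""
    return sorted(((k, v["count"]) for k, v in stacks.items()),
                  key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    stacks = stack_count(parse_events(SAMPLE_EVENTS))
    for key, count, hosts in rare_stacks(stacks):
        print(f"rare stack {key}: {count} events on {hosts} host(s)")
```

Counting distinct hosts rather than raw events is what separates the winword.exe to powershell.exe stack (two events, one host) from the equally infrequent but fleet-wide chrome.exe stack.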

1.5 Process Improvement

Drive measurable SOC improvements through automation and feedback loops.

  • Track MTTD, MTTR, false positive rate, and alert-to-incident conversion.
  • Automate enrichment, ticketing, containment, and triage actions in SOAR playbooks.
  • Run lessons learned and purple-team iterations to improve detections.
  • Maintain runbooks, SOPs, and structured shift handover processes.

Key concepts

  • SIEM correlation and alert tuning
  • EDR and XDR telemetry analysis
  • Traffic baselining and anomaly detection
  • Threat hunting methodology
  • SOAR playbook automation
  • MITRE ATT&CK mapping

Study tips

  • Practice SIEM query writing against realistic sample data.
  • Map common attack scenarios to ATT&CK techniques and data sources.
  • Build a small home lab SIEM pipeline and validate normalization quality.
  • Review public packet captures and identify indicators and hypotheses.