Question 10 - CompTIA (CYSA+) Analyst+ CS0-003 Real Exam Questions [March 2026 Update]

Q: 10

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

Options

Discussion

Avery U. Feb 12, 2026 1:55 am

B . APIs are how SOAR actually connects and automates between different vendors. Not 100 percent but that's what I'd pick.

Sofia T. Feb 25, 2026 2:19 pm

B . APIs actually let SOAR automate stuff between lots of vendors, not just share data like threat feeds do.

Skyler R. Feb 28, 2026 2:04 am

Option B. saw a similar question in practice sets and APIs were always the right pick for automation.

Daniel P. Feb 23, 2026 5:42 am

Option B

Noah B. Feb 16, 2026 10:20 am

B here. APIs are what let SOAR actually carry out automated actions across all those different vendor tools, not just exchange info like STIX/TAXII. Pretty sure that's what CompTIA wants. Correct me if I missed something.

Olivia Feb 26, 2026 1:43 pm

B not A. APIs let SOAR actually automate actions, while STIX/TAXII is more about threat intel sharing, which trips people up. Seen this mix-up on other practice questions too.

Olivia B. Feb 11, 2026 6:15 pm

A looks right to me, since STIX/TAXII is used for exchanging info between vendors. I know APIs can automate tasks but STIX/TAXII is what I've always seen for cross-platform stuff. Pretty sure that's where they're going, unless I'm missing some nuance. Disagree?

LukeI Feb 21, 2026 8:19 am

Its B, APIs. That’s the main way SOAR platforms actually automate actions with different vendors, not just pull in threat intel. Seen similar stuff on official practice exams. If anyone’s got another take, let me know.

Mason U. Feb 15, 2026 9:55 pm

A , since if the platforms only support STIX/TAXII sharing then APIs aren't always enough.

Noah T. Feb 19, 2026 4:23 pm

B , APIs are what actually let SOAR automate things with multiple vendors, not threat feeds like D.

Be respectful. No spam.

Correct Answer:

Explanation

Security Orchestration, Automation, and Response (SOAR) platforms are designed to integrate disparate security tools and automate workflows. The primary mechanism for enabling a SOAR platform to communicate with, command, and control tools from different vendors is through Application Programming Interfaces (APIs). APIs provide a standardized programmatic interface that allows the SOAR solution to send instructions (e.g., "block this IP on the firewall," "isolate this endpoint with the EDR") and retrieve data from various security products, thereby orchestrating actions across the entire security stack.

Why Incorrect

A. STIX/TAXII: These are standards for formatting and transporting threat intelligence data, not for executing commands or actions on security platforms.

C. Data enrichment: This is a process where a SOAR platform augments initial alert data with more context; it is a function, not the technology used for cross-platform control.

D. Threat feed: A threat feed is a source of threat intelligence data that a SOAR platform consumes. It does not provide the mechanism to automate actions on other tools.

References

1. National Institute of Standards and Technology (NIST). (2022). Security Orchestration

Automation

and Response (SOAR) and the Security Operations Center (SOC) (NISTIR 8362). In Section 2.2

"SOAR Capabilities

" the document states

"SOAR platforms integrate with other security tools and systems through APIs... This integration allows the SOAR platform to collect data from and send commands to the other tools."

2. Carnegie Mellon University Software Engineering Institute (SEI). (2019). A Look at SOAR (Security Orchestration

Automation

and Response). The publication notes that a key feature of SOAR is its ability to "integrate with other security tools through application programming interfaces (APIs)." This integration is what enables the orchestration and automation of security tasks.

3. SANS Institute. (2019). SOAR: A Practitioner's Guide to Security Orchestration

Automation

and Response. This guide explains that the core of SOAR's integration capability relies on APIs

referring to them as the "connective tissue" that allows the SOAR platform to interact with and control a diverse set of security tools for automated response actions. (p. 5).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE