View CS0-003 Exam Questions

Q: 1

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

Options

Discussion

Anita Q. Feb 22, 2026 2:37 pm

Option B

Liam D. Feb 15, 2026 2:47 pm

C/D? But B actually makes more sense because it's all about figuring out the app structure first, not finding vulns yet. Just initial discovery so you know what to scan in detail later. Pretty sure that's what they're asking.

Nathan M. Feb 15, 2026 10:13 am

Pretty sure it's B since they're just trying to map out the URIs before doing anything in-depth. Discovery scans are for that initial enumeration step, not actual vuln analysis. Saw a similar question on a practice test and B was the match. Anyone see it worded differently?

AmeliaA Mar 2, 2026 12:19 am

B tbh, discovery scan is all about mapping out URIs and structure before you get into vulnerabilities. The question's highlighting that prep work, not the actual vuln checks. Seen similar phrasing in practice-think it's the safest pick unless I'm missing some trick in wording.

Adam J. Feb 12, 2026 1:34 pm

Not sure why so many pick C, isn't B (discovery scan) just about mapping out URIs before looking for vulns?

Daniel U. Feb 16, 2026 12:41 pm

Guessing C

Hannah H. Feb 12, 2026 5:10 pm

B tbh. The official study guide explains discovery scans as mapping endpoints before deeper assessment. Good to double check practice labs too.

Taylor G. Feb 23, 2026 1:28 pm

Probably B here. The question just wants to map out where the scan will go and see which URIs need to be blocked, that's typical for a discovery scan. Not actually looking for vulns yet. Pretty sure that's what they're asking but open to other takes.

Jordan Feb 11, 2026 8:01 am

Hard to say, B here. Since the analyst just wants to map out where the scan will go and see which URIs need blocking, that's classic discovery scan behavior. If it was about finding vulnerabilities right away, I'd lean C, so let me know if you disagree.

LaylaC Feb 24, 2026 1:30 am

Why is everyone picking C? Isn't the question just about mapping URIs, not actually scanning for vulns yet?

Be respectful. No spam.

Correct Answer:

Explanation

A discovery scan is a type of reconnaissance activity performed to map the structure and components of a target system or application. Its primary goal is to identify assets, enumerate directories, and understand the overall layout—precisely what the analyst is tasked with. This initial mapping allows the analyst to define the scope for a more focused vulnerability scan and to explicitly exclude sensitive URIs or directories from further, potentially disruptive, testing. This activity is a prerequisite to in-depth scanning, not the in-depth scan itself.

Why Incorrect

A. Uncredentialed scan: This describes the authentication context (scanning without login credentials), not the specific objective of mapping the application's structure.

C. Vulnerability scan: This is a more intensive scan that actively probes for known weaknesses, which the scenario states will occur after this initial mapping phase.

D. Credentialed scan: This describes scanning with authenticated user privileges to assess the internal attack surface, which is not the stated goal of the initial reconnaissance.

References

1. National Institute of Standards and Technology (NIST). (2008). Technical Guide to Information Security Testing and Assessment (Special Publication 800-115).

Section 3.2

"Discovery

" describes this phase as the start of testing

used to "identify systems and the information on them" and to "develop a map of the network." This directly supports the concept of scanning to understand where the scan will go.

2. CompTIA. (2022). CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives CS0-003.

Exam Objective 2.1

"Explain the importance of vulnerability management

" lists "Discovery" as a specific type of scan. This confirms its relevance and distinction from other scan types within the official exam curriculum.

3. Kruegel

& Vigna

G. (2003). Anomalous Payload-Based Network Intrusion Detection. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID '02).

The paper

in its discussion of web application analysis

implicitly supports the concept of a discovery/crawling phase. Section 3

"Web Application Analysis

" describes the initial step as crawling the web application to "build a model of the application

" which is synonymous with a discovery scan's purpose of mapping URIs before deeper analysis. (Available via Springer or university libraries).

Q: 2

Which of the following is the most important reason for an incident response team to develop a formal incident declaration?

Options

Discussion

Neha K. Feb 18, 2026 11:16 pm

Option B Official guide and incident response frameworks are pretty clear this is the main reason.

Olivia Feb 14, 2026 11:09 am

Option B. seen advice like this in official study guides too.

Olivia Feb 23, 2026 4:33 am

Probably B. The main thing with a formal incident declaration is to make sure only the right people can actually trigger the process, otherwise it gets chaotic fast. That authority makes or breaks a good IR plan. Pretty confident, but let me know if you see it differently.

Robin P. Feb 22, 2026 12:53 pm

Why is identifying authority more critical here than just choosing who responds? Department assignment (D) feels secondary if no one has clear power to declare in the first place.

Sam N. Feb 14, 2026 9:55 pm

Had something like this in a mock, B was the right answer. The whole point of the formal declaration is to make it clear who has authority to escalate so things don't get messy. Pretty confident it's B, but let me know if you see it differently.

Sofia G. Feb 27, 2026 8:58 am

Its B, aligns with most official study guides and practice tests. Formal declaration mainly sets who can actually call an incident, not just which department acts. Pretty sure that’s the core concept here.

Luna E. Mar 2, 2026 2:52 pm

I don’t think it’s D. B fits better since the main issue is knowing exactly who’s got the authority to declare an incident, that’s what actually triggers the whole IR process. D trips people up but it’s kinda secondary. Seen similar logic on other CompTIA practice sets.

Taylor G. Feb 19, 2026 9:04 am

C/D? I know some pick D but B is actually the key here, since authority to declare is what triggers everything else in IR. D sounds tempting but feels more like a next step after you know who can officially say it’s an incident. Seen similar logic in practice tests. Open if you see another angle.

Jordan O. Feb 17, 2026 7:00 pm

Similar question popped up on my last practice exam and B was flagged as correct. Authority to declare is key for proper IR steps, not just department roles. Pretty sure it's B, but open if I'm missing something.

Owen Feb 22, 2026 5:44 am

Nah, I think D is right here. The real focus should be which department responds first, that's usually where confusion happens. D.

Be respectful. No spam.

Correct Answer:

Explanation

A formal incident declaration process is a critical component of an Incident Response Plan (IRP). Its most important function is to establish a clear, unambiguous line of authority. This ensures that only designated and qualified personnel can officially classify a security event as an incident, thereby triggering the allocation of significant organizational resources and initiating the formal response protocol. Without this documented authority, organizations risk delayed responses, confusion, premature or unnecessary escalations, and a general lack of control over the incident management lifecycle. This formal designation of authority is the cornerstone of an orderly and effective response.

Why Incorrect

A. To require that an incident be reported through the proper channels

This is incorrect because reporting channels are part of the initial detection and analysis phase, which precedes the formal declaration. The declaration process is what happens after an event has been reported.

C. To allow for public disclosure of a security event impacting the organization

This is incorrect because public disclosure is a communication task that occurs much later in the incident response process, if at all. The initial declaration is an internal trigger for the response team.

D. To establish the department that is responsible for responding to an incident

This is incorrect because the responsible department (e.g., CSIRT) and its roles are defined in the overarching Incident Response Plan, not within the specific procedure for declaration.

---

References

1. NIST Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide.

Section 2.3.2

"Policy

Plan

and Procedure Creation": This section emphasizes the need for a formal incident response policy that defines roles

responsibilities

and levels of authority. It states

"The incident response policy should also state which individuals have the authority to... declare an incident." This directly supports that identifying authority is a primary goal of formalizing the process.

2. Carnegie Mellon University

Software Engineering Institute (SEI)

Defining Incident Management Processes

CERT/CC

October 2018.

Section 3.2

"Declare an Incident": This document outlines the incident management process and states

"The goal of this step is to make a decision about whether the event should be declared an incident... This decision is usually made by an incident response team leader or manager." This highlights that the declaration is a formal decision point made by an authorized individual.

3. ISO/IEC 27035-1:2023

Information technology — Information security incident management — Part 1: Principles and process.

Section 7.3

"Decision and declaration": This international standard specifies that the incident management process must include a formal decision step. It states that criteria for declaring an incident should be established and that "the decision to declare an information security incident should be taken by a competent and authorized person or team." This reinforces the centrality of designated authority in the declaration process.

Q: 3

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Options

Discussion

Ethan K. Feb 16, 2026 9:08 pm

C . DRP is what brings mission-critical services back quick after incidents.

Aaron R. Feb 21, 2026 11:12 am

Its C

Olivia C. Feb 13, 2026 5:26 am

C. Question is super clear and matches what I've seen in similar practice sets.

Avery P. Feb 22, 2026 4:59 pm

C, not A

Neha G. Mar 2, 2026 5:54 pm

I was thinking A for business continuity plan, since it covers overall business ops during incidents. BCP seems more comprehensive if you want to ensure services stay available, not just recover after. Pretty sure I'm missing something but anyone else see it that way?

Ethan J. Feb 23, 2026 5:22 am

C , saw something really similar on a practice exam and disaster recovery plan was the answer there too.

JasonK Mar 2, 2026 11:01 am

Probably C

MorganX Feb 12, 2026 3:57 pm

C vs A for me, but leaning C since disaster recovery plans are more about getting critical services back online after something goes sideways. BCP sounds right but might be a trap because it's higher level. Anyone see it differently?

Jason H. Feb 25, 2026 4:33 am

Not B. C is correct here, asset management is a distractor since it doesn't guarantee service availability during incidents.

Vikram X. Feb 13, 2026 4:43 pm

Anyone use the official guide or labs to practice BCP vs DRP concepts for this type?

Be respectful. No spam.

Q: 4

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

Options

Discussion

Logan U. Mar 1, 2026 1:33 pm

C . Network attack vector is always top priority since anyone can hit it remotely. Correct me if I'm missing something.

Emma G. Feb 12, 2026 5:10 pm

Not C, B. AV:A can be a problem if your network has lots of adjacent segments, kinda tricky sometimes.

CuriousTester6800 Mar 1, 2026 10:51 am

Option C makes sense to hit first since AV:N means remote exploit from anywhere, way more exposure than adjacent (B). I think that's standard triage for network vulnerabilities. Not 100% but C looks most critical.

Rowan M. Feb 26, 2026 1:34 pm

Option B AV:A (adjacent network) still could be higher risk if VLAN hopping is in play.

Parker Feb 20, 2026 10:49 pm

B , saw a similar one on a practice test.

Mason C. Feb 22, 2026 11:39 am

B tbh

Chris Feb 19, 2026 10:41 pm

B . AV:A means adjacent network, so it's riskier than local vectors (like D). Pretty sure C is more urgent but I sometimes mix up AV syntax, so let me know if I'm off.

Rowan Feb 24, 2026 12:29 pm

Yeah, I agree with C here.

Nina Feb 15, 2026 8:27 am

C imo, network vector (AV:N) is riskier since attackers can reach it from anywhere without local or physical access. Unless there's something unique about your environment, I'd always prioritize network-exploitable vulns first. Disagree if you see a niche case.

GraceB Feb 14, 2026 9:04 pm

My pick: it's C, saw a similar question on a practice test and network vector (AV:N) always comes first.

Be respectful. No spam.

Correct Answer:

Explanation

The primary differentiator for prioritization among the given options is the Attack Vector (AV) metric within the CVSSv3 string. The AV:N (Network) vector indicates that the vulnerability is exploitable remotely from the internet. This represents the broadest attack surface and the highest immediate risk, as an attacker requires no prior access to the local or adjacent network. When other metrics like Attack Complexity (AC:L), Privileges Required (PR:L), and Impact (C:H/I:H/A:H) are identical, the vulnerability that can be exploited from anywhere on the network should always be remediated first.

Why Incorrect

A. AV:P (Physical) requires physical access to the target system, representing the lowest level of risk and therefore the lowest priority for remediation.

B. AV:A (Adjacent) requires the attacker to be on the same local network, which is a more limited attack surface than a network-exploitable vulnerability.

D. AV:L (Local) requires the attacker to have existing access to the system, making it a lower priority than a remotely exploitable vulnerability.

References

1. FIRST.org

Inc. (2019). Common Vulnerability Scoring System v3.1: Specification Document. Section 2.1.1

Attack Vector (AV). The document states

"The Base Score is highest for a vulnerability that can be exploited remotely (AV:N)... This is because the attacker does not require any local or physical access to the vulnerable component." This directly supports prioritizing AV:N.

2. Mell

& Scarfone

K. (2005). The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems (NISTIR 7435). National Institute of Standards and Technology. Section 3.1

"Base Metrics

" discusses how the Attack Vector metric captures the context by which vulnerability exploitation is possible

with Network being the most critical.

3. Purdue University. CS 42600: Computer Security

Lecture 18 - Vulnerabilities. Course materials discuss vulnerability analysis and CVSS. The lectures emphasize that the Attack Vector is a critical component for prioritization

with network-based vectors (AV:N) posing a significantly higher risk than local

adjacent

or physical vectors due to the vast number of potential remote attackers.

Q: 5

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two).

Options

Discussion

SeasonedConsultant9029 Feb 27, 2026 5:24 am

Yeah, B and D are what I picked too. EDR helps monitor and disrupt attacker activity in real-time without killing service, and microsegmentation keeps the attack contained by only allowing required traffic. Pretty sure that's what CompTIA wants here, but can see why E looks tempting.

Parker O. Feb 23, 2026 4:04 am

Looks like B and D make the most sense but I could see some folks picking E. Not 100 percent confident though.

Adam Z. Feb 16, 2026 10:32 am

Every CompTIA exam finds a way to overcomplicate with controls you’d never actually deploy mid-response, lol. B and D.

Sara Feb 25, 2026 6:06 am

B/D tbh. Deploying EDR gives visibility and can slow down or block attacker actions without shutting things down, which fits since the service has to stay live. Microsegmentation limits what the adversary can access from the web server, helping contain lateral movement. Not totally sure if B is always safe in a live compromise but this matches what I saw on practice sets. Anyone disagree?

Morgan J. Feb 25, 2026 6:43 pm

D imo. If the DB and web server are already segmented but the reverse proxy is allowed any-to-any, microsegmentation only helps if you can enforce strict rules. B also makes sense for active containment, but only if agents can be deployed safely. Seen similar exam questions trip people up on these edge conditions.

Morgan Feb 27, 2026 4:25 am

C/D? I don’t think C helps here, B is more of a real compensating control and D stops lateral movement. F just exposes things more so that’s a trap. Anyone else see it differently on practice exams?

Zoe O. Feb 22, 2026 11:44 am

B and F. Deploying EDR should help with detection, and moving the database onto the web server sounds like it could make containment easier (less attack surface spread). Not 100% though, maybe I'm missing a risk with F?

FriendlyMentor8084 Feb 24, 2026 12:22 am

B and D tbh. A and C would kill access, which the question says to avoid.

Logan M. Feb 18, 2026 10:53 pm

I’d say B and D. EDR lets you monitor and react to what the attacker does without killing service, which is key since the web server needs to stay online. Microsegmentation restricts network access so even if they're inside, they can't move laterally. I think this lines up with how you'd contain an active threat while keeping things running, but happy to hear other takes.

NoraF Mar 2, 2026 7:06 am

B/E. Lots of practice tests suggest EDR and account hardening, so I'd check the official guide on compensating controls for web compromises.

Be respectful. No spam.

Correct Answer:

B, D

Explanation

The primary objective is to implement compensating controls to contain an active adversary on a live system while maintaining critical functionality. Deploying an Endpoint Detection and Response (EDR) solution provides deep visibility into system activities and allows responders to actively block or disrupt malicious processes, thereby reducing the adversary's capabilities without taking the server offline. Concurrently, using microsegmentation allows for the creation of granular, stateful firewall policies that restrict network connectivity to only what is explicitly required—in this case, the connection from the web server to the database server on a specific port. This network-level control effectively contains the adversary, preventing lateral movement to other parts of the network while preserving the necessary service connections.

Why Incorrect

A. Dropping the tables on the database server is a destructive action that violates the requirement to keep the service functional and results in data loss.

C. Stopping the httpd service would make the web application inaccessible, directly contradicting the requirement to keep the web service running and accessible.

E. Commenting out the HTTP account in /etc/passwd would disable the service account, causing the web server process to fail and violating the accessibility requirement.

F. Moving the database to the already compromised web server would be a major architectural change that increases risk by consolidating assets on a compromised host.

References

1. National Institute of Standards and Technology (NIST). (2012). Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide.

Section 3.3.3

Containment

p. 27: This section outlines containment strategies

which include isolating affected hosts or network segments. Microsegmentation is a modern implementation of network segmentation that creates "secure zones in data centers and cloud deployments that allow companies to isolate workloads from one another and secure them individually." This directly supports option D as a containment strategy.

2. Souppaya

& Scarfone

K. (2013). NIST Special Publication 800-128

Guide for Security-Focused Configuration Management of Information Systems.

Section 4.3

Isolate

p. 21: Discusses isolation as a security technique. "Isolation may be implemented through physical or logical separation... Logical separation can be accomplished through a variety of mechanisms

such as access control lists (ACLs) on routers and firewalls..." Microsegmentation is an advanced form of logical separation

aligning with this principle for containment (Option D).

3. Al-Shaer

& Wei

J. (2021). Modeling and Verification of Micro-segmentation for Zero-Trust Security. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (pp. 3215–3217).

Abstract & Section 1: The paper describes microsegmentation as a key enabler for a Zero-Trust security model

which "enforces strict access control and network segmentation to prevent lateral movement." This directly supports the use of microsegmentation (Option D) to contain an adversary.

DOI: https://doi.org/10.1145/3460120.3485373

4. Boicea

et al. (2018). EDR

EPP

and NGAV: The new triple-threat in endpoint security. 2018 10th International Conference on Electronics

Computers and Artificial Intelligence (ECAI).

Section II.A

Endpoint Detection and Response (EDR): This section describes EDR as a solution that "records system activities and events taking place on endpoints... and provides forensic analysis and remediation capabilities to identify and stop attacks." This capability to actively reduce an adversary's actions supports Option B.

DOI: https://doi.org/10.1109/ECAI.2018.8679018

Q: 6

During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safeguarded during an incident?

Options

Discussion

AishaC Feb 20, 2026 11:15 am

B . Most exam guides and official practice tests stress using a mix of encryption and strict permissions for handling PII during incidents. Limiting access is classic least privilege, so B covers it. Anyone see issues here?

Sanjay Feb 18, 2026 4:13 am

B. Had something like this in a mock exam, and the combo of restricting team permissions plus encryption covers both technical and procedural controls. Limits who can access PII while also protecting data at rest. Pretty sure that's what they're going for here.

Aaron Feb 23, 2026 1:12 pm

B not A. A skips least privilege, which CompTIA loves for PII. Anyone see this asked a different way?

Riley N. Feb 23, 2026 7:46 pm

Its B, combining encryption and least privilege matches best practices for PII during incidents. The others only do part of the job. Pretty sure that's what CySA+ expects, but open to debate if there's a twist I missed.

Daniel W. Feb 20, 2026 11:29 am

Honestly feels like B fits best since it covers both limiting permissions (least privilege) and encryption during the investigation. Not 100 percent sure if C could make sense for data lifecycle, but here B looks right.

Neha Y. Feb 20, 2026 1:01 pm

B is the right pick here. Limiting permissions plus encryption covers both admin and technical controls for PII, which lines up with least privilege practices during an incident. Not fully sure if anyone disagrees but that's how I've seen it on similar practice sets.

Jason X. Mar 2, 2026 10:31 am

B, seen similar Q on practice tests and it's always about least privilege plus encryption for PII.

Mason Feb 21, 2026 6:17 am

Its B, official guide and practice questions both emphasize limiting permissions and encryption for PII during incidents.

Sean Y. Feb 23, 2026 11:08 pm

Amelia S. Feb 27, 2026 4:03 am

B . Option A misses least privilege, and C is more about lifecycle than incident response access control.

Be respectful. No spam.

Correct Answer:

Explanation

The most effective method for safeguarding Personally Identifiable Information (PII) during an incident investigation is to combine technical controls with administrative controls. Encrypting the data (a technical control) protects it from unauthorized access if the storage medium is compromised. Simultaneously, limiting permissions within the investigation team (an administrative control) adheres to the principle of least privilege, ensuring that only authorized personnel with a direct need-to-know can access the sensitive data. This dual approach minimizes the risk of accidental exposure or insider threats while still enabling the investigation to proceed.

Why Incorrect

A. "Close the data so only the company has access" is overly broad and insecure, as it does not implement the principle of least privilege within the organization.

C. Creating a data deletion procedure is a crucial part of data lifecycle management but is not the most immediate or primary action for safeguarding data during an active incident.

D. "Permissions are open only to the company" is not a security control; it implies a lack of internal access controls and violates the principle of least privilege.

---

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-122

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

Section 4.4

"Restrict PII Access

" states

"Organizations should restrict access to PII to only those individuals who have a need to know... This is often referred to as the principle of least privilege." (Page 29).

Section 4.5

"Protect PII at Rest and in Transit

" recommends

"Organizations should consider using encryption to protect the confidentiality of PII... PII should be encrypted when it is stored (at rest)..." (Page 30). This directly supports combining limited permissions and encryption.

2. National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide.

Section 3.2.5

"Handling

" discusses the importance of protecting evidence and sensitive data during an investigation. It states

"Handling of data should be performed according to the policies and procedures that were established in the preparation phase... This includes... protecting sensitive information." (Page 31). This implies that pre-defined controls like access limitation and encryption should be applied.

3. MIT OpenCourseWare

6.858 Computer Systems Security

Fall 2014.

Lecture 1

"Introduction; Threat models

" introduces the core security principles of confidentiality

integrity

and availability. The lecture materials emphasize that confidentiality is often enforced through a combination of access control mechanisms and encryption

which aligns directly with the correct answer. (Available at ocw.mit.edu).

Q: 7

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?

Options

Discussion

Ben F. Feb 14, 2026 5:23 pm

Option D, It's Weaponization, not B-compiling and testing the payload is past recon stage. Trap here is thinking OSINT always means B.

Piya N. Feb 19, 2026 3:26 pm

C/D? Pretty sure D is correct, compiling and testing points to Weaponization, but OSINT mention could trip people up into picking B.

Maya K. Mar 1, 2026 7:52 pm

B tbh, saw a similar question in a practice set once and picked Reconnaissance because of the OSINT mention.

Mason A. Feb 17, 2026 10:13 pm

D , official guide and some practice tests cover these kill chain phases well.

Arjun F. Feb 22, 2026 9:46 pm

Nah, I think B here. OSINT gathering feels like the trap choice in this scenario.

AishaJ Mar 3, 2026 6:11 am

Avery V. Feb 24, 2026 12:47 am

D . The compiling and testing part puts it squarely in Weaponization, since they're creating the malware with evasion in mind. B is tempting because of the OSINT from forums, but that's just prep data, not the main action. Saw a similar question on a practice set. Anyone disagree?

Chris L. Feb 23, 2026 5:54 am

D or B depending on how you read it. The compiling and testing part is clearly Weaponization (D), but if the focus was just on gathering info using OSINT, then it'd fall under Reconnaissance (B). Here though, since they're building malware based on what they learned, I think D makes more sense. But it's one of those edge Kill Chain cases where wording really matters. Anyone see it different?

QuietEngineer19 Feb 15, 2026 11:53 am

C. not D

Skyler Feb 18, 2026 5:42 am

C , since they're testing the downloader, feels like they're checking if it can exploit something. I know weaponization is close here but exploitation also covers where malware tries to beat defenses. Not totally sure though.

Be respectful. No spam.

Correct Answer:

Explanation

The threat actor's actions of compiling, testing, and modifying a malicious downloader to evade specific security controls fall directly into the Weaponization stage of the Cyber Kill Chain. This stage is defined by the creation or modification of a malicious payload (the "weapon") that is tailored to the target environment. The actor is using intelligence gathered during reconnaissance to build an effective tool for the subsequent stages of the attack. The primary activity described is the creation of the malicious artifact, not its delivery or execution.

Why Incorrect

A. Delivery: This stage involves transmitting the weapon to the target (e.g., via a phishing email or a malicious website), which has not yet occurred in the scenario.

B. Reconnaissance: This stage focuses on gathering information about the target. While the actor used intelligence, the core action described is building the tool, not gathering the data.

C. Exploitation: This stage involves triggering the malicious code on the victim's system to gain access. The actor is still in the preparation phase on their own systems.

References

1. Hutchins

E. M.

Cloppert

M. J.

& Amin

R. M. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation. In Section 3

"Stage 2: Weaponization

" the authors state

"Weaponization...couples a remote access trojan with an exploit into a deliverable payload." This directly aligns with creating a malicious downloader.

2. NIST. (2016). NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing. National Institute of Standards and Technology. Section 2.3.1 describes the Cyber Kill Chain

where Weaponization is the stage for creating the malicious payload before the Delivery stage.

3. SANS Institute. (2015). The Sliding Scale of Cyber Security. SANS Technology Institute. Page 5 describes the kill chain stages

defining Weaponization as the point where an attacker "chooses a weapon...and packages it for delivery." The act of compiling and testing fits this definition.

Q: 8

Which of the following risk management principles is accomplished by purchasing cyber insurance?

Options

Discussion

CuriousReviewer386 Feb 22, 2026 2:56 am

D . Buying cyber insurance doesn't stop or reduce the risk, it just hands the financial hit to someone else. C is a classic trap here since mitigation is about actually reducing impact, not just shifting it.

Jamie S. Feb 24, 2026 7:01 pm

If the policy is just about shifting who covers the loss, that's risk transfer. So I'd pick D here. Only flips if you actually reduce chance or impact directly.

Anita P. Feb 24, 2026 7:55 am

Option D seen this in multiple official guides and practice exams.

Sanjay D. Feb 25, 2026 4:08 am

D imo, since with cyber insurance you're moving the risk (financial responsibility) to the insurer. You aren't actually lowering the chance or effect of the threat itself-just who pays. Pretty sure that's what transfer means, right?

Sofia Feb 23, 2026 1:09 pm

Maybe C, since insurance helps lessen the financial impact after a breach. Not 100% sure.

Jamie D. Feb 26, 2026 6:40 pm

Option D. Avoid the C trap, insurance just shifts liability, doesn't lower actual risk.

Leo D. Feb 24, 2026 9:49 am

Why not C in any scenario here? Insurance doesn't actually reduce the actual risk event or its likelihood, right?

Sean E. Mar 3, 2026 4:28 pm

D here-buying insurance doesn't stop the risk, it just hands off the $ impact if something happens. If we wanted to actually lower the chance of something bad, that'd be C. But for this wording, pretty sure it's D. Agree?

Sam J. Mar 2, 2026 4:59 am

Hmm I'd probably say C for this, since buying insurance feels like it's helping mitigate the risk. C

Vikram K. Feb 20, 2026 5:54 am

I went with C because insurance helps reduce the financial impact, which feels like mitigation to me. In practice, isn't lowering the blow part of mitigation? I've seen a similar question pop up on practice tests, so maybe that's why I'm stuck on this. Not 100% sure though, open to other takes.

Be respectful. No spam.

Correct Answer:

Explanation

Risk transfer is a risk management strategy that involves shifting the financial consequences of a potential loss to a third party. Purchasing cyber insurance is a classic example of this principle. The organization pays a premium to an insurance company, which in turn agrees to cover the financial damages resulting from a specified cyber incident (e.g., data breach, ransomware attack). This action does not eliminate or reduce the likelihood of the risk itself but transfers the associated financial burden from the organization to the insurer.

Why Incorrect

A. Accept: Risk acceptance involves acknowledging a risk and making a deliberate decision to take no action, bearing any potential losses. Purchasing insurance is an active response, not acceptance.

B. Avoid: Risk avoidance means eliminating the risk by ceasing the activity that creates it (e.g., disconnecting a system from the internet). Insurance manages the consequences, it does not avoid the activity.

C. Mitigate: Mitigation involves implementing controls (e.g., firewalls, encryption, training) to reduce the likelihood or impact of a risk. Insurance is a financial tool, not a technical or procedural control.

References

1. National Institute of Standards and Technology (NIST). (2011). Special Publication (SP) 800-39

Managing Information Security Risk: Organization

Mission

and Information System View.

Section 2.3

Page 10: This document outlines the four fundamental risk response strategies. It explicitly defines risk sharing/transfer as a method "to shift risk from one group or individual to another (e.g.

by using insurance)."

2. National Institute of Standards and Technology (NIST). (2020). NISTIR 8286

Integrating Cybersecurity and Enterprise Risk Management (ERM).

Section 2.3.2

Page 13: In the discussion on Risk Response

this publication lists "Transferring (or sharing) risk to another party

such as through insurance" as a primary risk response option.

3. Peyton

E. (2006). Lecture 15: Risk Management. 1.040/1.401 Project Management

Fall 2006. Massachusetts Institute of Technology: MIT OpenCourseWare.

Slide 14

"Risk Response Planning": This university course material identifies four strategies for negative risks. It defines "Transfer" as shifting the risk and its consequences to a third party and lists "Insurance" as the prime example of this strategy.

Q: 9

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

Options

Discussion

Meera A. Feb 15, 2026 6:01 am

Option D makes sense here, since you can't really categorize or prioritize protection if you don't know the value or criticality of each system. A is tempting but that comes after asset valuation. Pretty sure that's how CYSA+ expects you to approach it, but let me know if you see it differently.

Hannah O. Feb 19, 2026 6:29 am

Option D is what I'd pick. Determining asset value always comes first since you can't really prioritize protection or choose controls without knowing what's most important to the business. Pretty standard risk management step, I think. If anyone has seen a question twist where A makes more sense, let me know.

Chris Y. Feb 19, 2026 6:10 am

D makes sense since you need a baseline for asset value before you can apply the right controls or prioritize. Can't really rank systems by sensitivity if you don't know their importance. Pretty sure that's the intent here but happy if someone thinks otherwise.

Luke Feb 27, 2026 3:47 pm

Probably D, seen exam guides and official practice refer to determining asset value as the first thing in prioritizing systems.

AnitaZ Feb 20, 2026 4:34 am

D , saw similar in practice sets and it's always asset value first for prioritization.

Quinn N. Feb 24, 2026 4:39 pm

C or D

I was thinking C at first since alerts help with new threats, but now I'm realizing D makes more sense for prioritizing. Still, pretty sure some exam reports mention C in a similar scenario so not 100% sure.

Vikram H. Feb 26, 2026 3:15 am

A or maybe B, not convinced D is first without knowing user needs.

Ryan V. Feb 22, 2026 4:04 am

D that's the first step for risk-based prioritization. You can't rank protection without knowing asset value. Anyone see it another way?

Sofia U. Feb 15, 2026 2:21 pm

Had something like this in a mock, it's D.

SamJ Feb 12, 2026 4:50 pm

I don't think it's D right away. Option A is tempting since interviewing users might give you real context first.

Be respectful. No spam.

Correct Answer:

Explanation

The foundational step in a risk-based approach to cybersecurity is asset management, which begins with identifying and valuing assets. To categorize and prioritize systems for protection based on the sensitivity of their content (confidentiality, integrity, and availability), a security analyst must first determine the value of each asset. This valuation dictates the level of security controls required and guides all subsequent risk management activities, such as vulnerability scanning and control implementation. Without understanding the asset's value, it is impossible to appropriately prioritize security efforts or justify the cost of protective measures.

Why Incorrect

A. Interviewing users is a useful data-gathering step, but it does not establish the authoritative business value or impact, which is necessary for formal categorization.

B. Scanning for vulnerabilities is a subsequent step in risk assessment. The criticality of a vulnerability is determined by its potential impact on a valued asset.

C. Configuring alerts is a proactive security control. This action is typically performed after systems have been categorized and appropriate security baselines have been established.

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-30

Revision 1

Guide for Conducting Risk Assessments. Section 2.2

"Conduct Assessment

" outlines the process which begins with identifying assets and their value to determine the impact of a loss of confidentiality

integrity

or availability. Specifically

Task 2-3

"Determine impact

" relies on the value of the system and data.

2. Federal Information Processing Standards (FIPS) Publication 199

Standards for Security Categorization of Federal Information and Information Systems. Section 3

"Security Categorization

" states

"The first step in the security categorization process is to identify the information types processed

stored

or transmitted by the information system." This process is directly tied to determining the value and sensitivity of the information asset to establish a security category.

3. Purdue University

Information Security Risk Management (CS 52600) Courseware. The risk management lifecycle taught in this program begins with "Asset Identification and Valuation

" establishing it as the prerequisite step before threat analysis or vulnerability assessment. This is a standard model in academic cybersecurity curricula.

Q: 10

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

Options

Discussion

Avery U. Feb 11, 2026 8:19 pm

B . APIs are how SOAR actually connects and automates between different vendors. Not 100 percent but that's what I'd pick.

Sofia T. Feb 25, 2026 8:43 am

B . APIs actually let SOAR automate stuff between lots of vendors, not just share data like threat feeds do.

Skyler R. Feb 27, 2026 8:28 pm

Option B. saw a similar question in practice sets and APIs were always the right pick for automation.

Daniel P. Feb 23, 2026 12:06 am

Option B

Noah B. Feb 16, 2026 4:44 am

B here. APIs are what let SOAR actually carry out automated actions across all those different vendor tools, not just exchange info like STIX/TAXII. Pretty sure that's what CompTIA wants. Correct me if I missed something.

Olivia Feb 26, 2026 8:07 am

B not A. APIs let SOAR actually automate actions, while STIX/TAXII is more about threat intel sharing, which trips people up. Seen this mix-up on other practice questions too.

Olivia B. Feb 11, 2026 12:39 pm

A looks right to me, since STIX/TAXII is used for exchanging info between vendors. I know APIs can automate tasks but STIX/TAXII is what I've always seen for cross-platform stuff. Pretty sure that's where they're going, unless I'm missing some nuance. Disagree?

LukeI Feb 21, 2026 2:43 am

Its B, APIs. That’s the main way SOAR platforms actually automate actions with different vendors, not just pull in threat intel. Seen similar stuff on official practice exams. If anyone’s got another take, let me know.

Mason U. Feb 15, 2026 4:19 pm

A , since if the platforms only support STIX/TAXII sharing then APIs aren't always enough.

Noah T. Feb 19, 2026 10:47 am

B , APIs are what actually let SOAR automate things with multiple vendors, not threat feeds like D.

Be respectful. No spam.

Correct Answer:

Explanation

Security Orchestration, Automation, and Response (SOAR) platforms are designed to integrate disparate security tools and automate workflows. The primary mechanism for enabling a SOAR platform to communicate with, command, and control tools from different vendors is through Application Programming Interfaces (APIs). APIs provide a standardized programmatic interface that allows the SOAR solution to send instructions (e.g., "block this IP on the firewall," "isolate this endpoint with the EDR") and retrieve data from various security products, thereby orchestrating actions across the entire security stack.

Why Incorrect

A. STIX/TAXII: These are standards for formatting and transporting threat intelligence data, not for executing commands or actions on security platforms.

C. Data enrichment: This is a process where a SOAR platform augments initial alert data with more context; it is a function, not the technology used for cross-platform control.

D. Threat feed: A threat feed is a source of threat intelligence data that a SOAR platform consumes. It does not provide the mechanism to automate actions on other tools.

References

1. National Institute of Standards and Technology (NIST). (2022). Security Orchestration

Automation

and Response (SOAR) and the Security Operations Center (SOC) (NISTIR 8362). In Section 2.2

"SOAR Capabilities

" the document states

"SOAR platforms integrate with other security tools and systems through APIs... This integration allows the SOAR platform to collect data from and send commands to the other tools."

2. Carnegie Mellon University Software Engineering Institute (SEI). (2019). A Look at SOAR (Security Orchestration

Automation

and Response). The publication notes that a key feature of SOAR is its ability to "integrate with other security tools through application programming interfaces (APIs)." This integration is what enables the orchestration and automation of security tasks.

3. SANS Institute. (2019). SOAR: A Practitioner's Guide to Security Orchestration

Automation

and Response. This guide explains that the core of SOAR's integration capability relies on APIs

referring to them as the "connective tissue" that allows the SOAR platform to interact with and control a diverse set of security tools for automated response actions. (p. 5).

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE