
Prepare to pass the CompTIA CySA+ CS0-003 exam on your first attempt with hands-on labs, covering security operations, vulnerability management, incident response management, and reporting.
Master exam strategies for CySA+ by spotting red herrings, focusing on keyword cues, and selecting the book answer while using official course materials, simulations, and multiple-choice formats.
Identify security control types in vulnerability management and explore NIST SP 800-53 controls, roles of the security operations center, and methods to mitigate vulnerabilities while preserving confidentiality, integrity, and availability.
Explore the diverse roles in cybersecurity, from cybersecurity analyst to CISO, and how they defend networks, respond to incidents, and ensure regulatory compliance.
Learn how a security operations center serves as the single point of contact for security monitoring and incident response: monitoring networks, detecting indicators of compromise, and guiding threat intelligence.
Explore security control categories within a risk management framework, contrasting technical, operational, and managerial controls, and learn how defense in depth and NIST SP 800-53 guide control selection.
Select and combine security controls to cover confidentiality, integrity, and availability using a risk management framework, illustrated by encryption, digital signatures, and scalable cloud services.
Explore threat intelligence sharing in security operations, including the intelligence cycle steps, sources, and quality factors: timeliness, relevancy, accuracy, and confidence, and its dissemination to support risk management.
Explore how security intelligence and cyber threat intelligence combine to strengthen your defense. Learn to use narrative reports and data feeds to identify adversaries and indicators of compromise for protection.
Explore the five-phase security intelligence cycle—requirements, collection and processing, analysis, dissemination, and feedback—using use cases, SIEM data, and AI-driven analysis to detect threats and inform decisions.
Evaluate intelligence sources by timeliness, relevancy, accuracy, and confidence. Distinguish proprietary, closed-source, open-source, and OSINT for threat analysis.
Identify information sharing and analysis centers (ISACs) and CSIP as public-private networks that share sector-specific threat intelligence across the critical infrastructure, government, healthcare, financial, and aviation sectors.
Explore threat intelligence sharing within your organization to inform risk management, security engineering, incident response, and vulnerability management, and to tune detection and monitoring.
Classify threats as benign, malicious, known, or unknown; examine threat actors and malware economics, and explore frameworks like the cyber kill chain, MITRE ATT&CK, Diamond Model, and STIX.
Identify known and unknown threats, including malware, documented exploits, zero-day exploits, obfuscated code, and signature-based and behavior-based detection, applying the Johari Window to classify threats and improve defenses.
Identify threat actors, from script kiddies to nation-state actors, and understand their motives, capabilities, and attack stages, including social profiling, phishing, network discovery, exploitation, and lateral movement.
Explore three malware types: commodity malware, zero-day malware, and command and control, while examining APTs, persistence, and target selection to assess incident severity.
Explore how reputational threat data, IOCs, and behavioral threat research enable threat detection and hunting. Identify IOCs, IOAs, and TTPs like C2, port hopping, fast flux DNS, and data exfiltration.
Explore the kill chain, MITRE ATT&CK, and the Diamond Model of intrusion analysis to map attacker stages—reconnaissance, weaponization, delivery, exploitation, installation, C2, and actions on objectives.
Learn how STIX, TAXII, OpenIOC, and MISP enable automated threat intelligence sharing, with STIX in JSON and SDOs like observed data, indicators, and campaigns.
Explore threat hunting across security operations and vulnerability management by evaluating adversary capability, total attack surface, attack vector, impact, and likelihood, plus open-source intelligence sources, AbuseIPDB, and bug bounties.
Perform threat modeling by evaluating adversary capability, attack surface, and attack vectors from inside-out and outside-in to assess likelihood and impact of risks and guide mitigations.
Threat hunting is a proactive cybersecurity technique that detects threats missed by normal monitoring. It analyzes data across hosts and the SIEM, using threat intelligence to profile adversaries and improve detection.
Explore open source intelligence (OSINT) and its publicly available data, including social media, HTML code, and metadata. Understand how attackers use OSINT for reconnaissance and social engineering to gather information.
Explore Google hacking as an open source intelligence technique using Google search operators such as quotes, NOT, AND, OR, scope, and URL modifiers; learn GHDB dorks and Shodan for identifying vulnerable devices.
Explore profiling techniques that identify who works at a company through OSINT, email harvesting, and social media, revealing email formats and possible social engineering targets.
Explore DNS harvesting and web harvesting techniques, including whois data, DNS zone transfers, and website copying for reconnaissance and open-source intelligence gathering.
Use AbuseIPDB, a community-driven database of abusive IPs, to monitor threats, block malicious traffic, and reduce phishing and DDoS risks, combining it with other security measures.
Explore the deep web and the dark web, define their roles, and show how cybersecurity professionals use them for threat intelligence and monitoring of stolen data to protect enterprise networks.
Discover how bug bounty programs crowdsource security testing by offering financial rewards to ethical hackers who identify and report vulnerabilities within defined scope and guidelines.
Explore network forensics in Domain 1 security operations, using tcpdump and Wireshark to perform flow, IP, DNS, and URL analysis, and practice packet analysis to identify malicious activity.
Explore network forensic tools for monitoring indicators of compromise from packet captures, logs, alerts, and pcap data, and learn to use span ports, sniffers, tcpdump, and Wireshark.
Learn to use tcpdump to capture and filter packets, write to a pcap file, and read data for analysis, including its use with Wireshark.
Explore Wireshark to pull apart network traffic, examine frames and OSI layers, and follow streams from TCP and IP up to HTTP or FTP to understand client-server communication.
Explore flow analysis to monitor network traffic with a flow collector that records metadata rather than full packet data, enabling NetFlow, Zeek, and MRTG analytics for anomaly detection and visualization.
Analyze IP and DNS traffic to detect external hosts and C2 activity, block known-bad IPs with reputation feeds, recognize DGAs and fast flux, and use secure recursive DNS for mitigation.
Learn to perform URL analysis by examining HTTP methods, response codes, and percent encoding within sandboxed logs, identify malicious scripts, and assess redirections.
Analyze network traffic with Wireshark to capture malware beacons, correlate processes and timestamps, and identify IP addresses and indicators of compromise to block in the firewall.
Explore appliance monitoring and log analysis for security operations by reading, ingesting, and correlating logs from firewalls, proxies, and IDS/IPS to identify malicious activity and assess network threats.
Analyze firewall logs in iptables and Windows Firewall formats to assess the network security posture. Practice log collection with pfSense and learn retention strategies to avoid blinding attacks.
Explore how firewall configurations fit into a layered defense with host-based protections, implement ACLs and egress filtering, and use black holes or sinkholes for DDoS and malware mitigation.
Explore proxy logs, including forward and reverse proxies, non-transparent and transparent configurations, and common log formats, to analyze request details, status codes, and security insights.
Protect web servers and databases from SQL injection, XML injection, and cross-site scripting with a web application firewall (WAF). Log events—severity, URL parameters, HTTP methods, and rule context, such as a Nikto scan.
Configure and differentiate IDS and IPS to detect, log, and block threats using sensors and rule sets. Explore Snort, Zeek, and Security Onion as examples of IDS or IPS.
Discover how IDS and IPS logs are generated, tuned to avoid over-logging, and output to syslog, CSV, and PCAP, with Snort rule formats and real-time SIEM monitoring.
Block unauthorized ports on network appliances with port security, patch embedded systems, and use SSH via VPN for remote management; enforce ACLs, limited management interfaces, and NAC to prevent rogue devices.
Explore how network access control uses 802.1X and EAP between supplicant and authenticator to enforce health policies with posture assessment, remediation, and pre- and post-admission controls.
Learn to use Security Onion, a SIEM with Snort, Suricata, and Zeek for real-time alerts, Sguil tooling, sniffing configuration, and custom IDS rules to analyze network activity.
Explore endpoint monitoring within security operations, analyzing Windows registry, system processes, and file structures during malware attacks; apply sandboxing, EDR, allow and block lists, and perform malware analysis with tools.
Learn how endpoint analysis monitors devices—from desktops to mobile—using antivirus, host intrusion detection and prevention systems, EPP, EDR, and UEBA to detect malware techniques and anomalies.
Explore sandboxing as an isolated, secure environment in virtual machines, using tools like FLARE VM, Cuckoo, and Joe Sandbox to monitor memory dumps and system changes.
Reverse engineer malware via static analysis with disassemblers and decompilers to reveal code patterns and strings. Use sandboxing and unpacking techniques to safely analyze behavior and build robust signatures.
Examine modern malware exploitation techniques, from fileless attacks to stage-based droppers and downloaders. Learn about shellcode, code injection, anti-forensic methods, and living off the land.
Analyze behavior with Sysinternals process analysis to establish a baseline and spot suspicious processes. Examine registry and file activity, launch context, persistence, and network connections to guide threat hunting.
Learn static and dynamic malware analysis using tools like FLOSS, Autoruns, and IDA, and identify indicators of compromise and beacon-like behavior.
Tune endpoint detection and response to reduce false positives, and share malware samples via VirusTotal to improve signatures with MAEC, STIX/TAXII, and YARA for threat intelligence.
Compare block lists and allow lists for incident response, discuss their limitations, and cover configuration management, execution control, and application allowlisting with SRP, AppLocker, WDAC, Linux MAC, and risk assessment.
Analyze email headers, content, and SMTP logs to identify indicators of compromise, configure secure email servers, and apply S/MIME and digital signatures to defend against phishing campaigns.
Identify and defend against email indicators of compromise by understanding spam, phishing, pretexts, spear phishing, impersonation, and business email compromise, plus how spoofing and forward chains reveal threats.
Explore how email headers trace delivery from a mail user agent through MDA and MTA over SMTP, exposing the display from, envelope from, and received from/by fields.
Analyze email content by examining MIME payloads, distinguishing exploits from attachments, evaluating embedded links, and checking signature blocks to identify phishing indicators and malicious payloads.
Learn to implement SPF, DKIM, and DMARC on DNS records to prevent spoofing, and defend against cousin domains.
Analyze SMTP logs in a request/response format, identify fields like time, recipient, and message size, and interpret status codes such as 220 and 250 to assess delivery and spot spam.
Explore S/MIME, digital certificates, and public key cryptography to secure email through encryption, digital signatures, certificate authorities, and trusted certificate stores.
Analyze email headers to examine return path, received routes, from and date fields, and content type, identifying spoofing risks and phishing indicators.
Explore how a security information and event management system (SIEM) enhances network monitoring and detection. Learn data collection use cases, data normalization, event logs, and syslogs in security monitoring activities.
Explore how a SIEM provides real-time log analysis and event correlation to support threat hunting, incident response, and a clear evidence trail for auditors.
Learn how to configure a SIEM to collect, process, and analyze real-time security data, using use cases to focus on relevant events and reduce false positives and negatives.
Normalize data from hosts, networks, and sensors for SIEM analysis by parsing and standardizing formats with connectors, and synchronize time using UTC.
Learn how Windows event logs record user and software interactions, cover five categories (application, security, system, setup, forwarded events), severities, and event details with centralized forwarding to a SIEM.
Syslog transmits logs from Windows and non-Windows hosts to a server, enabling remote logging for pfSense and other devices; TLS encrypts messages, while MD5 and SHA-1 provide authentication and integrity.
Configure a SIEM agent in Security Onion to collect and forward data to the SIEM, visualize with Kibana, and use Beats, Winlogbeat, OSSEC, and Syslog for host and network logs.
*** Taught by a Best-Selling IT Certification Instructor ***
This course provides everything you need in order to study for the CompTIA Cybersecurity Analyst+ (CySA+) (CS0-003) exam, including a downloadable Study Guide (PDF), quizzes to check your knowledge as you progress through the videos, and a full-length practice exam to test your knowledge before test day!
Taught by an expert in information technology and cybersecurity with over 20 years of experience, this course is a fun way to learn what you need to know to pass the CompTIA Cybersecurity Analyst+ (CySA+) (CS0-003) exam or to better prepare yourself to serve on your organization's cyber defense team.
The CompTIA CySA+ (Cybersecurity Analyst+) (CS0-003) certification is a vendor-neutral certification that validates your knowledge and ability to conduct intermediate-level cybersecurity skills. This certification fills the gap between the entry-level CompTIA Security+ exam (for those with about 1 year in the field) and the advanced-level CompTIA Advanced Security Practitioner (for those with at least 5 years in the field). The CompTIA CySA+ exam is focused on the technical, hands-on details of the cybersecurity field, including not only cyber threats, secure network architecture, and risk management, but also the ability to perform log analysis, configuration assessments, and more.
This CySA+ (CS0-003) course is designed for IT Security analysts, vulnerability analysts, threat intelligence analysts, or anyone who is trying to get a better understanding of the concepts involved in conducting cybersecurity analysis, including threat management, vulnerability management, cyber incident response, security architecture, and the tool sets associated with these cybersecurity efforts.
To help you practice for the CompTIA CySA+ (CS0-003) exam, this course even comes with a realistic practice exam containing 90 multiple-choice questions spread across the four domains tested by the CompTIA CySA+ (CS0-003) certification exam!
This course will provide you with full coverage of the four domains of the CySA+ (CS0-003) exam:
Security Operations (33%)
Vulnerability Management (30%)
Incident Response Management (20%)
Reporting and Communication (17%)
This course stays current and up-to-date with the latest release of the CompTIA CySA+ exam (CS0-003), and also provides a 30-day money-back guarantee if you are not satisfied with the quality of this course for any reason!
This course is brought to you by Dion Training Solutions, a CompTIA Platinum Delivery Partner, and aligns directly with the OFFICIAL CompTIA CySA+ CS0-003 Certification Study Guide.
What Other Students Are Saying About Our Courses:
Jason Dion always has some of the best courses. This is the third CySA+ course I bought from different vendors to see which one would help me more, and like always this has already caught my attention and kept me focused the entire time. Other courses have too many distracting factors, unlike this one. I will always recommend Jason Dion. (Luis, 5 stars)
Great course, very detailed. Passed the exam on the first try. I have recommended this course to everyone I know in the security industry trying to pass the CySA+ exam. (Jose D., 5 stars)
I have really enjoyed and learned a lot from this course. I used Jason's course to pass the Network+ on my first attempt; I am expecting that this course will enable me to pass the CySA+, too! (Leone W., 5 stars)
Upon completion of this course, you will earn 36 CEUs towards the renewal of your CompTIA A+, Network+, Security+, Linux+, Cloud+, PenTest+, CySA+, or CASP+ certifications.