Skip to content

Tips and resources for passing CompTIA CySA+

Last week, despite numerous unplanned distractions, I successfully completed the CompTIA CySA+ CS0-002 exam and attained the certification.

This was by no means an easy exam – but it’s achievable with enough time spent on study and hands on prep.

CompTIA CySA+ sits in the Advanced category of the CompTIA IT certification roadmap and the only higher qualification is the expert CASP+.

The recommended prerequisites for CySA+ are Network+, Security+ or equivalent knowledge, with the minimum of 3-4 years of hands-on information security or related experience – this is not really the case though.

It all depends on how willing you are to self-study and how disciplined you can be. And how much of the subject matter you are already familiar with.

“Earners of the CompTIA CySA+ certification have the skills, knowledge, and ability to address security analytics, intrusion detection and response. CompTIA CySA+ analysts have demonstrated the ability to perform data analysis and interpret the results to identify vulnerabilities, threats and risks to an organization and the skills to secure and protect the systems.”

The learning resources I used:

Here are the exam objectives:

And here are my own notes I took while studying (not 100% complete due to a huge amount of content and time constraints, but perhaps 75% complete):

As mentioned above, I also went through the free Exam Topics tests. I attempted to answer the questions to the best of my knowledge and understanding, which was tricky at times.

Edit: I removed the file below to avoid ambiguity on whether CompTIA could view some of the example questions as objectionable or not. It’s better to err on the side of caution on this one.


If you want to be sure of the integrity of the above files, here are the MD5 hashes for each, in the same order:

  • da4ca9b60b98697cd827ec1556f23eaf
  • 10cc91c775368fbdd21287c87e0a2aa9
  • e20d45793b4675261f76312c07be9c02

Tips for the exam itself:

  1. The allocated time for the exam is 165 minutes – ample time to answer, correct and review every question.
  2. There will be at least 3 big practical simulation questions at the start. You will likely spend the most of your time on those. I left them until the end.
  3. The most important domains in my opinion are Security Operations & Monitoring and Threat & Vulnerability Management. This is what I spent the most time on preparing and this is what nearly 50% of all exam questions focused on.
  4. Use the fact that you can mark questions For Review and come back to them later. I began with answering questions I was absolutely sure I knew the answers to. Everything else was left for the second pass.
  5. Read the wording of the questions – over and over and over again. Many questions are several paragraphs long and are asked in a tricky way, in the context of a specific scenario – “what is NOT part of a particular model” or “what is the LEAST negative / positive consequence of event X”.
  6. Several questions addressed various aspects of reading incident logs, from firewalls and other tools. Know your stuff on reading logs.
  7. You will get some questions on utilities like nmap or anything that produces a command line output. Spend some time practising hands on with those. On both Windows and Linux.
  8. I came across some general questions about various tools and what they do (or don’t do) – from Wireshark to some less popular like Qualys or Prowler. Have at least a high level understanding of what these tools are for.
  9. Review the well known and the registered ports, even though this might seem like a Network+ domain. You will be asked indirectly about ports and services used by them.
  10. If in doubt about a particular question, fall back on the compliance / risk management mindset. The more general questions that don’t have an immediately obvious answer will most likely look for measures that minimise risk, attack surface and implied threats.

If you have any specific questions, happy to answer them by email or via Twitter DM.

5 thoughts on “Tips and resources for passing CompTIA CySA+”

  1. Is the CySA+ log / CVE heavy? Am I going to be staring at PCAP captures that are blurry or something(I see this A LOT in the sybex practice tests(It’s like they screen shot a page put it in paint gave it the worst compression available then cropped it oddly and uploaded it to the test))?

Leave a Reply

Your email address will not be published. Required fields are marked *