Correct Answers (Verified Answers) Plus Rationales 2026 Q&A | Instant Download Pdf
1. Which of the following BEST describes the purpose of threat hunting in a cybersecurity environment?
A. Automating vulnerability patching
B. Proactively searching for indicators of compromise
C. Performing routine system backups
D. Documenting security policies
Threat hunting involves proactively searching for threats or indicators of compromise that may bypass traditional security measures. It is not about patching, backups, or policy documentation.
2. A security analyst notices unusual outbound traffic on TCP port 3389. Which protocol is MOST likely being used?
A. FTP
B. SSH
C. RDP
D. DNS
TCP port 3389 is used by the Remote Desktop Protocol (RDP). Unusual activity on this port could indicate unauthorized remote access.
3. What is the PRIMARY purpose of implementing network segmentation?
A. Increase network speed
B. Limit the lateral movement of attackers
C. Reduce hardware costs
D. Simplify network management
Network segmentation divides a network into separate zones to contain breaches and limit lateral movement by attackers.
4. Which of the following is a common method for detecting malware behavior in a sandbox environment?
A. Signature-based detection
B. Dynamic analysis
C. Manual code review
D. Firewall logging
Dynamic analysis observes how malware behaves in a controlled sandbox, unlike signature-based detection or static code review.
5. A security analyst receives an alert that a user account is attempting multiple failed logins. Which type of attack is MOST likely occurring?
A. Phishing
B. Brute force attack
C. Denial-of-service
D. Man-in-the-middle
Multiple failed login attempts are indicative of a brute force attack, where an attacker tries many password combinations to gain access.
6. What BEST describes the purpose of a SIEM system?
A. Backing up sensitive data
B. Aggregating, analyzing, and correlating security logs
C. Enforcing endpoint security policies
D. Scanning for malware signatures
A Security Information and Event Management (SIEM) system centralizes log data, correlates events, and generates alerts for security incidents.
7. Which of the following is an example of a false positive in intrusion detection?
A. An alert for a real malware infection
B. An alert triggered by legitimate traffic
C. A missed alert for a network attack
D. A corrupted log file
A false positive occurs when a security system flags legitimate activity as malicious, generating an unnecessary alert.
8. During an incident response, which phase involves identifying and containing the threat?
A. Recovery
B. Containment
C. Lessons learned
D. Preparation
Containment focuses on stopping the threat from spreading and minimizing the impact on systems.
9. A security team wants to monitor changes to critical files on servers. Which tool is MOST appropriate?
A. Firewall
B. File integrity monitoring (FIM) software
C. Vulnerability scanner
D. Network sniffer
File integrity monitoring software tracks changes to critical files to detect unauthorized modifications.
10. Which attack involves sending a large volume of traffic to exhaust a system’s resources?
A. Phishing