COMPTIA CYSA+ – PRACTICE QUESTIONS AND CORRECT ANSWERS (VERIFIED ANSWERS) PLUS
RATIONALES 2026 Q&A | INSTANT DOWNLOAD PDF.
Core Domains
- Threat and Vulnerability Management
- Software and Systems Security
- Compliance and Assessment
- Security Operations and Monitoring
- Incident Response
- Identity and Access Management
- Network Security and Infrastructure
- Data Privacy and Protection
- Cloud and Hybrid Security
Introduction
The CompTIA CySA+ assessment is designed to validate the knowledge and technical skills required to
proactively monitor, detect, and respond to cybersecurity threats and vulnerabilities. This exam emphasizes the
application of behavioral analytics to networks and devices to identify and counter security risks before they
result in a breach. The structure consists of multiple-choice and complex scenario-based questions that
simulate real-world environments. Candidates are evaluated on their ability to perform data analysis, interpret
results, and implement effective security solutions. Success requires high-level critical thinking, ethical
judgment, and a deep understanding of regulatory compliance in a modern enterprise landscape.
1. An analyst is reviewing a vulnerability scan report and notices a high-severity vulnerability on a legacy
server that cannot be patched due to application compatibility issues. Which of the following is the best
course of action?
A. Accept the risk and document it in the risk register.
B. Implement a compensating control, such as an isolated VLAN.
C. Ignore the vulnerability as the server is legacy.
D. Immediately decommission the server without notice.
🟢 B. Implement a compensating control, such as an isolated VLAN.
🔴 RATIONALE: Compensating controls allow for risk mitigation when a primary control, like patching, cannot
be applied due to technical constraints.
2. Which of the following best describes the "Diamond Model" of intrusion analysis?
A. A framework for calculating the financial impact of a breach.
B. A methodology for tracking the steps an attacker takes during an exploit.
C. A model relating adversary, infrastructure, capability, and victim.
D. A hierarchical structure for organizing a Security Operations Center.
🟢 C. A model relating adversary, infrastructure, capability, and victim.
🔴 RATIONALE: The Diamond Model focuses on the relationships between these four core features to
understand the context of an intrusion.
3. During an incident response, an analyst captures a suspicious file and wants to determine its behavior
without risking the host system. Which tool is most appropriate?
A. Wireshark
B. Nmap
C. Cuckoo Sandbox
D. Nessus
🟢 C. Cuckoo Sandbox
🔴 RATIONALE: A sandbox environment allows for the execution of suspicious files in an isolated environment
to observe their behavior safely.
4. A security analyst receives an alert regarding a spike in DNS traffic to a known malicious domain. Which
type of attack is most likely occurring?
A. SQL Injection
B. Command and Control (C2) communication
C. Cross-Site Scripting (XSS)
D. ARP Spoofing
🟢 B. Command and Control (C2) communication
🔴 RATIONALE: Malware often uses DNS to beacon out to a C2 server to receive instructions or exfiltrate
data.
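The beaconing behaviour described in this rationale can be spotted in DNS query logs by looking for a client that keeps resolving the same domain at near-constant intervals. The following is an added example (not part of the question set): the log format, the denylist entry `bad-c2.example` and the thresholds are assumptions, and the log lines are constructed.

```python
"""Spot DNS beaconing to a C2 domain in a constructed DNS query log.

Added example, not from the CySA+ question set. The "timestamp client qname"
log format, the denylisted domain and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). One client polls a C2 domain
# roughly every 60 seconds while normal browsing goes on around it.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 www.example.com
2024-03-01T10:00:02 10.0.0.5 cdn.example.net
2024-03-01T10:00:05 10.0.0.5 update.bad-c2.example
2024-03-01T10:01:05 10.0.0.5 update.bad-c2.example
2024-03-01T10:01:30 10.0.0.7 mail.example.com
2024-03-01T10:02:05 10.0.0.5 update.bad-c2.example
2024-03-01T10:03:04 10.0.0.5 update.bad-c2.example
2024-03-01T10:03:20 10.0.0.7 www.example.com
2024-03-01T10:04:06 10.0.0.5 update.bad-c2.example
2024-03-01T10:05:05 10.0.0.5 update.bad-c2.example
"""

# Assumed threat-intel denylist (hypothetical domain).
KNOWN_MALICIOUS = {"bad-c2.example"}


def parse_log(text):
    """Yield (timestamp, client, qname) tuples from the line-oriented log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def registered_domain(qname):
    """Crude eTLD+1 (last two labels). Production code should use a
    public-suffix list so that e.g. host.example.co.uk is handled."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_beacons(text, min_queries=5, max_cv=0.2):
    """Return alerts for (client, domain) pairs that look like C2 beacons.

    A pair is flagged when the domain is denylisted, or when the client
    queried it at least `min_queries` times with near-constant spacing
    (coefficient of variation of the inter-query gaps <= `max_cv`).
    """
    series = defaultdict(list)
    for ts, client, qname in parse_log(text):
        series[(client, registered_domain(qname))].append(ts)

    alerts = []
    for (client, domain), stamps in series.items():
        stamps.sort()
        reasons = []
        if domain in KNOWN_MALICIOUS:
            reasons.append("denylisted domain")
        if len(stamps) >= min_queries:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg else 0.0
            if cv <= max_cv:
                reasons.append(
                    f"periodic: {len(stamps)} queries ~{avg:.0f}s apart (cv={cv:.2f})"
                )
        if reasons:
            alerts.append({"client": client, "domain": domain, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```

The periodicity check matters because the denylist only catches domains already known; a previously unseen domain queried every 60 seconds, with only slight jitter, from a single host is still worth an analyst's attention. Real beacons add random jitter, so the `max_cv` threshold is a tuning knob rather than a fixed value.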
5. Which regulatory framework is specifically focused on the protection of electronic protected health
information (ePHI) in the United States?
A. GDPR
B. PCI DSS
C. HIPAA
D. SOX
🟢 C. HIPAA
🔴 RATIONALE: The Health Insurance Portability and Accountability Act (HIPAA) mandates security and
privacy standards for health information.
6. An organization wants to move its infrastructure to the cloud but must ensure that data from different
customers is logically separated. Which concept describes this?
A. Multi-tenancy
B. Serverless computing
C. Infrastructure as Code
D. Resource pooling
🟢 A. Multi-tenancy
🔴 RATIONALE: Multi-tenancy involves serving multiple customers from the same infrastructure while ensuring
data isolation and privacy.
7. While reviewing logs, an analyst sees a series of failed login attempts for several different accounts from a
single IP address within a short timeframe. What is this an example of?
A. Brute-force attack
B. Password spraying
C. Credential stuffing
D. Rainbow table attack
🟢 B. Password spraying
🔴 RATIONALE: Password spraying tries a small number of common passwords against many different accounts,
keeping the attempts per account below the lockout threshold. A brute-force attack is the inverse (many
passwords against one account), and credential stuffing replays username/password pairs leaked from another
breach rather than guessing.
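The pattern in this question (many accounts, one source, few attempts each) is distinguishable from brute force by counting distinct usernames and failures per username per source IP. The block below is an added example, not part of the question set: it assumes OpenSSH-style "Failed password" lines and a lockout threshold of five, and the log lines are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).

```python
"""Classify failed-login bursts per source IP as spraying or brute force.

Added example, not from the CySA+ question set. The OpenSSH-style log
format, the lockout threshold and the minimum-accounts value are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (not real data). 203.0.113.9 tries six accounts
# once each; 198.51.100.4 hammers root; 192.0.2.10 is a normal login.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 srv sshd[101]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Mar  1 10:00:03 srv sshd[102]: Failed password for bob from 203.0.113.9 port 5002 ssh2
Mar  1 10:00:05 srv sshd[103]: Failed password for carol from 203.0.113.9 port 5003 ssh2
Mar  1 10:00:07 srv sshd[104]: Failed password for dave from 203.0.113.9 port 5004 ssh2
Mar  1 10:00:09 srv sshd[105]: Failed password for erin from 203.0.113.9 port 5005 ssh2
Mar  1 10:00:11 srv sshd[106]: Failed password for invalid user admin from 203.0.113.9 port 5006 ssh2
Mar  1 10:00:12 srv sshd[107]: Failed password for root from 198.51.100.4 port 6001 ssh2
Mar  1 10:00:13 srv sshd[108]: Failed password for root from 198.51.100.4 port 6002 ssh2
Mar  1 10:00:14 srv sshd[109]: Failed password for root from 198.51.100.4 port 6003 ssh2
Mar  1 10:00:15 srv sshd[110]: Failed password for root from 198.51.100.4 port 6004 ssh2
Mar  1 10:00:16 srv sshd[111]: Failed password for root from 198.51.100.4 port 6005 ssh2
Mar  1 10:00:17 srv sshd[112]: Failed password for root from 198.51.100.4 port 6006 ssh2
Mar  1 10:00:20 srv sshd[113]: Accepted password for alice from 192.0.2.10 port 7001 ssh2
"""

# "invalid user" appears when the account does not exist; capture the name either way.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(text):
    """Yield (source_ip, username) for every failed password attempt."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def classify_sources(text, min_users=5, lockout_threshold=5):
    """Return {ip: {"pattern", "users", "failures", "max_per_user"}}.

    password_spraying: at least `min_users` distinct accounts, none tried
        `lockout_threshold` times or more (the attacker stays under lockout).
    brute_force: some single account tried `lockout_threshold` times or more.
    below_threshold: too little activity to call either way.

    Credential stuffing looks like spraying in failure logs alone (one
    attempt per account); telling them apart needs the attempted passwords
    or a match against breach data, which this log does not contain.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in parse_failures(text):
        per_ip[ip][user] += 1

    verdicts = {}
    for ip, users in per_ip.items():
        worst = max(users.values())
        if len(users) >= min_users and worst < lockout_threshold:
            pattern = "password_spraying"
        elif worst >= lockout_threshold:
            pattern = "brute_force"
        else:
            pattern = "below_threshold"
        verdicts[ip] = {
            "pattern": pattern,
            "users": len(users),
            "failures": sum(users.values()),
            "max_per_user": worst,
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_AUTH_LOG).items():
        print(ip, verdict)
```

The same logic ports to Windows Event ID 4625 or an IdP's sign-in log: the fields that matter are source, target account and outcome. Because spraying is designed to stay under per-account lockout, a rule keyed on failures per account will miss it; the rule has to pivot on the source.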
8. Which of the following is the most effective way to prevent Cross-Site Request Forgery (CSRF) attacks?
A. Input validation
B. Anti-CSRF tokens
C. Web Application Firewall (WAF)
D. HTTPS encryption
🟢 B. Anti-CSRF tokens
🔴 RATIONALE: A unique, unpredictable token tied to the user's session and checked on every state-changing
request proves the request was generated by the application's own page. An attacker's cross-site page can make
the victim's browser send the session cookie, but it cannot read or forge the token.
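To make the rationale concrete, here is an added example (not from the question set) showing a synchronizer-token check beside the handler it fixes. The request and session model is a deliberately tiny stand-in for a real web framework; `SESSIONS`, `login` and the two `transfer_*` handlers are hypothetical names.

```python
"""Synchronizer-token CSRF defence: a vulnerable handler beside a hardened one.

Added example, not from the CySA+ question set. Requests are plain dicts
({"cookies": {...}, "form": {...}}) standing in for a web framework's request.
"""
import hmac
import secrets

# session_id -> session data (hypothetical in-memory session store)
SESSIONS = {}


def login(user):
    """Create a session and mint a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The legitimate page embeds the session's token as a hidden field."""
    return {"to": "", "amount": "", "csrf_token": SESSIONS[sid]["csrf_token"]}


def transfer_vulnerable(request):
    """Relies on the session cookie alone. A browser attaches that cookie
    to a form post made from *any* origin, so a forged post is accepted."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} moved {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request):
    """Same handler, but the posted token must equal the session's token.
    compare_digest is constant-time, so the check does not leak the token."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    posted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(posted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"{session['user']} moved {request['form']['amount']} to {request['form']['to']}"


def forged_request(sid):
    """What the victim's browser submits after loading an attacker's page:
    the session cookie rides along automatically, the token does not,
    because the attacker's origin cannot read the victim's page."""
    return {"cookies": {"sid": sid}, "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request(sid):
    """A post from the application's own form, token included."""
    form = render_transfer_form(sid)
    form.update({"to": "landlord", "amount": "500"})
    return {"cookies": {"sid": sid}, "form": form}


if __name__ == "__main__":
    sid = login("alice")
    print("vulnerable, forged :", transfer_vulnerable(forged_request(sid)))
    print("hardened, forged   :", transfer_hardened(forged_request(sid)))
    print("hardened, genuine  :", transfer_hardened(legitimate_request(sid)))
```

Per-session tokens are the common choice; rotating the token per request is stricter but breaks multi-tab use. `SameSite` cookie attributes are a useful second layer, but they depend on browser behaviour and do not replace the token check on the server.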
9. A company discovers that an employee has been exfiltrating sensitive data via an encrypted USB drive.
Which type of threat does this represent?