CS0-003 · Syllabus & Exam Outline 2026
CompTIA CySA+ (CS0-003)
In short
The CompTIA CySA+ (CS0-003) exam has up to 85 questions in 165 minutes and a fixed passing score of 750 out of 900. It covers security operations, vulnerability management, incident response and management, and reporting and communication. It costs $425. Free practice questions and a full study plan are below.
Practice deck · one-time $4.99
Unlock 1,000+ CompTIA CySA+ (CS0-003) active-recall practice cards
Lifetime access to the full deck, with free updates — on web and in the app. Make it yours: add your own sources and edit any card.
- Lifetime access
- Free updates
- Web + mobile app
- Fully editable
- Questions
- Maximum of 85
- Time limit
- 165 minutes
- Passing score
- 750 (on a scale of 100-900)
- Cost
- $425 USD
- Format
- Multiple-choice · performance-based
- Delivery
- Pearson VUE (in-person testing center or online testing)
- Prep time
- ~120 hours
Exam overview
The CompTIA Cybersecurity Analyst (CySA+) CS0-003 certification exam assesses a candidate's ability to proactively defend and continuously improve the security posture of an organization. This intermediate-level exam validates that you possess the hands-on skills necessary to capture, monitor, and respond to network traffic findings, understand software and operational vulnerabilities, and execute incident response, threat hunting, and IT regulatory compliance activities. Earning the CySA+ certification demonstrates to employers that you can leverage modern intelligence and threat detection techniques to identify vulnerabilities and mitigate risks before they result in catastrophic breaches. It covers four major domains: Security Operations, Vulnerability Management, Incident Response and Management, and Reporting and Communication. Preparing for the CS0-003 exam requires a structured approach to studying a vast amount of technical information. To make this manageable, Only Ever maps every domain to 15-minute study topics, allowing you to master complex concepts like CVSS scoring, SIEM queries, and attack methodology frameworks in short, focused learning sessions.
Exam domains & weighting
Each domain's share of the exam — study deepest where the weight is highest. Open one for how to study it and its objectives.
How to study this domain
This is the most heavily weighted domain, so dedicate significant time to understanding network and host-based malicious indicators. Practice analyzing packet captures using tools like Wireshark and TCPDump, and familiarize yourself with SIEM and SOAR platforms. Ensure you can differentiate between various threat actors and their tactics, techniques, and procedures (TTPs).
Key objectives
- Log Ingestion and OS Concepts
- Infrastructure and Network Architecture
- Identity, Access, Encryption, and Sensitive Data
- Network-Related Malicious Indicators
- Host, Application, and Other Indicators
- Tools for Malicious Activity Detection
- Detection Techniques and Scripting
- Threat Actors and TTPs
- Threat Intelligence Collection and Sharing
- Threat Hunting Concepts
- Efficiency and Process Improvement
Readiness self-check
Tick off everything you can confidently explain. Anything left unchecked is your study list — tap “Review” to jump straight into that domain.
Quick reference
Essential Cybersecurity Acronyms
Common acronyms drawn directly from the official CompTIA CySA+ CS0-003 exam objectives.
- APT
- Advanced Persistent ThreatA stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a network.
- CASB
- Cloud Access Security BrokerSoftware or hardware that sits between cloud service users and cloud applications.
- CVSS
- Common Vulnerability Scoring SystemAn industry standard for assessing the severity of computer system security vulnerabilities.
- EDR
- Endpoint Detection and ResponseCybersecurity technology that continually monitors an endpoint to mitigate malicious threats.
- IoC
- Indicators of CompromiseEvidence on a computer or network that indicates a security breach.
- SIEM
- Security Information and Event ManagementSoftware products and services combining security information management and security event management.
- SOAR
- Security Orchestration, Automation, and ResponseTechnologies that enable organizations to collect inputs monitored by the security operations team.
- TTP
- Tactics, Techniques, and ProceduresThe behavior of a threat actor, utilized heavily in threat intelligence frameworks.
Recommended Lab Hardware & Software
Sample tools and environments suggested by CompTIA to practice CySA+ concepts.
Kali Linux
A Linux-based OS designed for digital forensics and penetration testing.
Commando VM
A fully customizable Windows-based penetration testing virtual machine environment.
Metasploitable
An intentionally vulnerable Linux virtual machine used to practice exploiting security flaws.
Wireshark & TCPDump
Packet capture and protocol analysis tools critical for spotting malicious network traffic.
OpenVAS & Nessus
Vulnerability scanners used to map asset exposures across environments.
Frequently asked questions
Good to know
- The exam includes performance-based questions (PBQs) that require candidates to solve problems in simulated environments.
- The exam emphasizes 4 years of recommended hands-on experience as an incident response analyst or SOC analyst.
- CompTIA frequently reviews exam content; bulleted examples in the syllabus are not exhaustive, meaning related technologies may appear on the actual test.
- Use of unauthorized third-party training sites ('brain dumps') is strictly prohibited and can result in certification revocation.
Reading isn’t remembering.
Preparing for the CySA+ exam requires mastering complex incident response processes, threat hunting, and continuous security monitoring, which can be overwhelming to synthesize.
Only Ever breaks down the official CompTIA CySA+ syllabus into 15-minute, highly focused study sessions. Our content maps directly to the CS0-003 exam objectives to ensure maximum retention and test readiness.