dc dotCreds
CompTIA Cybersecurity Analyst

CySA+ Practice Test

Start today's 10-question CySA+ set with source-backed explanations, local progress, and a fresh rotation every morning.

10 Free Daily Questions Source-backed Explanations 150 Verified Questions

Questions updated at Jul 10, 2026, 12:01 AM CDT

Guided Course Included Learn CySA+ step by step. Structured lessons, progress tracking, practice questions, and per-exam Course Notes covering every section in this bank.
Step-by-step lessons Per-exam Course Notes All sections included Practice tied to the same bank
CySA+ icon

CySA+

CompTIA Cybersecurity Analyst

Why this page works

  • Daily exam-aligned questions
  • Source links on every explanation
  • Local progress saved automatically
  • Email sync path ready for later
  • Apps provide deeper drills when available
One-time unlock

Unlock the full CS0-003 bank

150 verified exam-style questions $4.99 one-time No subscription Secure checkout Instant unlock

Get the complete source-backed bank with correct-answer explanations, distractor breakdowns, saved review, full Course Mode, and per-exam Course Notes.

Instant unlock • Secure checkout • No subscription

Exam Mode Practice Mode Course Mode Course Notes Weak-area review Previous scores Source links Every choice explained No ads
See bundle and PDF options Already Pro? Open dashboard

Includes full Course Mode and Course Notes. We will confirm your site email in one quick checkout step.

Why DotCreds?

Practice with explanations that teach.

Source links for every answer Every wrong answer explained Guided Course included Practice and Exam Mode Weak-area tracking Same verified bank across web practice
Today's 10 CySA+ questions

Use this CySA+ practice test to review CompTIA Cybersecurity Analyst. Questions rotate daily and each explanation links to the source used to validate the answer.

Today’s Set
10 questions
Rotates at 10:00 AM local time
Progress
0/10
Answered on this page
Accuracy
0%
Loading countdown…

150 verified questions are in the live bank. Free daily questions are selected from a rotating sample set. Unlock Pro to access the full question bank.

Question 1 of 10
Objective 1.7 Security Operations

A packet capture reveals an attacker exfiltrating archived files from a compromised host to an external server using a protocol distinct from Command and Control. The data is transmitted in cleartext. Which MITRE ATT&CK technique best describes this activity?

Concept tested: Security Operations (1.7)
Question 2 of 10
Objective 1.2 Security Operations

Following a suspected security breach, an analyst needs to trace the attacker's actions across multiple systems. Why are comprehensive security logs essential for this investigation?

Concept tested: Security Operations (1.2)
Question 3 of 10
Objective 1.15 Security Operations

A security team is implementing protective controls to mitigate risks to critical business applications. To limit access to authorized users and approved actions, what activity should they prioritize?

Concept tested: Security Operations (1.15)
Question 4 of 10
Objective 1.8 Security Operations

A threat report says an adversary attempted to make services unavailable and interfere with normal business operations after gaining access. Which MITRE ATT&CK tactic describes this phase of activity?

Concept tested: Security Operations (1.8)
Question 5 of 10
Objective 1.11 Security Operations

A SOC analyst is parsing authentication logs with Python and needs each regular-expression match returned as a match object with position details. Which re module function should the analyst use?

Concept tested: Security Operations (1.11)
Question 6 of 10
Objective 1.6 Security Operations

A security analyst is tracking upcoming changes to cryptographic guidance and wants to review proposed NIST publications before their final release. Which publication category should the analyst monitor?

Concept tested: Security Operations (1.6)
Question 7 of 10
Objective 1.10 Security Operations

An analyst opens a packet capture after a suspected compromise and needs to review traffic details that may explain a security event. What is a security-focused use of Wireshark in this situation?

Concept tested: Security Operations (1.10)
Question 8 of 10
Objective 1.17 Security Operations

An analyst is triaging endpoint alerts, DNS queries, and authentication events after users report suspicious pop-ups and account lockouts. What should the analyst focus on first?

Concept tested: Security Operations (1.17)
Question 9 of 10
Objective 1.13 Security Operations

A Security Operations Center (SOC) requires threat intelligence feeds that security tools can consume quickly and efficiently without manual intervention. The team also needs the feeds to include recommended protective actions associated with each indicator. Which capability best supports this requirement?

Concept tested: Security Operations (1.13)
Question 10 of 10
Objective 1.16 Security Operations

A SOC is adding a capability that lets analysts search for suspicious behavior before an alert fires and enrich detections with external indicators and adversary tradecraft. What operational benefit should the team expect?

Concept tested: Security Operations (1.16)
Locked preview

You are viewing today’s free 10. Unlock 140 more questions.

Unlock full bank
Daily sample Rotating practice Free daily questions are selected from a rotating sample set.
Pro bank Full access Unlock Pro to access the full question bank, Exam Mode, Practice Mode, and random tests.
CS0-003 Pro $4.99 one-time

Pro mode for this exam includes the full bank, Practice Mode, Exam Mode, full Course Mode, and Course Notes.

50 Exam Practice Test $1.99 one-time

A 50-question CS0-003 PDF for short review sessions. Questions come first, then the answer review and explanations later in the file.

Cybersecurity Access Bundle $6.99/month

Unlock Pro mode across security, defensive analysis, and network security practice.

Pro mode forSecurity+, CySA+, Certified Ethical Hacker, CCNA

Choose an unlock option to continue. We will confirm your site email in one quick checkout step.

Secure checkout powered by Stripe. Source-backed questions. Not brain dumps. Checkout stays on this page and unlocks the same Pro builder on this practice page.

Purchase options

Unlock the full CS0-003 bank. No ads.

Get the full bank, Exam Mode, Practice Mode, question sets, random tests, readiness tracking, saved box scores, and review tools for this exam.

The PDF versions keep questions first and move the answer review, explanations, and distractor notes to the back of the file.

150 verified exam-style questions Every choice explained Exam Mode and Practice Mode Question sets and random tests Readiness score and trends Previous test box scores

You've answered 0/10 questions in today's set.

Locked: 140 more questions in the full bank.

Locked: exam simulation mode, practice mode, readiness tracking, and saved review history.

Checkout stays on this page, so you can keep practicing, unlock the full bank, and start Exam Mode or Practice Mode when you are ready.

No ads

7-day score keeper

Answer questions today and this will become a rolling 7-day scorecard.

Local history
Optional progress sync

Keep today’s practice moving

Guest progress saves automatically on this device. Add an email later when you want a magic link that keeps your daily CS0-003 practice in sync across browsers.

Guest progress saves on this device automatically

Guest progress is available without an account.

Official exam resources

Use these official CompTIA resources alongside the daily practice set. They cover the provider's own exam page, study guide, or prep material.

Need adjacent CompTIA practice pages too? CompTIA practice hub.

Source-backed answer review

The free daily CySA+ set includes crawlable question text, answer choices, correct answer labels, objective mapping, and source links. Only the first SEO card includes answer explanations. Pro-only bank questions stay locked; this section mirrors only the 10 free daily questions already shown on this page.

Question 1 A packet capture reveals an attacker exfiltrating archived files from a compromised host to an external server using a protocol distinct from Command and Control. The data is transmitted in cleartext. Which MITRE ATT&CK technique best describes this activity?

Answer choices

  1. A. Exfiltration Over Unencrypted Non-C2 Protocol
  2. B. Encrypted Data Transfer for Security Purposes
  3. C. Symmetric Encryption in Network Communication
  4. D. Asymmetric Key Exchange Mechanism

Correct answer

Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over Unencrypted Non-C2 Protocol describes data leaving the victim environment through a non-C2 protocol without encryption. The scenario identifies outbound file transfer, separation from C2, and cleartext content, which point to that exfiltration technique.

Wrong-answer review

  • B. Encrypted Data Transfer for Security Purposes: Encrypted data transfer contradicts the cleartext packet capture described in the scenario.
  • C. Symmetric Encryption in Network Communication: Symmetric encryption is a shared-key protection method, but the traffic is readable in cleartext.
  • D. Asymmetric Key Exchange Mechanism: Asymmetric key exchange relates to public-key cryptography, not an unencrypted data theft channel.

Objective/domain: Security Operations (1.7)

Source: MITRE ATT&CK Exfiltration tactic

Question 2 Following a suspected security breach, an analyst needs to trace the attacker's actions across multiple systems. Why are comprehensive security logs essential for this investigation?

Answer choices

  1. A. They provide detailed records for forensic analysis
  2. B. They automatically rewrite security policies after each event
  3. C. They optimize database query performance
  4. D. They grant users the access needed for remediation

Correct answer

They provide detailed records for forensic analysis

Objective/domain: Security Operations (1.2)

Source: NIST SP 800-92: Guide to Computer Security Log Management

Question 3 A security team is implementing protective controls to mitigate risks to critical business applications. To limit access to authorized users and approved actions, what activity should they prioritize?

Answer choices

  1. A. Governance and risk management practices
  2. B. Identifying potential vulnerabilities only
  3. C. Implementing strict access controls
  4. D. Monitoring systems without intervention

Correct answer

Implementing strict access controls

Objective/domain: Security Operations (1.15)

Source: NIST Cybersecurity Framework

Question 4 A threat report says an adversary attempted to make services unavailable and interfere with normal business operations after gaining access. Which MITRE ATT&CK tactic describes this phase of activity?

Answer choices

  1. A. Techniques used only for initial reconnaissance before any access occurs
  2. B. Techniques that define employee security awareness training schedules
  3. C. Techniques limited to vendor contract reviews and purchasing approvals
  4. D. Techniques that adversaries use to disrupt availability or manipulate business and operational processes

Correct answer

Techniques that adversaries use to disrupt availability or manipulate business and operational processes

Objective/domain: Security Operations (1.8)

Source: MITRE ATT&CK Impact tactic

Question 5 A SOC analyst is parsing authentication logs with Python and needs each regular-expression match returned as a match object with position details. Which re module function should the analyst use?

Answer choices

  1. A. re.match()
  2. B. re.finditer()
  3. C. re.compile()
  4. D. re.cache_patterns()

Correct answer

re.finditer()

Objective/domain: Security Operations (1.11)

Source: Python regular expression operations

Question 6 A security analyst is tracking upcoming changes to cryptographic guidance and wants to review proposed NIST publications before their final release. Which publication category should the analyst monitor?

Answer choices

  1. A. FIPS
  2. B. CSWP
  3. C. ITL Bulletins
  4. D. Drafts for Public Comment

Correct answer

Drafts for Public Comment

Objective/domain: Security Operations (1.6)

Source: NIST cryptographic standards and guidelines

Question 7 An analyst opens a packet capture after a suspected compromise and needs to review traffic details that may explain a security event. What is a security-focused use of Wireshark in this situation?

Answer choices

  1. A. To troubleshoot network problems
  2. B. To debug protocol implementations
  3. C. To verify network applications
  4. D. To examine security problems

Correct answer

To examine security problems

Objective/domain: Security Operations (1.10)

Source: Wireshark User's Guide: Introduction

Question 8 An analyst is triaging endpoint alerts, DNS queries, and authentication events after users report suspicious pop-ups and account lockouts. What should the analyst focus on first?

Answer choices

  1. A. Replace stakeholder reporting with raw screenshots
  2. B. Ignore security operations after the system is deployed
  3. C. Identify malicious activity using appropriate tools
  4. D. Assign identical business impact to every affected asset

Correct answer

Identify malicious activity using appropriate tools

Objective/domain: Security Operations (1.17)

Source: CompTIA CySA+ certification

Question 9 A Security Operations Center (SOC) requires threat intelligence feeds that security tools can consume quickly and efficiently without manual intervention. The team also needs the feeds to include recommended protective actions associated with each indicator. Which capability best supports this requirement?

Answer choices

  1. A. Providing detailed training on incident response procedures
  2. B. Enabling real-time sharing of machine-readable cyber threat indicators and defensive measures
  3. C. Implementing advanced encryption standards across all devices
  4. D. Conducting regular penetration testing to identify vulnerabilities

Correct answer

Enabling real-time sharing of machine-readable cyber threat indicators and defensive measures

Objective/domain: Security Operations (1.13)

Source: CISA Automated Indicator Sharing

Question 10 A SOC is adding a capability that lets analysts search for suspicious behavior before an alert fires and enrich detections with external indicators and adversary tradecraft. What operational benefit should the team expect?

Answer choices

  1. A. Reduced need for incident response training
  2. B. Enhanced threat intelligence and hunting capabilities
  3. C. Increased complexity in vulnerability management
  4. D. Decreased effectiveness of analyst communication

Correct answer

Enhanced threat intelligence and hunting capabilities

Objective/domain: Security Operations (1.16)

Source: CompTIA CySA+ certification

Where to go after the daily web set

How are CySA+ questions generated?

dotCreds builds CySA+ practice questions from public exam objectives and CompTIA exam objectives and source-backed references. The questions are written for realistic study practice, not copied from exam dumps.

How are explanations sourced?

Each question includes an explanation and, when available, a source link back to the provider documentation or reference used to validate the answer. That keeps the practice tied to study material you can actually review.

What score do I get?

The page tracks today's answered count and accuracy for the 10-question daily set, then saves a 7-day score history on this device so you can see your recent practice trend.

Why use this site?

The site is the fastest way to start CySA+ practice without installing anything. It is built for daily recall, quick weak-topic discovery, and source-backed explanations you can review immediately.

Why use the app when available?

The web page is the quick daily practice layer. If a dotCreds app is available for CySA+, the app is better for larger banks, focused weak-domain drills, longer review sessions, and mobile study routines.