dotCreds
CompTIA Cybersecurity Analyst

CySA+ Practice Test

Start a free 30-question CySA+ daily set with source-backed explanations, local progress, and a fresh rotation every morning.

30 daily web questions Source-backed explanations 7-day score history Questions updated at Apr 13, 2026, 4:07 PM CDT

Why this page works

  • Thirty focused questions every day
  • Source links on every explanation
  • Local progress saved automatically
  • Email sync path ready for later
  • Apps provide deeper drills when available
Today's 30 CySA+ questions

Use this CySA+ practice test to review CompTIA Cybersecurity Analyst. Questions rotate daily and each explanation links to the source used to validate the answer.

Keep today’s practice moving

Guest progress saves automatically on this device. Add an email later when you want a magic link that keeps your daily CS0-003 practice in sync across browsers.

150 verified questions are currently in the live bank. Questions updated at Apr 13, 2026, 4:07 PM CDT. The daily set rotates at 10:00 AM local time, and each explanation links back to the source used to write it. Use the web set for quick practice, then switch to the app when available for larger banks and deeper review.

Official exam resources

Use these official CompTIA resources alongside the daily practice set. They cover the provider's own exam page, study guide, or prep material.

Question 1 of 30
Objective 3.8 Incident Response Management

During an incident response, what is the importance of preserving evidence?

Concept tested: Incident Response Management

A. Incorrect: To prevent further attacks is incorrect because it does not answer this stem as directly as To support legal actions and investigations.

B. Incorrect: To reduce system downtime is incorrect because it does not answer this stem as directly as To support legal actions and investigations.

C. Incorrect: To improve user awareness is incorrect because it does not answer this stem as directly as To support legal actions and investigations.

D. Correct: To support legal actions and investigations is the correct answer because preserving evidence ensures that it can be used to reconstruct events, identify perpetrators, and support legal proceedings.

Why this matters: This matters because Incident Response Management questions test whether To support legal actions and investigations fits the scenario's constraints, not just whether the term sounds familiar.
Question 2 of 30
Objective 1.8 Security Operations

Which of the following is a consequence of data destruction on network availability?

Concept tested: Security Operations

A. Incorrect: Increased storage capacity is incorrect because it does not answer this stem as directly as Decreased system uptime.

B. Incorrect: Enhanced user experience is incorrect because it does not answer this stem as directly as Decreased system uptime.

C. Correct: Decreased system uptime is the correct answer because data destruction can interrupt availability to systems, services, and network resources.

D. Incorrect: Improved security posture is incorrect because it does not answer this stem as directly as Decreased system uptime.

Why this matters: This matters because architecture questions ask you to match availability, latency, and recovery requirements to the feature designed for that job.
Question 3 of 30
Objective 2.4 Vulnerability Management

Which OWASP project is the primary cybersecurity testing resource for web application developers?

Concept tested: Vulnerability Management

A. Correct: OWASP Web Security Testing Guide is the correct answer because the OWASP Web Security Testing Guide (WSTG) is described as the premier cybersecurity testing resource for web application developers and security professionals.

B. Incorrect: OWASP Dependency Check is incorrect because it does not answer this stem as directly as OWASP Web Security Testing Guide.

C. Incorrect: OWASP ZAP is incorrect because it does not answer this stem as directly as OWASP Web Security Testing Guide.

D. Incorrect: OWASP Juice Shop is incorrect because it does not answer this stem as directly as OWASP Web Security Testing Guide.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 4 of 30
Objective 4.2 Reporting and Communication

When preparing a cybersecurity report for governance purposes, which NIST CSF function should be emphasized to ensure compliance with organizational policies?

Concept tested: Reporting and Communication

A. Incorrect: Detect is incorrect because it does not answer this stem as directly as Govern.

B. Incorrect: Protect is incorrect because it does not answer this stem as directly as Govern.

C. Incorrect: Identify is incorrect because it does not answer this stem as directly as Govern.

D. Correct: Govern is the correct answer because the Govern function in the NIST Cybersecurity Framework is focused on establishing and communicating the organization's cybersecurity policy and ensuring that it aligns with its risk management strategy.

Why this matters: This matters because Copilot governance questions test which Purview control handles AI-specific data exposure, compliance risk, or posture.
Question 5 of 30
Objective 3.9 Incident Response Management

According to NIST SP 800-61 Rev. 2, what is a key component of an effective incident response capability?

Concept tested: Incident Response Management

A. Incorrect: Regular risk assessments is incorrect because it does not answer this stem as directly as Substantial planning and resources.

B. Correct: Substantial planning and resources is the correct answer because performing incident response effectively requires substantial planning and resources.

C. Incorrect: Continuous vulnerability management is incorrect because it does not answer this stem as directly as Substantial planning and resources.

D. Incorrect: Immediate ransomware recovery is incorrect because it does not answer this stem as directly as Substantial planning and resources.

Why this matters: This matters because Incident Response Management questions test whether Substantial planning and resources fits the scenario's constraints, not just whether the term sounds familiar.
Question 6 of 30
Objective 1.5 Security Operations

Which control family in NIST SP 800-53 Rev. 5 is responsible for ensuring that users have the minimum necessary permissions to perform their tasks?

Concept tested: Security Operations

A. Incorrect: Awareness and Training is incorrect because it does not answer this stem as directly as Access Control.

B. Correct: Access Control is the correct answer because the Access Control family ensures that users have the minimum necessary permissions, aligning with least privilege principles.

C. Incorrect: Audit and Accountability is incorrect because it does not answer this stem as directly as Access Control.

D. Incorrect: Privacy Controls is incorrect because it does not answer this stem as directly as Access Control.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 7 of 30
Objective 2.10 Vulnerability Management

What defensive control can help prevent buffer overflow attacks?

Concept tested: Vulnerability Management

A. Incorrect: Antivirus software is incorrect because it does not answer this stem as directly as Bounds checking.

B. Incorrect: Firewall rules is incorrect because it does not answer this stem as directly as Bounds checking.

C. Correct: Bounds checking is the correct answer because implementing bounds checking ensures that the size of input data does not exceed the capacity of the destination buffer, preventing overflows.

D. Incorrect: Two-factor authentication is incorrect because it does not answer this stem as directly as Bounds checking.

Why this matters: This matters because Vulnerability Management questions test whether Bounds checking fits the scenario's constraints, not just whether the term sounds familiar.
Question 8 of 30
Objective 4.1 Reporting and Communication

Which element of a compliance report is essential for identifying inhibitors to remediation?

Concept tested: Reporting and Communication

A. Incorrect: Action plans is incorrect because it does not answer this stem as directly as Remediation inhibitors.

B. Correct: Remediation inhibitors is the correct answer because inhibitors to remediation are critical elements in understanding the barriers that prevent effective remediation actions.

C. Incorrect: Metrics is incorrect because it does not answer this stem as directly as Remediation inhibitors.

D. Incorrect: Key performance indicators (KPIs) is incorrect because it does not answer this stem as directly as Remediation inhibitors.

Why this matters: This matters because Copilot governance questions test which Purview control handles AI-specific data exposure, compliance risk, or posture.
Question 9 of 30
Objective 3.3 Incident Response Management

Which OWASP project produces the premier cybersecurity testing resource for web application developers and security professionals?

Concept tested: Incident Response Management

A. Incorrect: OWASP Dependency Check is incorrect because it does not answer this stem as directly as OWASP Web Security Testing Guide.

B. Correct: OWASP Web Security Testing Guide is the correct answer because the OWASP Web Security Testing Guide is the premier cybersecurity testing resource for web application developers and security professionals.

C. Incorrect: OWASP ZAP is incorrect because it does not answer this stem as directly as OWASP Web Security Testing Guide.

D. Incorrect: OWASP Juice Shop is incorrect because it does not answer this stem as directly as OWASP Web Security Testing Guide.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 10 of 30
Objective 1.1 Security Operations

What is the primary focus of a cybersecurity analyst as defined by the CompTIA Cybersecurity Analyst (CySA+) certification?

Concept tested: Security Operations

A. Incorrect: Database administration is incorrect because it does not answer this stem as directly as Incident detection and prevention.

B. Incorrect: Software development lifecycle management is incorrect because it does not answer this stem as directly as Incident detection and prevention.

C. Correct: Incident detection and prevention is the correct answer because the CySA+ certification is designed for professionals tasked with incident detection, prevention, and response through continuous monitoring.

D. Incorrect: Network security auditing is incorrect because it does not answer this stem as directly as Incident detection and prevention.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 11 of 30
Objective 2.11 Vulnerability Management

What is a key strategy to mitigate the risk of SQL injection attacks?

Concept tested: Vulnerability Management

A. Incorrect: Disabling database logging and auditing features is incorrect because it does not answer this stem as directly as Implementing strict input validation techniques.

B. Incorrect: Using client-side JavaScript for form validation is incorrect because it does not answer this stem as directly as Implementing strict input validation techniques.

C. Correct: Implementing strict input validation techniques is the correct answer because strict input validation is crucial to mitigate SQL injection risks by ensuring that only safe values are accepted from users.

D. Incorrect: Allowing all characters in user inputs is incorrect because it does not answer this stem as directly as Implementing strict input validation techniques.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 12 of 30
Objective 4.8 Reporting and Communication

When documenting risk acceptance for a cybersecurity incident involving potential vulnerabilities, what should be included to ensure business stakeholders understand the need for compensating controls?

Concept tested: Reporting and Communication

A. Incorrect: A detailed list of all vulnerabilities identified in the network is incorrect because it does not answer this stem as directly as An explanation of why certain risks are accepted and how compensating controls will mitigate them.

B. Incorrect: A report on the current state of compliance with industry standards is incorrect because it does not answer this stem as directly as An explanation of why certain risks are accepted and how compensating controls will mitigate them.

C. Incorrect: The technical specifications of the security tools used during incident response is incorrect because it does not answer this stem as directly as An explanation of why certain risks are accepted and how compensating controls will mitigate them.

D. Correct: An explanation of why certain risks are accepted and how compensating controls will mitigate them is the correct answer because business stakeholders need to understand both the rationale for accepting certain risks and the measures in place, such as compensating controls, to manage those risks effectively.

Why this matters: This matters because Reporting and Communication questions test whether An explanation of why certain risks are accepted and how... fits the scenario's constraints, not just whether the term sounds familiar.
Question 13 of 30
Objective 3.1 Incident Response Management

Which of the following best describes the purpose of the Cyber Kill Chain® framework developed by Lockheed Martin?

Concept tested: Incident Response Management

A. Correct: To enhance visibility into an attack and enrich understanding of adversary tactics is the correct answer because the Cyber Kill Chain® framework is designed to enhance visibility into an attack and enrich an analyst’s understanding of an adversary's tactics, techniques, and procedures.

B. Incorrect: To provide a detailed playbook for attackers to follow is incorrect because it does not answer this stem as directly as To enhance visibility into an attack and enrich understanding of adversary tactics.

C. Incorrect: To serve as a legal document for cyber warfare is incorrect because it does not answer this stem as directly as To enhance visibility into an attack and enrich understanding of adversary tactics.

D. Incorrect: To replace traditional network security measures is incorrect because it does not answer this stem as directly as To enhance visibility into an attack and enrich understanding of adversary tactics.

Why this matters: This matters because Incident Response Management questions test whether To enhance visibility into an attack and enrich understanding of... fits the scenario's constraints, not just whether the term sounds familiar.
Question 14 of 30
Objective 1.3 Security Operations

Which data source would provide visibility into network traffic controlled by a firewall running on an endpoint or in the cloud?

Concept tested: Security Operations

A. Correct: DS0018 Firewall Enterprise is the correct answer because the DS0018 data source specifically refers to a firewall that monitors and controls network traffic based on predefined rules, which is relevant for visibility into controlled network traffic.

B. Incorrect: DS0001 Firmware ICS Enterprise is incorrect because it does not answer this stem as directly as DS0018 Firewall Enterprise.

C. Incorrect: DS0036 Group Enterprise is incorrect because it does not answer this stem as directly as DS0018 Firewall Enterprise.

D. Incorrect: DS0042 Network Traffic Monitoring is incorrect because it does not answer this stem as directly as DS0018 Firewall Enterprise.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 15 of 30
Objective 2.2 Vulnerability Management

Which assessment method involves examining a network from the outside without credentials to identify vulnerabilities?

Concept tested: Vulnerability Management

A. Correct: External probing without credentials is the correct answer because an external assessment involves examining a network from the outside perspective, often without using any system credentials.

B. Incorrect: Passive monitoring of internal traffic is incorrect because it does not answer this stem as directly as External probing without credentials.

C. Incorrect: Active scanning with credentials is incorrect because it does not answer this stem as directly as External probing without credentials.

D. Incorrect: Credentialed testing of external systems is incorrect because it does not answer this stem as directly as External probing without credentials.

Why this matters: This matters because Vulnerability Management questions test whether External probing without credentials fits the scenario's constraints, not just whether the term sounds familiar.
Question 16 of 30
Objective 4.3 Reporting and Communication

According to the FIRST CVSS v4.0 specification document, which committee's responsibilities include defining standards that impact how vulnerabilities are prioritized based on exploitability?

Concept tested: Reporting and Communication

A. Incorrect: Compensation Committee is incorrect because it does not answer this stem as directly as Rules Committee.

B. Correct: Rules Committee is the correct answer because the Rules Committee plays a key role in setting the standards for vulnerability assessment, including criteria related to exploitability.

C. Incorrect: Conference Program Committee is incorrect because it does not answer this stem as directly as Rules Committee.

D. Incorrect: Membership Committee is incorrect because it does not answer this stem as directly as Rules Committee.

Why this matters: This matters because Reporting and Communication questions test whether Rules Committee fits the scenario's constraints, not just whether the term sounds familiar.
Question 17 of 30
Objective 3.5 Incident Response Management

Which of the following is a recommended action during the containment phase of an incident response?

Concept tested: Incident Response Management

A. Correct: Removing affected systems from the network is the correct answer because during the containment phase, it is recommended to isolate affected systems to prevent further damage.

B. Incorrect: Implementing long-term security controls is incorrect because it does not answer this stem as directly as Removing affected systems from the network.

C. Incorrect: Conducting a risk assessment is incorrect because it does not answer this stem as directly as Removing affected systems from the network.

D. Incorrect: Updating software patches is incorrect because it does not answer this stem as directly as Removing affected systems from the network.

Why this matters: This matters because Incident Response Management questions test whether Removing affected systems from the network fits the scenario's constraints, not just whether the term sounds familiar.
Question 18 of 30
Objective 1.2 Security Operations

What is the significance of maintaining audit trails in a secure log management system?

Concept tested: Security Operations

A. Correct: To provide detailed records for forensic analysis is the correct answer because maintaining audit trails provides detailed records that are essential for forensic analysis and incident response.

B. Incorrect: To track changes made to security policies is incorrect because it does not answer this stem as directly as To provide detailed records for forensic analysis.

C. Incorrect: To optimize database performance is incorrect because it does not answer this stem as directly as To provide detailed records for forensic analysis.

D. Incorrect: To facilitate user access control is incorrect because it does not answer this stem as directly as To provide detailed records for forensic analysis.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 19 of 30
Objective 2.6 Vulnerability Management

Which of the following metrics is used in CVSS to assess the severity of a vulnerability?

Concept tested: Vulnerability Management

A. Incorrect: Temporal Metrics is incorrect because it does not answer this stem as directly as Base Metrics.

B. Correct: Base Metrics is the correct answer because the base metrics are used to assess the inherent characteristics of a vulnerability.

C. Incorrect: Environmental Metrics is incorrect because it does not answer this stem as directly as Base Metrics.

D. Incorrect: Impact Metrics is incorrect because it does not answer this stem as directly as Base Metrics.

Why this matters: This matters because Vulnerability Management questions test whether Base Metrics fits the scenario's constraints, not just whether the term sounds familiar.
Question 20 of 30
Objective 4.7 Reporting and Communication

When preparing a vulnerability management report for compliance stakeholders, which of the following should be prioritized?

Concept tested: Reporting and Communication

A. Correct: Risk assessment and impact analysis is the correct answer because compliance stakeholders require a clear understanding of the risk and potential impact associated with vulnerabilities.

B. Incorrect: Technical detail on remediation steps is incorrect because it does not answer this stem as directly as Risk assessment and impact analysis.

C. Incorrect: Metrics and key performance indicators (KPIs) is incorrect because it does not answer this stem as directly as Risk assessment and impact analysis.

D. Incorrect: Action plans with inhibitors to remediation is incorrect because it does not answer this stem as directly as Risk assessment and impact analysis.

Why this matters: This matters because Copilot governance questions test which Purview control handles AI-specific data exposure, compliance risk, or posture.
Question 21 of 30
Objective 3.7 Incident Response Management

According to NIST SP 800-34 Rev. 1, which of the following is essential for ensuring business continuity during a disaster?

Concept tested: Incident Response Management

A. Correct: Disaster recovery plan is the correct answer because of the importance of having a disaster recovery plan as part of contingency planning.

B. Incorrect: Business impact analysis is incorrect because it does not answer this stem as directly as Disaster recovery plan.

C. Incorrect: Incident response training is incorrect because it does not answer this stem as directly as Disaster recovery plan.

D. Incorrect: Security and privacy policies is incorrect because it does not answer this stem as directly as Disaster recovery plan.

Why this matters: This matters because architecture questions ask you to match availability, latency, and recovery requirements to the feature designed for that job.
Question 22 of 30
Objective 1.17 Security Operations

An analyst is triaging an alert from a critical environment. Which CySA+ skill area best supports deciding whether the alert matters?

Concept tested: Security Operations

A. Correct: Continuous security monitoring for incident detection, prevention, and response is the correct answer because CySA+ emphasizes incident detection, prevention, and response through continuous security monitoring.

B. Incorrect: Publishing unrelated marketing metrics for a product launch is incorrect because it does not answer this stem as directly as Continuous security monitoring for incident detection, prevention, and response.

C. Incorrect: Choosing a device wallpaper for user workstations is incorrect because it does not answer this stem as directly as Continuous security monitoring for incident detection, prevention, and response.

D. Incorrect: Skipping event review because vulnerability scans already ran is incorrect because it does not answer this stem as directly as Continuous security monitoring for incident detection, prevention, and response.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 23 of 30
Objective 2.8 Vulnerability Management

Which response best supports vulnerability management after findings are reviewed?

Concept tested: Vulnerability Management

A. Incorrect: Ignore all alerts to avoid investigation overhead is incorrect because it does not answer this stem as directly as Prioritize vulnerabilities and recommend effective mitigation strategies for vulnerability management.

B. Correct: Prioritize vulnerabilities and recommend effective mitigation strategies for vulnerability management is the correct answer because CySA+ vulnerability management includes prioritizing vulnerabilities and recommending effective mitigation strategies.

C. Incorrect: Remove the scanner from the network before reviewing results is incorrect because it does not answer this stem as directly as Prioritize vulnerabilities and recommend effective mitigation strategies for vulnerability management.

D. Incorrect: Rank findings only by the color of the dashboard widget is incorrect because it does not answer this stem as directly as Prioritize vulnerabilities and recommend effective mitigation strategies for vulnerability management.

Why this matters: This matters because Vulnerability Management questions test whether Prioritize vulnerabilities and recommend effective mitigation... fits the scenario's constraints, not just whether the term sounds familiar.
Question 24 of 30
Objective 4.6 Reporting and Communication

What does NIST SP 800-61 Rev. 2 recommend for performing incident response effectively?

Concept tested: Reporting and Communication

A. Incorrect: Immediate action without planning is incorrect because it does not answer this stem as directly as Substantial planning and resources.

B. Incorrect: Minimal documentation is incorrect because it does not answer this stem as directly as Substantial planning and resources.

C. Incorrect: Regular training sessions only is incorrect because it does not answer this stem as directly as Substantial planning and resources.

D. Correct: Substantial planning and resources is the correct answer because the guide stresses the need for substantial planning and resources to ensure effective incident response.

Why this matters: This matters because Reporting and Communication questions test whether Substantial planning and resources fits the scenario's constraints, not just whether the term sounds familiar.
Question 25 of 30
Objective 3.4 Incident Response Management

Which of the following is a topic covered in NIST SP 800-61 Rev. 2 related to incident response?

Concept tested: Incident Response Management

A. Incorrect: Product development lifecycle is incorrect because it does not answer this stem as directly as Security and Privacy incident response.

B. Incorrect: Marketing strategies is incorrect because it does not answer this stem as directly as Security and Privacy incident response.

C. Correct: Security and Privacy incident response is the correct answer because Security and Privacy incident response is a topic covered in the guide.

D. Incorrect: Human resources management is incorrect because it does not answer this stem as directly as Security and Privacy incident response.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 26 of 30
Objective 1.10 Security Operations

During a defensive investigation, why would an analyst open a saved capture file in Wireshark?

Concept tested: Security Operations

A. Correct: To inspect packet data for network troubleshooting and protocol analysis is the correct answer because Wireshark is used to inspect packet data for network troubleshooting and protocol analysis.

B. Incorrect: To approve a vulnerability exception in a governance register is incorrect because it does not answer this stem as directly as To inspect packet data for network troubleshooting and protocol analysis.

C. Incorrect: To calculate a CVSS environmental score for an application flaw is incorrect because it does not answer this stem as directly as To inspect packet data for network troubleshooting and protocol analysis.

D. Incorrect: To publish a known exploited vulnerability catalog entry is incorrect because it does not answer this stem as directly as To inspect packet data for network troubleshooting and protocol analysis.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Question 27 of 30
Objective 2.3 Vulnerability Management

Which scan types can help determine if an unfiltered port is open?

Concept tested: Vulnerability Management

A. Incorrect: NULL scan, TCP connect(), Xmas tree scan is incorrect because it does not answer this stem as directly as Window scan, SYN scan, FIN scan.

B. Incorrect: TCP connect(), UDP scan, ICMP echo is incorrect because it does not answer this stem as directly as Window scan, SYN scan, FIN scan.

C. Incorrect: ARP ping, ACK scan, Xmas tree scan is incorrect because it does not answer this stem as directly as Window scan, SYN scan, FIN scan.

D. Correct: Window scan, SYN scan, FIN scan is the correct answer because using Window scan, SYN scan, or FIN scan can help resolve whether an unfiltered port is actually open.

Why this matters: This matters because Vulnerability Management questions test whether Window scan, SYN scan, FIN scan fits the scenario's constraints, not just whether the term sounds familiar.
Question 28 of 30
Objective 4.4 Reporting and Communication

Why should a remediation report include metrics and KPIs?

Concept tested: Reporting and Communication

A. Incorrect: They replace the need to analyze assessment tool output is incorrect because it does not answer this stem as directly as They support vulnerability management reporting and stakeholder communication.

B. Incorrect: They automatically patch every affected endpoint is incorrect because it does not answer this stem as directly as They support vulnerability management reporting and stakeholder communication.

C. Incorrect: They prevent all future vulnerabilities from being discovered is incorrect because it does not answer this stem as directly as They support vulnerability management reporting and stakeholder communication.

D. Correct: They support vulnerability management reporting and stakeholder communication is the correct answer because CompTIA includes metrics, KPIs, and stakeholder communication in the CySA+ vulnerability management reporting objective.

Why this matters: This matters because Reporting and Communication questions test whether They support vulnerability management reporting and stakeholder... fits the scenario's constraints, not just whether the term sounds familiar.
Question 29 of 30
Objective 3.10 Incident Response Management

Which of the following is a key component in coordinating incident response communication?

Concept tested: Incident Response Management

A. Correct: Explaining incident declaration is the correct answer because coordinating incident response communication includes explaining the process of incident declaration to stakeholders.

B. Incorrect: Scheduling team meetings is incorrect because it does not answer this stem as directly as Explaining incident declaration.

C. Incorrect: Updating social media profiles is incorrect because it does not answer this stem as directly as Explaining incident declaration.

D. Incorrect: Creating marketing materials is incorrect because it does not answer this stem as directly as Explaining incident declaration.

Why this matters: This matters because Incident Response Management questions test whether Explaining incident declaration fits the scenario's constraints, not just whether the term sounds familiar.
Question 30 of 30
Objective 1.16 Security Operations

Which of the following best describes the role of a single pane of glass in security operations?

Concept tested: Security Operations

A. Incorrect: It reduces the need for threat hunting is incorrect because it does not answer this stem as directly as It consolidates multiple tools into one interface for better visibility.

B. Incorrect: It isolates different security processes to prevent interference is incorrect because it does not answer this stem as directly as It consolidates multiple tools into one interface for better visibility.

C. Incorrect: It increases the number of tools required for monitoring is incorrect because it does not answer this stem as directly as It consolidates multiple tools into one interface for better visibility.

D. Correct: It consolidates multiple tools into one interface for better visibility is the correct answer because a single pane of glass in security operations consolidates various tools and data into a unified interface, enhancing visibility.

Why this matters: This matters because secure-architecture questions test the control that actually mitigates the stated risk, not a nearby security service.
Where to go after the daily web set

How are CySA+ questions generated?

dotCreds builds CySA+ practice questions from public CompTIA exam objectives and source-backed references. The questions are written for realistic study practice, not copied from exam dumps.

How are explanations sourced?

Each question includes an explanation and, when available, a source link back to the provider documentation or reference used to validate the answer. That keeps the practice tied to study material you can actually review.

What score do I get?

The page tracks today's answered count and accuracy for the 30-question daily set, then saves a 7-day score history on this device so you can see your recent practice trend.

Why use this site?

The site is the fastest way to start CySA+ practice without installing anything. It is built for daily recall, quick weak-topic discovery, and source-backed explanations you can review immediately.

Why use the app when available?

The web page is the quick free sampler. If a dotCreds app is available for CySA+, the app is better for larger banks, focused weak-domain drills, longer review sessions, and mobile study routines.