CYSA-004 Practice Questions: Reporting and Communication Domain
Master the Reporting and Communication Domain
Test your knowledge in the Reporting and Communication domain with these 10 practice questions. Each question is designed to help you prepare for the CYSA-004 certification exam with detailed explanations to reinforce your learning.
Question 1
A SOC analyst uses an internal AI assistant to draft a customer-facing incident summary. The draft says: "Confirmed attacker access to all production databases for approximately 6 hours. Customer records were likely exfiltrated."

Case notes actually show:
- Access confirmed to one reporting database
- Access window currently estimated between 45 and 70 minutes
- Exfiltration is still under investigation with no confirmation yet

What is the BEST next step?
Correct Answer: B
Correct answer (B): AI-assisted summaries can be useful, but they must be validated before being shared because they can overstate scope, confidence, or impact. In this scenario, the draft materially misrepresents affected systems, duration, and exfiltration status. The analyst must correct it against the case evidence before external communication.
Why the other options are wrong:
- Option A: Noting that AI was used does not fix factual errors. Sending an inaccurate external statement can create trust, legal, and communication problems.
- Option C: This is an overreaction. The issue is lack of validation, not the existence of AI assistance itself.
- Option D: Inaccuracies matter to every audience. Executives also need correct scope and confidence, and unsupported claims should not be circulated internally or externally.
Question 2
A SOC analyst used an internal AI tool to draft an executive update.

AI-generated excerpt:
- The incident began with a phishing email sent to user tpatel
- No data left the environment
- The attacker used the granted OAuth app only to read calendar items

Case facts available to the analyst:
- Suspicious OAuth consent was confirmed for user tpatel
- Mail gateway logs are inconclusive
- Proxy retention expired for part of the investigation window
- Scope of data access is still being validated

What should the analyst do BEFORE sending the update?
Correct Answer: A
Correct answer (A): AI-generated reporting can speed drafting, but analysts must validate conclusions before distribution. Here, the tool makes unsupported claims about initial access, exfiltration, and scope that are not established by the evidence. The analyst should remove or rewrite those statements so the report clearly separates confirmed facts from unknowns.
Why the other options are wrong:
- Option B: A disclaimer does not fix inaccurate content. Executives may still act on false statements.
- Option C: Incorrect because more confident wording would make uncertain claims more dangerous, not more useful.
- Option D: Incorrect because extra raw detail does not validate unsupported conclusions and also makes the executive update less audience-appropriate.
Question 3
A detection engineer is sharing a short threat intelligence update with the SOC.

Artifact:
- Observed TTPs: password spraying against VPN, use of newly registered domains, archive creation before outbound transfer
- Indicators: 198.51.100.24, login failures against svc_backup, domain update-check[.]site

What addition would make this report MOST useful to internal defenders?
Correct Answer: A
Correct answer (A): Internal threat intelligence reporting is most valuable when it converts indicators and TTPs into concrete defensive actions. Option A gives immediate hunt targets, detection updates, and investigative direction, which makes the intelligence operationally useful.
Why the other options are wrong:
- Option B: Source material may add context, but it does not tell defenders what to do next.
- Option C: Unconfirmed attribution can mislead responders and does not improve defensive action.
- Option D: Waiting for more indicators delays useful hunts and tuning that can be performed now.
Question 4
A SOC analyst is ending a shift during an active identity-based incident.

Current handover note:
- 14 alerts for impossible travel
- User: jdiaz
- MFA challenge failures observed
- Ticket INC-4471 opened
- Investigating cloud admin console activity

Which additional item is MOST important to add before handoff?
Correct Answer: C
Correct answer (C): A good handover note lets the next analyst continue work without losing time. That requires current status, what has already been done, what still needs to be done, who owns it, and any deadlines. Option C adds the operational details missing from the note and is far more useful than raw log volume or speculation.
Why the other options are wrong:
- Option A: Raw logs may be valuable evidence, but they do not replace a concise handoff that explains status and next actions.
- Option B: Speculation about user behavior is not an appropriate substitute for actionable handoff information and can bias the investigation.
- Option D: This adds noise rather than helping the incoming analyst understand the active incident's current status and priorities.
Question 5
An analyst is ending the night shift and must hand off an active incident to the day team.

Artifact: INC-4472 | Severity: High
- Possible lateral movement from WS-244 to FILE-09
- WS-244 isolated at 21:10
- Need to review FILE-09 access logs
- Phishing email sample attached to case

Which addition is MOST important before the analyst signs off?
Correct Answer: B
Correct answer (B): Shift handover documentation should include pending actions, assigned owners, and where evidence or case artifacts are stored. Without those details, the next shift may duplicate work, miss deadlines, or fail to continue the investigation smoothly. Attribution guesses, helpdesk noise, and asset procurement details are not the priority here.
Why the other options are wrong:
- Option A: Threat attribution based only on IP geolocation is weak and does not help the day team continue confirmed investigative steps.
- Option C: This adds unrelated operational noise and does not improve the incident handoff.
- Option D: Asset lifecycle information is not the most important missing detail for an active high-severity investigation.
Question 6
A vulnerability analyst is building the weekly remediation report for infrastructure leadership.

Artifact:
1) Internet-facing payment API: CVSS 8.2, EPSS 0.94, active exploitation reported in the wild, age 18 days, SLA 14 days, no compensating control
2) Internal dev file server: CVSS 9.8, EPSS 0.07, not internet-facing, age 2 days, SLA 30 days
3) HR workstation image package: CVSS 7.5, EPSS 0.61, affects 130 endpoints, age 6 days, patch available, EDR blocks known exploit chain
4) Legacy print server: CVSS 8.8, EPSS 0.22, segmented VLAN, age 11 days, SLA 14 days, service disabled outside business hours

Which finding should be emphasized as the HIGHEST priority in the report?
Correct Answer: B
Correct answer (B): Strong vulnerability reporting uses more than CVSS alone. The payment API is internet-facing, tied to a critical business service, has very high exploit likelihood, has active exploitation reported in the wild, lacks compensating controls, and is already beyond SLA. That combination makes it the clearest top priority for leadership attention.
Why the other options are wrong:
- Option A: High CVSS alone does not make this the top reporting priority. The server is internal, newer, and has much lower exploit-likelihood context.
- Option C: Asset count matters, but the stem shows an EDR control already blocks the known exploit chain, reducing immediate urgency compared with the exposed payment API.
- Option D: This is a valid concern, but segmentation and reduced service availability are compensating controls, and the overall risk is lower than the exposed payment API.
Question 7
An analyst must summarize newly received threat intelligence for the SOC detection team.

Artifact: Threat intelligence snippet:
- Source confidence: medium
- Campaign targets SAML-based SSO portals with adversary-in-the-middle phishing kits
- Common signs: impossible travel after MFA, new device enrollment, abnormal token reuse
- Internal environment: the company uses an internet-facing SAML identity provider for remote access

Which report excerpt is the BEST one to send internally?
Correct Answer: C
Correct answer (C): Strong internal threat intelligence reporting includes relevance to the environment, confidence level, likely behaviors, and recommended detection or mitigation actions. Option C ties the threat to the organization's SAML exposure, preserves the medium-confidence assessment, and gives the SOC concrete monitoring actions. The other options are either too vague, too certain, or dismissive.
Why the other options are wrong:
- Option A: This is too generic to be useful. It does not explain why the intelligence matters to the environment or what defenders should monitor.
- Option B: This overstates the intelligence, claims high confidence when the source is only medium confidence, and recommends a broad action not justified by the stem.
- Option D: Threat intelligence can still be operationally relevant even when it does not specifically name the company, especially when the organization uses the targeted technology.
Question 8
A Tier 1 analyst leaves the following handover note for the next shift:

Handover note:
- INC-2441
- Severity: High
- Investigated unusual OAuth consent grants
- Disabled user mlee
- See ticket for details

What information is MOST important to add for an effective shift handover?
Correct Answer: A
Correct answer (A): Good handovers preserve continuity. The next analyst needs to know the confirmed scope, what has already been done, what remains to be done, any deadlines or urgency, and who owns the next action. Ticket numbers alone do not provide enough operational context for a fast-moving incident.
Why the other options are wrong:
- Option B: Too much raw detail and not a replacement for a concise status handoff.
- Option C: Irrelevant to incident continuity and next-step execution.
- Option D: A queue screenshot does not explain scope, response status, or pending actions.
Question 9
A SOC analyst is preparing an update for the CIO and COO during an ongoing incident.

Artifact:
- Audience: Executive leadership
- Current status: FIN-APP-02 isolated at 09:42, payroll API unavailable to 42 users, investigation continues
- Draft excerpt: "EDR detected powershell.exe -enc ..., SHA256=7d1c..., outbound 185.77.2.19:443, persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

Which revision is the BEST replacement for the draft excerpt?
Correct Answer: B
Correct answer (B): Executive updates should emphasize business impact, affected service, current containment status, and any pending leadership decisions rather than raw IOCs or forensic detail. Option B communicates the disruption, current action, and next update point without speculation.
Why the other options are wrong:
- Option A: Still too technical for an executive audience. Raw IOCs and hashes may help responders, but they do not center business impact or decision support.
- Option C: Appropriate for a technical team, not executive leadership. It emphasizes forensic detail instead of operational impact.
- Option D: Speculative attribution and impact inflation should be avoided in active incident communication.
Question 10
A SOC analyst used an AI assistant to draft an incident update.

Artifact: AI-generated draft:
- "No customer data was exposed."
- "Attackers accessed only one host."
- Includes internal hostnames and usernames
- Current case notes say exfiltration is unconfirmed and scope is still under investigation

What is the BEST next step before distributing the report?
Correct Answer: B
Correct answer (B): AI-assisted drafting can improve speed, but analysts still own accuracy and handling of sensitive information. Here, the draft contains unsupported conclusions and potentially sensitive identifiers, so the analyst must validate claims against evidence, remove unsupported statements, and confirm recipient authorization before distribution.
Why the other options are wrong:
- Option A: Speed does not justify sending inaccurate or overconfident incident reporting.
- Option C: A model confidence score is not a substitute for analyst verification and does not fix the exposure of sensitive details.
- Option D: Broad automatic distribution increases the risk of unnecessary or unauthorized disclosure.