Free CompTIA CySA+ Practice Test 2026 — CS0-004 Exam Questions
Master the CompTIA CySA+ CS0-004 exam with free practice questions covering all 4 official CySA+ domains. Each question includes a detailed explanation written by cybersecurity analysts — no signup required.
CompTIA CySA+ CS0-004 Exam Overview
- Questions: 85 max (multiple-choice + performance-based)
- Time: 165 minutes
- Passing score: 750 / 900
- Cost: ~$404 USD
- Validity: 3 years (renewable via CompTIA CE)
CS0-004: The Latest CompTIA CySA+ Version
CS0-004 is the current version of CompTIA CySA+, launched in 2026 to update and replace the previous CS0-003 exam. If you are scheduling your exam now, CS0-004 is the version to study — CompTIA is phasing out CS0-003, and every question on this page is written to the CS0-004 (V4) exam objectives.
CS0-004 vs CS0-003 — what changed
- CS0-004 (current, 2026): Four domains, up to 85 questions, 165 minutes, with a sharper focus on cloud security operations and SIEM, expanded automation, orchestration and scripting, and modern threat intelligence and incident response workflows.
- CS0-003 (previous): The prior CySA+ exam, now being phased out by CompTIA. New candidates should register for and study CS0-004 instead.
Practice by CompTIA CySA+ Domain
Domain 1: Security Operations (34%)
Free CySA+ practice questions on system and network architecture, threat intelligence, log and malicious activity analysis, SIEM, and threat hunting. Practice this domain →
Domain 2: Vulnerability Management (26%)
Free CySA+ practice questions on vulnerability scanning, CVSS scoring, asset prioritization, remediation, and attack surface management. Practice this domain →
Domain 3: Incident Response and Management (24%)
Free CySA+ practice questions on the incident response lifecycle, detection and analysis, containment, eradication, recovery, and digital forensics. Practice this domain →
Domain 4: Reporting and Communication (16%)
Free CySA+ practice questions on vulnerability and incident reporting, stakeholder communication, metrics and KPIs, compliance, and action plans. Practice this domain →
Free CompTIA CySA+ Sample Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius CompTIA CySA+ CS0-004 question bank.
Sample Question 1 — Incident Response and Management
Artifact:
08:14 EDR alert: Suspicious rundll32.exe launched from C:\Users\jnorris\AppData\Local\Temp\a.dll
08:14 Action: Host FIN-WS22 automatically isolated from the network
08:15 User session: jnorris still logged in
08:16 IR lead note: "Primary goal right now is preserve evidence for root cause analysis before any rebuild."
What should the analyst do next?
- A. Capture memory and active process or network connection data from FIN-WS22 (Correct answer)
- B. Reimage FIN-WS22 immediately and return it to service after the rebuild
- C. Delete the suspicious DLL and remove the alert from the queue
- D. Reboot FIN-WS22 to stop any remaining malicious activity
Correct answer: A
Explanation: Correct answer (A): Because the endpoint is already isolated, the best next step is to preserve volatile evidence before the system state changes. Memory contents, running processes, active sessions, and network connections may be lost after a reboot or reimage. In CySA+ incident handling, containment generally comes before eradication, and evidence preservation comes before destructive actions when root cause analysis is a stated goal.
Why the other options are wrong:
- Option B: Reimaging may be appropriate later for eradication and recovery, but it is not the best next step when the explicit goal is to preserve evidence first.
- Option C: Deleting artifacts changes the system state and can destroy evidence needed to determine scope, cause, and attacker actions.
- Option D: Rebooting may interrupt activity, but it also risks losing memory-resident evidence and is unnecessary because the EDR has already isolated the host.
Sample Question 2 — Incident Response and Management
Artifact:
Organization severity rubric:
- P1: regulated data on a business-critical system or outage affecting more than 50 users
- P2: limited operational impact or sensitive data with narrow scope
- P3: isolated endpoint issue with no sensitive data exposure
08:40 SIEM alert: rapid file rename and encryption behavior on HR-FS01
08:43 Analyst note: payroll share unavailable to 230 users
08:44 Data owner note: share contains employee SSNs and tax records
08:45 No domain controller impact observed at this time
Based on the stated rubric, how should this incident be classified?
- A. P1, because the event affects a critical service and regulated employee data (Correct answer)
- B. P2, because the activity is limited to one file server and not the entire domain
- C. P3, because encryption was detected before domain controllers were affected
- D. False positive, because no evidence shows the attacker reached other servers yet
Correct answer: A
Explanation: Correct answer (A): The rubric drives the answer. This incident qualifies as P1 because it causes an outage affecting more than 50 users and involves regulated employee data. CySA+ severity decisions should be based on stated impact, scope, and data sensitivity, not just on whether the issue has spread to other systems.
Why the other options are wrong:
- Option B: One affected server can still be P1 when it supports a critical business function and stores regulated data.
- Option C: Lack of domain controller impact does not reduce severity when the stated P1 criteria are already met.
- Option D: Observed encryption behavior and confirmed service unavailability indicate a real incident, not a false positive.
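The rubric in this question is mechanical enough to encode, which is how many SOCs keep severity decisions consistent between analysts. The block below is an added example and not part of the original page: it applies the three tiers exactly as the question states them, checking the most severe tier first and returning the criteria that fired so they can go straight into the ticket. The `Incident` fields and the three constructed cases are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Incident:
    """Facts an analyst records before applying the severity rubric (assumed fields)."""
    system: str
    outage_users: int          # users who have lost access to the service
    regulated_data: bool       # SSNs, tax records, PHI, card data, etc.
    business_critical: bool    # system supports a critical business function
    sensitive_data: bool       # sensitive but not necessarily regulated
    single_endpoint: bool      # scope is one isolated endpoint


def classify_severity(inc: Incident) -> tuple:
    """Apply the organization's rubric, most severe tier first.

    Returns (priority, reasons). Reasons are the rubric criteria that were met,
    so the classification is auditable. Note that domain-controller impact is
    not a criterion anywhere in the rubric, so it never changes the result.
    """
    reasons = []
    # P1: regulated data on a business-critical system OR outage affecting > 50 users
    if inc.regulated_data and inc.business_critical:
        reasons.append("regulated data on a business-critical system")
    if inc.outage_users > 50:
        reasons.append(f"outage affects {inc.outage_users} users (more than 50)")
    if reasons:
        return "P1", reasons
    # P2: limited operational impact OR sensitive data with narrow scope
    if inc.outage_users > 0:
        reasons.append(f"limited operational impact ({inc.outage_users} users)")
    if inc.sensitive_data or inc.regulated_data:
        reasons.append("sensitive data with narrow scope")
    if reasons:
        return "P2", reasons
    # P3: isolated endpoint issue with no sensitive data exposure
    if inc.single_endpoint:
        return "P3", ["isolated endpoint issue, no sensitive data exposure"]
    return "P3", ["no P1/P2 criteria met; confirm scope manually"]


# Constructed cases. The first mirrors the HR-FS01 artifact from the question;
# the other two are made up to exercise the lower tiers.
HR_FS01 = Incident("HR-FS01", outage_users=230, regulated_data=True,
                   business_critical=True, sensitive_data=True, single_endpoint=False)
ENG_LAPTOP = Incident("ENG-LAP-07", outage_users=0, regulated_data=False,
                      business_critical=False, sensitive_data=False, single_endpoint=True)
LEGAL_WS = Incident("LEGAL-WS03", outage_users=1, regulated_data=False,
                    business_critical=False, sensitive_data=True, single_endpoint=True)

if __name__ == "__main__":
    for inc in (HR_FS01, ENG_LAPTOP, LEGAL_WS):
        prio, why = classify_severity(inc)
        print(f"{inc.system}: {prio} because " + "; ".join(why))
```

Checking the most severe tier first matters: HR-FS01 meets the P2 criteria too, but a rubric is read top-down and the highest matching tier wins.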
Sample Question 3 — Reporting and Communication
A SaaS storage bucket was accidentally exposed for 47 minutes. Customer Success asks for wording to send affected clients immediately.
Artifact:
Incident status excerpt
- Data type: customer support attachments
- Potential records exposed: approximately 11,000
- Confirmed exfiltration: No
- Access logs preserved: Yes
- Scope confidence: Low to medium
- Legal review: Pending
- Current containment: Public access removed
What is the BEST next action for the analyst?
- A. Draft a customer notice stating that a breach is confirmed so the company appears transparent
- B. Provide a facts-only internal update and route any external messaging through legal and communications after scope validation (Correct answer)
- C. Wait to communicate anything internally until exfiltration is conclusively ruled out
- D. Post a public statement that no customer data was accessed because the exposure window was brief
Correct answer: B
Explanation: Correct answer (B): The best next step is to send a facts-only internal update and coordinate any external messaging through legal and communications after scope is validated. The scenario explicitly says exfiltration is not confirmed, scope confidence is still low to medium, logs have been preserved, and legal review is pending. In CySA+ reporting, analysts should separate confirmed facts from assumptions and avoid speculative customer or public statements.
Why the other options are wrong:
- Option A: This overstates the facts. Transparency does not justify declaring a confirmed breach when exfiltration has not been validated.
- Option C: Internal stakeholders still need timely updates during an active investigation. Waiting for perfect certainty would delay decision-making and coordination.
- Option D: A short exposure window does not prove no access occurred. This is speculative external communication and creates unnecessary legal and credibility risk.
Sample Question 4 — Reporting and Communication
A security manager asks for a summary of quarterly incident-response performance.
Artifact:
Quarterly metrics
Month 1: MTTD 6.0h, MTTC 2.0h, MTTR 18.0h
Month 2: MTTD 5.5h, MTTC 2.1h, MTTR 11.0h
Month 3: MTTD 5.8h, MTTC 1.9h, MTTR 10.0h
Definitions used by the team:
- MTTD: time to detect
- MTTC: time to initial containment
- MTTR: time to remediate or restore service
Which statement is MOST accurate for the report?
- A. Detection improved sharply, containment worsened sharply, and remediation stayed flat
- B. Containment performance stayed about the same, while remediation and restoration time improved materially (Correct answer)
- C. All three metrics improved at the same rate across the quarter
- D. The data shows a lower false-positive rate and better phishing resistance
Correct answer: B
Explanation: Correct answer (B): MTTC stays close to 2 hours across all three months, so containment performance is roughly steady. MTTR drops from 18 hours to 10 hours, which is a meaningful improvement in remediation or restoration time. MTTD improves only slightly overall and does not support a claim of sharp improvement. The key reporting skill here is to distinguish which phase of incident response each metric measures.
Why the other options are wrong:
- Option A: MTTD did not improve sharply, MTTC did not worsen sharply, and MTTR clearly did not stay flat.
- Option C: The trends are not equal. MTTR improved much more than either MTTD or MTTC.
- Option D: False-positive rate and phishing resistance are not shown in the artifact, so this conclusion is unsupported.
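Reading a metrics table by eye is error-prone when the report covers more months or more metrics. The block below is an added example, not content from the original page: it parses the artifact's `Month N: MTTD ..h, MTTC ..h, MTTR ..h` lines, computes the first-to-last percent change for each metric (lower is better for all three), and labels each trend. The "about the same" band of 10% and the "material" threshold of 25% are assumptions chosen for this example, not CompTIA figures.

```python
import re

METRIC_LINE = re.compile(r"Month\s+(\d+):\s*(.*)")
METRIC_PAIR = re.compile(r"([A-Z]+)\s+([\d.]+)h")

# The artifact from the question, embedded verbatim as sample input.
QUARTERLY_METRICS = """\
Month 1: MTTD 6.0h, MTTC 2.0h, MTTR 18.0h
Month 2: MTTD 5.5h, MTTC 2.1h, MTTR 11.0h
Month 3: MTTD 5.8h, MTTC 1.9h, MTTR 10.0h
"""


def parse_metrics(text):
    """Return {metric_name: [hours per month, in report order]}."""
    series = {}
    for line in text.splitlines():
        m = METRIC_LINE.match(line.strip())
        if not m:
            continue  # ignore headings and definition lines
        for name, hours in METRIC_PAIR.findall(m.group(2)):
            series.setdefault(name, []).append(float(hours))
    return series


def percent_change(values):
    """Percent change from the first to the last data point, one decimal."""
    first, last = values[0], values[-1]
    return round((last - first) / first * 100, 1)


def describe_trend(pct, flat_band=10.0, material=25.0):
    """Label a change in a lower-is-better metric. Thresholds are assumptions."""
    if abs(pct) < flat_band:
        return "about the same"
    if pct <= -material:
        return "improved materially"
    if pct < 0:
        return "improved"
    return "worsened"


def summarize(text):
    """Per-metric percent change and trend label, ready for the quarterly report."""
    summary = {}
    for name, values in parse_metrics(text).items():
        pct = percent_change(values)
        summary[name] = {"change_pct": pct, "trend": describe_trend(pct)}
    return summary


if __name__ == "__main__":
    for name, s in summarize(QUARTERLY_METRICS).items():
        print(f"{name}: {s['change_pct']:+.1f}% ({s['trend']})")
```

Comparing endpoints rather than consecutive months keeps a single noisy month (MTTD dipping to 5.5h in month 2) from being reported as a trend; for a longer series you would fit a slope instead.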
Sample Question 5 — Security Operations
A SOC analyst receives a sign-in alert for a remote user's laptop and needs to confirm whether suspicious processes started on that host. The analyst also wants the option to quarantine the laptop if malicious activity is confirmed. Which technology is the best fit for this requirement?
- A. SIEM
- B. EDR (Correct answer)
- C. SOAR
- D. UEBA
Correct answer: B
Explanation: Correct answer (B): EDR is the best fit because it provides host-level telemetry such as process execution, parent-child relationships, and command-line details, and it often supports containment actions like host isolation. A SIEM can correlate the sign-in alert, but it is not the primary tool for direct endpoint investigation and quarantine. On CySA+, the key distinction is that SIEM correlates, EDR investigates and responds on the endpoint, SOAR orchestrates workflows, and UEBA identifies behavioral anomalies.
Why the other options are wrong:
- Option A: A SIEM is useful for centralized log collection and correlation, but it is not the best platform when the analyst specifically needs host process detail and the ability to quarantine the endpoint.
- Option C: SOAR can orchestrate actions across tools, but it depends on other security products for the underlying host telemetry and isolation capability.
- Option D: UEBA highlights behavioral anomalies, but it does not provide the direct endpoint evidence or containment the analyst needs for this host-focused investigation.
Sample Question 6 — Security Operations
An EDR alert shows the following on FIN-LAP-14:
Parent: WINWORD.EXE
Child: powershell.exe
Command line: powershell -nop -w hidden -enc SQBiAGUAdAAtAFAAcgBvAGMAZQBzAHMA...
Network: outbound TLS connection to 198.51.100.24:443
Which activity is the most likely explanation?
- A. A normal Office add-in update using a signed background task
- B. A malicious document launching obfuscated PowerShell through a LOLBin (Correct answer)
- C. A routine certificate enrollment process for the workstation
- D. A scheduled administrative script started by a patch tool
Correct answer: B
Explanation: Correct answer (B): A document process spawning PowerShell with an encoded command line is a strong indicator of malicious execution or LOLBin abuse. The no-profile flag, hidden window, and immediate outbound connection all raise confidence that this is payload execution rather than a normal Office action. CySA+ expects analysts to weigh process ancestry and command-line context together, not just the tool name.
Why the other options are wrong:
- Option A: Office add-ins do not typically spawn hidden, encoded PowerShell directly from WINWORD.EXE. The process ancestry and obfuscation make this explanation unlikely.
- Option C: Certificate enrollment would not normally originate from WINWORD.EXE with an encoded PowerShell command line and hidden execution.
- Option D: Administrative scripts may use PowerShell, but the parent process and obfuscated command strongly point to malicious document-driven execution rather than a managed patch workflow.
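The reasoning in this explanation (weigh process ancestry and command-line flags together) is exactly what a triage rule in a SOC encodes. The block below is an added example and not code from the original page or from any EDR vendor: it parses an alert in the same `Key: value` shape as the artifact, flags an Office parent spawning a script host, detects the no-profile, hidden-window and encoded-command switches, decodes the `-enc` blob (base64 of a UTF-16LE string) so the analyst can read it, and notes the outbound connection. The sample alert is constructed and uses a harmless encoded `Get-Date` rather than the page's truncated blob; the parent/child lists and the verdict rule are assumptions.

```python
import base64
import re

# Assumed watch lists; real rules would be broader.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts abbreviated switches, so match the common short forms too.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)(?<!\S)-w(?:in(?:dowstyle)?)?\s+hidden(?!\S)")
NOPROFILE_FLAG = re.compile(r"(?i)(?<!\S)-nop(?:rofile)?(?!\S)")


def parse_alert(text):
    """Turn 'Key: value' alert lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)  # split once: values may contain ':' (host:port)
            fields[key.strip().lower()] = value.strip()
    return fields


def decode_encoded_command(blob):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text).

    Tolerates a truncated blob such as one ending in '...': stray characters are
    dropped, a dangling base64 character is discarded and padding is restored.
    """
    clean = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    if len(clean) % 4 == 1:
        clean = clean[:-1]
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-16-le", errors="replace")


def triage(alert_text):
    """Return the indicators found, the decoded command (if any) and a verdict."""
    a = parse_alert(alert_text)
    parent = a.get("parent", "").lower()
    child = a.get("child", "").lower()
    cmd = a.get("command line", "")
    findings = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append("office_spawns_script_host")
    if NOPROFILE_FLAG.search(cmd):
        findings.append("no_profile")
    if HIDDEN_FLAG.search(cmd):
        findings.append("hidden_window")
    decoded = None
    m = ENC_FLAG.search(cmd)
    if m:
        findings.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
    if a.get("network", "").lower().startswith("outbound"):
        findings.append("outbound_connection")
    # Assumed rule: the ancestry alone is enough, otherwise three indicators.
    suspicious = "office_spawns_script_host" in findings or len(findings) >= 3
    return {"findings": findings, "decoded_command": decoded,
            "verdict": "suspicious" if suspicious else "benign_or_review"}


# Constructed sample alerts in the artifact's shape (not the page's payload).
SAMPLE_ENC = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_ALERT = f"""Parent: WINWORD.EXE
Child: powershell.exe
Command line: powershell -nop -w hidden -enc {SAMPLE_ENC}
Network: outbound TLS connection to 198.51.100.24:443
"""
BENIGN_ALERT = """Parent: explorer.exe
Child: powershell.exe
Command line: powershell -File C:\\Scripts\\inventory.ps1
"""

if __name__ == "__main__":
    for name, alert in (("sample", SAMPLE_ALERT), ("benign", BENIGN_ALERT)):
        print(name, triage(alert))
```

Decoding the argument is a triage step, not a verdict: the flags and the parent process already make the alert worth escalating, and the decoded text tells the responder what to look for on the host.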
Sample Question 7 — Vulnerability Management
During external attack surface review, the analyst receives the following scan excerpt for a public IP:
Host: 203.0.113.25
22/tcp open ssh OpenSSH 8.4
443/tcp open https nginx 1.18.0
8080/tcp open http Jenkins 2.303
OS guess: Linux 5.x
What is the BEST conclusion to document before escalating this host as a vulnerability finding?
- A. The host is definitely compromised because Jenkins is exposed on TCP 8080
- B. The scan confirms exploitable CVEs on nginx and Jenkins
- C. The results show reachable services that require vulnerability validation (Correct answer)
- D. The output proves the firewall policy is incorrect and incomplete
Correct answer: C
Explanation: Correct answer (C): This output is discovery and fingerprinting data. It shows externally reachable services, likely software banners, and an OS guess, which is valuable for attack surface management. However, it does not by itself prove compromise or confirm that specific CVEs are present and exploitable. A CySA+ analyst should document that the host has exposed services and then validate versions, configurations, and applicable vulnerabilities before escalating it as a confirmed vulnerability finding.
Why the other options are wrong:
- Option A: Exposure of Jenkins may increase risk, but exposure alone does not prove the host has already been compromised.
- Option B: Service banners help guide follow-up analysis, but they do not automatically confirm exploitable CVEs without validation of the actual software build and configuration.
- Option D: The scan shows what is reachable from the internet, but it does not prove the firewall is wrong. The exposure could be intentional.
Sample Question 8 — Vulnerability Management
A vulnerability analyst must choose one finding to remediate first during an emergency change window. The current prioritization matrix shows:
A. HR-PORTAL01 - Apache Struts RCE - CVSS 8.1 - EPSS 0.94 - Internet-facing payroll portal - Threat intel shows active exploitation - No compensating control
B. LAB-KIOSK12 - Browser sandbox escape - CVSS 9.8 - EPSS 0.02 - Internal lab kiosk - Segmented VLAN - No privileged data
C. FIN-DB03 - Weak TLS certificate setting - CVSS 5.0 - EPSS N/A - Internal finance database - No internet exposure
D. BAK-MGMT01 - Auth bypass - CVSS 8.8 - EPSS 0.12 - Management interface restricted to admin VLAN - VPN plus MFA required
Which finding should be remediated FIRST?
- A. HR-PORTAL01 (Correct answer)
- B. LAB-KIOSK12
- C. FIN-DB03
- D. BAK-MGMT01
Correct answer: A
Explanation: Correct answer (A): HR-PORTAL01 is the highest operational priority because it combines several factors that matter more than CVSS alone: it is internet-facing, business-critical, has very high exploit likelihood, and threat intelligence indicates active exploitation, with no compensating control in place. CySA+ prioritization is risk-based, so a slightly lower CVSS finding on a public, actively targeted payroll system can outrank a higher CVSS issue on an isolated internal asset.
Why the other options are wrong:
- Option B: The CVSS score is higher, but the asset is segmented, internally scoped, and lower impact, with low exploit likelihood.
- Option C: This finding is lower severity, internally scoped, and lacks evidence of urgent exploitability, so it should not be first in an emergency window.
- Option D: An auth bypass is serious, but the restricted admin VLAN plus VPN and MFA are compensating controls that reduce immediate exposure compared with the public payroll portal.
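The explanation's point is that risk-based prioritization weighs exposure, exploit likelihood and business impact alongside CVSS. The block below is an added example and not content from the original page: it encodes the four matrix rows and ranks them with a simple likelihood-times-exposure-times-impact score, then contrasts that with a CVSS-only sort. The weights, the exposure factors, the 0.05 placeholder for an unavailable EPSS, and the reading of each row into booleans are all assumptions for this example, not a CompTIA or FIRST formula.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    epss: Optional[float]       # None when EPSS is reported as N/A
    internet_facing: bool
    active_exploitation: bool   # threat intel reports in-the-wild exploitation
    compensating_control: bool  # segmentation, VPN plus MFA, etc.
    high_value: bool            # business-critical system or sensitive data


DEFAULT_EPSS = 0.05  # assumed likelihood when EPSS is not available


def exposure_factor(f):
    """How reachable the vulnerable component is (assumed factors)."""
    if f.internet_facing and not f.compensating_control:
        return 1.0
    if f.internet_facing:
        return 0.6
    return 0.25 if f.compensating_control else 0.5


def likelihood(f):
    """EPSS plus a large bump for confirmed active exploitation, capped at 1."""
    base = f.epss if f.epss is not None else DEFAULT_EPSS
    if f.active_exploitation:
        base += 0.5
    return min(base, 1.0)


def risk_score(f):
    """Impact x exposure x likelihood. The 0.2 floor keeps a zero-EPSS
    finding on a critical public asset from scoring zero."""
    impact = f.cvss * (1.5 if f.high_value else 1.0)
    return round(impact * exposure_factor(f) * (0.2 + likelihood(f)), 2)


def prioritize(findings):
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss_only(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# The four rows of the question's matrix, read into fields (the boolean
# readings are this example's interpretation of the row text).
MATRIX = [
    Finding("HR-PORTAL01", "Apache Struts RCE", 8.1, 0.94,
            internet_facing=True, active_exploitation=True,
            compensating_control=False, high_value=True),
    Finding("LAB-KIOSK12", "Browser sandbox escape", 9.8, 0.02,
            internet_facing=False, active_exploitation=False,
            compensating_control=True, high_value=False),
    Finding("FIN-DB03", "Weak TLS certificate setting", 5.0, None,
            internet_facing=False, active_exploitation=False,
            compensating_control=False, high_value=True),
    Finding("BAK-MGMT01", "Auth bypass", 8.8, 0.12,
            internet_facing=False, active_exploitation=False,
            compensating_control=True, high_value=False),
]

if __name__ == "__main__":
    print("risk-based :", [(f.host, risk_score(f)) for f in prioritize(MATRIX)])
    print("cvss only  :", [(f.host, f.cvss) for f in by_cvss_only(MATRIX)])
```

The CVSS-only sort puts the lab kiosk first, which is the trap the question sets; once exposure and exploit likelihood enter the score, the public payroll portal leads by a wide margin and the segmented kiosk drops to the bottom.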
Quick 10-Question CySA+ Practice Test
Take a free 10-question CompTIA CySA+ quick-start practice test covering all 4 CS0-004 domains. Get instant scoring with detailed explanations — perfect for a quick readiness check.
Why Choose FlashGenius for CompTIA CySA+?
- CS0-004-aligned practice questions covering all 4 domains
- Detailed explanations with analysis rationale and incident response context
- AI-powered concept clarification on every question
- Domain-level analytics so you know exactly where to focus next
- Full-length 85-question mock exams with realistic Pearson VUE-style timing (Premium)