Free CompTIA CySA+ Quick Practice Test — 10 Questions Across All 4 Domains

This free CompTIA CySA+ quick-start practice test includes 10 mixed-domain questions sampled from the FlashGenius CS0-004 question bank. Perfect for a fast readiness check before committing to full-length mock exams.

What's on This CompTIA CySA+ Quick Test?

10 Free CompTIA CySA+ Quick Start Practice Questions

Each question below includes 4 answer options, the correct answer, and a detailed explanation drawn directly from the FlashGenius CompTIA CySA+ question bank.

Sample Question 1 — Incident Response and Management

Artifact:
08:14 EDR alert: Suspicious rundll32.exe launched from C:\Users\jnorris\AppData\Local\Temp\a.dll
08:14 Action: Host FIN-WS22 automatically isolated from the network
08:15 User session: jnorris still logged in
08:16 IR lead note: "Primary goal right now is preserve evidence for root cause analysis before any rebuild."

What should the analyst do next?

  A. Capture memory and active process or network connection data from FIN-WS22 (Correct answer)
  B. Reimage FIN-WS22 immediately and return it to service after the rebuild
  C. Delete the suspicious DLL and remove the alert from the queue
  D. Reboot FIN-WS22 to stop any remaining malicious activity

Correct answer: A

Explanation: Correct answer (A): Because the endpoint is already isolated, the best next step is to preserve volatile evidence before the system state changes. Memory contents, running processes, active sessions, and network connections may be lost after a reboot or reimage. In CySA+ incident handling, containment generally comes before eradication, and evidence preservation comes before destructive actions when root cause analysis is a stated goal.

Why the other options are wrong:
- Option B: Reimaging may be appropriate later for eradication and recovery, but it is not the best next step when the explicit goal is to preserve evidence first.
- Option C: Deleting artifacts changes the system state and can destroy evidence needed to determine scope, cause, and attacker actions.
- Option D: Rebooting may interrupt activity, but it also risks losing memory-resident evidence and is unnecessary because the EDR has already isolated the host.

Sample Question 2 — Incident Response and Management

Artifact:
Organization severity rubric:
- P1: regulated data on a business-critical system or outage affecting more than 50 users
- P2: limited operational impact or sensitive data with narrow scope
- P3: isolated endpoint issue with no sensitive data exposure

08:40 SIEM alert: rapid file rename and encryption behavior on HR-FS01
08:43 Analyst note: payroll share unavailable to 230 users
08:44 Data owner note: share contains employee SSNs and tax records
08:45 No domain controller impact observed at this time

Based on the stated rubric, how should this incident be classified?

  A. P1, because the event affects a critical service and regulated employee data (Correct answer)
  B. P2, because the activity is limited to one file server and not the entire domain
  C. P3, because encryption was detected before domain controllers were affected
  D. False positive, because no evidence shows the attacker reached other servers yet

Correct answer: A

Explanation: Correct answer (A): The rubric drives the answer. This incident qualifies as P1 because it causes an outage affecting more than 50 users and involves regulated employee data. CySA+ severity decisions should be based on stated impact, scope, and data sensitivity, not just on whether the issue has spread to other systems.

Why the other options are wrong:
- Option B: One affected server can still be P1 when it supports a critical business function and stores regulated data.
- Option C: Lack of domain controller impact does not reduce severity when the stated P1 criteria are already met.
- Option D: Observed encryption behavior and confirmed service unavailability indicate a real incident, not a false positive.

Sample Question 3 — Incident Response and Management

Artifact:
09:02 WAF alert: suspicious POST requests to WEB-PROD-03
09:05 EDR alert: webshell-like file written to /var/www/tmp
09:06 Network telemetry: outbound connection from WEB-PROD-03 to 198.51.100.44:443
09:07 Operations note: public customer portal must remain available; standby server WEB-DR-01 is ready for failover
09:08 IR objective: stop attacker activity quickly while preserving evidence from the compromised host

What is the best next action?

  A. Isolate WEB-PROD-03, fail traffic to WEB-DR-01, and preserve forensic evidence from the compromised server (Correct answer)
  B. Patch WEB-PROD-03 in place and leave it serving traffic while monitoring for new alerts
  C. Reboot WEB-PROD-03 to clear the webshell and then place it back into production
  D. Delete the suspicious files from WEB-PROD-03 and continue investigating on the live server

Correct answer: A

Explanation: Correct answer (A): This scenario explicitly requires three things: stop attacker activity, preserve evidence, and keep the customer portal available. Isolating the compromised server provides containment, failing over to the standby preserves business continuity, and preserving evidence supports investigation before eradication. The other options either alter evidence or leave the compromised system serving production traffic.

Why the other options are wrong:
- Option B: Patching in place leaves a known-compromised system active and changes evidence before investigation is complete.
- Option C: Rebooting can destroy volatile evidence and is not a controlled containment strategy for a compromised production server.
- Option D: Deleting suspicious files alters evidence, may miss persistence, and does not reliably stop attacker access.

Sample Question 4 — Reporting and Communication

A SaaS storage bucket was accidentally exposed for 47 minutes. Customer Success asks for wording to send affected clients immediately.

Artifact: Incident status excerpt
- Data type: customer support attachments
- Potential records exposed: approximately 11,000
- Confirmed exfiltration: No
- Access logs preserved: Yes
- Scope confidence: Low to medium
- Legal review: Pending
- Current containment: Public access removed

What is the BEST next action for the analyst?

  A. Draft a customer notice stating that a breach is confirmed so the company appears transparent
  B. Provide a facts-only internal update and route any external messaging through legal and communications after scope validation (Correct answer)
  C. Wait to communicate anything internally until exfiltration is conclusively ruled out
  D. Post a public statement that no customer data was accessed because the exposure window was brief

Correct answer: B

Explanation: Correct answer (B): The best next step is to send a facts-only internal update and coordinate any external messaging through legal and communications after scope is validated. The scenario explicitly says exfiltration is not confirmed, scope confidence is still low to medium, logs have been preserved, and legal review is pending. In CySA+ reporting, analysts should separate confirmed facts from assumptions and avoid speculative customer or public statements.

Why the other options are wrong:
- Option A: This overstates the facts. Transparency does not justify declaring a confirmed breach when exfiltration has not been validated.
- Option C: Internal stakeholders still need timely updates during an active investigation. Waiting for perfect certainty would delay decision-making and coordination.
- Option D: A short exposure window does not prove no access occurred. This is speculative external communication and creates unnecessary legal and credibility risk.

Sample Question 5 — Reporting and Communication

A security manager asks for a summary of quarterly incident-response performance.

Artifact: Quarterly metrics

Month     MTTD    MTTC    MTTR
Month 1   6.0h    2.0h    18.0h
Month 2   5.5h    2.1h    11.0h
Month 3   5.8h    1.9h    10.0h

Definitions used by the team:
- MTTD: time to detect
- MTTC: time to initial containment
- MTTR: time to remediate or restore service

Which statement is MOST accurate for the report?

  A. Detection improved sharply, containment worsened sharply, and remediation stayed flat
  B. Containment performance stayed about the same, while remediation and restoration time improved materially (Correct answer)
  C. All three metrics improved at the same rate across the quarter
  D. The data shows a lower false-positive rate and better phishing resistance

Correct answer: B

Explanation: Correct answer (B): MTTC stays close to 2 hours across all three months, so containment performance is roughly steady. MTTR drops from 18 hours to 10 hours, which is a meaningful improvement in remediation or restoration time. MTTD improves only slightly overall and does not support a claim of sharp improvement. The key reporting skill here is to distinguish which phase of incident response each metric measures.

Why the other options are wrong:
- Option A: MTTD did not improve sharply, MTTC did not worsen sharply, and MTTR clearly did not stay flat.
- Option C: The trends are not equal. MTTR improved much more than either MTTD or MTTC.
- Option D: False-positive rate and phishing resistance are not shown in the artifact, so this conclusion is unsupported.

Sample Question 6 — Reporting and Communication

A draft post-incident report is being reviewed after an account compromise.

Artifact: Incident facts
- Contractor account accessed from a phishing link
- MFA was bypassed because the account had an old temporary exemption that was never removed
- Malicious inbox rules were created
- The account has been disabled and the laptop reimaged

Which statement BEST belongs in the report's root cause analysis section?

  A. Disable the contractor account, remove inbox rules, and reimage the endpoint
  B. The compromise succeeded because a legacy MFA exemption remained active and exception reviews were not enforced (Correct answer)
  C. Restore business access after the contractor receives a replacement laptop
  D. Block phishing domains and retrain users on suspicious email reporting

Correct answer: B

Explanation: Correct answer (B): Root cause analysis explains why the incident was possible and what control or process gap allowed it. In this case, the underlying failure was a legacy MFA exemption that remained active and a weak exception-review process that failed to remove it. That is distinct from containment, recovery, or future corrective actions.

Why the other options are wrong:
- Option A: These are containment and eradication actions already taken, not the underlying reason the compromise succeeded.
- Option C: This is a recovery activity focused on restoring user operations, not root cause analysis.
- Option D: These are preventive improvements or lessons-learned actions, not the root cause itself.

Sample Question 7 — Security Operations

A SOC analyst receives a sign-in alert for a remote user's laptop and needs to confirm whether suspicious processes started on that host. The analyst also wants the option to quarantine the laptop if malicious activity is confirmed. Which technology is the best fit for this requirement?

  A. SIEM
  B. EDR (Correct answer)
  C. SOAR
  D. UEBA

Correct answer: B

Explanation: Correct answer (B): EDR is the best fit because it provides host-level telemetry such as process execution, parent-child relationships, and command-line details, and it often supports containment actions like host isolation. A SIEM can correlate the sign-in alert, but it is not the primary tool for direct endpoint investigation and quarantine. On CySA+, the key distinction is that SIEM correlates, EDR investigates and responds on the endpoint, SOAR orchestrates workflows, and UEBA identifies behavioral anomalies.

Why the other options are wrong:
- Option A: A SIEM is useful for centralized log collection and correlation, but it is not the best platform when the analyst specifically needs host process detail and the ability to quarantine the endpoint.
- Option C: SOAR can orchestrate actions across tools, but it depends on other security products for the underlying host telemetry and isolation capability.
- Option D: UEBA highlights behavioral anomalies, but it does not provide the direct endpoint evidence or containment the analyst needs for this host-focused investigation.

Sample Question 8 — Security Operations

An EDR alert shows the following on FIN-LAP-14:
Parent: WINWORD.EXE
Child: powershell.exe
Command line: powershell -nop -w hidden -enc SQBiAGUAdAAtAFAAcgBvAGMAZQBzAHMA...
Network: outbound TLS connection to 198.51.100.24:443

Which activity is the most likely explanation?

  A. A normal Office add-in update using a signed background task
  B. A malicious document launching obfuscated PowerShell through a LOLBin (Correct answer)
  C. A routine certificate enrollment process for the workstation
  D. A scheduled administrative script started by a patch tool

Correct answer: B

Explanation: Correct answer (B): A document process spawning PowerShell with an encoded command line is a strong indicator of malicious execution or LOLBin abuse. The no-profile flag, hidden window, and immediate outbound connection all raise confidence that this is payload execution rather than a normal Office action. CySA+ expects analysts to weigh process ancestry and command-line context together, not just the tool name.

Why the other options are wrong:
- Option A: Office add-ins do not typically spawn hidden, encoded PowerShell directly from WINWORD.EXE. The process ancestry and obfuscation make this explanation unlikely.
- Option C: Certificate enrollment would not normally originate from WINWORD.EXE with an encoded PowerShell command line and hidden execution.
- Option D: Administrative scripts may use PowerShell, but the parent process and obfuscated command strongly point to malicious document-driven execution rather than a managed patch workflow.
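The reasoning in this explanation written as triage logic, added here as an example and not taken from the FlashGenius question bank: it weighs the independent indicators (Office parent, hidden window, no-profile flag, encoded command, outbound connection) on constructed EDR process events modelled on the alert above, and decodes the -enc argument, which PowerShell expects as base64 over a UTF-16LE string. The event field names, the escalation threshold and the sample events (the encoded command is built from a harmless string) are assumptions.

```python
import base64
import re

# Parents and script hosts to pair up; the sets are assumptions for this example.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def decode_encoded_command(cmdline):
    """Return the plaintext behind -enc/-EncodedCommand, or None if absent or invalid.
    PowerShell takes the argument as base64 of a UTF-16LE string, so decode that way."""
    m = re.search(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Collect the indicators present on one process event.
    Returns (score, reasons); each indicator is weighed together with the
    others, rather than judging the tool name alone."""
    reasons = []
    parent, child, cmd = event["parent"].lower(), event["child"].lower(), event["cmdline"]
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        reasons.append("hidden window")
    if re.search(r"-nop(?:rofile)?\b", cmd, re.I):
        reasons.append("profile bypass")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append(f"encoded command: {decoded!r}")
    if event.get("outbound_dst"):
        reasons.append(f"outbound connection to {event['outbound_dst']}")
    return len(reasons), reasons

def should_escalate(event, threshold=3):
    """Assumed policy: three or more indicators on a single event means escalate."""
    return triage(event)[0] >= threshold

# Constructed events: the alert from the question and a benign admin script.
ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
ALERT = {"host": "FIN-LAP-14", "parent": "WINWORD.EXE", "child": "powershell.exe",
         "cmdline": f"powershell -nop -w hidden -enc {ENC}",
         "outbound_dst": "198.51.100.24:443"}
BENIGN = {"host": "FIN-LAP-14", "parent": "explorer.exe", "child": "powershell.exe",
          "cmdline": r"powershell -File C:\Scripts\inventory.ps1", "outbound_dst": None}

if __name__ == "__main__":
    for ev in (ALERT, BENIGN):
        score, why = triage(ev)
        print(ev["host"], ev["parent"], "->", ev["child"], score, why, should_escalate(ev))
```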

Sample Question 9 — Security Operations

A UEBA alert flags account svc_backup for unusual activity because it authenticated to FILESRV-02 at 02:05, outside its normal daytime pattern. The change calendar shows an approved backup maintenance window from 01:00 to 03:00, and the destination server is part of the backup scope. What is the best analyst action?

  A. Disable the svc_backup account immediately because the behavior is anomalous
  B. Validate the maintenance activity with supporting logs before escalating (Correct answer)
  C. Reset all service account passwords because off-hours logins are suspicious
  D. Close the alert as a false positive without any additional review

Correct answer: B

Explanation: Correct answer (B): UEBA identifies deviations from baseline, not confirmed compromise. Because there is approved maintenance during the same window and the server is in scope for that task, the analyst should validate the activity with supporting logs before escalating. This reinforces an important CySA+ principle: anomaly does not automatically mean malicious, and business context matters.

Why the other options are wrong:
- Option A: Immediate disablement is too aggressive here because the anomaly already has plausible business context that should be checked first.
- Option C: Resetting all service account passwords would create disruption without enough evidence of compromise.
- Option D: Closing it without validation is also wrong. An approved window lowers suspicion, but the analyst still needs to confirm the activity matches the expected change.

Sample Question 10 — Vulnerability Management

During external attack surface review, the analyst receives the following scan excerpt for a public IP:

Host: 203.0.113.25
22/tcp open ssh OpenSSH 8.4
443/tcp open https nginx 1.18.0
8080/tcp open http Jenkins 2.303
OS guess: Linux 5.x

What is the BEST conclusion to document before escalating this host as a vulnerability finding?

  A. The host is definitely compromised because Jenkins is exposed on TCP 8080
  B. The scan confirms exploitable CVEs on nginx and Jenkins
  C. The results show reachable services that require vulnerability validation (Correct answer)
  D. The output proves the firewall policy is incorrect and incomplete

Correct answer: C

Explanation: Correct answer (C): This output is discovery and fingerprinting data. It shows externally reachable services, likely software banners, and an OS guess, which is valuable for attack surface management. However, it does not by itself prove compromise or confirm that specific CVEs are present and exploitable. A CySA+ analyst should document that the host has exposed services and then validate versions, configurations, and applicable vulnerabilities before escalating it as a confirmed vulnerability finding.

Why the other options are wrong:
- Option A: Exposure of Jenkins may increase risk, but exposure alone does not prove the host has already been compromised.
- Option B: Service banners help guide follow-up analysis, but they do not automatically confirm exploitable CVEs without validation of the actual software build and configuration.
- Option D: The scan shows what is reachable from the internet, but it does not prove the firewall is wrong. The exposure could be intentional.

How Should I Use This CySA+ Quick Test?

Use it as a fast diagnostic. If you score 80% or higher, you're close to exam-ready and should drill weak domains. If you score lower, build foundations with structured study (CompTIA CertMaster, Jason Dion) plus hands-on time with SIEM and analysis tools before attempting more practice tests.
