Free CompTIA CySA+ Security Operations Practice Test 2026 — CS0-004 Questions

This free CompTIA CySA+ Security Operations practice test covers system and network architecture, threat intelligence, log and malicious activity analysis, SIEM, threat hunting, and security operations automation. Each question includes a detailed explanation with cybersecurity analysis context — perfect for CS0-004 exam prep.

Free CompTIA CySA+ Security Operations Practice Questions with Answers

Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius CompTIA CySA+ CS0-004 question bank for the Security Operations domain (34% of the exam).

Sample Question 1 — Security Operations

A SOC analyst receives a sign-in alert for a remote user's laptop and needs to confirm whether suspicious processes started on that host. The analyst also wants the option to quarantine the laptop if malicious activity is confirmed. Which technology is the best fit for this requirement?

  1. A. SIEM
  2. B. EDR (Correct answer)
  3. C. SOAR
  4. D. UEBA

Correct answer: B

Explanation: Correct answer (B): EDR is the best fit because it provides host-level telemetry such as process execution, parent-child relationships, and command-line details, and it often supports containment actions like host isolation. A SIEM can correlate the sign-in alert, but it is not the primary tool for direct endpoint investigation and quarantine. On CySA+, the key distinction is that SIEM correlates, EDR investigates and responds on the endpoint, SOAR orchestrates workflows, and UEBA identifies behavioral anomalies.
Why the other options are wrong:
- Option A: A SIEM is useful for centralized log collection and correlation, but it is not the best platform when the analyst specifically needs host process detail and the ability to quarantine the endpoint.
- Option C: SOAR can orchestrate actions across tools, but it depends on other security products for the underlying host telemetry and isolation capability.
- Option D: UEBA highlights behavioral anomalies, but it does not provide the direct endpoint evidence or containment the analyst needs for this host-focused investigation.

Sample Question 2 — Security Operations

An EDR alert shows the following on FIN-LAP-14:
Parent: WINWORD.EXE
Child: powershell.exe
Command line: powershell -nop -w hidden -enc SQBiAGUAdAAtAFAAcgBvAGMAZQBzAHMA...
Network: outbound TLS connection to 198.51.100.24:443
Which activity is the most likely explanation?

  1. A. A normal Office add-in update using a signed background task
  2. B. A malicious document launching obfuscated PowerShell through a LOLBin (Correct answer)
  3. C. A routine certificate enrollment process for the workstation
  4. D. A scheduled administrative script started by a patch tool

Correct answer: B

Explanation: Correct answer (B): A document process spawning PowerShell with an encoded command line is a strong indicator of malicious execution or LOLBin abuse. The no-profile flag, hidden window, and immediate outbound connection all raise confidence that this is payload execution rather than a normal Office action. CySA+ expects analysts to weigh process ancestry and command-line context together, not just the tool name.
Why the other options are wrong:
- Option A: Office add-ins do not typically spawn hidden, encoded PowerShell directly from WINWORD.EXE. The process ancestry and obfuscation make this explanation unlikely.
- Option C: Certificate enrollment would not normally originate from WINWORD.EXE with an encoded PowerShell command line and hidden execution.
- Option D: Administrative scripts may use PowerShell, but the parent process and obfuscated command strongly point to malicious document-driven execution rather than a managed patch workflow.

Sample Question 3 — Security Operations

A UEBA alert flags account svc_backup for unusual activity because it authenticated to FILESRV-02 at 02:05, outside its normal daytime pattern. The change calendar shows an approved backup maintenance window from 01:00 to 03:00, and the destination server is part of the backup scope. What is the best analyst action?

  1. A. Disable the svc_backup account immediately because the behavior is anomalous
  2. B. Validate the maintenance activity with supporting logs before escalating (Correct answer)
  3. C. Reset all service account passwords because off-hours logins are suspicious
  4. D. Close the alert as a false positive without any additional review

Correct answer: B

Explanation: Correct answer (B): UEBA identifies deviations from baseline, not confirmed compromise. Because there is approved maintenance during the same window and the server is in scope for that task, the analyst should validate the activity with supporting logs before escalating. This reinforces an important CySA+ principle: anomaly does not automatically mean malicious, and business context matters.
Why the other options are wrong:
- Option A: Immediate disablement is too aggressive here because the anomaly already has plausible business context that should be checked first.
- Option C: Resetting all service account passwords would create disruption without enough evidence of compromise.
- Option D: Closing it without validation is also wrong. An approved window lowers suspicion, but the analyst still needs to confirm the activity matches the expected change.

Sample Question 4 — Security Operations

A network sensor reports the following from ENG-LAP-22 over 10 minutes:
- 240 DNS TXT queries
- Average subdomain length: 58 characters
- Queries sent every 15 seconds
- Destination domain not previously seen in the environment
The analyst's goal is to determine whether this is actual DNS tunneling rather than just an odd application behavior. What is the best next step?

  1. A. Declare confirmed data exfiltration because TXT records are present
  2. B. Correlate the DNS activity to the source process and review the destination context (Correct answer)
  3. C. Reset the user's password because DNS anomalies usually mean account theft
  4. D. Ignore the activity because encrypted DNS prevents meaningful analysis

Correct answer: B

Explanation: Correct answer (B): Long subdomains, frequent TXT queries, and regular intervals make DNS tunneling suspicious, but they do not prove exfiltration by themselves. The strongest next step is to correlate the DNS activity to the generating host process and review the destination's reputation or expected business use. CySA+ emphasizes corroboration across network and host telemetry before declaring a finding exploitable or malicious.
Why the other options are wrong:
- Option A: The pattern is suspicious, but declaring confirmed exfiltration without host or process correlation is premature.
- Option C: Password reset does not address the immediate question and assumes identity theft without supporting evidence.
- Option D: Even if some DNS activity is protected in other scenarios, the provided telemetry is still useful. The analyst should investigate further rather than dismiss it.
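The cues from Question 4 (query volume, label length, TXT share, fixed interval, never-seen domain) turned into scoring logic over constructed DNS query records. This is an added example, not code from the page or FlashGenius; the host name, the domain tunnel-example.invalid, and the thresholds are assumptions, and a "lead" here is a hypothesis for process correlation, exactly as the explanation says, not a finding.

```python
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def constructed_log():
    """Constructed DNS query records (not real telemetry): 240 TXT queries every 15 s
    with 58-character labels to one never-seen domain, plus a few ordinary A lookups."""
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    recs = []
    for i in range(240):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:58]
        recs.append((t0 + timedelta(seconds=15 * i), "ENG-LAP-22", "TXT",
                     f"{label}.tunnel-example.invalid"))
    for i, off in enumerate([3, 47, 130, 131, 402, 901]):
        recs.append((t0 + timedelta(seconds=off), "ENG-LAP-22", "A", f"www{i}.example.com"))
    return recs

def registered_domain(qname):
    """Crude last-two-labels split; production code would consult the public suffix list."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:]), parts[:-2]

def profile(records, baseline_domains, min_queries=50, min_label_len=40,
            txt_ratio=0.5, max_jitter=5.0):
    """Group queries per (host, domain) and score the cues Question 4 lists. A lead is
    a hypothesis to correlate with the source process, not a confirmed exfiltration."""
    groups = defaultdict(list)
    for ts, host, qtype, qname in sorted(records):
        dom, labels = registered_domain(qname)
        groups[(host, dom)].append((ts, qtype, sum(map(len, labels))))
    leads = []
    for (host, dom), rows in groups.items():
        if len(rows) < min_queries:
            continue  # too little volume to judge interval regularity
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        cues = {
            "long_labels": statistics.mean(r[2] for r in rows) >= min_label_len,
            "txt_heavy": sum(r[1] == "TXT" for r in rows) / len(rows) >= txt_ratio,
            "beaconing": statistics.pstdev(intervals) <= max_jitter,  # near-constant spacing
            "new_domain": dom not in baseline_domains,
        }
        if sum(cues.values()) >= 3:
            leads.append({"host": host, "domain": dom, "queries": len(rows), "cues": cues,
                          "next_step": "correlate to source process; review domain reputation/business use"})
    return leads
```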

Sample Question 5 — Security Operations

During a confirmed phishing incident, analysts found one endpoint where OUTLOOK.EXE spawned rundll32.exe with a command line pointing to a DLL in a user Temp folder. The SOC now wants to hunt for similar activity across the environment. Which is the best initial pivot?

  1. A. Search EDR telemetry for OUTLOOK.EXE spawning rundll32.exe with user-writable path references (Correct answer)
  2. B. Search firewall logs for all outbound TCP 443 connections from employee laptops
  3. C. Search vulnerability scan results for systems with missing browser patches
  4. D. Search the help desk queue for users who reported suspicious email

Correct answer: A

Explanation: Correct answer (A): Threat hunting should start with a hypothesis and a precise pivot tied to known malicious behavior. Here, the strongest pivot is the exact process ancestry and suspicious command-line pattern already observed: OUTLOOK.EXE spawning rundll32.exe from a user-writable Temp location. Broader searches such as all 443 traffic generate noise and are less likely to efficiently surface related activity.
Why the other options are wrong:
- Option B: Outbound 443 traffic is far too broad and not closely tied to the hypothesis. It would create noise without focusing on the suspicious execution pattern.
- Option C: Missing browser patches may matter for prevention, but they are not the best hunting pivot for the specific malicious behavior already identified.
- Option D: User reports may help with case intake, but they are not a strong technical pivot for an environment-wide threat hunt.
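The process-ancestry reasoning from Question 2 and the hunting pivot from Question 5 as one small triage script, an added example that is not code from the page or FlashGenius. The events, host names, paths and the encoded command are constructed (the sample decodes to a harmless cmdlet), and decode_encoded_command, assess and hunt are hypothetical helper names.

```python
import base64
import re

# Constructed sample EDR process events (not from the page's question bank); the
# encoded command is built here so the sample decodes to a harmless cmdlet.
EVENTS = [
    {"host": "FIN-LAP-14", "parent": "WINWORD.EXE", "child": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc "
                + base64.b64encode("Get-Process".encode("utf-16le")).decode()},
    {"host": "HR-LAP-03", "parent": "OUTLOOK.EXE", "child": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\inv.dll,Run"},
    {"host": "ENG-LAP-07", "parent": "explorer.exe", "child": "powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\backup.ps1"},
    {"host": "IT-LAP-01", "parent": "svchost.exe", "child": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
LOLBINS = {"powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Paths an ordinary user can write to: a DLL loaded from here is the Question 5 cue.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)

def decode_encoded_command(cmdline):
    """Return the -enc/-EncodedCommand payload (base64 of UTF-16LE) decoded, else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16le") if m else None

def assess(event):
    """Score one event on the cues Question 2's explanation weighs together: Office
    parent, LOLBin child, encoded/hidden/no-profile flags, user-writable path."""
    cl = event["cmdline"]
    checks = {
        "office_parent": event["parent"].upper() in OFFICE_PARENTS,
        "lolbin_child": event["child"].lower() in LOLBINS,
        "encoded_command": decode_encoded_command(cl) is not None,
        "hidden_window": re.search(r"-w(?:indowstyle)?\s+hidden", cl, re.I) is not None,
        "no_profile": re.search(r"-no?p(?:rofile)?\b", cl, re.I) is not None,
        "user_writable_path": USER_WRITABLE.search(cl) is not None,
    }
    reasons = [k for k, v in checks.items() if v]
    # Ancestry is the anchor; the command-line cues raise confidence, per the explanation.
    suspicious = checks["office_parent"] and checks["lolbin_child"]
    return {"host": event["host"], "suspicious": suspicious, "reasons": reasons}

def hunt(events, parent="OUTLOOK.EXE", child="rundll32.exe"):
    """Question 5's pivot: exact ancestry plus a user-writable path in the command line."""
    return [e["host"] for e in events
            if e["parent"].upper() == parent and e["child"].lower() == child
            and USER_WRITABLE.search(e["cmdline"])]
```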

Sample Question 6 — Security Operations

A SOC uses SOAR for phishing response. A new invoice-themed email triggered a medium-confidence sandbox verdict, and one user clicked the link. The user's endpoint shows only a browser process opening the URL; there are no malicious child processes, no credential prompt captured, and no follow-on alerts. The security manager wants faster response without disrupting users unnecessarily. What is the best playbook design?

  1. A. Automatically isolate the endpoint and disable the user account for every phishing click
  2. B. Automate enrichment and ticketing, but require analyst approval before isolation or account disablement (Correct answer)
  3. C. Close the event automatically because no malware payload executed on the endpoint
  4. D. Send the alert to the help desk because phishing triage does not belong in the SOC

Correct answer: B

Explanation: Correct answer (B): SOAR is best used for repeatable, low-risk tasks such as enrichment, evidence collection, and ticket creation. In this case, the evidence is not strong enough to justify fully automated disruptive actions like host isolation or account disablement. The safest design is to automate enrichment immediately and require human approval for business-impacting actions when confidence is still moderate.
Why the other options are wrong:
- Option A: This is too aggressive for a medium-confidence case with limited supporting evidence. It increases the risk of unnecessary disruption.
- Option C: No child process does not prove there was no harm. The event still needs investigation and enrichment rather than automatic closure.
- Option D: Phishing investigation is a core SOC task, especially when there is a user click and a possible follow-on compromise path.

How to Study CompTIA CySA+ Security Operations

Combine these CompTIA CySA+ Security Operations practice questions with hands-on work in SIEM platforms, vulnerability scanners, and analysis tools. The CS0-004 exam emphasizes applied analyst skills, so practice interpreting real telemetry and alerts to build the judgment that separates passing from failing scores.
