Free Practice Questions for CompTIA CS0-003 Exam

To decide what to address first, CySA+ expects a risk-based prioritization approach, combining factors like:

Asset criticality/value (business impact)

Exposure/architecture (internet-facing vs. isolated/internal)

Patch availability / ability to remediate quickly

Exploitability / likelihood of exploitation

1) Server5 (Critical + Patch Yes) — prioritize immediately

Server5 sits in the database network, is marked Critical, and a patch is available. That combination makes it one of the highest priorities because you can rapidly reduce risk on an asset with the greatest business impact.

Secbay explicitly states that prioritization should align to asset criticality and business impact, and also notes that patch availability accelerates remediation:Exact extract (Secbay Press): “Prioritize vulnerabilities based on their severity, exploitability, and potential impact… Asset Criticality: Identify and prioritize vulnerabilities based on the criticality of the assets they affect…” and “Patch Availability… Action: Prioritize vulnerabilities for which patches are readily available, as prompt remediation is possible.”

The All-in-One guide emphasizes asset value/criticality as a major driver of how fast you remediate:Exact extract (All-in-One Exam Guide): “Asset value is likely one of the most important factors in determining how quickly you should remediate vulnerabilities…”

2) Server3 (Perimeter + High) — address immediately (mitigate now, patch later)

Server3 is in the perimeter network and rated High, making it more exposed to attack paths than internal-only systems. Even though no patch is available, the analyst must still “address” it first via mitigation/compensating controls (segmentation, firewalling, disabling vulnerable services, WAF where relevant, tighter ACLs, etc.) because perimeter exposure increases likelihood of exploitation.

The All-in-One guide makes the architecture/exposure point very directly:Exact extract (All-in-One Exam Guide – Exam Tip): “The architecture of your infrastructure should be a factor… Internet-facing hosts with sensitive information will likely be your highest priority, while isolated systems… may be able to wait a bit longer for remediation.”

Secbay’s prioritization guidance also highlights focusing on critical/high impact risks first and using risk-based prioritization.

Why not the others (briefly):

Server4 (Internal, High, Patch Yes): This is a strong candidate, but when choosing only two, perimeter high exposure (Server3) plus critical database with patch (Server5) generally outranks an internal high system.

Server2 (Perimeter, Low, Patch Yes): Exposed, but Low criticality.

Server1 / Server6 (Medium, No patch): Lower criticality and no patch—typically handled after higher-risk items, or mitigated as feasible.

References (CompTIA CySA+ CS0-003 documents / study guides used):

Mya Heath et al., CompTIA CySA+ All-in-One Exam Guide (CS0-003): infrastructure architecture affects remediation priority; internet-facing hosts are typically highest priority; asset value drives remediation urgency

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): vulnerability prioritization factors include asset criticality and patch availability; prioritize items with readily available patches for prompt remediation

Comprehensive and Detailed Explanation From Exact Extract:

Because the system is mission critical and there is no patch and no vendor support, the best risk-reduction approach is to implement compensating controls. Compensating controls are specifically recommended when immediate remediation is not possible, and for legacy systems where patches may not exist.

The Sybex CySA+ Study Guide states this directly:

Exact extract (Sybex Study Guide): “Legacy systems may not have patches available, meaning that compensating controls may be the only option available.”

Secbay Press also explains that legacy systems may lack vendor support/updates and that mitigation strategies like compensating controls or isolation are essential to reduce risk:

Exact extract (Secbay Press): “Legacy systems may lack vendor support and updates, making mitigation strategies essential… Implement specific mitigation strategies for legacy systems, such as compensating controls or isolation.”

And Secbay provides a legacy-system compensating control case study showing exactly the kinds of controls mentioned in option D—segmentation/isolation, access controls, and enhanced monitoring/continuous monitoring:

Exact extract (Secbay Press): “Selected compensating controls, such as network segmentation, intrusion detection systems, and enhanced monitoring, to mitigate the risks…”

Why the other options are not “best” given the constraints:

A (Decommission immediately): may be ideal long-term, but conflicts with “mission critical” (and “immediately” is often unrealistic for business operations).

B (Block inbound/allow outbound): helps somewhat but is incomplete and can still allow command-and-control or exfiltration outbound; also doesn’t address restricted admin access/monitoring comprehensively.

C (WAF): useful only if this is specifically a web application exposure; the scenario says “legacy system” broadly. Compensating controls are the most complete and universally applicable choice.

References (CompTIA CySA+ CS0-003 documents / study guides used):

Chapple/Seidl, CompTIA CySA+ Study Guide (CS0-003): legacy systems may have no patches; compensating controls may be the only option

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): legacy systems lack support/updates; use compensating controls or isolation

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): compensating controls for legacy systems include segmentation/isolation and enhanced/continuous monitoring

A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a target’s network or server with a large volume of traffic from multiple sources. A common technique for launching a DDoS attack is to compromise DNS servers, which are responsible for resolving domain names into IP addresses. By flooding DNS servers with malicious requests, attackers can disrupt the normal functioning of the internet and prevent users from accessing external SaaS resources. Official References: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack/

Deploying an additional layer of access controls to verify authorized individuals is the best compensating control for the authentication vulnerability that could bypass the primary control. A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability ora threat when the primary control is not sufficient or feasible. A compensating control should provide a similar or greater level of protection as the primary control, and should be closely related to the vulnerability or the threat it is addressing1. In this case, the primary control is to restrict access to a sensitive database, and the vulnerability is an authentication bypass. Therefore, the best compensating control is to deploy an additional layer of access controls, such as multifactor authentication, role-based access control, or encryption, to verify the identity and the authorization of the individuals who are accessing the database. This way, the compensating control can prevent unauthorized access to the database, even if the primary control is bypassed23. Running regular penetration tests, conducting regular security awareness training, and implementing intrusion detection software are all good security practices, but they are not compensating controls for the authentication vulnerability, as they do not provide a similar or greater level of protection as the primary control, and they are not closely related to the vulnerability or the threat they are addressing. References: Compensating Controls: An Impermanent Solution to an IT … - Tripwire, What is Multifactor Authentication (MFA)? | Duo Security, Role-Based Access Control (RBAC) and Role-Based Security, [What is a Penetration Test and How Does It Work?]

An incident response plan (IRP) is a document that defines the roles and responsibilities, procedures, and guidelines for responding to a security incident. It helps the security team to act quickly and effectively, minimizing the impact and cost of the incident. An IRP should specify who should conduct the next steps following a security event, such as containment, eradication, recovery, and analysis12. References: CompTIA CySA+ CS0-003 Certification Study Guide, page 362; 6 Incident Response Steps to Take After a Security Event, section 2.

Using aregular expression (regex)to search email logs is the most efficient and scalable way to identify patterns in phishing URLs. Phishing campaigns often use consistent URL formats across different domains. Regex allows administrators to define flexible patterns to match these URLs even when the domains vary. This is significantly more effective than relying on user reports or less granular tools like firewall logs for such cases.

EDR stands for Endpoint Detection and Response, which is a layer of defense that monitors endpoints for malicious activity and provides automated or manual response capabilities. EDR can protect against external threats regardless of the device’s operating system, as it can detect and respond to attacks based on behavioral analysis and threat intelligence. EDR is also one of the tools that CompTIA CySA+ covers in its exam objectives. Official References:

https://www.comptia.org/certifications/cybersecurity-analyst

https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

https://resources.infosecinstitute.com/certification/cysa-plus-ia-levels/

SIEM (Security Information and Event Management) technology aggregates and analyzes activity from many different resources across your IT infrastructure. The description of correlating information from various sources and triggering notifications aligns with the capabilities of a SIEM system.

This log shows multiple 404 errors being triggered from requests to different directories or paths, which strongly suggests adirectory brute-force attack. In this type of attack, an adversary uses automated tools to enumerate directory or file paths in an attempt to find hidden or misconfigured resources. The frequent 404 “Not Found” HTTP responses from a single IP address attempting to access different URL paths is the signature pattern for directory brute-forcing. This behavior is not consistent with XSS, SQLi, or RCE, which would involve payloads or specific encoded commands, not merely probing paths.