CS0-004 — CompTIA CySA+ V4 Exam Blueprint

Last revised: June 18, 2026

A practical CS0-004 exam blueprint for CompTIA CySA+ V4 readiness, covering security operations, vulnerability management, incident response, tooling, and reporting.

How to Use This Exam Blueprint

Use this independent checklist to prepare for the CompTIA CySA+ V4 (CS0-004) exam. It is organized around practical readiness areas rather than exact exam weights. The goal is to confirm that you can analyze security data, prioritize risk, choose response actions, and communicate findings under scenario pressure.

For each area, mark your status:

Score	Readiness meaning
0	Not reviewed yet
1	Recognize the terms but cannot apply them reliably
2	Can explain the topic with notes
3	Can solve scenario questions without notes
4	Can troubleshoot, prioritize, and justify the best action under time pressure

A topic is not “ready” just because you recognize the vocabulary. For CS0-004, ready means you can interpret evidence, choose the next best action, and explain tradeoffs.

CS0-004 Readiness Areas at a Glance

Readiness area	What to review	You are ready when you can…	Practice artifacts
Security operations	Monitoring, alert triage, SIEM workflows, endpoint/network telemetry	Decide whether an alert is true positive, false positive, benign, or needs escalation	SIEM alerts, firewall logs, EDR alerts, IDS events
Threat analysis	TTPs, indicators, threat intelligence, attacker behavior	Connect observed activity to likely tactics, techniques, and business impact	IOC lists, ATT&CK-style mappings, phishing headers, malware alerts
Vulnerability management	Scanning, prioritization, validation, remediation tracking	Prioritize findings using exploitability, exposure, asset value, and compensating controls	Vulnerability scan reports, CVE records, patch plans
Incident response	Triage, containment, eradication, recovery, lessons learned	Choose the next response step without destroying evidence or increasing impact	Timelines, case notes, endpoint snapshots, containment plans
Log and packet analysis	Authentication, DNS, web, proxy, firewall, cloud, endpoint logs	Extract who, what, when, where, how, and likely severity from evidence	Log excerpts, PCAP summaries, HTTP requests, DNS queries
Identity and access analysis	Privilege abuse, MFA, service accounts, tokens, account lifecycle	Detect suspicious identity activity and recommend appropriate controls	IAM audit logs, failed logins, privilege change events
Cloud and hybrid security	Cloud audit logs, storage exposure, security groups, keys, workload telemetry	Analyze cloud misconfigurations and compromise indicators without relying on vendor-specific trivia	Cloud activity logs, object access events, network rules
Automation and tooling	Command-line triage, scripting concepts, parsing, enrichment	Read simple commands/scripts and understand how automation supports security operations	PowerShell, Linux commands, JSON, CSV, API output
Reporting and communication	Risk reports, metrics, escalation, stakeholder updates	Tailor findings for technical, management, legal, and operational audiences	Executive summaries, remediation tickets, after-action reports

Core “Can You Do This?” Checklist

Before final review, you should be able to check most of these without notes.

Security Monitoring and Triage

Identify the difference between an event, alert, incident, vulnerability, threat, risk, and IOC.
Explain why a high-severity alert may not be the highest business priority.
Triage an alert using source, destination, user, process, time, action, result, and asset criticality.
Determine whether an alert is a false positive, true positive, benign positive, or requires more evidence.
Correlate multiple weak signals into a stronger incident hypothesis.
Recognize alert fatigue and recommend tuning, suppression, allowlisting, or enrichment when appropriate.
Distinguish detection engineering from incident response, vulnerability management, and threat hunting.
Choose escalation paths based on severity, scope, affected systems, and business impact.
Explain why time synchronization and time zone normalization matter in investigations.
Document assumptions, evidence, decisions, and next steps in a case record.

Log Source Readiness

Log source	Be able to identify	Common scenario cues
Authentication logs	Successful logins, failed logins, lockouts, privilege changes, MFA prompts	Brute force, password spraying, impossible travel, account takeover
Endpoint logs	Process creation, parent-child process relationships, command lines, file writes, persistence	Malware, suspicious PowerShell, credential dumping, lateral movement
Firewall logs	Allowed/denied traffic, direction, ports, zones, NAT context	Unauthorized access, blocked C2, misconfigured rule
IDS/IPS logs	Signatures, protocol anomalies, exploit attempts, severity	Web attack, scanning, exploit traffic, suspicious payload
DNS logs	Query name, response, NXDOMAIN, unusual volume, rare domains	DGA, DNS tunneling, malware beaconing
Web/proxy logs	URL, URI, method, status code, user-agent, bytes transferred	SQL injection, XSS, exfiltration, malware download
Email logs and headers	Sender path, SPF/DKIM/DMARC results, attachment names, links	Phishing, BEC, spoofing, malicious attachments
Cloud audit logs	Principal, API action, region, resource, source IP, result	Key abuse, public storage exposure, privilege escalation
Vulnerability scan logs	Finding, severity, affected asset, detection method, evidence	Patch prioritization, false positive validation
EDR/XDR alerts	Process tree, hash, reputation, network connection, containment status	Ransomware, persistence, suspicious script execution

Threat and Attack Analysis

Explain the difference between IOC and IOA.
Map observed behavior to likely attacker objectives such as initial access, persistence, privilege escalation, defense evasion, credential access, lateral movement, collection, exfiltration, or impact.
Interpret technical, tactical, operational, and strategic threat intelligence.
Evaluate intelligence based on source reliability, confidence, age, relevance, and context.
Identify when an IP, domain, hash, or file path is not enough to prove compromise.
Use TTPs to hunt for related activity beyond the first alert.
Recognize common malware behaviors: beaconing, persistence, process injection, suspicious child processes, encryption activity, and unusual outbound connections.
Distinguish commodity malware, targeted intrusion, insider misuse, credential theft, and misconfiguration.
Explain why attribution should be handled carefully and supported by evidence.
Recommend containment actions based on observed attacker stage.

Vulnerability Management Checklist

CS0-004 candidates should be comfortable moving from scan output to risk-based action. Do not stop at “critical equals patch first.” The exam can test whether you can prioritize based on context.

Scanning and Discovery

Distinguish authenticated from unauthenticated scanning.
Explain why credentialed scans usually provide better host-level evidence.
Identify false positives and false negatives in vulnerability reports.
Know when to validate a finding manually or with a compensating data source.
Consider scope, scan windows, network segments, fragile systems, and business impact.
Identify risks of scanning production, OT, IoT, medical, or legacy environments.
Explain the difference between vulnerability scanning, penetration testing, red teaming, and compliance assessment.
Recognize discovery methods such as network scanning, agent-based scanning, configuration review, and passive discovery.
Track asset ownership, criticality, exposure, and remediation status.

Prioritization Factors

Factor	Why it matters	Example decision cue
Asset criticality	Affects business impact	Internet-facing identity server outranks a lab workstation
Exploitability	Indicates likelihood of use by attackers	Known active exploitation raises urgency
Exposure	Determines attacker reachability	Public service usually outranks internal-only service
Data sensitivity	Raises confidentiality and compliance impact	Customer data system needs faster action
Compensating controls	May reduce immediate risk	WAF, segmentation, EDR, or ACL may lower exposure
Patch availability	Determines remediation path	No patch may require mitigation or isolation
Operational impact	Affects scheduling	Critical production system may require change window
Vulnerability age	Shows risk debt	Long-open high-risk findings need escalation
Threat intelligence	Adds current context	Active campaign targeting the product changes priority

A useful risk thinking model is:

\[ \text{Risk} \approx \text{Likelihood} \times \text{Impact} \]

For exam scenarios, likelihood is often influenced by exposure, exploit availability, attacker interest, and control gaps. Impact is often influenced by asset value, data sensitivity, business function, and blast radius.

Remediation and Mitigation

Choose between patching, configuration change, upgrade, isolation, rule change, compensating control, exception, or risk acceptance.
Explain remediation versus mitigation versus risk transfer versus risk acceptance.
Create a remediation plan that includes owner, action, priority, due date, validation, and rollback consideration.
Validate that a patch or configuration change actually resolved the finding.
Identify when a temporary control is acceptable and when permanent remediation is needed.
Recognize when emergency change handling may be justified.
Communicate residual risk clearly.
Avoid treating scanner severity as the only prioritization input.

Incident Response Readiness

You should be able to choose the best next step in an incident scenario. The correct answer often depends on the phase of response, the available evidence, and whether containment would destroy useful forensic data.

Response Phase Checklist

Phase	Readiness tasks	Common exam-style decisions
Preparation	Playbooks, logging, access, tools, contacts, training	What should have been in place before the incident?
Detection and analysis	Validate alert, scope impact, collect evidence, classify severity	Is this an incident? What evidence is missing?
Containment	Limit damage while preserving evidence	Isolate host, disable account, block IOC, revoke token, quarantine email
Eradication	Remove attacker access and root cause	Remove malware, patch vulnerability, reset credentials, close exposed service
Recovery	Restore service safely and monitor for recurrence	Reimage host, restore from clean backup, increase monitoring
Lessons learned	Improve controls and process	Update playbooks, rules, training, architecture, reporting

Incident Decision Workflow

    flowchart TD
	    A[Alert or report received] --> B{Is there enough evidence?}
	    B -- No --> C[Collect and enrich logs]
	    C --> B
	    B -- Yes --> D{Confirmed security impact?}
	    D -- No --> E[Close, tune, or monitor]
	    D -- Yes --> F[Classify severity and scope]
	    F --> G{Active threat?}
	    G -- Yes --> H[Contain quickly and preserve evidence]
	    G -- No --> I[Investigate root cause]
	    H --> I
	    I --> J[Eradicate cause]
	    J --> K[Recover and validate]
	    K --> L[Report lessons learned]

Incident Scenario Cues

Scenario	First questions to ask	Likely strong actions	Actions to be careful with
Ransomware alert	Is encryption active? What hosts are affected? Are backups safe?	Isolate affected hosts, preserve evidence, disable compromised accounts	Reconnecting systems too early; deleting evidence
Phishing campaign	Who received it? Who clicked? Were credentials entered?	Quarantine messages, block indicators, reset affected credentials, educate users	Assuming one mailbox means one victim
Compromised admin account	What actions did the account perform? Are tokens still valid?	Disable or restrict account, revoke sessions, review privilege changes	Resetting password only while active sessions persist
Web application attack	Was data accessed or changed? What endpoint was targeted?	Review web/proxy/WAF logs, patch or mitigate, preserve request evidence	Blocking a single IP when attack came through distributed sources
Cloud key exposure	What permissions did the key have? What API calls occurred?	Disable key, rotate secrets, review audit logs, tighten IAM	Rotating without understanding blast radius
Insider data access	Is access authorized? What data moved? What policy applies?	Preserve logs, involve proper stakeholders, maintain confidentiality	Publicly accusing user without evidence
Vulnerability under active exploitation	Is the asset exposed? Is exploit activity visible?	Prioritize mitigation, patch, block, monitor for compromise	Waiting for normal patch cycle when risk is urgent

Technical Artifact and Tooling Checklist

CS0-004 is not a tool memorization exam, but candidates should understand what common tools and artifacts reveal.

Command-Line and Triage Skills

Be able to interpret outputs from commands like these. Focus on what the command helps prove, not memorizing every flag.

## Network and Linux host triage examples
ss -tulpn
lsof -i
ps aux --sort=-%cpu | head
journalctl --since "today"
grep "Failed password" /var/log/auth.log
find /tmp -type f -mtime -1

## Windows host triage examples
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
Get-NetTCPConnection | Where-Object State -eq Established
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddDays(-1)}
Get-LocalGroupMember Administrators

## Network, DNS, and web investigation examples
dig example.com
nslookup example.com
whois example.com
curl -I https://example.com
nmap -sV target.example
tcpdump -nn host 192.0.2.10

What Tool Output Should Tell You

Tool or artifact	What to extract	Watch for
`nmap` output	Open ports, service versions, exposed management interfaces	Assuming open port alone proves compromise
`tcpdump` or packet view	Source/destination, protocol, handshake, DNS, HTTP metadata	Ignoring encrypted traffic metadata
Wireshark summary	Conversation pairs, unusual protocols, retransmissions, DNS/HTTP details	Chasing noise without a hypothesis
`netstat`, `ss`, `Get-NetTCPConnection`	Listening ports, established connections, local processes	Missing reverse shells or unusual ports
Process list	Suspicious names, parent-child relationships, resource spikes	Trusting a process name without path/hash context
File hash	Indicator matching, deduplication, integrity check	Treating a hash match as complete root cause
Email header	Sender path, authentication results, reply-to mismatch	Looking only at display name
Web access log	URI, method, status, user-agent, bytes, referrer	Missing encoded payloads or repeated probes
Cloud audit event	Principal, action, resource, source IP, success/failure	Ignoring service accounts and automation roles
Vulnerability report	Evidence, affected version, severity, remediation	Prioritizing without asset context

SIEM and Query Logic

You do not need to know one vendor’s syntax, but you should understand query logic: filter, aggregate, correlate, sort, threshold, and enrich.

where event.category == "authentication"
  and event.outcome == "failure"
| stats count by source_ip, user
| where count > context_specific_threshold
| sort count desc

where process.name in ("powershell.exe", "pwsh", "cmd.exe")
  and command_line contains suspicious_pattern
| join endpoint_inventory on host_id
| project timestamp, host, user, parent_process, command_line

where destination_port in (22, 3389, 445)
  and action == "allowed"
  and source_zone == "internet"
| summarize by destination_ip, destination_port, rule_name

Be ready to explain:

Which fields are needed to validate the detection.
What additional logs would confirm or refute the hypothesis.
Whether the query detects behavior, an indicator, or a policy violation.
How to reduce false positives without suppressing real attacks.
Why static thresholds can fail without baselines.

Detection Rule Literacy

You should recognize the purpose of common rule types even if syntax varies.

Rule type	What it usually detects	Readiness check
Signature rule	Known pattern, payload, hash, or protocol marker	Can explain why signatures miss variants
Behavioral rule	Suspicious sequence or action	Can identify needed event fields
Sigma-style rule	SIEM-portable detection logic	Can read selection, condition, and false-positive notes
YARA-style rule	File or malware pattern	Can interpret strings and conditions at a high level
IDS rule	Network pattern or protocol anomaly	Can identify source, destination, action, and alert reason
Correlation rule	Multiple events forming a pattern	Can explain why correlation improves confidence

Identity, Access, and Privilege Analysis

Identity is central to CySA+ scenarios. Be ready to analyze accounts, privileges, sessions, and abnormal behavior.

Identity Checklist

Identify signs of password spraying versus brute force.
Recognize impossible travel and unusual source locations as signals, not proof by themselves.
Distinguish user accounts, privileged accounts, service accounts, and machine identities.
Review account creation, privilege assignment, group membership changes, and role assumption.
Explain why MFA reduces risk but does not eliminate session hijacking, token theft, or social engineering.
Recommend least privilege, just-in-time access, conditional access, privileged access management, and periodic access review where appropriate.
Identify stale accounts, excessive permissions, shared accounts, orphaned accounts, and weak service account practices.
Know when to revoke tokens/sessions in addition to resetting passwords.
Correlate identity logs with endpoint, VPN, cloud, and application activity.

Common Identity Scenarios

Evidence	Likely concern	Strong next step
Many failures across many users from one IP	Password spraying	Block or rate-limit source, review successful logins, enforce MFA
One user with many failures then success	Brute force or guessed password	Confirm user activity, reset credential, review post-login actions
Admin role granted outside change window	Privilege abuse or compromise	Validate authorization, review grantor account, preserve logs
API key used from new geography	Key leakage or automation change	Confirm expected use, rotate key if suspicious, review permissions
Disabled MFA followed by successful login	Account takeover risk	Re-enable control, revoke sessions, investigate actor

Network, Endpoint, and Application Security Topics

Network Analysis

Identify common ports and protocols at a practical level.
Recognize lateral movement cues involving SMB, RDP, SSH, WinRM, remote admin tools, or unusual internal scanning.
Interpret firewall direction, source/destination zone, NAT effects, and allow/deny action.
Identify C2-like patterns such as periodic outbound connections, rare domains, unusual user-agents, or abnormal destinations.
Understand segmentation, ACLs, VPNs, proxies, IDS/IPS, NAC, and secure remote access.
Choose when to block an IP, domain, URL, hash, port, or account.
Explain why blocking a single indicator may not fully contain a threat.

Endpoint Analysis

Identify suspicious process ancestry, such as Office spawning script interpreters.
Recognize persistence locations conceptually: services, scheduled tasks, startup folders, registry run keys, launch agents, cron jobs.
Interpret EDR actions such as detect, block, quarantine, isolate, rollback, or allow.
Explain why reimaging may be appropriate for high-confidence compromise.
Know when to collect volatile data before shutting down a system.
Recognize common signs of credential dumping, ransomware, unauthorized remote access tools, and defense evasion.

Application and Web Analysis

Recognize SQL injection, XSS, command injection, path traversal, SSRF, authentication bypass, insecure direct object reference, and insecure file upload at a high level.
Interpret HTTP status codes and request methods in attack context.
Identify suspicious query strings, encoded payloads, unusual user-agents, high error rates, and abnormal response sizes.
Understand secure coding and deployment controls conceptually: input validation, output encoding, parameterized queries, authentication, authorization, secrets management, and dependency management.
Use WAF, patching, configuration hardening, and code fixes appropriately.
Distinguish temporary virtual patching from permanent remediation.

Cloud, Container, and Hybrid Environment Readiness

The CompTIA CySA+ V4 (CS0-004) exam can present cloud and hybrid scenarios in vendor-neutral terms. Focus on security analysis and control selection.

Cloud Security Checklist

Analyze cloud audit logs for principal, action, resource, region, source IP, user agent, and result.
Identify public exposure of storage, databases, management interfaces, and workloads.
Recognize overly permissive IAM policies, roles, groups, service accounts, and access keys.
Explain shared responsibility at a practical level: provider secures the platform; customer configures and monitors their workloads and data.
Recommend encryption, key rotation, secret storage, logging, monitoring, segmentation, and least privilege.
Investigate suspicious API calls, role assumptions, security group changes, and access key creation.
Understand container image scanning, runtime monitoring, secrets handling, and orchestration audit logs.
Recognize when infrastructure-as-code drift or misconfiguration creates risk.
Include cloud resources in incident scoping and vulnerability management.

Cloud Scenario Cues

Cue	Possible issue	Review action
Storage made public	Data exposure	Confirm data accessed, restrict access, review audit logs
New access key created by unusual principal	Credential compromise	Disable key, rotate secrets, review subsequent API activity
Security group opened to the internet	Misconfiguration or malicious change	Validate change, restrict rule, check exposure window
Container image has critical library issue	Vulnerable workload	Prioritize by exposure, runtime use, and exploitability
Logging disabled or altered	Defense evasion	Preserve available logs, investigate actor, restore monitoring

Security Automation and Data Handling

CySA+ candidates should be comfortable with basic automation concepts used in security operations.

Automation Checklist

Understand why SOAR playbooks are used for enrichment, ticket creation, containment, and notification.
Identify when automation should require human approval.
Read simple pseudocode, scripts, JSON, CSV, and command output.
Explain parsing, normalization, enrichment, deduplication, and correlation.
Identify risks of automation: blocking legitimate activity, exposing secrets, acting on bad data, or creating alert loops.
Recognize API-based integrations among SIEM, EDR, ticketing, email security, threat intelligence, and cloud platforms.
Protect automation credentials with least privilege and secure secret storage.
Validate output before using it for containment or reporting.

Data Quality Checks

Data issue	Why it hurts analysis	Candidate action
Missing timestamps	Breaks timelines	Find alternate logs or metadata
Unsynchronized clocks	Creates false sequence	Normalize time and document assumptions
Inconsistent hostnames	Breaks correlation	Map hostname, IP, asset ID, and user
NAT or proxy masking	Hides original source	Use proxy, VPN, or firewall correlation
Duplicate alerts	Inflates severity	Deduplicate and group by incident
Stale threat intel	Causes poor blocking	Check age, confidence, and relevance
Incomplete asset inventory	Weak prioritization	Enrich with ownership and criticality

Reporting, Metrics, and Communication

Technical analysis is not enough. CS0-004 readiness includes communicating risk and actions clearly.

Audience-Based Reporting

Audience	They need	Avoid
SOC analyst	Indicators, timeline, affected assets, detection logic	Vague business-only language
System owner	What to fix, priority, deadline, validation method	Raw logs without action
Manager	Business impact, risk, resources, status, blockers	Excessive tool detail
Executive	Material impact, decision needed, residual risk	Unexplained jargon
Legal/compliance/privacy	Facts, scope, evidence preservation, timelines	Speculation or unsupported attribution
End users	Clear guidance and required behavior	Blame or technical overload

Metrics to Understand

Metric	What it tells you	Watch for
MTTD	How long detection takes	Low value may hide missed detections
MTTA	How long acknowledgment takes	Measures queue and staffing issues
MTTR	How long response or recovery takes	Define what “resolved” means
Dwell time	How long adversary activity persisted	Requires good timeline data
Vulnerability aging	How long findings remain open	Needs severity and asset context
Patch compliance	Remediation progress	Can hide high-risk exceptions
False positive rate	Detection quality	Too low may indicate under-reporting
Incident volume	Workload trend	Needs normalization by environment size

For timestamp-based metrics, be comfortable with simple elapsed-time calculations. For example, MTTR is commonly reasoned as the average time between incident start or assignment and resolution, depending on how the organization defines it. In an exam scenario, use the definition provided in the prompt.

Report Writing Checklist

State the finding in one clear sentence.
Include affected assets, users, data, systems, and time range.
Separate confirmed facts from assumptions.
Describe business impact, not only technical severity.
Provide prioritized recommendations.
Include evidence references without dumping unnecessary raw logs.
Identify residual risk and validation steps.
Use severity language consistently.
Tailor detail level to the audience.
Capture lessons learned and control improvements.

Scenario and Decision-Point Review

Use this section for final readiness. For each row, ask: What is the best next action, and what evidence supports it?

Scenario prompt	Best decision focus	Weak answer pattern
A vulnerability scanner reports a critical issue on an isolated test host and a high issue on an internet-facing production server	Prioritize by risk context, not label alone	Always patching the highest scanner score first
A user reports clicking a phishing link but no malware alert fired	Investigate credentials, sessions, email scope, and web/proxy logs	Closing because EDR did not alert
Multiple failed logins followed by success from a foreign IP	Treat as potential account compromise and review post-login activity	Only resetting password without session/token review
EDR detects suspicious PowerShell spawned by a document reader	Examine process tree, command line, file origin, and network activity	Deleting the file before preserving evidence
A firewall blocks outbound traffic to a known malicious IP	Determine whether host is compromised despite blocked connection	Assuming block means no incident
A web server shows repeated 404 and 500 errors with encoded URLs	Review for scanning or exploit attempts	Ignoring because no successful 200 response appears
Cloud audit logs show logging disabled by a new admin account	Investigate privilege abuse and preserve remaining evidence	Re-enabling logs only and closing ticket
A business owner requests a vulnerability exception	Document risk, compensating controls, expiration, and approval	Granting permanent exception without review
IDS reports SQL injection attempts against a WAF-protected app	Confirm WAF action, application logs, and any successful payloads	Assuming WAF presence means no impact
A host is suspected of active exfiltration	Contain network path and preserve evidence quickly	Waiting for full root-cause analysis before containment

Common Weak Areas and Traps

Confusing vulnerability severity with business risk.
Treating an IOC match as complete proof without context.
Ignoring asset criticality, data sensitivity, and exposure.
Forgetting that containment, eradication, and recovery are different actions.
Resetting passwords but not revoking active sessions or tokens.
Blocking one IP when the threat uses multiple hosts, domains, or credentials.
Deleting malware before collecting needed evidence.
Assuming encrypted traffic cannot be analyzed at all; metadata still matters.
Missing time zone differences in timelines.
Reading firewall logs backward and confusing source/destination direction.
Overlooking service accounts and machine identities.
Treating uncredentialed scan results as complete.
Assuming a lack of alerts means a lack of compromise.
Overfitting to tool names instead of understanding what the tool does.
Reporting raw technical findings without business impact or recommended action.
Forgetting to validate remediation after a change.
Confusing hashing, encryption, encoding, and signing.
Ignoring change management, ownership, and operational impact.
Escalating without clear evidence, scope, or requested decision.
Choosing the most aggressive technical action when a safer investigative step is required.

Final-Week CS0-004 Review Checklist

Seven to Five Days Out

Review the current CompTIA CS0-004 exam objectives alongside this checklist.
Mark every topic area with a 0–4 readiness score.
Build a short list of weak areas, not a long list of everything.
Rework missed questions by explaining why each wrong answer is wrong.
Practice log interpretation daily: authentication, web, firewall, DNS, endpoint, and cloud.
Review vulnerability prioritization scenarios.
Review incident response phase decisions and containment tradeoffs.

Four to Two Days Out

Practice mixed scenarios instead of single-topic drills.
Time yourself on scenario sets to reduce over-analysis.
Review command outputs and what each command proves.
Practice writing a one-paragraph incident summary.
Practice explaining risk to both technical and nontechnical audiences.
Revisit identity, cloud audit, and privilege escalation scenarios.
Review metrics and basic elapsed-time calculations.
Create a one-page memory sheet of concepts you still confuse, then reduce it.

Final 24 Hours

Stop trying to learn entirely new tool ecosystems.
Review your weak-area sheet and common traps.
Reconfirm incident response order and evidence-preservation logic.
Review vulnerability prioritization factors.
Review log field meanings and correlation cues.
Sleep, hydrate, and avoid cramming deep syntax.
During the exam, read for business context before choosing a technical action.

Practical Next Step

Pick the three readiness areas where you scored lowest. For each one, complete a small practice cycle: review the concept, analyze two or three realistic artifacts, answer scenario questions, and write a short explanation of the best action. Repeat until you can justify your decisions without relying on memorized wording.

Study Plan

Scenario Guide