CS0-004 — CompTIA CySA+ V4 Quick Reference

Last revised: June 18, 2026

Compact, exam-focused reference for CompTIA CySA+ V4 (CS0-004) incident analysis, threat detection, vulnerability management, and security operations.

Exam Identity and Study Focus

This independent Quick Reference supports candidates preparing for the CompTIA CySA+ V4 (CS0-004) exam from CompTIA. Use it as a compact review sheet for analyst decisions, SOC workflows, evidence sources, vulnerability handling, detection logic, and incident response.

High-Yield Analyst Mindset

Exam situation	Best analyst instinct
Alert with incomplete evidence	Validate first; do not assume compromise from one indicator.
Active compromise suspected	Scope impact, preserve evidence, then contain based on business risk.
Vulnerability backlog	Prioritize by exploitability, exposure, asset criticality, and compensating controls.
Noisy SIEM rule	Tune with context, thresholds, allowlists, and better fields; do not disable blindly.
User reports phishing	Preserve headers, URLs, attachment hashes, sender details, and affected recipients.
Possible data breach	Escalate through incident process; involve legal/privacy/compliance as required by policy.
Malware on endpoint	Isolate or contain, collect volatile/evidence data if required, then eradicate.
Cloud alert	Check identity activity, resource changes, network exposure, keys/secrets, and audit logs.
Executive report	Summarize impact, risk, business actions, and timeline; avoid tool-only details.
Technical report	Include evidence, queries, hashes, IOCs, affected assets, timeline, and remediation.

SOC Triage Workflow

    flowchart TD
	    A[Alert or report] --> B[Validate signal]
	    B --> C{True positive?}
	    C -- No --> D[Close as false positive or benign true positive]
	    C -- Yes --> E[Classify severity]
	    E --> F[Scope users, hosts, data, and time window]
	    F --> G{Active threat?}
	    G -- Yes --> H[Contain according to playbook]
	    G -- No --> I[Preserve evidence and continue analysis]
	    H --> J[Eradicate root cause]
	    I --> J
	    J --> K[Recover and monitor]
	    K --> L[Lessons learned, tuning, report]

Triage Questions

Question	Why it matters	Evidence sources
What triggered the alert?	Identifies detection logic and possible blind spots.	SIEM rule, EDR alert, IDS signature, user report
Is the activity expected?	Separates malicious behavior from admin or business activity.	Change tickets, asset owner, maintenance windows
Who is involved?	Determines account risk and possible identity compromise.	IAM logs, VPN logs, SSO logs, directory logs
Which assets are involved?	Drives severity and containment priority.	CMDB, EDR inventory, vulnerability scanner
What is the earliest known activity?	Establishes timeline and dwell time.	SIEM searches, endpoint telemetry, logs
Is the threat still active?	Determines urgency of containment.	EDR process tree, network sessions, active logins
What data or systems are at risk?	Supports impact assessment and escalation.	DLP, database logs, file access, cloud storage logs
What changed recently?	Helps identify root cause.	Patch logs, deployment logs, IAM changes, firewall changes

Severity and Priority Decision Points

Factor	Raises severity	Lowers severity
Asset criticality	Domain controller, production database, identity provider, payment system	Test host, isolated lab, non-sensitive asset
Exposure	Internet-facing, remote access, public cloud resource	Internal-only with strong segmentation
Exploitability	Known exploited vulnerability, working exploit, active exploitation	Theoretical issue, strong compensating control
Privilege	Admin/root/service account involved	Low-privilege account with limited access
Scope	Multiple users, hosts, sites, tenants, or business units	Single contained endpoint
Data impact	Regulated, confidential, financial, customer, or credentials	Public data only
Persistence	New service, scheduled task, startup item, cloud access key	One failed attempt, blocked by control
Business impact	Outage, fraud, ransomware, data loss	Blocked scan or benign policy violation

Common Severity Trap

Trap	Better exam answer
Treating every malware alert as critical	Determine asset value, spread, privilege, and active behavior.
Prioritizing only by CVSS	Combine CVSS with exploitability, exposure, asset criticality, and threat intelligence.
Closing alert because user is an admin	Validate whether admin behavior matches expected source, time, and change record.
Ignoring failed logins	Look for patterns: password spraying, impossible travel, disabled accounts, distributed sources.
Assuming blocked equals harmless	Blocked attempts can indicate targeting and may require threat hunting or tuning.

Incident Response Phases

Phase	Analyst tasks	Outputs
Preparation	Playbooks, logging, baselines, contacts, access, lab tools	Runbooks, escalation matrix, collection procedures
Detection and analysis	Validate, classify, correlate, scope, preserve evidence	Timeline, indicators, impacted assets
Containment	Short-term and long-term containment based on risk	Isolated hosts, blocked IOCs, disabled accounts
Eradication	Remove malware, close vulnerability, rotate secrets, remove persistence	Clean systems, patched weakness, reset credentials
Recovery	Restore services, monitor for recurrence, validate integrity	Recovered systems, heightened monitoring
Post-incident activity	Lessons learned, metrics, control improvements, reporting	Final report, rule tuning, backlog actions

Containment Choices

Scenario	Likely containment	Watch for
Single infected workstation	Network isolate via EDR or VLAN quarantine	Do not destroy evidence before collection if forensics is required.
Compromised account	Disable account, revoke sessions/tokens, reset credentials	Check for MFA changes, forwarding rules, OAuth grants.
Web shell on server	Remove from load balancer or restrict access	Preserve web logs, file timestamps, process data.
Active ransomware spread	Isolate segments, disable lateral movement paths, block C2	Coordinate with business continuity and backups.
Leaked API key	Revoke/rotate key, review usage, search repositories	Rotation alone is not enough; determine abuse.
Malicious domain/IP	Block at DNS, proxy, firewall, EDR	Validate collateral impact and use time-bound blocks if needed.
Public cloud storage exposure	Remove public access, review object access logs	Identify downloaded data and misconfiguration source.

Evidence Preservation and Chain of Custody

Concept	Exam relevance
Integrity	Hash evidence and avoid modifying originals.
Chain of custody	Document who collected, handled, transferred, and stored evidence.
Volatile data	Memory, network connections, logged-in users, running processes; collect early if required.
Order of volatility	Prioritize data most likely to disappear first.
Time synchronization	Use consistent timestamps and time zones; NTP issues can distort timelines.
Forensic image	Bit-level copy for deeper analysis or legal preservation.
Write blocker	Prevents modification of source media during acquisition.
Evidence log	Records date/time, collector, system, method, hash, storage location, purpose.

Log and Telemetry Source Matrix

Source	Best for detecting	Key fields to inspect
SIEM	Cross-source correlation, timelines, rule alerts	Time, host, user, event type, source, destination
EDR/XDR	Malware, process chains, lateral movement, persistence	Process, parent process, command line, hash, user
Windows Security logs	Logons, privilege use, account changes	Event ID, logon type, SID, username, workstation
Sysmon	Process creation, network connections, file changes	Event ID, image, command line, hash, parent image
Linux auth logs	SSH access, sudo usage, authentication failures	User, source IP, TTY, command
Web server logs	Web attacks, scanning, exploitation attempts	URI, method, status, user agent, source IP
DNS logs	C2, tunneling, malware callbacks, DGA	Query, response, record type, entropy, NXDOMAIN rate
Proxy/SWG logs	Web access, downloads, blocked URLs	URL, category, action, user, bytes
Firewall logs	Network flows, denied traffic, policy hits	Source/destination, port, protocol, action
IDS/IPS	Exploit signatures, suspicious traffic	Signature, severity, packet metadata
NetFlow	Beaconing, exfiltration volume, lateral movement	5-tuple, bytes, packets, duration
VPN logs	Remote access, impossible travel, suspicious geolocation	User, IP, device, MFA result, duration
IAM/SSO logs	Account takeover, risky sign-ins, MFA events	User, app, result, IP, device, token events
Email gateway	Phishing, malware attachments, spoofing	Sender, SPF/DKIM/DMARC, URLs, attachment hash
DLP	Data movement and policy violations	User, file, data type, destination, action
Cloud audit logs	API actions, resource changes, identity misuse	Principal, action, resource, source IP, result
Container logs	Runtime behavior, image pulls, orchestration events	Image, namespace, pod/container, command
WAF logs	Web app attacks and blocked requests	Rule, URI, payload, source, action

Windows Event IDs Commonly Seen in Analysis

Event ID	Meaning	Analyst use
4624	Successful logon	Identify access time, account, logon type, source.
4625	Failed logon	Detect brute force, spraying, invalid account attempts.
4634	Logoff	Session timeline support.
4648	Explicit credentials used	Lateral movement or run-as behavior.
4672	Special privileges assigned	Admin-level logon clue.
4688	Process creation	Command execution and process lineage.
4697	Service installed	Persistence or admin software deployment.
4720	User account created	Unauthorized account creation.
4726	User account deleted	Anti-forensics or admin change.
4728 / 4732	User added to privileged group	Privilege escalation.
4740	Account locked out	Brute force or user issue.
4768 / 4769	Kerberos ticket activity	Kerberos authentication and service ticket analysis.
4776	NTLM authentication	Legacy auth and lateral movement clues.
1102	Audit log cleared	Strong anti-forensics indicator.

Sysmon Event IDs Commonly Seen in Analysis

Event ID	Meaning	Analyst use
1	Process creation	Command line, parent process, executable path.
3	Network connection	Process-to-network mapping.
7	Image loaded	DLL loading and suspicious libraries.
8	Create remote thread	Injection and lateral movement clue.
10	Process access	Credential dumping or process tampering.
11	File created	Dropped payloads or staged tools.
12-14	Registry object/value changes	Persistence and configuration changes.
15	File stream created	Alternate data streams.
22	DNS query	Process-level DNS investigation.

Linux and macOS Artifact Reference

Artifact	Platform	What it can show
`/var/log/auth.log` or `/var/log/secure`	Linux	SSH, sudo, authentication events
`~/.bash_history`	Linux	User command history, if not cleared
`/etc/passwd`, `/etc/shadow`, `/etc/sudoers`	Linux	Account and privilege changes
`crontab`, `/etc/cron*`	Linux	Scheduled persistence
`systemctl` service files	Linux	Service-based persistence
`journalctl`	Linux	Systemd logs and service events
`last`, `lastlog`, `who`	Linux	Login history and active users
LaunchAgents / LaunchDaemons	macOS	Persistence
Unified logs	macOS	System and application events
Keychain access events	macOS	Credential access clues

Network Analysis Quick Reference

Common Ports and Protocols

Port	Protocol	Analyst significance
20/21	FTP	Cleartext file transfer, credential exposure
22	SSH/SFTP	Remote administration, tunneling, brute force
23	Telnet	Insecure remote access
25	SMTP	Mail transfer, spam, phishing infrastructure
53	DNS	Resolution, tunneling, C2, exfiltration
67/68	DHCP	Address assignment, rogue DHCP clues
80	HTTP	Web traffic, exploit delivery
88	Kerberos	AD authentication
110/143	POP3/IMAP	Email retrieval
123	NTP	Time synchronization, amplification abuse
135/139/445	RPC/NetBIOS/SMB	Windows lateral movement, file sharing
389/636	LDAP/LDAPS	Directory queries and authentication
443	HTTPS	Encrypted web, C2, API traffic
514	Syslog	Centralized logging
587	SMTP submission	User mail submission
993/995	IMAPS/POP3S	Secure email retrieval
1433	MS SQL Server	Database access
1521	Oracle DB	Database access
3306	MySQL/MariaDB	Database access
3389	RDP	Remote desktop, brute force, lateral movement
5432	PostgreSQL	Database access
5900	VNC	Remote control
5985/5986	WinRM	Windows remote management
6379	Redis	Exposed cache/data store risk
8080/8443	Alternate HTTP/HTTPS	Proxies, admin panels, web apps

TCP Flags

Flag	Meaning	Analyst clue
SYN	Start connection	SYN flood or scanning if high volume.
SYN-ACK	Server response	Confirms open service.
ACK	Acknowledgment	Seen in established sessions.
FIN	Graceful close	FIN scans may evade simple detection.
RST	Reset	Closed port, refused connection, or interrupted session.
PSH	Push data	Data transfer clue.
URG	Urgent	Rare; suspicious in scans or evasive traffic.

Suspicious Network Patterns

Pattern	Possible meaning
Many ports on one host	Port scan
One port across many hosts	Service sweep
Regular outbound connections	Beaconing
High DNS query entropy	DGA or tunneling
Many NXDOMAIN responses	DGA, typo-squatting checks, misconfig
Large outbound upload to unusual location	Exfiltration
SMB/RDP from workstation to many peers	Lateral movement
New outbound traffic from server segment	Compromise or misconfiguration
TLS to rare domain with self-signed cert	Malware C2 or test system
HTTP POST bursts after archive creation	Possible staged exfiltration

Threat Intelligence Reference

Term	Meaning	Exam use
IOC	Observable indicator such as IP, domain, URL, hash	Fast blocking and matching; often short-lived.
IOA	Indicator of attack behavior	More durable than atomic IOCs.
TTP	Tactics, techniques, and procedures	Maps adversary behavior to detection and controls.
Campaign	Coordinated activity over time	Helps cluster related incidents.
Actor	Individual or group behind activity	Attribution is usually low confidence unless supported.
Enrichment	Adding context to raw indicator	Reputation, WHOIS, geolocation, passive DNS, sandbox.
Confidence	Degree of trust in intelligence	Prevents overreaction to weak indicators.
Relevance	Fit to your environment	High-confidence intel may still be irrelevant.
Timeliness	Freshness of intel	Old IP/domain IOCs may be stale.
STIX	Structured format for threat intelligence	Sharing and machine-readable context.
TAXII	Transport mechanism for threat intel sharing	Automated exchange of STIX data.

Intelligence Source Types

Source	Strength	Limitation
Internal telemetry	Highly relevant to environment	May lack external context.
ISAC/ISAO sharing	Sector-specific	Varies by sector and participation.
Vendor feeds	Operationally useful	Can be noisy or overlapping.
Open-source intelligence	Accessible and broad	Requires validation.
Government advisories	Authoritative for campaigns and critical issues	May be high level or delayed.
Dark web monitoring	Can reveal credential/data exposure	Requires careful validation and legal handling.
Honeypots	Useful attacker behavior data	May not represent production targeting.

Frameworks and Models

Framework/model	Use it for	Key exam distinction
MITRE ATT&CK	Mapping tactics and techniques	Behavior-oriented; useful for detection gaps.
Cyber Kill Chain	Attack lifecycle from recon to actions	Linear model; good for explaining progression.
Diamond Model	Adversary, capability, infrastructure, victim	Good for pivoting relationships.
Pyramid of Pain	Value of disrupting different indicators	Hashes are easy to change; TTPs are harder.
CVE	Unique vulnerability identifier	Names the weakness, not the risk by itself.
CVSS	Severity scoring framework	Useful input, not the only prioritization factor.
EPSS	Exploit likelihood estimate	Helps prioritize based on probability of exploitation.
KEV catalog concept	Known exploited vulnerabilities	Prioritize when relevant to your assets.
NIST CSF concept	Identify, Protect, Detect, Respond, Recover	High-level program framework.
CIS Controls concept	Prioritized safeguards	Control selection and maturity improvement.

Indicator Durability

Indicator type	Example	Durability	Best use
Hash	SHA-256 of malware	Low	Exact file detection
IP address	C2 IP	Low	Short-term blocking and scoping
Domain	Malicious domain	Low/medium	DNS/proxy detection
URL path	Exploit or payload URL	Medium	Web/proxy detection
File path	Suspicious executable path	Medium	Host hunting
Registry key	Run key persistence	Medium	Endpoint detection
Mutex	Malware family artifact	Medium	Malware clustering
Command line	LOLBin misuse pattern	High	Behavioral detection
Technique	Credential dumping via LSASS access	High	Durable detection engineering

Attack Pattern Reference

Attack	Common clues	Primary evidence	Defensive response
Phishing	Spoofed sender, urgent language, malicious URL/attachment	Email headers, gateway logs, URL sandbox, attachment hash	Quarantine, block indicators, user notification, credential reset if clicked
Business email compromise	Mailbox rules, unusual payment request, changed banking details	Mailbox audit, login history, forwarding rules	Disable forwarding, reset credentials, review financial process
Password spraying	Many usernames, few attempts each, common passwords	IAM, VPN, AD logs	Block source, enforce MFA, lockout tuning, user awareness
Credential stuffing	Known leaked credentials, many services attempted	WAF, IAM, proxy logs	MFA, bot controls, credential reset
Brute force	Repeated attempts against one/few accounts	Auth logs	Rate limiting, lockout, IP blocks
Pass-the-hash	NTLM use, lateral movement without plaintext password	Windows logs, EDR, network logs	Disable compromised accounts, segment, reduce admin reuse
Kerberoasting	Service ticket requests for SPNs, offline cracking	Kerberos logs, AD audit	Rotate service account passwords, use managed service accounts
Web shell	Unexpected script file, odd process spawned by web server	Web logs, file integrity, EDR	Isolate server, remove shell, patch app
SQL injection	Suspicious query strings, database errors	WAF, web logs, DB logs	Parameterized queries, WAF tuning, patch code
XSS	Script payload in input/output	Web logs, app logs, reports	Output encoding, input validation, CSP
SSRF	Server requests internal metadata or internal URLs	App logs, cloud logs, proxy logs	Egress controls, metadata protections, input validation
Ransomware	File renames, ransom note, mass encryption, shadow copy deletion	EDR, file server logs, process tree	Isolate, preserve evidence, restore from clean backups
Cryptojacking	High CPU, mining pool connections	EDR, DNS/proxy, cloud billing anomaly	Kill workload, remove miner, fix exposed service
Data exfiltration	Large outbound transfer, compression, unusual destination	DLP, proxy, NetFlow, cloud logs	Contain, determine data set, notify stakeholders
Insider misuse	Access outside role, unusual downloads, policy violation	DLP, IAM, file access logs	Investigate with HR/legal per policy
Supply chain compromise	Trusted update or dependency behaves maliciously	EDR, package logs, CI/CD logs	Pin/verify packages, rotate secrets, rebuild from trusted source

Malware and Endpoint Clues

Behavior	Possible technique
Office app spawns PowerShell	Malicious macro or phishing payload
PowerShell with encoded command	Obfuscation or fileless execution
`rundll32`, `regsvr32`, `mshta`, `wmic` unusual usage	Living-off-the-land execution
New scheduled task	Persistence
New service with random name	Persistence or remote execution
LSASS memory access	Credential dumping
Security tool disabled	Defense evasion
Log cleared after admin logon	Anti-forensics
Archive created before outbound upload	Exfiltration staging
Process injects into browser/system process	Defense evasion or credential theft
Unexpected outbound TLS from server	C2 or unauthorized integration

Living-off-the-Land Binaries to Recognize

Tool	Normal use	Suspicious use
PowerShell	Administration and automation	Encoded commands, download cradle, hidden window
WMI/WMIC	Remote management	Remote process execution across many hosts
PsExec	Admin remote execution	Lateral movement with reused admin credentials
Certutil	Certificate utility	Downloading/encoding payloads
Regsvr32	Register DLLs	Scriptlet execution from remote URL
Rundll32	Execute DLL functions	Unknown DLL from temp/user path
Mshta	Run HTML applications	Remote script execution
Bitsadmin/BITS	Background transfer	Stealthy payload download
Schtasks	Scheduled tasks	Persistence at logon/startup
Net.exe	Windows network/admin tool	User/group changes, share discovery

Vulnerability Management Workflow

    flowchart TD
	    A[Asset inventory] --> B[Scan or assess]
	    B --> C[Validate findings]
	    C --> D[Prioritize risk]
	    D --> E[Assign remediation owner]
	    E --> F[Patch, configure, isolate, or accept]
	    F --> G[Rescan and verify]
	    G --> H[Report metrics and exceptions]
	    H --> A

Vulnerability Terms

Term	Meaning	Exam distinction
Vulnerability	Weakness that could be exploited	Not the same as an exploit or threat.
Threat	Potential cause of harm	Actor, event, or condition.
Risk	Likelihood and impact of a threat exploiting a vulnerability	Drives prioritization.
Exposure	Reachability or accessibility of weakness	Internet-facing exposure raises urgency.
Exploit	Code or method to take advantage of a vulnerability	Public exploit changes priority.
Patch	Vendor update correcting weakness	Preferred when feasible and tested.
Mitigation	Reduces risk without fully removing weakness	Useful when patching is delayed.
Compensating control	Alternate control that reduces risk	Must be documented and monitored.
Exception	Approved deviation from policy	Requires owner, justification, expiration.
False positive	Finding is not actually present	Validate before closing.
False negative	Scanner missed a real issue	Dangerous; improve coverage and credentials.
Credentialed scan	Authenticated assessment	More accurate, deeper configuration visibility.
Uncredentialed scan	External view without credentials	Shows attacker-visible exposure but less detail.
Agent-based scan	Local agent reports posture	Useful for roaming endpoints.
Passive scan	Observes traffic/assets without probing	Lower disruption, less complete.

Prioritization Inputs

Input	Why it matters
Asset criticality	Critical assets have higher business impact.
Data classification	Sensitive data increases impact.
Internet exposure	Easier attacker access.
Exploit availability	Raises likelihood.
Active exploitation	Strong urgency signal.
Authentication required	May lower likelihood but not eliminate risk.
Privileges required	Affects attack feasibility.
Attack complexity	Lower complexity usually higher priority.
Compensating controls	Segmentation, WAF, EDR, hardening may reduce risk.
Business constraints	Maintenance windows and uptime affect remediation plan.
Age of finding	Long-open issues indicate process weakness.
Vulnerability chaining	Medium issues can combine into high risk.

Risk Formula Concepts

\[ \text{Risk} = \text{Likelihood} \times \text{Impact} \]\[ \text{Residual Risk} = \text{Inherent Risk} - \text{Control Effectiveness} \]

Use formulas conceptually. For the exam, the key is usually which factor changes risk and which remediation is most appropriate, not advanced calculation.

Remediation Decision Matrix

Finding type	Preferred action	If immediate fix is not possible
Missing security patch	Test and deploy patch	Isolate, restrict access, apply virtual patch/WAF rule
Default credentials	Change/remove defaults	Disable service until remediated
Weak cipher/protocol	Disable weak option, enforce secure configuration	Restrict access and document exception
Public storage bucket	Remove public access, apply least privilege	Monitor access and notify data owner
Exposed admin interface	Restrict by VPN/jump host/allowlist	Disable interface or add strong MFA
Unsupported software	Upgrade or replace	Segment, monitor, document migration plan
SQL injection	Fix code with parameterized queries	WAF rule as temporary mitigation
Misconfigured IAM	Remove excessive privileges	Apply permission boundary/approval workflow
Container image CVE	Rebuild from patched base image	Block deployment or isolate workload
Insecure secrets storage	Move to secrets manager/vault	Rotate exposed secrets and remove from repo

Configuration and Compliance Assessment

Control area	What to check
Baseline hardening	Secure build standards, disabled unnecessary services
Patch state	OS, applications, firmware, dependencies
Identity	MFA, privileged accounts, stale accounts, group membership
Logging	Required audit logs enabled and forwarded
Encryption	Data at rest and in transit based on classification
Network	Segmentation, exposed ports, firewall rules
Endpoint	EDR status, disk encryption, local admin rights
Cloud	Public exposure, IAM policies, audit logs, key rotation
Containers	Image provenance, vulnerabilities, runtime privileges
Secrets	No hardcoded secrets, rotation, vault usage
Backups	Backup success, isolation, restore testing
Exceptions	Approved, time-bound, risk accepted by owner

Detection Engineering Reference

Detection Rule Quality

Rule attribute	Good sign	Bad sign
Data source	Reliable logs with needed fields	Missing or inconsistent telemetry
Logic	Maps to adversary behavior	Overly broad keyword matching
Context	Uses asset/user criticality	Same severity for all assets
Threshold	Based on baseline and behavior	Arbitrary count without tuning
Suppression	Reduces known benign noise	Hides true positives
Testability	Can be validated with sample events	No test data or expected output
Response	Links to playbook	No owner or next action
Maintenance	Reviewed after incidents and environment changes	Stale rule no one owns

Detection Logic Patterns

Pattern	Example use
Threshold	More than normal failed logins in a time window
Sequence	Phishing click followed by new mailbox rule
Rare event	First-time admin login from a country
Frequency	Beacon every fixed interval
Correlation	EDR malware hash plus proxy download
Statistical anomaly	User downloads far more data than baseline
Watchlist match	Known malicious domain queried
Behavior chain	Recon, credential access, lateral movement

False Positive Reduction

Technique	Use when
Add asset context	Admin servers or scanners trigger known events.
Add user context	Service accounts behave differently than humans.
Tune thresholds	Rule fires for normal bursty behavior.
Add maintenance-window suppression	Alerts occur during approved changes.
Allowlist carefully	Known-good signed tool or scanner is noisy.
Use parent/child process logic	Single process name is too broad.
Require multiple signals	Single weak IOC creates noise.
Review field normalization	Rule misses or misfires due to inconsistent fields.

SIEM and Query Concepts

Concept	Meaning
Normalization	Mapping vendor-specific fields to common names.
Parsing	Extracting fields from raw log text.
Correlation	Connecting events across sources.
Aggregation	Counting/grouping events over time.
Baseline	Expected activity for comparison.
Enrichment	Adding context such as asset owner or threat reputation.
Suppression	Temporarily hiding known benign matches.
Deduplication	Removing repeated identical events.
Time window	Period used for correlation or thresholding.
Ingestion gap	Missing logs that create detection blind spots.

Vendor-Neutral Query Examples

Failed logins by user and source:

event.category = authentication
AND event.outcome = failure
GROUP BY user.name, source.ip
COUNT >= threshold
WITHIN time_window

Suspicious PowerShell:

process.name = "powershell.exe"
AND (
  process.command_line CONTAINS "-enc"
  OR process.command_line CONTAINS "IEX"
  OR process.command_line CONTAINS "DownloadString"
)

Possible beaconing:

network.direction = outbound
GROUP BY source.host, destination.domain
CALCULATE regular_interval_score, connection_count
FILTER connection_count >= threshold

Mailbox forwarding rule creation:

event.action IN ("New-InboxRule", "Set-InboxRule", "Create forwarding rule")
AND user.type = "human"

Sigma and YARA Recognition

Sigma-Style Detection Skeleton

title: Suspicious Encoded PowerShell
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-encodedcommand'
  condition: selection
level: high

YARA-Style Malware Matching Skeleton

rule Suspicious_Macro_Dropper_Example
{
    strings:
        $a = "AutoOpen" nocase
        $b = "CreateObject" nocase
        $c = "powershell" nocase
    condition:
        2 of ($a,$b,$c)
}

Tool/language	Best for	Not best for
Sigma	SIEM-portable log detections	Deep file content matching
YARA	File and malware pattern matching	Network flow correlation
Snort/Suricata rule	Network packet/payload detection	Host-only behavior
Regex	Field extraction and pattern matching	Complex risk context by itself

Email and Phishing Analysis

Artifact	What to inspect
From header	Display-name spoofing and sender mismatch
Return-Path	Bounce address and infrastructure
Received headers	Mail path and originating server clues
Reply-To	Business email compromise clue
SPF	Whether sending IP is authorized for domain
DKIM	Whether message signature validates
DMARC	Domain policy alignment for SPF/DKIM
URLs	Redirectors, punycode, lookalike domains, tracking
Attachments	File type mismatch, macros, archive nesting, hashes
Message-ID	Odd format or infrastructure clue
Language/intent	Urgency, payment change, credential request

SPF, DKIM, DMARC Distinction

Control	Validates	Analyst use
SPF	Sending server is authorized for domain	Helps detect spoofed sending infrastructure.
DKIM	Message has valid cryptographic signature	Detects modification and validates signing domain.
DMARC	Alignment and policy using SPF/DKIM	Indicates how receivers should handle failures.

Web Application Attack Clues

Attack	Example clue	Better control
SQL injection	`' OR 1=1--`, `UNION SELECT`	Parameterized queries, input validation
Reflected XSS	`<script>alert(1)</script>` in request	Output encoding, CSP
Stored XSS	Malicious script persists in comments/profile	Output encoding, sanitization
Command injection	`; cat /etc/passwd`, `&& whoami`	Avoid shell calls, input allowlisting
Directory traversal	`../../etc/passwd`	Normalize paths, restrict file access
SSRF	Request to metadata/internal IP	Egress filtering, metadata protections
Insecure deserialization	Serialized payload causing code execution	Safe serialization, signing, validation
File inclusion	Remote/local file path in parameter	Restrict includes, validate paths
IDOR	Changing object ID accesses another user data	Object-level authorization checks
CSRF	State change from forged request	CSRF tokens, SameSite cookies

IAM and Access Control

Concept	Meaning	Exam decision point
Least privilege	Minimum permissions required	Preferred over broad admin rights.
Need to know	Access only to required information	Important for sensitive data.
RBAC	Permissions based on role	Good for stable job functions.
ABAC	Permissions based on attributes	Good for dynamic context such as location/device/data label.
DAC	Owner controls access	Flexible but less centrally controlled.
MAC	System-enforced labels	High-control environments.
PAM	Controls privileged access	Use for admin credentials, session recording, JIT access.
JIT access	Temporary elevated permissions	Reduces standing privilege.
JEA	Admin can perform only specific tasks	Limits blast radius.
MFA	Additional authentication factor	Strong control against password compromise.
SSO	One login across apps	Improves management; increases IdP criticality.
Federation	Trust between identity providers and services	Common for cloud/SaaS access.
Conditional access	Policy based on risk/context	Device, location, MFA, user risk.
Service account	Non-human account for services	Monitor, least privilege, rotate secrets.

Authentication and Authorization Protocols

Protocol	Primary use	High-yield distinction
SAML	Federated enterprise SSO	XML-based assertions, common with SaaS.
OAuth 2.0	Delegated authorization	Grants app access; not primarily authentication.
OpenID Connect	Authentication layer on OAuth 2.0	Provides identity tokens.
Kerberos	Domain authentication	Ticket-based; common in Active Directory.
LDAP/LDAPS	Directory queries/authentication	LDAPS encrypts LDAP traffic.
RADIUS	Network access authentication	Common for VPN/Wi-Fi AAA.
TACACS+	Device administration AAA	Separates authentication, authorization, accounting.

Cloud Security Operations

Shared Responsibility

Layer	Customer usually responsible for	Provider usually responsible for
IaaS	OS, applications, IAM, data, network rules, logging configuration	Physical data center, hardware, virtualization platform
PaaS	Application code, data, IAM, configuration	Managed runtime, platform maintenance
SaaS	Users, data, access policies, tenant configuration	Application infrastructure and service operation

Cloud Security Tool Selection

Need	Choose
Detect risky cloud configuration	CSPM
Protect cloud workloads/VMs/containers	CWPP
Manage excessive cloud identity permissions	CIEM
Secure SaaS usage and policy enforcement	CASB/SSE
Centralize cloud audit events	Cloud-native audit logs into SIEM
Protect secrets	Secrets manager/vault
Prevent public storage exposure	Storage policy, public access controls, IAM review
Detect anomalous API usage	Cloud audit log analytics and UEBA
Govern infrastructure changes	IaC scanning, policy as code, change control
Protect container images	Image scanning and trusted registry

Cloud Alert Investigation Checklist

Identify the principal: user, role, service account, workload identity.
Review action: API call, resource change, policy change, data access, key creation.
Check source: IP, geolocation, device, user agent, impossible travel.
Determine resource criticality and data classification.
Look for privilege escalation: new role, policy attachment, key generation.
Search for persistence: access keys, OAuth grants, backdoor roles, new users.
Scope lateral activity across accounts, projects, tenants, or subscriptions.
Contain by revoking sessions/keys, disabling principal, or restricting resource access.
Preserve cloud audit logs before retention or lifecycle rules remove them.

Container and Kubernetes Security

Area	What to inspect
Image provenance	Trusted registry, signed images, approved base images
Image vulnerabilities	Outdated packages, vulnerable dependencies
Secrets	No secrets in image layers, environment variables, or repos
Runtime privilege	Avoid privileged containers and host mounts unless required
Network policy	Restrict pod-to-pod and egress traffic
Admission control	Enforce policy before deployment
RBAC	Least privilege for service accounts
Namespace separation	Limit blast radius
Logging	API server, audit logs, container stdout/stderr
Persistence	Unexpected deployments, daemonsets, cronjobs
Supply chain	CI/CD integrity, dependency pinning, artifact scanning

Security Tool Selection Matrix

Tool/control	Best use	Common trap
SIEM	Central correlation and alerting	SIEM is only as good as ingested logs and tuning.
SOAR	Automated enrichment and response	Automating bad logic can amplify mistakes.
EDR	Endpoint process, malware, response	Does not replace patching or least privilege.
XDR	Cross-domain detection and response	Still needs analyst validation.
NDR	Network behavior detection	Encrypted traffic may limit payload visibility.
IDS	Detect suspicious traffic	Detection only unless paired with response.
IPS	Block suspicious traffic inline	Can disrupt business if poorly tuned.
WAF	Web attack protection	Temporary mitigation; code flaws still need fixing.
DLP	Detect/control sensitive data movement	Requires good data classification.
NAC	Control network admission	Asset identity and exceptions must be maintained.
UEBA	Detect abnormal user/entity behavior	Needs baseline and context.
Vulnerability scanner	Find known weaknesses	Findings require validation and prioritization.
BAS	Test controls with simulated attacks	Not a substitute for remediation.
Deception tech	Lure and detect attackers	Must avoid confusing production operations.
MDM/UEM	Manage endpoints/mobile devices	Coverage gaps weaken enforcement.
PAM	Protect privileged accounts	Does not fix excessive privileges by itself.
Backup platform	Recovery from deletion/ransomware	Must be isolated and restore-tested.

Cryptography and Data Protection

Need	Use	Watch for
Data confidentiality in transit	TLS	Expired certs, weak protocols, bad hostname validation
Data confidentiality at rest	Disk/database/object encryption	Key management and access control matter
Integrity	Hashing, digital signatures	Hash alone does not prove authenticity unless trusted
Authentication/nonrepudiation	Digital signatures, certificates	Private key protection is critical
Password storage	Salted adaptive hashing	Do not encrypt passwords for reversible storage
Key storage	KMS/HSM/secrets vault	Avoid hardcoded keys and unmanaged copies
Data minimization	Collect/store only needed data	Reduces breach impact
Tokenization	Replace sensitive value with token	Useful for payment or sensitive identifiers
Masking	Hide part of data in display/logs	Does not always protect underlying storage
DLP/classification	Control sensitive movement	Needs labels and accurate rules

Risk, Governance, and Reporting

Risk Response Options

Response	Meaning	Example
Avoid	Stop the risky activity	Decommission exposed legacy service
Mitigate	Reduce likelihood or impact	Patch, segment, add MFA
Transfer	Shift financial/operational impact	Cyber insurance, outsourced service
Accept	Acknowledge risk with approval	Document exception with owner and expiration

Metrics to Recognize

Metric	Meaning
MTTD	Mean time to detect
MTTA	Mean time to acknowledge
MTTR	Mean time to respond/restore/remediate, depending on context
Dwell time	Time attacker remains undetected
False positive rate	Portion of alerts that are not actionable malicious events
Vulnerability age	How long a finding has remained open
Patch compliance	Percentage of assets meeting patch standard
SLA adherence	Whether response/remediation met defined targets
Control coverage	Assets/users/log sources covered by control
Recurrence rate	Whether incidents/findings repeat after remediation

Report Audience Matrix

Audience	Include	Avoid
Executives	Business impact, risk, decisions needed, trend	Excessive raw logs and tool syntax
Technical teams	Root cause, affected systems, IOCs, remediation steps	Vague business-only summaries
Legal/compliance	Timeline, data types, preservation status, policy triggers	Speculation beyond evidence
HR	User-related facts when insider or policy issue exists	Technical overload or unapproved disclosure
Customers/partners	Approved impact and action guidance	Unverified details or blame
SOC leadership	Metrics, gaps, tuning, staffing/process needs	Unsupported claims

Common Commands and Analyst Utilities

Network and Host Triage

## Active connections and listening services
ss -tulpen
netstat -ano

## DNS investigation
dig example.com
nslookup example.com

## HTTP header and redirect review
curl -I -L https://example.com

## Packet capture
tcpdump -i eth0 host 203.0.113.10 -w capture.pcap

## Hash a file
sha256sum suspicious.bin

## Search logs
grep -i "failed password" /var/log/auth.log

Windows Triage Examples

## Recent processes
Get-Process | Sort-Object StartTime -Descending

## Local users
Get-LocalUser

## Local administrators
Get-LocalGroupMember Administrators

## Network connections with owning process
Get-NetTCPConnection | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess

## Scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"}

Nmap Use Cases

## Basic service discovery
nmap -sV 192.0.2.10

## Scan top ports on a subnet
nmap --top-ports 100 192.0.2.0/24

## No ping discovery if hosts block ICMP
nmap -Pn 192.0.2.10

Nmap option	Meaning
`-sV`	Service/version detection
`-sS`	SYN scan
`-O`	OS detection
`-Pn`	Treat host as up; skip host discovery
`-p`	Specify ports
`--top-ports`	Scan most common ports
`-oA`	Output in multiple formats

Alert-to-Action Playbook Patterns

Alert	First checks	Likely next action
Malware detected	Host, file hash, process tree, user, network activity	Isolate if active; collect evidence; remove malware
Multiple failed VPN logins	User/source pattern, success after failures, MFA status	Block source, reset account if success, tune detection
Impossible travel	Geo/IP, VPN/proxy, device, recent password change	Revoke session and require MFA/reset if suspicious
New admin account	Change ticket, creator, source host, group membership	Disable if unauthorized; investigate creator
EDR disabled	User/process causing change, policy status	Re-enable, isolate if malicious, investigate tampering
DNS tunneling	Query length, entropy, volume, domain age	Block domain, inspect host, hunt similar queries
Web attack blocked by WAF	Payload, target URI, source frequency	Tune/monitor if blocked; escalate if exploitation succeeded
Public cloud storage	Resource owner, access logs, data type	Remove public access; assess exposure
DLP exfil alert	User, data type, destination, business justification	Contain transfer, notify data owner
Vulnerability scanner critical finding	Asset exposure, exploitability, owner	Validate and assign urgent remediation

High-Yield Exam Traps

If the question says…	Do not jump to…	Prefer…
“The alert fired”	Assume incident confirmed	Validate with correlated evidence.
“A patch is available”	Patch production immediately	Follow change control unless active critical risk requires emergency process.
“User clicked link”	Reimage immediately	Check credential submission, payload execution, and mailbox/account activity.
“Firewall blocked traffic”	Close ticket	Determine whether it indicates targeting or compromised internal host.
“CVSS is high”	Always top priority	Consider exposure, exploit activity, asset value, and compensating controls.
“Hash is malicious”	Hunt only by hash	Add behavior, filenames, domains, command lines, and parent process.
“Admin account used”	Treat as authorized	Validate source, timing, MFA, ticket, and expected admin path.
“Cloud key created”	Ignore if by admin	Check whether expected, then inspect usage and permissions.
“Need legal evidence”	Collect casually	Preserve chain of custody and minimize evidence modification.
“Need to reduce alert noise”	Disable the rule	Tune, enrich, suppress narrowly, or improve parsing.

Rapid Review Checklist

Before Exam Day

Know the difference between alert, event, incident, vulnerability, threat, and risk.
Practice choosing between containment, eradication, and recovery actions.
Review common Windows, Linux, DNS, web, firewall, IAM, and cloud log clues.
Memorize high-value Windows Event IDs for authentication, process creation, account changes, and log clearing.
Be able to explain IOC vs TTP, SIEM vs SOAR, EDR vs IDS, CSPM vs CWPP vs CIEM.
Review phishing header fields and SPF/DKIM/DMARC distinctions.
Practice vulnerability prioritization using exploitability, exposure, criticality, and business impact.
Understand when to escalate to legal, privacy, HR, management, or system owners.
Read questions for words such as first, best, most likely, next, and primary.

Practical Next Step

Use this Quick Reference to identify weak areas, then move into timed CS0-004-style practice questions and scenario-based labs that require you to triage alerts, prioritize vulnerabilities, interpret logs, and choose the best next analyst action.

Scenario Guide

Security Operations