CS0-004 — CompTIA CySA+ V4 Quick Review

Last revised: June 18, 2026

Quick Review for CompTIA CySA+ V4 (CS0-004): security operations, vulnerability management, incident response, forensics, cloud, reporting, and practice focus.

Quick Review purpose

This Quick Review is for candidates preparing for CompTIA CySA+ V4 (CS0-004) from CompTIA who want a fast, practical refresh before moving into topic drills, mock exams, and detailed explanations.

Use it to tighten your understanding of high-yield cybersecurity analyst decisions: what to investigate first, how to prioritize risk, which evidence to preserve, how to interpret logs, and how to choose the best response in scenario-based questions.

This is IT Mastery review support and is not affiliated with CompTIA.

Exam identity

Item	Detail
Vendor/provider	CompTIA
Official exam title	CompTIA CySA+ V4 (CS0-004)
Official exam code	CS0-004
Candidate focus	Cybersecurity analysis, detection, vulnerability management, incident response, communication, and operational security
Best use of this page	Quick concept refresh before IT Mastery practice and original practice questions

Last-pass study strategy

For a final review, do not try to reread everything. Focus on decisions.

Read the scenario carefully. Identify the asset, threat, business impact, evidence, and current phase of response.
Separate alert from incident. An alert is a signal; an incident requires validation and impact assessment.
Prioritize by risk, not noise. Severity, exploitability, asset criticality, exposure, and compensating controls matter.
Preserve evidence before destructive actions. Especially in forensic or legal-sensitive scenarios.
Match the tool to the question. Scanner, SIEM, EDR, packet capture, SOAR, DLP, WAF, CASB, IAM logs, cloud-native logs, and forensics tools solve different problems.
Choose the least disruptive effective action. Contain the threat while minimizing business impact.
Answer as an analyst. Communicate clearly, document findings, escalate appropriately, and verify remediation.

High-yield topic map

Area	Know cold	Common exam trap
Security monitoring	Logs, alerts, SIEM correlation, EDR telemetry, network traffic, authentication events	Treating one alert as proof without corroboration
Detection engineering	Signatures, behavior analytics, baselines, rules, false positives, tuning	Over-tuning until true positives disappear
Vulnerability management	Scanning, prioritization, remediation, exceptions, validation	Ranking by CVSS alone without asset context
Threat intelligence	IOCs, TTPs, confidence, relevance, source quality, sharing formats	Assuming every IOC is current or useful
Incident response	Preparation, detection, analysis, containment, eradication, recovery, lessons learned	Eradicating before containment or evidence capture
Digital forensics	Volatile data, disk images, hashing, chain of custody, timeline analysis	Changing evidence while collecting it
Cloud and hybrid security	IAM, logging, storage exposure, network controls, shared responsibility	Assuming cloud provider secures customer configuration
Application security	Injection, XSS, auth flaws, API abuse, insecure deserialization, SSRF	Confusing vulnerability type with remediation
Identity security	MFA, SSO, federation, privilege, conditional access, anomalous login behavior	Ignoring identity as the control plane
Reporting	Executive summary, technical findings, remediation plan, metrics, risk acceptance	Giving executives raw logs instead of business impact

Security operations review

Alert triage decision rule

When a question asks what to do first, decide whether the scenario needs validation, containment, escalation, or preservation.

Scenario clue	Best first move
Single alert, no confirmed impact	Validate with additional telemetry
Active exfiltration or malware spread	Contain affected systems or accounts
Possible legal/regulatory issue	Follow incident plan and preserve evidence
Executive asks for status	Provide concise impact, scope, actions, and next update
Known false positive pattern	Tune rule after documenting evidence
Critical system involved	Coordinate with business owner before disruptive action, unless immediate harm requires containment

Telemetry sources to recognize

Source	What it helps detect	Useful clues
Firewall logs	Blocked/allowed connections, scanning, policy violations	Source/destination IP, port, action, rule name
IDS/IPS	Known attack patterns and suspicious traffic	Signature ID, severity, packet details
SIEM	Correlated events across tools	Timeline, rule logic, related entities
EDR	Process, file, registry, memory, host behavior	Parent-child process chains, hashes, command line
DNS logs	C2, tunneling, domain generation, phishing	Unusual domains, high entropy, NXDOMAIN spikes
Proxy logs	Web access, downloads, user browsing	URL, category, user, user agent
Email gateway	Phishing, malware attachments, spoofing	SPF/DKIM/DMARC results, headers, attachment hash
Authentication logs	Brute force, impossible travel, privilege abuse	Failed logins, MFA prompts, source location
Cloud logs	API activity, identity use, storage exposure	Access keys, role assumption, object access
NetFlow	Traffic patterns without payload	Volume, direction, duration, endpoints
Vulnerability scanner	Known weaknesses and misconfigurations	Plugin ID, severity, proof, affected asset
DLP	Sensitive data movement	Data type, user, destination, channel

Log analysis patterns

Pattern	Likely meaning	Analyst response
Many failed logins followed by success	Brute force or password spraying	Check source, MFA, user behavior, privilege
Login from unusual country plus new device	Possible account compromise	Validate with user, revoke sessions, reset credentials if confirmed
PowerShell with encoded command	Suspicious execution	Decode, inspect parent process, isolate if malicious
DNS queries to random-looking domains	Possible DGA or tunneling	Compare threat intel, check endpoint process
Large outbound transfer after privilege escalation	Potential exfiltration	Contain, preserve logs, identify data scope
New admin account created outside change window	Unauthorized persistence	Disable account, review creator, audit related changes
Web server 500 errors with SQL keywords	Possible SQL injection testing	Review WAF/app logs, patch or tune controls
Endpoint beaconing at regular intervals	Possible command-and-control	Correlate with EDR and network data

Detection quality concepts

Concept	Meaning	Exam reminder
True positive	Alert correctly identifies malicious or policy-violating activity	Investigate and respond
False positive	Alert fires on benign activity	Tune carefully, do not ignore blindly
True negative	Benign activity correctly ignored	Desired normal state
False negative	Malicious activity missed	Most dangerous detection gap
Baseline	Known normal behavior	Needed for anomaly detection
Correlation	Linking multiple weak signals into stronger evidence	SIEM use case core concept
Enrichment	Adding context such as asset owner, threat intel, geolocation	Helps prioritization
Suppression	Reducing repetitive alerts	Use only when risk is understood
Thresholding	Alerting after a count, rate, or condition is met	Avoid thresholds that are too low or too high

SIEM and query thinking

You do not need to memorize every vendor syntax, but you should understand query logic.

Task	Query idea
Find brute force	Count failed logins by user/source over time
Find successful login after failures	Correlate failed events followed by success
Find rare process	Compare process name/hash against baseline
Find lateral movement	Look for remote logons, admin shares, remote execution
Find exfiltration	Large outbound transfers to unusual destination
Find privilege escalation	New role/group membership or policy change
Find suspicious PowerShell	Encoded commands, download cradle, bypass flags
Find cloud compromise	New access key, unusual API calls, role assumption, public exposure

Vulnerability management review

Vulnerability lifecycle

    flowchart LR
	    A[Asset inventory] --> B[Discover vulnerabilities]
	    B --> C[Validate findings]
	    C --> D[Prioritize risk]
	    D --> E[Remediate or mitigate]
	    E --> F[Verify fix]
	    F --> G[Report status]
	    G --> A

Prioritization factors

Do not prioritize remediation by scanner severity alone. Combine technical severity with business context.

Factor	Why it matters
Asset criticality	A medium issue on a crown-jewel system may outrank a high issue on a low-value lab host
Internet exposure	Externally reachable systems are easier to attack
Exploit availability	Known working exploit increases urgency
Active exploitation	Evidence of attacks raises priority
Data sensitivity	Systems with regulated or confidential data carry higher impact
Privilege required	No-auth remote issues are generally more urgent
Compensating controls	WAF, segmentation, EDR, or hardening may reduce immediate risk
Patch complexity	Downtime, dependencies, and testing affect remediation planning
Business deadline	Critical operations may require mitigation before patching
Vulnerability age	Long-open findings can indicate process failure

Scanner result interpretation

Finding type	Analyst caution
Unauthenticated scan	Faster and safer but may miss local/package/configuration issues
Authenticated scan	More complete but depends on credential scope and health
Agent-based scan	Good for roaming endpoints but requires deployment and maintenance
Network scan	Finds exposed services but may not see internal host state
Web app scan	Useful for application flaws but can create noise or affect fragile apps
Container image scan	Finds package/library issues before deployment
Cloud configuration scan	Detects risky permissions, public storage, insecure networking
False positive	Validate before escalating as confirmed risk
False negative	May occur if scanner lacks access, signatures, or context

Remediation versus mitigation

Action	Use when	Example
Remediation	You can remove the vulnerability	Apply vendor patch
Mitigation	You reduce likelihood or impact temporarily	Add WAF rule, disable service, restrict access
Compensating control	Alternative control provides comparable risk reduction	Network segmentation around unsupported system
Risk acceptance	Business formally accepts residual risk	Exception with owner and review date
Risk transfer	Shift financial/operational impact	Cyber insurance or outsourced responsibility
Avoidance	Stop the risky activity	Decommission exposed legacy app

Vulnerability management traps

Trap: “Highest CVSS always first.” Better answer: prioritize by exploitability, exposure, asset value, and business impact.
Trap: “Patch immediately in production.” Better answer: follow change control, test when appropriate, and use mitigation if urgent.
Trap: “Scanner output equals truth.” Better answer: validate critical findings and investigate anomalies.
Trap: “Risk accepted forever.” Better answer: exceptions should be documented, owned, justified, and reviewed.
Trap: “Remediation complete when ticket closes.” Better answer: verify with rescanning or control validation.

Threat intelligence review

Intelligence types

Type	Focus	Example use
Strategic	Business-level threat trends	Executive risk planning
Operational	Campaigns, adversary objectives, target sectors	Prepare defenses for likely attacks
Tactical	TTPs and behaviors	Improve detections and playbooks
Technical	IOCs such as IPs, hashes, domains	Block, search, enrich alerts

IOC versus TTP

Item	Meaning	Durability
IP address	Infrastructure indicator	Often short-lived
Domain	C2, phishing, or staging indicator	Can change quickly
File hash	Exact file match	Breaks if file changes
URL	Specific web resource	Useful but often temporary
Registry key	Host persistence clue	More durable than hash
Process behavior	Execution pattern	More durable
Attack technique	Adversary method	Most useful for detection engineering

Threat intel quality checks

Before acting on threat intelligence, ask:

Is it relevant to your industry, geography, technology stack, or users?
Is it timely, or is it stale?
Is the source reliable?
Is the confidence level clear?
Can the indicator cause collateral damage if blocked?
Does it support detection, prevention, hunting, or executive reporting?
Has it been correlated with internal telemetry?

Common formats and tools

Item	Purpose
STIX	Structured threat intelligence representation
TAXII	Sharing transport for threat intelligence
YARA	File/content pattern matching, often malware-focused
Sigma	Generic SIEM detection rule format
Snort/Suricata rules	Network detection signatures
ATT&CK-style mapping	Organizing adversary tactics and techniques
Threat feeds	External indicators for enrichment and blocking

Incident response review

Response phase decision path

    flowchart TD
	    A[Alert or report received] --> B{Is activity validated?}
	    B -- No --> C[Collect more evidence]
	    C --> B
	    B -- Yes --> D{Is harm ongoing?}
	    D -- Yes --> E[Contain spread or access]
	    D -- No --> F[Scope affected systems and data]
	    E --> F
	    F --> G[Eradicate root cause]
	    G --> H[Recover and monitor]
	    H --> I[Lessons learned and reporting]

Incident response phase reminders

Phase	Analyst focus	Common mistake
Preparation	Playbooks, contacts, tools, training, logging	Waiting until incident to define roles
Detection and analysis	Validate, scope, classify, prioritize	Declaring breach from one weak signal
Containment	Limit damage and spread	Taking systems offline without considering business impact
Eradication	Remove malware, persistence, compromised accounts	Missing root cause
Recovery	Restore services and monitor	Reconnecting before validating clean state
Lessons learned	Improve controls and process	Skipping documentation after recovery

Containment choices

Situation	Likely containment
Malware on one workstation	Isolate host via EDR or network control
Compromised user account	Disable account, revoke sessions/tokens, reset credentials
Leaked API key	Revoke key, rotate secrets, review access logs
Ransomware spreading	Segment network, isolate affected hosts, disable propagation paths
Malicious email campaign	Quarantine messages, block sender/domain/URL, search mailboxes
Web app attack	WAF rule, disable vulnerable function, patch app
Cloud storage exposure	Remove public access, review object access logs
Insider data theft	Preserve evidence, restrict access, involve appropriate stakeholders

Incident classification clues

Incident type	Evidence to look for
Phishing	Email headers, links, attachments, sender domain, user clicks
Malware	Hashes, process tree, persistence, network beacons
Ransomware	File extension changes, ransom note, encryption activity
Credential compromise	Impossible travel, MFA fatigue, new devices, token abuse
Data exfiltration	Large outbound transfer, unusual destination, sensitive file access
Web application attack	Injection strings, abnormal parameters, WAF alerts, error spikes
DDoS	Traffic volume, many sources, service degradation
Insider threat	Unusual access, bulk downloads, policy violations, timing
Cloud compromise	New keys, role changes, unusual API calls, public resources

Incident response traps

Trap: “Delete malware first.” Better answer: isolate, collect evidence if needed, then eradicate.
Trap: “Power off every system.” Better answer: consider volatile evidence, business impact, and containment goals.
Trap: “Notify everyone immediately with unverified claims.” Better answer: communicate confirmed facts, impact, actions, and uncertainty.
Trap: “Restore from backup before root cause analysis.” Better answer: ensure the restored environment will not be reinfected.
Trap: “Close after service restoration.” Better answer: monitor, document, and hold lessons learned.

Digital forensics review

Evidence handling basics

Concept	Meaning	Why it matters
Chain of custody	Documented control of evidence	Supports integrity and admissibility
Hashing	Integrity verification	Shows evidence was not altered
Forensic image	Bit-level copy where appropriate	Preserves original media
Write blocker	Prevents modification of source media	Protects evidence
Volatile data	Data lost on shutdown	Memory, network connections, running processes
Timeline analysis	Event reconstruction	Helps determine attack sequence
Scope	Systems, accounts, data, and time period affected	Drives response and reporting

Order of volatility

Collect the most volatile evidence first when it is safe and appropriate.

More volatile	Less volatile
CPU/register/cache state	Disk images
Memory contents	Archived logs
Network connections	Backups
Running processes	Printed documentation
Logged-in users	Long-term records
Temporary files	Historical reports

Host artifacts to recognize

Artifact	What it can show
Process list	Suspicious running programs
Parent-child process tree	Execution chain
Command history	User or attacker actions
Scheduled tasks/cron jobs	Persistence
Registry run keys	Windows persistence
Services/daemons	Auto-start mechanisms
Prefetch/shimcache/amcache-style artifacts	Program execution evidence
Browser history/downloads	Phishing or drive-by activity
Event logs	Authentication, process, service, policy events
File metadata	Creation, modification, access clues
Memory dump	Malware, credentials, network connections

Network analysis review

Packet and flow interpretation

Observation	Possible interpretation
SYN packets to many ports	Port scan
SYN packets to many hosts on same port	Service sweep
Large outbound HTTPS to unknown host	Possible exfiltration or normal cloud use
Repeated DNS TXT queries	Possible DNS tunneling
ICMP traffic with abnormal payload size	Possible tunneling or testing
SMB connections between workstations	Possible lateral movement
Beaconing at fixed intervals	Possible command-and-control
TLS to rare domain shortly after malware execution	Suspicious outbound callback

Common ports and services

Port/protocol	Service	Analyst note
22/TCP	SSH	Admin access; watch brute force and exposed keys
25/TCP	SMTP	Mail transfer; abuse and spoofing concerns
53/UDP/TCP	DNS	Tunneling, DGA, suspicious lookups
80/TCP	HTTP	Web traffic; inspect where unencrypted
443/TCP	HTTPS	Encrypted web traffic; use metadata and endpoint logs
445/TCP	SMB	Windows file sharing; lateral movement risk
3389/TCP	RDP	Remote access; high-value target
389/636	LDAP/LDAPS	Directory services
1433/TCP	MS SQL	Database exposure risk
3306/TCP	MySQL	Database exposure risk
5432/TCP	PostgreSQL	Database exposure risk

Network control selection

Need	Control
Block known bad traffic	Firewall, proxy, DNS filtering
Detect suspicious network activity	IDS, NDR, SIEM correlation
Stop malicious traffic inline	IPS, WAF, secure web gateway
Separate sensitive systems	Segmentation, VLANs, ACLs, microsegmentation
Secure remote access	VPN, ZTNA, MFA, conditional access
Protect web applications	WAF, secure coding, patching
Limit outbound exfiltration	Egress filtering, DLP, proxy controls

Identity and access review

Identity attack patterns

Pattern	Clue	Response
Password spraying	Few attempts across many accounts	Block source, enforce MFA, detect low-rate failures
Brute force	Many attempts against one account	Lockout policy, source blocking, reset if compromised
MFA fatigue	Many push prompts	Revoke sessions, educate user, require phishing-resistant MFA where available
Impossible travel	Logins from distant locations in short time	Validate user, check VPN/proxy, revoke if suspicious
Privilege escalation	New admin rights or role changes	Review change authorization and actor
Token theft	Valid session from unusual context	Revoke tokens/sessions and investigate endpoint
Service account abuse	Interactive login or unusual access	Restrict use, rotate secret, monitor activity

Authentication and federation concepts

Concept	Review point
MFA	Adds factor; not all MFA is equally phishing-resistant
SSO	Centralizes authentication; compromise can have broad impact
SAML	Common enterprise federation protocol
OAuth 2.0	Authorization framework for delegated access
OpenID Connect	Authentication layer built on OAuth 2.0
Kerberos	Ticket-based authentication common in Windows domains
Conditional access	Policy based on user, device, location, risk, app
Least privilege	Users and services get only necessary access
Privileged access management	Controls and monitors high-risk admin access

Identity traps

OAuth is not the same as authentication by itself. OpenID Connect provides authentication on top of OAuth.
MFA does not eliminate credential risk. Tokens, consent grants, fatigue attacks, and session theft still matter.
Service accounts are high risk. They often have broad permissions and weak rotation practices.
Disabling an account may not end active sessions. Revoke tokens/sessions when needed.
Least privilege must include cloud roles and API permissions, not only local accounts.

Application and API security review

Common web vulnerabilities

Vulnerability	What it means	Better remediation direction
SQL injection	User input alters database query	Parameterized queries, input validation
Command injection	User input executes OS commands	Avoid shell execution, sanitize input, least privilege
Cross-site scripting	Attacker script runs in user browser	Output encoding, CSP, input handling
CSRF	User is tricked into submitting authenticated action	Anti-CSRF tokens, SameSite cookies
SSRF	Server is tricked into making requests	Egress controls, allowlists, metadata protection
Path traversal	Access files outside intended directory	Canonicalize paths, restrict file access
Insecure deserialization	Untrusted object data causes code or logic abuse	Avoid unsafe deserialization, integrity checks
Broken access control	User accesses unauthorized function/data	Server-side authorization checks
Security misconfiguration	Unsafe defaults or exposed admin features	Hardening, configuration review
Vulnerable dependency	Flawed third-party component	SCA, patching, dependency management

API security review

Risk	Clue	Control
Broken object-level authorization	User can access another user’s object ID	Enforce authorization per object
Excessive data exposure	API returns more fields than needed	Minimize response data
Lack of rate limiting	Automated abuse succeeds	Throttling and abuse detection
Weak token handling	Long-lived or exposed tokens	Short lifetimes, rotation, secure storage
Poor input validation	Malformed requests trigger errors	Schema validation and sanitization
Shadow APIs	Unknown or undocumented endpoints	API inventory and gateway controls

Secure SDLC and testing

Method	Purpose
SAST	Static source/code analysis before runtime
DAST	Dynamic testing of running application
SCA	Third-party dependency and license/vulnerability analysis
IAST	Instrumented testing during application execution
Fuzzing	Sending malformed inputs to find crashes or flaws
Threat modeling	Identifying design-level risks early
Code review	Human review for logic and security flaws
Secrets scanning	Detecting hardcoded keys and credentials
CI/CD controls	Automated security checks in pipelines

Cloud, container, and hybrid security review

Cloud security decision points

Scenario	Think about
Public storage bucket	Data exposure, access policy, object logs
Overprivileged role	Least privilege, role assumption, permissions boundary
Leaked access key	Revoke, rotate, find use, check persistence
Public management port	Security group/network ACL, bastion, ZTNA
Unencrypted data store	Encryption at rest, key management, data sensitivity
Missing logs	Enable cloud audit logs before incident
Suspicious API call	Identity, source IP, user agent, role, time
Container escape concern	Host hardening, runtime security, patching
Image vulnerability	Rebuild from patched base image
Kubernetes secret exposure	Rotate secrets, RBAC review, audit logs

Shared responsibility reminder

In cloud scenarios, the provider and customer share responsibilities, but the customer is commonly responsible for identity configuration, data classification, access policies, workload configuration, and application security. Do not assume the provider fixes insecure customer settings.

Container and Kubernetes clues

Item	Security relevance
Image	May contain vulnerable packages or secrets
Registry	Needs access control and signing/scanning
Runtime	Detect suspicious container behavior
Namespace	Logical isolation boundary
RBAC	Controls Kubernetes permissions
Secrets	Must be protected and rotated
Admission control	Enforces deployment policy
Network policy	Limits pod-to-pod communication
Privileged container	High risk; may access host resources
Immutable infrastructure	Rebuild rather than manually patch running instances

Endpoint security review

Malware behavior indicators

Behavior	Possible purpose
Creates scheduled task	Persistence
Modifies registry run key	Persistence
Injects into another process	Evasion or privilege abuse
Disables security tools	Defense evasion
Dumps credentials	Credential theft
Scans local network	Discovery/lateral movement
Connects to rare external domain	Command-and-control
Encrypts many files rapidly	Ransomware
Compresses staged files	Exfiltration preparation
Deletes shadow copies/backups	Ransomware impact maximization

Endpoint response choices

Situation	Best action
Confirmed malware with active C2	Isolate endpoint and preserve evidence
Suspicious process but uncertain	Collect process, hash, command line, network evidence
Credential theft suspected	Reset credentials and revoke sessions after containment planning
Widespread endpoint indicator	Hunt across fleet using EDR query
False positive from known admin tool	Document and tune detection carefully
Ransomware indicator	Isolate immediately and protect backups

Email and phishing review

Phishing investigation checklist

Evidence	What to inspect
Headers	Sender path, return-path, received chain
SPF/DKIM/DMARC	Authentication and domain alignment
URLs	Redirects, lookalike domains, reputation
Attachments	Hashes, macros, sandbox results
User reports	Who received, clicked, submitted credentials
Mail gateway logs	Delivery, quarantine, similar messages
Authentication logs	Login attempts after click
Endpoint telemetry	Downloaded payload or script execution

Phishing response actions

Preserve a copy of the message and headers.
Identify all recipients.
Quarantine or remove similar messages.
Block malicious domains, URLs, hashes, or senders where appropriate.
Determine who clicked or submitted credentials.
Reset credentials and revoke sessions for affected users.
Search for payload execution or persistence.
Communicate user guidance without blame.
Update detections and awareness material.

Data protection and privacy-aware analysis

Data security controls

Need	Control
Protect data at rest	Encryption, access control, key management
Protect data in transit	TLS, VPN, secure protocols
Prevent unauthorized sharing	DLP, classification, access reviews
Limit blast radius	Least privilege, segmentation, token scoping
Detect exfiltration	DLP, proxy logs, cloud access logs, UEBA
Recover from loss	Backups, replication, tested restore
Reduce retained risk	Data minimization and retention controls

Backup and recovery reminders

Concept	Review point
Offline/immutable backup	Helps resist ransomware
Restore testing	Backup is not useful unless recoverable
Recovery point objective	Acceptable data loss target
Recovery time objective	Acceptable downtime target
Golden image	Trusted rebuild source
Clean restore	Restore only after root cause and reinfection risk are addressed

Risk, reporting, and communication review

Audience-based reporting

Audience	Wants	Avoid
Executive leadership	Business impact, risk, timeline, decision needed	Raw logs and tool jargon
Technical team	Affected systems, evidence, root cause, fix steps	Vague “secure it” statements
Legal/compliance	Facts, scope, timeline, evidence handling	Speculation
Asset owner	Operational impact and remediation plan	Security-only language
Customer/user communication	Clear impact and required action	Over-disclosure before facts are confirmed
Incident commander	Status, blockers, next actions	Unprioritized detail dump

Good security report structure

Executive summary
Scope and methodology
Key findings
Risk rating and business impact
Evidence
Affected assets
Recommended remediation
Compensating controls or exceptions
Validation plan
Appendices for technical detail

Metrics to understand

Metric	Use
MTTD	Mean time to detect
MTTR	Mean time to respond or recover, depending on context
Dwell time	Time attacker remains undetected
False positive rate	Detection quality and analyst workload
Patch compliance	Remediation program health
Vulnerability age	Backlog and process risk
Incident count by type	Trend analysis
Phishing click rate	Awareness and control effectiveness
Control coverage	Visibility and protection gaps

Tool and command quick review

Common analyst tools

Tool/category	Use
SIEM	Correlation, search, alerting, dashboards
SOAR	Automated enrichment and response workflows
EDR/XDR	Endpoint detection, containment, investigation
NDR	Network detection and response
Vulnerability scanner	Find known vulnerabilities and misconfigurations
Packet analyzer	Inspect network traffic
Sandbox	Detonate suspicious files/URLs safely
Forensic suite	Image, preserve, and analyze evidence
Ticketing system	Track remediation and accountability
GRC platform	Risk, compliance, exceptions, reporting

Command-line recognition

Command/tool	Typical use
ping	Basic reachability
traceroute/tracert	Network path
nslookup/dig	DNS lookup
whois	Domain/IP registration context
netstat/ss	Network connections and listening ports
ipconfig/ifconfig/ip	Interface configuration
route	Routing table
arp	Local neighbor mapping
nmap	Port/service discovery
curl/wget	HTTP requests and downloads
tcpdump	Packet capture
Wireshark/tshark	Packet analysis
grep/findstr	Search text/logs
awk/sed	Text processing
strings	Extract readable strings from binary
sha256sum/Get-FileHash	File integrity/hash
ps/tasklist	Running processes
lsof	Open files and sockets
journalctl	Linux system logs
sc/systemctl	Service management
reg	Windows registry inspection/modification

“Best tool” examples

Question asks for	Strong answer direction
Identify open ports	Nmap or scanner
Inspect payload details	Packet capture/Wireshark
Correlate many logs	SIEM
Isolate compromised host	EDR or network control
Automate enrichment	SOAR
Identify vulnerable packages	SCA or vulnerability scanner
Detect data leaving	DLP, proxy, NetFlow, cloud logs
Verify file integrity	Hash comparison
Preserve disk evidence	Forensic imaging
Analyze suspicious attachment safely	Sandbox

Scenario decision rules

“First,” “best,” and “next” wording

Wording	How to answer
FIRST	Choose the earliest correct step in the process
BEST	Choose the most complete and risk-appropriate action
NEXT	Continue from the current phase described
MOST likely	Infer from evidence, not from fear
LEAST likely	Eliminate supported options first
MOST secure	Strongest control, if operationally reasonable
MOST cost-effective	Adequate risk reduction with lower complexity
BEST long-term	Root cause fix, not temporary workaround

High-frequency decision rules

If the scenario says…	Prefer…
“Unconfirmed alert”	Validate and collect more evidence
“Active compromise”	Containment
“Forensic investigation”	Preserve evidence and chain of custody
“Critical production service”	Coordinate containment with business impact in mind
“Known exploited vulnerability on internet-facing asset”	Urgent remediation or mitigation
“Legacy system cannot be patched”	Compensating controls and risk documentation
“Many noisy alerts”	Tuning, correlation, and prioritization
“Credential compromise”	Revoke sessions/tokens, reset credentials, review activity
“Cloud public exposure”	Remove public access and review access logs
“Repeat incident”	Root cause analysis and control improvement

Common candidate mistakes

Technical mistakes

Confusing hashing with encryption. Hashing verifies integrity; encryption protects confidentiality.
Confusing encoding with encryption. Encoding is reversible formatting, not security.
Treating base64 as a secure protection method.
Assuming HTTPS traffic is safe just because it is encrypted.
Forgetting that valid credentials can be maliciously used.
Assuming MFA stops all account compromise.
Choosing eradication before containment during active compromise.
Ignoring egress traffic in exfiltration scenarios.
Overlooking cloud IAM as the highest-impact control plane.
Treating scanner severity as identical to business risk.

Process mistakes

Skipping documentation during incidents.
Failing to verify remediation.
Reporting technical detail without business impact.
Closing incidents without lessons learned.
Blocking indicators without considering collateral impact.
Not involving asset owners for production changes.
Failing to preserve chain of custody when evidence may matter.
Accepting risk without an owner, justification, or review.

Compact comparison tables

Preventive, detective, corrective

Control type	Purpose	Examples
Preventive	Stop event from happening	MFA, firewall, hardening, secure coding
Detective	Identify event	SIEM alert, IDS, audit logs
Corrective	Restore or fix	Patch, restore backup, remove malware
Deterrent	Discourage behavior	Warning banners, policies
Compensating	Alternative protection	Segmentation around unpatchable system
Recovery	Return to operation	Backups, disaster recovery plan

Signature, anomaly, behavior

Detection type	Strength	Weakness
Signature	Good for known threats	Misses new/modified threats
Anomaly	Finds unusual activity	Can produce false positives
Behavior	Detects suspicious actions/TTPs	Requires context and tuning
Heuristic	Flexible pattern-based detection	May be noisy
Threat intel match	Fast enrichment	Indicators may be stale

IDS, IPS, WAF, EDR

Control	Primary location	Main purpose
IDS	Network or host	Detect and alert
IPS	Inline network path	Detect and block
WAF	In front of web app	Filter malicious web requests
EDR	Endpoint	Detect, investigate, contain host threats
NDR	Network	Identify suspicious traffic behavior
DLP	Endpoint, network, cloud	Prevent or detect sensitive data leakage

Mini playbooks

Suspected ransomware

Isolate affected systems.
Protect backups and prevent further spread.
Preserve evidence where possible.
Identify initial access and scope.
Disable compromised accounts.
Remove persistence and malware.
Restore from known-good backups.
Monitor for reinfection.
Document timeline, impact, and lessons learned.

Suspected cloud key compromise

Disable or revoke the exposed key.
Rotate related secrets.
Review API activity for that identity.
Identify created users, roles, policies, compute, storage, or network changes.
Remove unauthorized resources and persistence.
Check data access and exfiltration.
Tighten permissions and add detection.
Document impact and remediation.

Suspected data exfiltration

Confirm unusual transfer or access.
Identify user, system, data type, destination, and time window.
Contain access path without destroying evidence.
Preserve logs and relevant artifacts.
Determine data sensitivity and scope.
Escalate according to incident plan.
Implement corrective controls.
Prepare audience-appropriate reporting.

Suspected phishing credential theft

Analyze email and identify recipients.
Remove message from mailboxes.
Determine who clicked or submitted credentials.
Revoke sessions and reset affected credentials.
Review authentication and mailbox rules.
Search for lateral movement or data access.
Block infrastructure and update detections.
Communicate user guidance.

How to use practice questions after this review

Use this Quick Review to identify weak decision areas, then move into IT Mastery practice:

Use topic drills for one area at a time: incident response, vulnerability management, log analysis, cloud security, or reporting.
Use original practice questions to test whether you can apply concepts in scenarios rather than recite definitions.
Review detailed explanations after each question, especially for why the wrong answers are wrong.
Build an error log with three columns: missed concept, clue you overlooked, rule to remember.
Retake only the questions you missed after a delay, not immediately from memory.
Finish with mixed, timed question bank sets so you practice switching topics under exam-like pressure.

Final quick checklist

Before you start a CS0-004 practice set, make sure you can answer these quickly:

What evidence confirms an alert is a real incident?
What should be contained first: host, account, network path, email, or cloud key?
What evidence is volatile and should be preserved early?
Which findings deserve priority when scanner severity and business risk differ?
Which log source best supports the investigation?
What is the difference between remediation, mitigation, and risk acceptance?
What should an executive report include?
What root cause must be fixed before recovery?
What detection should be improved after lessons learned?
What answer choice is safest, least disruptive, and aligned with the incident phase?

Next step: start a timed CompTIA CySA+ V4 (CS0-004) topic drill, review every detailed explanation, and turn each missed question into a short decision rule for your final question bank pass.

Continue in IT Mastery

Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official CompTIA questions, copied live-exam content, or exam dumps.

Study Plan