Try 10 focused CompTIA CySA+ CS0-004 questions on Reporting and Communication, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA CySA+ CS0-004 |
| Topic area | Reporting and Communication |
| Blueprint weight | 16% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Reporting and Communication for CompTIA CySA+ CS0-004. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 16% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Reporting and Communication
A SOC lead is selecting one detection-improvement action for the next sprint. The goal is to reduce avoidable triage workload without weakening detections that reliably identify real incidents.
| Detection | Alerts/week | False-positive rate | True-positive rate |
|---|---|---|---|
| Web upload anomaly | 1,800 | 92% | 8% |
| Cloud impossible travel | 45 | 11% | 89% |
| Endpoint ransomware behavior | 22 | 5% | 95% |
| Legacy port scan | 650 | 55% | 45% |
Which action best maps to these requirements?
Options:
A. Suppress the endpoint ransomware behavior rule first
B. Tune the web upload anomaly rule and track rate changes
C. Increase review priority for cloud impossible travel alerts
D. Disable all legacy port scan alerts immediately
Best answer: B
Explanation: Alert volume shows how much work a detection creates for analysts. False-positive rate shows how much of that work is non-actionable, while true-positive rate shows how often alerts represent real security events. The web upload anomaly rule creates the largest queue burden and is mostly false positives, so tuning it is the best first monitoring action. Tuning could include threshold adjustment, better allowlisting, enrichment, or rule logic refinement, followed by monitoring whether alert volume drops and true-positive rate improves. High true-positive detections should generally be preserved unless there is evidence they are no longer useful.
Topic: Reporting and Communication
A vulnerability analyst is preparing a scan report for application owners after an authenticated web application scan found several high-risk issues. The recipients need to identify what they own, verify the finding, understand business risk, and start remediation without reading raw scanner output. Which report content best meets these requirements?
Options:
A. Executive risk trend chart and total open findings by month
B. Scanner plug-in IDs, full request logs, and vendor release notes
C. Compliance control IDs and attestation status only
D. Affected assets, finding evidence, severity rationale, and remediation guidance
Best answer: D
Explanation: A useful vulnerability scan report should turn scanner results into stakeholder-ready action. For application owners, that means naming the affected assets or components, showing enough evidence to validate the issue, explaining severity in context, and providing clear remediation guidance or next steps. Raw scanner details can support an appendix, but they usually do not help owners quickly decide what to fix. Trend charts and compliance mappings are useful for other audiences, but they do not satisfy the immediate need to verify and remediate specific findings.
Topic: Reporting and Communication
A SOC analyst validates a high-confidence alert showing outbound transfers from a compromised CRM server. The CRM contains customer PII, and the incident commander has declared a severity 1 incident. Forensics is still scoping the exact records affected, but contractual and regulatory notification timelines may apply. No public statement has been made. What is the BEST escalation path?
Options:
A. Notify all customers immediately with the unconfirmed record count
B. Send the evidence directly to law enforcement before internal escalation
C. Escalate to legal, privacy/compliance, executive leadership, and PR per the incident communication plan
D. Wait for complete forensics before involving nontechnical stakeholders
Best answer: C
Explanation: When incident evidence indicates possible exposure of customer PII, escalation should follow the incident communication plan and include the functions that own legal obligations, regulatory assessment, executive risk decisions, and public messaging. The team does not need final record-level certainty before escalating internally, because notification clocks, contractual duties, and reputational risk may already be in play. However, external notices should be coordinated and accurate, not rushed with unconfirmed details. Law enforcement may become appropriate, but that decision is normally coordinated through legal and executive incident leadership.
Topic: Reporting and Communication
A vulnerability analyst is preparing two deliverables after a quarterly assessment. The engineering team needs a prioritized remediation report for exploitable technical weaknesses. The compliance team needs evidence for a PCI DSS control review.
Findings:
1. An actively exploited CVE on an internet-facing VPN appliance
2. Missing documentation for the required quarterly external scan
Which reporting action best maps each finding to the correct purpose and audience?
Options:
A. Send the VPN CVE to engineering and the missing scan evidence to compliance.
B. Defer both findings until exploit validation is completed.
C. Send both findings to compliance as PCI DSS exceptions.
D. Send both findings to engineering as high-priority vulnerabilities.
Best answer: A
Explanation: Compliance findings and vulnerability findings are reported for different purposes. A vulnerability finding identifies a technical weakness that can be exploited and needs remediation or mitigation by technical owners. In this scenario, the actively exploited CVE on an internet-facing VPN appliance belongs in the engineering remediation report. A compliance finding identifies a gap against a required control, standard, policy, or evidence obligation. Missing documentation for a required quarterly external scan is not itself proof of an exploitable host weakness; it is a control-evidence gap for the compliance team. The key distinction is whether the report is driving technical risk remediation or demonstrating adherence to a requirement.
Topic: Reporting and Communication
A SOC team is investigating a suspected data exposure involving a customer portal. The incident is declared, but the scope and data types are not yet confirmed. The communication plan requires updates to executives, legal, privacy, and the service owner through approved internal channels only. Customer-facing statements must be approved by legal and public relations. Which communication action best preserves accuracy, confidentiality, and stakeholder trust?
Options:
A. Wait to communicate until root cause is fully confirmed
B. Notify all customers immediately that their data was exposed
C. Post full technical details in the company-wide chat
D. Send a concise internal update with confirmed facts, unknowns, actions, and next update time
Best answer: D
Explanation: Incident communications should be timely, accurate, need-to-know, and aligned with the communication plan. In this scenario, the incident is real enough to require stakeholder updates, but the customer impact is not confirmed and external messaging needs legal and public relations approval. A good update separates confirmed facts from unknowns, states current actions, identifies who is handling approvals, and sets the next update time. This builds trust because stakeholders are not left guessing, while confidentiality is preserved by using approved internal channels and limiting sensitive details. The key takeaway is to communicate what is known and what is being done, without speculating or bypassing approval paths.
Topic: Reporting and Communication
A vulnerability analyst must add one remediation item to the action plan for the finding below. Which item is the best fit?
Exhibit: Finding summary
| Field | Detail |
|---|---|
| Finding date | June 7 |
| Asset | vpn-admin01.example.com |
| Issue | Internet-facing VPN admin portal allows password-only login |
| Evidence | Password-spray alerts against admin accounts |
| Owner | Network Services manager |
| Remediation target | 14 days |
Options:
A. Network Services manager will enforce MFA on vpn-admin01 by June 21 and provide validation evidence.
B. Improve remote-access security as soon as staffing is available.
C. SOC will monitor password-spray alerts for the next quarter.
D. Asset team will review all VPN documentation this month.
Best answer: A
Explanation: A strong remediation action-plan item should be specific, accountable, time-aware, and directly tied to the reported finding. The exhibit identifies the affected asset, the control gap, the active evidence, the owner, and a 14-day target from June 7. Enforcing MFA on the named VPN admin portal by June 21 addresses the password-only exposure and gives the named owner a measurable deadline. Requiring validation evidence also makes closure auditable.
Monitoring may be useful during remediation, but it does not fix the control gap. Documentation review is also too indirect unless the finding is about missing documentation.
Topic: Reporting and Communication
A vulnerability analyst is updating a quarterly risk scorecard for executive leadership. The current draft ranks teams only by the number of critical and high CVSS findings. The CIO says the scorecard must reflect which unresolved findings are most likely to disrupt revenue-generating services or expose regulated data. Which action best meets this requirement?
Options:
A. Report only vulnerabilities with public exploit code
B. Group findings by scanner plugin family
C. Sort all findings strictly by CVSS base score
D. Add business impact factors to the scorecard ranking
Best answer: D
Explanation: A risk scorecard for leadership should translate technical vulnerability data into business risk. CVSS severity is useful, but it does not fully show whether an affected asset supports revenue, handles regulated data, has compensating controls, or is externally exposed. In this scenario, the CIO is asking for prioritization based on potential business disruption and data impact, so the scorecard should incorporate business impact factors alongside technical severity. The key takeaway is that technical severity helps rank flaws, but business impact helps rank organizational risk.
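To make the distinction between technical severity and organizational risk concrete, here is an added example (not part of the question bank) that ranks a constructed set of findings two ways: by CVSS base score alone, and with business impact factors applied. The findings, the asset names and the multipliers are assumptions made for illustration; they are not a CySA+ or CVSS formula, and a real scorecard would use weights the organization agrees on.

```python
"""Rank findings for an executive scorecard by business risk, not CVSS alone.

Added example. Findings and weighting factors are constructed for illustration;
the multipliers are assumptions, not a CySA+ or CVSS formula.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float
    internet_exposed: bool
    revenue_service: bool
    regulated_data: bool
    compensating_control: bool


# Assumed illustrative multipliers; an organization would set its own.
WEIGHTS = {
    "internet_exposed": 1.5,       # reachable by anyone on the internet
    "revenue_service": 1.5,        # outage or compromise disrupts revenue
    "regulated_data": 1.5,         # exposure triggers regulatory obligations
    "compensating_control": 0.5,   # something already reduces exploitability
}


def business_risk(f: Finding) -> float:
    """CVSS scaled by the business factors that apply to the affected asset."""
    score = f.cvss
    for factor, multiplier in WEIGHTS.items():
        if getattr(f, factor):
            score *= multiplier
    return round(score, 2)


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """The draft scorecard's ordering: technical severity only."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_business_risk(findings: list[Finding]) -> list[str]:
    """The ordering the CIO asked for: severity adjusted for business impact."""
    return [f.asset for f in sorted(findings, key=business_risk, reverse=True)]


# Constructed sample: a critical flaw on an isolated lab box, a high flaw on an
# HR database with a compensating control, and a high flaw on the payment API.
SAMPLE = [
    Finding("lab-server", 9.8, False, False, False, False),
    Finding("hr-db", 8.8, False, False, True, True),
    Finding("payment-api", 7.5, True, True, True, False),
]

if __name__ == "__main__":
    print("By CVSS only:      ", rank_by_cvss(SAMPLE))
    print("By business risk:  ", rank_by_business_risk(SAMPLE))
    for f in SAMPLE:
        print(f"{f.asset:<12} cvss={f.cvss:<4} business_risk={business_risk(f)}")
```

With CVSS alone the isolated lab server tops the list; once exposure, revenue impact and regulated data are applied, the internet-facing payment API moves to the top and the HR database with a compensating control drops to last. The multiplicative scheme is only one way to express this; the point is that the ranking inputs must include what the business stands to lose.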
Topic: Reporting and Communication
A SOC lead asks for a brief handover note on whether a newly deployed SIEM rule improved triage performance. Staffing and ticket priority definitions did not change, and the numbers below are based on manually validated tickets.
| Week | Alert volume | True-positive rate | False-positive rate |
|---|---|---|---|
| Before rule | 400 | 30% | 70% |
| After rule | 900 | 15% | 85% |
Which note is the BEST professional decision for the handover?
Options:
A. Disable the rule immediately because false positives increased
B. Escalate all after-rule alerts as high priority incidents
C. Report degraded triage efficiency and recommend tuning the rule
D. Report improved detection because total alerts increased
Best answer: C
Explanation: Detection and triage metrics should be interpreted together. Alert volume alone is not a success measure; it can indicate workload growth or noise. In this case, the new rule increased alert volume from 400 to 900 while the true-positive rate dropped from 30% to 15% and the false-positive rate rose from 70% to 85%. That means analysts are reviewing many more tickets with a lower proportion of validated malicious activity. The best handover message should be evidence-based and actionable: note degraded triage efficiency and recommend tuning or threshold adjustment before expanding reliance on the rule. Disabling the rule immediately may be premature because it may still catch some valid activity, but treating the change as an improvement ignores the false-positive burden.
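Both this question and the sprint-planning question earlier on the page turn on the same arithmetic: a rate only describes analyst workload once it is multiplied by alert volume. The following added example (not from the question bank) re-enters the figures from both tables as sample data, ranks detections by the false-positive queue they generate, and produces a before/after verdict for the SIEM rule change. The 0.8 true-positive cut-off used to mark high-precision rules as "preserve" is an assumed threshold, not an exam rule.

```python
"""Turn alert volume and precision rates into the triage workload they create.

Added example for the two detection-metric questions on this page; the figures
are the ones from those questions' tables, re-entered here as sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    name: str
    alerts_per_week: int
    fp_rate: float  # share of alerts that are non-actionable
    tp_rate: float  # share of alerts that are validated real activity


def expected_counts(d: Detection) -> dict:
    """Rates matter once multiplied by volume: this is what analysts actually open."""
    return {
        "name": d.name,
        "false_positives": round(d.alerts_per_week * d.fp_rate, 1),
        "true_positives": round(d.alerts_per_week * d.tp_rate, 1),
    }


def rank_by_fp_burden(detections: list[Detection]) -> list[dict]:
    """Largest non-actionable workload first."""
    return sorted((expected_counts(d) for d in detections),
                  key=lambda r: r["false_positives"], reverse=True)


def tuning_candidate(detections: list[Detection], preserve_tp_rate: float = 0.8) -> str | None:
    """Rule to tune first: the biggest false-positive queue among rules that are
    not high-precision detections. The cut-off is an assumed threshold."""
    candidates = [d for d in detections if d.tp_rate < preserve_tp_rate]
    if not candidates:
        return None
    return max(candidates, key=lambda d: d.alerts_per_week * d.fp_rate).name


def assess_rule_change(before: Detection, after: Detection) -> dict:
    """Handover verdict for a rule change, comparing expected counts, not raw volume."""
    b, a = expected_counts(before), expected_counts(after)
    degraded = after.tp_rate < before.tp_rate and a["false_positives"] > b["false_positives"]
    return {
        "verdict": "degraded" if degraded else "not degraded",
        "false_positives_before": b["false_positives"],
        "false_positives_after": a["false_positives"],
        "true_positives_before": b["true_positives"],
        "true_positives_after": a["true_positives"],
        # Still catching at least as much real activity: tune rather than disable.
        "disable_premature": a["true_positives"] >= b["true_positives"],
    }


# Sample data taken from the two question tables on this page.
Q1_DETECTIONS = [
    Detection("Web upload anomaly", 1800, 0.92, 0.08),
    Detection("Cloud impossible travel", 45, 0.11, 0.89),
    Detection("Endpoint ransomware behavior", 22, 0.05, 0.95),
    Detection("Legacy port scan", 650, 0.55, 0.45),
]
Q8_BEFORE = Detection("New SIEM rule (before)", 400, 0.70, 0.30)
Q8_AFTER = Detection("New SIEM rule (after)", 900, 0.85, 0.15)

if __name__ == "__main__":
    for row in rank_by_fp_burden(Q1_DETECTIONS):
        print(f"{row['name']:<30} FP/week={row['false_positives']:>7} "
              f"TP/week={row['true_positives']:>6}")
    print("Tune first:", tuning_candidate(Q1_DETECTIONS))
    print(assess_rule_change(Q8_BEFORE, Q8_AFTER))
```

Two things the arithmetic makes visible that the rates alone do not: the web upload anomaly rule produces roughly 1,656 non-actionable alerts a week, more than four times the next rule, and the SIEM rule change almost tripled false positives (280 to 765) while the absolute number of validated true positives still rose (120 to 135), which is why "tune" is the defensible handover recommendation and "disable immediately" is premature.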
Topic: Reporting and Communication
A SOC lead is evaluating incident response performance for the last reporting period. The team’s KPI report defines mean time to detect (MTTD), mean time to respond (MTTR), and mean time to close (MTTC) as averages across incidents.
Exhibit: KPI report
| Metric | Target | Incident 1 | Incident 2 | Incident 3 |
|---|---|---|---|---|
| Time to detect | ≤30 min | 20 min | 40 min | 30 min |
| Time to respond | ≤60 min | 50 min | 70 min | 80 min |
| Time to close | ≤48 hr | 36 hr | 60 hr | 42 hr |
Which interpretation is best supported by the report?
Options:
A. All metrics met target because most incidents were within limits.
B. MTTC missed target; prioritize ticket closure workflow changes.
C. MTTR missed target; improve containment handoff and response execution.
D. MTTD missed target; improve detection engineering first.
Best answer: C
Explanation: Mean-time metrics evaluate average performance across the measured incident set, not only whether each individual incident met its target. In the exhibit, MTTD is \((20 + 40 + 30) / 3 = 30\) minutes, which meets the ≤30-minute target. MTTR is \((50 + 70 + 80) / 3 \approx 66.7\) minutes, which exceeds the ≤60-minute target. MTTC is \((36 + 60 + 42) / 3 = 46\) hours, which meets the ≤48-hour target. The performance issue is therefore response speed after detection, making containment handoff, escalation, or response execution the most relevant improvement area.
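The distractor in option A reads the exhibit incident by incident; the report defines the metrics as averages. The added example below (not part of the question bank) re-enters the exhibit as sample data and evaluates each KPI both ways, so the difference between "most incidents were within limits" and "the mean met target" is explicit. The metric names, units and targets are the exhibit's; the relative-overshoot ordering used to pick the priority area is an assumption for illustration.

```python
"""Evaluate mean-time KPIs against targets as the report defines them: averages
across incidents, not a count of incidents inside the limit.

Added example; the numbers are the exhibit's, re-entered as sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Kpi:
    name: str
    target: float              # upper limit, i.e. "<= target"
    unit: str
    observations: list[float]  # one value per incident, same unit as target


def evaluate(kpi: Kpi) -> dict:
    """Mean-versus-target verdict alongside the per-incident count a reader might misuse."""
    avg = mean(kpi.observations)
    within = sum(1 for v in kpi.observations if v <= kpi.target)
    return {
        "name": kpi.name,
        "mean": round(avg, 1),
        "target": kpi.target,
        "unit": kpi.unit,
        "met": avg <= kpi.target,
        # The "most incidents were within limits" reading: true for MTTD here,
        # yet the mean sits exactly on target, and it says nothing about MTTR.
        "incidents_within_target": f"{within}/{len(kpi.observations)}",
        # How far the mean overshoots, relative to target, for ranking problems.
        "overshoot_pct": round(max(avg - kpi.target, 0) / kpi.target * 100, 1),
    }


def missed_targets(kpis: list[Kpi]) -> list[str]:
    """Metrics whose mean misses target, largest relative overshoot first (assumed ordering)."""
    missed = [r for r in (evaluate(k) for k in kpis) if not r["met"]]
    missed.sort(key=lambda r: r["overshoot_pct"], reverse=True)
    return [r["name"] for r in missed]


# Sample data taken from the KPI exhibit above.
REPORT = [
    Kpi("MTTD", 30, "min", [20, 40, 30]),
    Kpi("MTTR", 60, "min", [50, 70, 80]),
    Kpi("MTTC", 48, "hr", [36, 60, 42]),
]

if __name__ == "__main__":
    for k in REPORT:
        r = evaluate(k)
        status = "met" if r["met"] else f"MISSED by {r['overshoot_pct']}%"
        print(f"{r['name']}: mean {r['mean']} {r['unit']} vs <= {r['target']} {r['unit']} "
              f"({r['incidents_within_target']} incidents within target) -> {status}")
    print("Priority area:", missed_targets(REPORT))
```

Run against the exhibit, MTTD averages 30 minutes (met, although only two of three incidents were inside the limit), MTTR averages 66.7 minutes (missed by about 11%), and MTTC averages 46 hours (met). Only MTTR is returned as a missed target, which is the response-execution finding the explanation describes.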
Topic: Reporting and Communication
A vulnerability management lead is preparing a monthly report for executives. The board wants to know whether remediation is actually improving for high-risk assets, not how busy the team was. The scanner and ticketing system can report finding counts, scan counts, patch counts, and SLA status. Which metric best supports that decision?
Options:
A. Scans completed during the month
B. Patches deployed across all systems
C. Critical internet-facing findings remediated within SLA
D. New vulnerability tickets opened
Best answer: C
Explanation: Remediation effectiveness metrics show whether risk is being reduced in a timely and prioritized way. In this scenario, executives need a result-oriented measure for high-risk assets, so tracking critical internet-facing findings remediated within SLA directly connects severity, exposure, and timeliness. Counts of scans, tickets, or patches can show workload, but they do not prove that the most important vulnerabilities were fixed or that remediation met expectations. A strong executive metric should be outcome-focused, risk-aligned, and actionable.
Use the CompTIA CySA+ CS0-004 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.