CompTIA CySA+ (CS0-004) Certification

Certification guide

CompTIA CySA+ is the vendor-neutral certification for the people who sit on the defensive side of the wire: SOC analysts, threat hunters, vulnerability analysts, and incident responders. Where Security+ proves you understand security concepts, CySA+ proves you can apply them under operational conditions — reading logs, triaging alerts, prioritizing vulnerabilities by real risk, running an incident through its lifecycle, and reporting all of it to stakeholders who need to act. It sits in the middle of CompTIA’s cybersecurity pathway, above Security+ and below the expert-level SecurityX, and it is approved under DoD Directive 8140 for a long list of cyber defense work roles.

The current exam version is CS0-004 (V4), which went live on June 23, 2026. The format carries over unchanged from V3 — up to 85 multiple-choice and performance-based questions, a 165-minute window, and a passing score of 750 on a 100–900 scale — but the objectives were rebalanced and modernized. V4 adds explicit coverage of AI in security operations: using AI tools for log correlation and reporting, governing their use, and defending against AI-specific risks like prompt injection, hallucinated findings, sensitive-data exposure, and training-data poisoning. It also formalizes the control taxonomy (physical, technical, and administrative types; deterrent through compensating functions) and leans harder into cloud, hybrid, and critical-infrastructure scenarios. The older CS0-003 exam remains available in English through December 22, 2026, but new candidates should prepare for V4 — these practice exams are written to the V4 blueprint.

CompTIA recommends about four years of hands-on experience in a SOC analyst or vulnerability analyst role, with Network+ and Security+ (or equivalent knowledge) as the assumed foundation. There is no enforced prerequisite, but the exam is scenario-driven and punishes pure memorization: questions describe realistic telemetry, competing priorities, and messy operational constraints, then ask what a practitioner should do first, next, or instead.

Exam CS0-004 (V4) Max 85 questions 165 minutes Pass 750 / 900 MCQ + performance-based Valid 3 years · 60 CEUs

Security Operations

Domain 1 · 34%

The heaviest domain and the analyst’s daily bread: log and telemetry analysis across network, endpoint, identity, and email; detecting beaconing, tunneling, lateral movement, and living-off-the-land tradecraft; threat intelligence and hunting; SIEM tuning and alert triage; SOAR automation; and the new V4 material on using AI in operations while defending against prompt injection, hallucination, and poisoning.

Vulnerability Management

Domain 2 · 26%

Running the full program: scan types and scheduling (credentialed, agent-based, passive, and critical-infrastructure scanning), validating findings, CVSS and EPSS interpretation, KEV-driven prioritization, remediation versus compensating controls, exceptions and governance, secure-coding flaws like injection and overflows, cloud misconfigurations, and the V4 control-type and control-function taxonomy.

Incident Response and Management

Domain 3 · 24%

The lifecycle from preparation through lessons learned, expanded in V4: playbooks and tabletops, detection and scoping with indicators, containment decisions under business constraints, eradication and staged recovery, forensic fundamentals — order of volatility, imaging, hashing, chain of custody, legal holds — and attack-framework-driven analysis with MITRE ATT&CK.

Reporting and Communication

Domain 4 · 16%

Turning technical findings into action: stakeholder-appropriate reporting, vulnerability and incident metrics (MTTD, MTTR, dwell time, SLA compliance), escalation criteria, regulatory and law-enforcement engagement, coordinated disclosure, and AI governance policy — the domain that separates analysts who find problems from analysts who get them fixed.

Every Certifym practice set below is a full 90-question exam weighted to the official V4 blueprint — 31 Security Operations, 23 Vulnerability Management, 22 Incident Response and Management, and 14 Reporting and Communication items per set, each framed in realistic operational scenarios with explanations that justify why the best answer beats the near misses. The pass mark is set at 83%, the honest raw-score equivalent of CompTIA’s 750-on-a-900-point scale, so clearing it here means genuine coverage across all four domains — not luck in the heavy ones.

CompTIA CySA+ (CS0-004) - Practice Exam

90-question CompTIA CySA+ (CS0-004) practice exam. Weighted to the official V4 blueprint: Security Operations 34%, Vulnerability Management 26%, Incident Response and Management 24%, Reporting and Communication…

90 questions 165 min pass 83%
Subscribe to start

Trademark notice & independence. CompTIA® and CySA+® are registered trademarks of CompTIA, Inc. Certifym is an independent study resource and is not affiliated with, sponsored by, or endorsed by CompTIA, Inc. All references to the CySA+ certification and its exam objectives are for identification and educational purposes only.

All practice questions, explanations, and study material on this page are original works created by Certifym. They are not actual exam questions and are not derived from any CompTIA examination or copyrighted courseware.