CompTIA CySA+ CS0-004 Practice Questions: 20 Free Questions for the New Exam (2026)

By ReadRoost Team, May 1, 2026
CompTIA CySA+ V4 (CS0-004) is the 2026 refresh of the CySA+ exam. CS0-003 retires on June 1, 2026, and CS0-004 brings real changes: Incident Response & Management is now 24% of the exam (up from 20%), AI-in-security-operations governance is a new explicit objective, and cloud-native vulnerability scanning (containers, IaC, APIs) gets its own treatment. These 20 hand-authored practice questions are weighted to match the four CS0-004 domains. Try each one, then read the explanation. The full 300-question CS0-004 bank is at readroo.st/marketplace/comptia-cysa-plus-cs0-004.


CS0-004 replaces CS0-003 — here is what changed

CS0-003 retires on June 1, 2026. CS0-004 is the V4 release that replaces it. The exam length, format, and target audience are the same: ~85 questions (mix of multiple-choice and performance-based), 165 minutes, ~750 passing score on the 100-900 scale. What changed is the domain weighting and the topic emphasis.

Three changes matter for your prep. First, Incident Response & Management jumped from 20% to 24% of the exam — every additional point you can pull on IR scenarios is worth more than it was on CS0-003. Second, "AI in security operations" is a new explicit objective inside the Security Operations domain — expect questions on AI-driven detection, governance of AI-assisted analyst tooling, and risks like model evasion. Third, Vulnerability Management dropped from 30% to 26% but added explicit cloud-native coverage: container scanning, IaC scanning, API security. If your CS0-003 study materials predate 2026, those three areas need a fresh pass.

If you are studying CS0-003 right now and can sit it before June 1, do it — your existing prep transfers, and the credential you earn remains valid after retirement. If you cannot sit CS0-003 before June 1, switch to CS0-004 immediately; the carryover from CS0-003 study is roughly 80%, and the four-week study delta closes well within the time you would have spent finishing CS0-003.

Quick Answer Key (for Scanning After You Try the Questions)

1-B, 2-B, 3-A, 4-B, 5-B, 6-A, 7-B, 8-A, 9-B, 10-B, 11-B, 12-A, 13-B, 14-A, 15-B, 16-B, 17-A, 18-B, 19-B, 20-B.

CS0-004 Exam Domain Breakdown

1. Security Operations — 34% (architecture, IoCs, SIEM/EDR, threat intel, MITRE ATT&CK, threat hunting, SOAR, AI in security ops)
2. Vulnerability Management — 26% (scanning, CVSS, prioritization, patching, cloud-native + API + IaC scanning)
3. Incident Response & Management — 24% (kill chain, MITRE ATT&CK, Diamond Model, IR lifecycle, containment, post-incident)
4. Reporting & Communication — 16% (vuln program reporting, IR reporting, RCA, lessons learned)

The 20 questions below distribute as 7 from Domain 1, 5 from Domain 2, 5 from Domain 3, and 3 from Domain 4 — roughly matching the official weights. The domain weightings are what shifted vs CS0-003; the topic mix is largely the same with the AI-in-security-operations and cloud-native additions noted above.

Questions 1-7: Security Operations

Domain: Security Operations | Difficulty: Moderate

1. A SOC analyst notices repeated failed logon events from a single internal host targeting hundreds of accounts in Active Directory over a 30-minute window. Which IoC pattern matches this activity?

A) Lateral movement using pass-the-hash
B) Password spraying — high distinct-account count, low per-account attempt count, single source
C) Phishing with a credential-harvesting landing page
D) DNS tunnelling for C2

Correct Answer: B

Password spraying is characterized by a small number of attempts against many accounts (often a single common password tried across all users) to evade per-account lockout thresholds. Pass-the-hash uses already-stolen NTLM hashes against few targeted accounts. Phishing produces credential drops at the attacker site, not internal failed-logon spikes. DNS tunnelling is a C2 indicator on resolution data, not authentication logs.
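The "wide and shallow" shape described in the answer is easy to turn into a detection. The following is an added example (not code from the article) that classifies failed-logon bursts per source host over a sliding 30-minute window; the records are constructed and carry only the three Windows 4625 fields the question relies on (timestamp, source host, target account), and the thresholds are illustrative.

```python
"""Classify failed-logon bursts as password spraying, brute force, or benign.

Added example, not code from the original article. The records below are
constructed (no real telemetry) and carry the three Windows 4625 fields the
question relies on: timestamp, source host, target account.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 4, 20, 3, 0, 0)

# Constructed sample data.
# WS-117: 150 distinct accounts, one attempt each, spread over ~25 minutes -> spraying
# WS-042: one service account hit 40 times in ~3 minutes                  -> brute force
# WS-009: a user mistyping a password, then trying the wrong username      -> benign
SAMPLE_FAILED_LOGONS = (
    [(BASE + timedelta(seconds=10 * i), "WS-117", f"user{i:03d}") for i in range(150)]
    + [(BASE + timedelta(minutes=20, seconds=5 * i), "WS-042", "svc_backup") for i in range(40)]
    + [(BASE + timedelta(minutes=5), "WS-009", "alice"),
       (BASE + timedelta(minutes=6), "WS-009", "alice"),
       (BASE + timedelta(minutes=7), "WS-009", "alice.smith")]
)


def classify_source(events, window=timedelta(minutes=30), min_accounts=20,
                    spray_max_per_account=3, brute_min_per_account=10):
    """Classify the failed logons of ONE source host.

    events: list of (datetime, target_account).
    A window of `window` length slides over the sorted events. We keep the
    largest number of distinct target accounts seen inside any one window and
    the heaviest per-account attempt count seen inside any one window.
    Spraying is wide and shallow (many accounts, few attempts each, staying
    under lockout thresholds); brute force is narrow and deep.
    """
    events = sorted(events)
    best_distinct, max_attempts_seen = 0, 0
    start = 0
    for end in range(len(events)):
        # Drop events from the left until the window spans at most `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        per_account = Counter(account for _, account in events[start:end + 1])
        best_distinct = max(best_distinct, len(per_account))
        max_attempts_seen = max(max_attempts_seen, max(per_account.values()))
    if max_attempts_seen >= brute_min_per_account:
        return "brute_force"
    if best_distinct >= min_accounts and max_attempts_seen <= spray_max_per_account:
        return "password_spraying"
    return "benign"


def detect(records):
    """Group raw (timestamp, source_host, account) records by source and classify each."""
    by_source = defaultdict(list)
    for ts, source, account in records:
        by_source[source].append((ts, account))
    return {source: classify_source(evts) for source, evts in by_source.items()}


if __name__ == "__main__":
    for source, verdict in detect(SAMPLE_FAILED_LOGONS).items():
        print(f"{source}: {verdict}")
```

Tune `min_accounts` and `spray_max_per_account` against your domain's lockout policy: a sprayer sizes the per-account count to stay just under it.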

Domain: Security Operations | Difficulty: Foundation

2. Your SIEM correlates a login from a contractor account at 03:14 UTC followed two minutes later by a `whoami /priv` command and an attempt to read `C:\Windows\NTDS\NTDS.dit`. Which MITRE ATT&CK technique cluster does this most strongly suggest?

A) Initial Access (T1078)
B) Discovery + Credential Access (T1033 / T1003.003 — OS Credential Dumping: NTDS)
C) Exfiltration over Alternative Protocol (T1048)
D) Resource Development (T1583)

Correct Answer: B

The `whoami /priv` command is a textbook Discovery action (T1033, System Owner/User Discovery), and reading NTDS.dit on a domain controller maps to OS Credential Dumping: NTDS (T1003.003). Initial Access happened earlier (the login itself), but the question asks about the subsequent activity. Exfiltration and Resource Development are unrelated to this signal.

Domain: Security Operations | Difficulty: Moderate

3. You are tuning a YARA rule that fires too often on benign Windows updates. The rule matches on the string "MZ" in PE headers. What is the most effective tuning approach?

A) Combine the PE header check with multiple additional strings unique to the targeted malware family (suspicious imports, unique mutex names, distinctive strings) using YARA's `condition` boolean logic
B) Lower the YARA rule's severity from "high" to "medium"
C) Allowlist the SIEM source so the rule never fires
D) Disable the rule and rely on EDR alone

Correct Answer: A

Matching only on "MZ" (the magic bytes of every Windows PE) generates massive false positives. The fix is to combine PE detection with malware-family-specific strings (e.g., a distinctive command string, a unique import, a known mutex name) so the rule fires only when multiple high-specificity indicators are present. Lowering severity hides the noise but doesn't fix it. Allowlisting and disabling are evasion, not tuning.

Domain: Security Operations | Difficulty: Moderate

4. Your SOC adopts an AI-assisted alert triage tool that uses an LLM to summarize and prioritize alerts. From a CS0-004 governance perspective, which control is MOST important to implement?

A) Disable the tool whenever the SIEM has more than 100 alerts queued
B) Establish a human-in-the-loop review for any alert the AI tool down-ranks below the analyst-attention threshold, plus periodic accuracy audits and a feedback loop into the model
C) Require all analysts to use the AI summary verbatim in incident reports
D) Allow the AI tool to auto-close alerts it scores below 0.5 confidence

Correct Answer: B

AI in security operations is now an explicit CS0-004 objective. The right governance model is: AI augments the analyst, the analyst remains accountable, and the model's down-ranking decisions are audited (you check what it threw away, not just what it surfaced). Auto-closing alerts based on model confidence is the failure mode CS0-004 explicitly tests for — the model can be wrong, and unaudited auto-suppression hides real attacks. Verbatim copying of AI output into incident reports loses analyst judgment and is a quality and accountability problem.

Domain: Security Operations | Difficulty: Hard

5. A threat hunter wants to detect Living-Off-the-Land Binary (LOLBin) abuse where attackers use signed Microsoft binaries (e.g., certutil, regsvr32, mshta) to download payloads. Which detection approach has the best signal-to-noise ratio?

A) Block all use of certutil, regsvr32, and mshta system-wide
B) Hunt for these binaries spawning network connections to non-Microsoft external IPs, especially with command-line arguments containing URLs — combine process telemetry (EDR) with network telemetry
C) Look for any execution of these binaries by non-admin users
D) Add YARA rules to scan disk for the binaries themselves

Correct Answer: B

The high-signal pattern is binary + behavior, not binary alone: certutil, regsvr32, and mshta are normal Windows utilities, but it is unusual for them to make outbound network connections to non-Microsoft IPs with URLs in their command line. Combining EDR process telemetry with network telemetry catches the abuse without breaking legitimate use. Blocking system-wide breaks legitimate IT scripts. Non-admin filtering misses admin-context attacks. YARA-on-disk does not detect the abuse pattern.
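The "binary + behavior" join from the answer, as an added example that is not part of the original article: EDR process events and network events are correlated on (host, pid), and a LOLBin is flagged only when it carries a URL on its command line AND connects outbound to an address that is neither internal nor in a trusted-vendor range. Both event lists are constructed, and `TRUSTED_PREFIXES` is a placeholder for the vendor-published (e.g. Microsoft) ranges you would load in production.

```python
"""Hunt for LOLBin download behaviour by joining EDR process events with
network events: signed Microsoft binary + URL on the command line + outbound
connection to an address that is neither internal nor on a trusted-vendor list.

Added example, not from the original article. Both event lists are constructed,
and TRUSTED_PREFIXES is a placeholder: in production it would hold the
vendor-published address ranges (e.g. Microsoft's), refreshed regularly.
"""
import ipaddress
import re
from datetime import datetime, timedelta

LOLBINS = {"certutil.exe", "regsvr32.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TRUSTED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder, constructed


def t(seconds):
    """Timestamps relative to a constructed base time."""
    return datetime(2026, 4, 20, 9, 0, 0) + timedelta(seconds=seconds)


# Constructed EDR process events: (time, host, pid, image, command line).
# Arguments on the suspicious lines are deliberately omitted; only the URL matters here.
PROCESS_EVENTS = [
    (t(0),  "WS-117", 4412, "certutil.exe",   "certutil.exe <flags omitted> http://203.0.113.10/update.dat"),
    (t(5),  "WS-117", 4420, "certutil.exe",   "certutil.exe -hashfile installer.msi SHA256"),
    (t(9),  "WS-220", 1188, "regsvr32.exe",   "regsvr32.exe /s C:\\Program Files\\App\\app.dll"),
    (t(12), "WS-220", 1200, "mshta.exe",      "mshta.exe https://198.51.100.7/portal.hta"),
    (t(15), "WS-301", 2210, "powershell.exe", "powershell.exe <arguments omitted> http://203.0.113.10/x.ps1"),
]
# Constructed network events: (time, host, pid, destination ip, destination port).
NETWORK_EVENTS = [
    (t(1),  "WS-117", 4412, "203.0.113.10", 80),
    (t(13), "WS-220", 1200, "198.51.100.7", 443),
    (t(16), "WS-301", 2210, "203.0.113.10", 80),
    (t(30), "WS-220", 1188, "10.0.0.5", 445),
]


def is_external_untrusted(ip_text):
    """True when the address is neither RFC 1918/loopback nor in a trusted-vendor range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_RANGES + TRUSTED_PREFIXES)


def hunt_lolbin_downloads(process_events, network_events, join_window=timedelta(seconds=60)):
    """Return one finding per LOLBin process that carried a URL on its command line
    AND made an outbound connection to an external, untrusted address within
    `join_window` of starting. The join key is (host, pid)."""
    findings = []
    for p_time, p_host, p_pid, image, cmdline in process_events:
        if image.lower() not in LOLBINS or not URL_RE.search(cmdline):
            continue  # binary alone, or a LOLBin without a URL, is normal admin use
        for n_time, n_host, n_pid, dst, port in network_events:
            if (n_host, n_pid) != (p_host, p_pid):
                continue
            if not timedelta(0) <= n_time - p_time <= join_window:
                continue
            if is_external_untrusted(dst):
                findings.append({"host": p_host, "pid": p_pid, "image": image,
                                 "dest": f"{dst}:{port}"})
    return findings


if __name__ == "__main__":
    for hit in hunt_lolbin_downloads(PROCESS_EVENTS, NETWORK_EVENTS):
        print(hit)
```

Only the WS-117 certutil process is flagged: the hashing certutil has no URL, the mshta destination is in the trusted range, the regsvr32 connection is internal, and powershell.exe is outside the constructed `LOLBINS` set (most real hunts would add it, which is exactly the tuning decision this join makes cheap).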

Domain: Security Operations | Difficulty: Foundation

6. Your SOAR playbook automatically isolates a host when an EDR alert reaches "high" severity. Which step should ALWAYS precede the auto-isolation action in the playbook?

A) A guard condition that excludes specific business-critical hosts (domain controllers, payment gateways, EHR servers) from auto-isolation, deferring those to human approval
B) A 30-minute wait to confirm the alert is not a false positive
C) Sending an email to all 1500 employees announcing the isolation
D) Submitting a change ticket and waiting for approval

Correct Answer: A

A mature SOAR playbook always has a critical-asset guard condition that breaks out of full automation for hosts where unscheduled isolation would cause business impact larger than the suspected attack. Those go through a human-approval branch instead. A blanket 30-minute wait would let real attacks progress. Mass-email notification and change-ticket gating defeat the purpose of automation — speed.

Domain: Security Operations | Difficulty: Foundation

7. A SOC analyst needs to parse Windows Event Logs (.evtx files) at scale. Which combination of tools and approaches is most appropriate for repeatable analysis?

A) Open each .evtx file in the Windows Event Viewer GUI manually
B) Use a scripting tool (PowerShell with Get-WinEvent, or Python with python-evtx) to extract events into JSON or CSV, then ingest into the SIEM or analyze with pandas/grep — repeatable and scriptable
C) Convert .evtx to .txt with notepad and grep through it
D) Email .evtx files to an external analyst

Correct Answer: B

Programmatic extraction (PowerShell Get-WinEvent or Python python-evtx) gives repeatable, version-controllable analysis that can be ingested into the SIEM. The Event Viewer GUI doesn't scale and isn't repeatable. Notepad treats .evtx as binary and produces garbage. Emailing event logs is a data-handling violation in most environments and bypasses chain of custody.

Questions 8-12: Vulnerability Management

Domain: Vulnerability Management | Difficulty: Foundation

8. Your scanner reports a CVSS 9.8 critical on an internal-only HR application server, while a CVSS 7.4 medium-severity vulnerability sits on the internet-facing customer portal. With limited remediation capacity, in which order should you patch?

A) Patch the customer portal CVSS 7.4 first (internet-exposed, attacker-reachable, business-critical asset), then the internal HR system
B) Patch strictly by CVSS — 9.8 first, then 7.4
C) Patch neither until both can be done together to avoid downtime
D) Patch the internal HR server first because employees use it daily

Correct Answer: A

CVSS base score does not encode exposure or asset criticality. Contextual prioritization in CS0-004 means: a 7.4 on an internet-facing customer portal that handles payments is a higher-risk patch target than a 9.8 on an internal-only system behind multiple defensive layers. The CVSS 9.8 still gets patched, just not first. Patching strictly by base CVSS without contextual factors is the failure mode the exam tests.
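One way to make "CVSS does not encode exposure or criticality" operational, as an added example that is not from the article: scale the base score by constructed exposure and criticality weights, sort, and map the result to a remediation band. The weights, SLA bands and CVE identifiers are illustrative placeholders, not any framework's values.

```python
"""Contextual vulnerability prioritization: CVSS base score adjusted for
exposure and asset criticality.

Added example, not from the original article. The weights and remediation
bands are constructed illustrations of the reasoning in the answer above, not
any vendor's or framework's values; the CVE identifiers are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss_base: float
    exposure: str      # "internet", "partner" or "internal"
    criticality: str   # "critical", "high", "medium" or "low"


# Constructed weights: exposure asks "can an attacker reach it?", criticality
# asks "what does the business lose if it falls?".
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4}
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.6, "low": 0.4}


def risk_score(finding):
    """Contextual score: the CVSS base score scaled by reachability and impact."""
    return round(finding.cvss_base
                 * EXPOSURE_WEIGHT[finding.exposure]
                 * CRITICALITY_WEIGHT[finding.criticality], 2)


def remediation_band(score):
    """Map a contextual score to a (band, SLA days) pair. Constructed thresholds."""
    if score >= 7.0:
        return ("P1", 7)
    if score >= 3.0:
        return ("P2", 30)
    return ("P3", 90)


def prioritize(findings):
    """Highest contextual risk first; ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss_base))


# Constructed queue mirroring the question, plus an internal domain controller
# to show that criticality alone can move an internal finding up the list.
SAMPLE_FINDINGS = [
    Finding("hr-app-internal", "CVE-PLACEHOLDER-1", 9.8, "internal", "high"),
    Finding("customer-portal", "CVE-PLACEHOLDER-2", 7.4, "internet", "critical"),
    Finding("dc01", "CVE-PLACEHOLDER-3", 8.1, "internal", "critical"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        band, days = remediation_band(risk_score(f))
        print(f"{f.asset:18} CVSS {f.cvss_base:>4}  contextual {risk_score(f):>5}  {band} ({days} days)")
```

The 9.8 does not disappear from the queue; it lands in a later band, which is the point the answer makes.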

Domain: Vulnerability Management | Difficulty: Foundation

9. Your scanner reports a high-severity vulnerability in the running container image for a microservice. The container was built from a base image last updated 14 months ago. What is the correct response?

A) Patch only the running container at runtime by exec'ing into it and running apt upgrade
B) Rebuild the container image from an updated base image, push to the registry, redeploy via the deployment pipeline, and validate with a scanner against the new image — fix the supply chain, not the running instance
C) Add a compensating control by blocking outbound traffic from the container
D) Mark as accepted risk and document

Correct Answer: B

Container vulnerabilities are fixed at the image-build layer, not by patching running containers (which are immutable by design and will be replaced on next deploy). Updating the base image, rebuilding, repushing, and redeploying eliminates the vulnerability across all instances. Runtime patching only fixes the single running container until it is replaced, then the vulnerability returns. Compensating controls are a stopgap, not a fix.

Domain: Vulnerability Management | Difficulty: Moderate

10. An external attacker scanned your APIs and found that PUT /api/users/{id} accepts arbitrary fields in the request body. The API allows passing `isAdmin: true` to elevate the user. The CS0-004 vulnerability you would log this as is:

A) SQL Injection
B) Mass Assignment / Broken Object Property Level Authorization (OWASP API Top 10)
C) Server-Side Request Forgery (SSRF)
D) Cross-Site Request Forgery (CSRF)

Correct Answer: B

Accepting arbitrary fields and trusting the client to set sensitive properties (like isAdmin) is mass assignment, recognized in the OWASP API Security Top 10 as a Broken Object Property Level Authorization vulnerability. SQL injection involves the data layer. SSRF is server-to-server abuse. CSRF is browser-mediated. CS0-004's expanded API security coverage explicitly tests OWASP API Top 10 categories.
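The vulnerable handler beside its hardened form, as an added example that is not the article's code: the first version writes every body field through to the stored object, the second adds object-level authorization on the caller and an explicit allowlist of writable properties. The in-memory user store, request bodies and status codes are constructed stand-ins for a real API.

```python
"""Mass assignment (OWASP API Security Top 10: Broken Object Property Level
Authorization) on PUT /api/users/{id}: the vulnerable handler beside a hardened one.

Added example, not the article's code. The in-memory user store and request
bodies are constructed; integer status codes stand in for HTTP responses.
"""


def make_store():
    """Fresh constructed user table so each scenario starts from the same state."""
    return {
        1: {"id": 1, "username": "ops-admin", "display_name": "Ops Admin",
            "email": "ops@example.com", "isAdmin": True},
        7: {"id": 7, "username": "alice", "display_name": "Alice",
            "email": "alice@example.com", "isAdmin": False},
    }


def update_user_vulnerable(store, user_id, body):
    """The endpoint as the scanner found it: every field in the body is written
    through to the stored object, so a client can set isAdmin (or id, or username)."""
    user = store.get(user_id)
    if user is None:
        return 404, None
    user.update(body)
    return 200, user


# Properties a client may set on its own record. Everything else (isAdmin, id,
# username, ...) is server-controlled and never accepted from the body.
WRITABLE_FIELDS = {"display_name", "email"}


def update_user_hardened(store, user_id, body, actor_id):
    """Same endpoint with (1) object-level authorization on the caller and
    (2) an explicit allowlist of writable properties. Unknown fields are
    rejected outright rather than silently dropped, so the attempt shows up
    in request logs as a 400 instead of vanishing."""
    user = store.get(user_id)
    if user is None:
        return 404, None
    actor = store.get(actor_id)
    if actor is None or (actor_id != user_id and not actor["isAdmin"]):
        return 403, {"error": "not authorized for this object"}
    unexpected = set(body) - WRITABLE_FIELDS
    if unexpected:
        return 400, {"error": "unexpected properties", "fields": sorted(unexpected)}
    user.update(body)
    return 200, user


if __name__ == "__main__":
    elevate = {"display_name": "Alice", "isAdmin": True}
    print(update_user_vulnerable(make_store(), 7, elevate))       # isAdmin flips to True
    print(update_user_hardened(make_store(), 7, elevate, 7))      # 400, nothing changes
    print(update_user_hardened(make_store(), 7, {"email": "a@example.com"}, 7))  # 200
```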

Domain: Vulnerability Management | Difficulty: Moderate

11. A credentialed scan run against a production database server found 47 vulnerabilities. The DBA pushes back: the same scanner returned 8 vulnerabilities last month, and "nothing has changed." What is the most likely explanation?

A) The scanner is malfunctioning and should be disabled
B) The scanner ran a non-credentialed scan last month and a credentialed scan this month — credentialed scans see internals (kernel-level CVEs, application-level CVEs, package-level CVEs) that non-credentialed scans cannot, producing dramatically more findings on the same host
C) The DBA installed 39 new packages without telling anyone
D) The asset is now misclassified as a database when last month it was classified as a web server

Correct Answer: B

Credentialed and non-credentialed scan results on the same host routinely differ by an order of magnitude. Credentialed scans authenticate and inspect installed packages and kernel versions; non-credentialed scans only see what's externally visible. The fix is to ensure both scan types are documented in scan policy and that prior baselines are compared apples-to-apples. The other options are possible but far less likely than the configuration delta.

Domain: Vulnerability Management | Difficulty: Moderate

12. Your IaC scanning tool flagged a Terraform module for creating an AWS S3 bucket without server-side encryption. The team's Terraform code has been deployed for two years across 80+ environments. What is the correct response?

A) Update the module to enforce SSE (server-side encryption) by default, version-bump the module, and run a Terraform plan-and-apply across all environments to remediate; track which environments still use the legacy module
B) Ignore — Terraform is secure by default
C) Delete the existing buckets and have teams re-create them manually
D) Add an exception to the IaC scanner to suppress this finding

Correct Answer: A

IaC vulnerabilities are remediated at the module/template level, not on the deployed infrastructure manually. Updating the module, version-bumping, and rolling out via the existing pipeline fixes the issue everywhere. CS0-004 explicitly tests this pattern (vs the older CS0-003 emphasis on patching individual systems). Suppressing the finding hides the risk; manual deletion is destructive and unnecessary.

Questions 13-17: Incident Response and Management

Domain: Incident Response and Management | Difficulty: Foundation

13. During the eradication phase of an incident involving a compromised web server, the IR team has identified the malicious webshell. Which sequence of actions is MOST appropriate?

A) Delete the webshell file, restart the web service, declare incident closed
B) Capture forensic artifacts (memory image, disk image, relevant logs), determine root cause, remove the webshell, identify and close the entry vector (vulnerable plugin, leaked credential), validate, and only then proceed to recovery
C) Reformat the host immediately to ensure complete eradication
D) Move the webshell to a quarantine folder and continue serving traffic

Correct Answer: B

Eradication without root-cause analysis closes the symptom but not the entry vector — the attacker comes back. The CS0-004 IR lifecycle requires: capture artifacts (preserves chain of custody for legal, forensic, lessons-learned), identify root cause, eradicate, validate, and only then move to recovery. Immediate reformat destroys evidence. Quarantine while still serving traffic leaves a backdoor.

Domain: Incident Response and Management | Difficulty: Hard

14. Mid-incident, your IR lead must decide between containing a compromised host (network-isolating it) versus continuing to monitor it to see what the attacker does next. The host is a domain controller. The right decision framework is:

A) Isolate immediately — domain controllers are too critical to leave compromised, and continuing to "watch" exposes the entire identity store to ongoing exfiltration. Switch monitoring to honeypot/detonation infrastructure if active threat-actor characterization is required
B) Continue monitoring for 48 hours to gather full attacker TTPs before isolating
C) Take the DC offline gracefully to preserve uptime metrics
D) Isolate only if the attacker has not exfiltrated more than 100 MB of data

Correct Answer: A

Domain controllers are blast-radius-maximizing assets. CS0-004 IR doctrine treats DC compromise as immediate isolation, not extended monitoring — the data-loss and lateral-movement risk dwarfs the intelligence value. If you genuinely need attacker TTP characterization, do that in a separate honeypot/sandbox environment, not on production identity infrastructure. The 48-hour monitoring approach is appropriate for low-impact compromise, not DC-tier assets.

Domain: Incident Response and Management | Difficulty: Moderate

15. Your IR team is mapping an incident to the Diamond Model of Intrusion Analysis. The four vertices of the Diamond are:

A) Detect, Analyze, Contain, Eradicate
B) Adversary, Capability, Infrastructure, Victim
C) Tactics, Techniques, Procedures, Indicators
D) Confidentiality, Integrity, Availability, Authenticity

Correct Answer: B

The Diamond Model of Intrusion Analysis (Caltagirone et al.) has four vertices: Adversary (who), Capability (how — TTPs, tools, malware), Infrastructure (where from — IPs, domains, hosting), and Victim (whom). Edges between vertices form the analytic relationships. Option A is the IR lifecycle, not the Diamond. C is closer to the MITRE ATT&CK taxonomy. D is the CIA triad (with non-repudiation appended).

Domain: Incident Response and Management | Difficulty: Foundation

16. You declare an incident on a Friday afternoon. By Monday, your written incident report should include WHICH timestamps at minimum, beyond the basic discovered/contained/closed timeline?

A) Only the time the SOC analyst clicked "investigate" in the SIEM
B) Initial-compromise time (best estimate from forensic evidence), discovery time, declaration time, containment time, eradication time, recovery time, and incident-closure time — plus dwell time as the time elapsed between initial compromise and discovery
C) Only the times the IR lead arrived at the office
D) Only the times that PII was accessed

Correct Answer: B

A usable incident report distinguishes when the attacker actually got in (initial compromise, often inferred from logs days or weeks before discovery) from when the SOC noticed (discovery), and from each subsequent IR-lifecycle transition. Dwell time (initial compromise → discovery) is one of the most important metrics for SOC effectiveness — it directly measures detection latency and is required by most regulatory frameworks for material incidents.

Domain: Incident Response and Management | Difficulty: Hard

17. Your tabletop exercise scenario: a ransomware actor encrypts 30% of file servers and demands $2M. Your IR plan documents "do not pay" as policy. Mid-tabletop, the CFO says "we will pay; the cost of restoration is higher than the ransom." The IR lead's correct response is:

A) Document the conflict between standing IR-plan policy and the executive decision in real time, escalate to the IR-decision-rights authority (typically CEO + Legal + Compliance + Board if it is high-impact), reconvene the tabletop, and update the IR plan with the resolved decision and its supporting rationale post-tabletop
B) Comply with the CFO and pay the ransom
C) Refuse the CFO and follow the IR plan as written
D) Pause the tabletop and consult outside counsel

Correct Answer: A

A tabletop exercise is exactly when policy conflicts surface — that is the value. The IR lead does not arbitrate executive policy disputes in the moment; they document the conflict, route to the documented decision-rights authority, and update the IR plan after the exercise so the policy is testable and consistent for the next real incident. Outside counsel may be involved later, but the immediate move is to surface the gap, not to prematurely commit to either course.

Questions 18-20: Reporting and Communication

Domain: Reporting and Communication | Difficulty: Foundation

18. You are presenting your monthly vulnerability program metrics to the executive risk committee (CFO, GC, CRO). Which metric set is MOST appropriate for that audience?

A) Raw count of CVEs detected this month, by severity
B) Mean time to remediate (MTTR) for critical / high vulnerabilities, % of critical vulnerabilities remediated within SLA, top three risk areas with business-impact context, and trend over the last 6 months
C) The full Tenable scan output XML
D) A list of every CVE ID found, sorted alphabetically

Correct Answer: B

Executive audiences want trend, business-impact context, and SLA adherence — they cannot act on raw counts or CVE ID lists. MTTR + SLA-adherence + top-three risks with impact context is the standard executive-reporting structure on CS0-004 and aligns with how CRO/CFO/GC consume risk data. Raw counts and full scan output are technical-audience artifacts.

Domain: Reporting and Communication | Difficulty: Moderate

19. After a confirmed PII breach affecting 28,000 EU residents, a regulatory notification is required. Which framework drives the notification timeline, and what is the typical maximum window?

A) NIST 800-61 — 30 days to notify
B) GDPR Article 33 — 72 hours to notify the supervisory authority once the controller becomes aware of the breach
C) ISO 27001 — 90 days to notify
D) PCI-DSS — 7 days to notify

Correct Answer: B

GDPR Article 33 mandates a 72-hour notification window to the relevant supervisory authority when a personal-data breach is likely to result in risk to individuals. The clock starts at controller awareness. NIST 800-61 is a US IR guidance document (no global notification mandate). ISO 27001 governs ISMS but does not set breach-notification timelines. PCI-DSS notifications operate on different rules and do not have a 7-day window.

Domain: Reporting and Communication | Difficulty: Hard

20. Your post-incident lessons-learned report includes a finding that the SOC detected the malicious activity 9 days after the initial compromise (dwell time). The CFO asks: "Why is dwell time the metric we should track, when our SLA is on time-to-respond after detection?" The strongest defense of dwell time is:

A) Dwell time is required by regulators
B) Dwell time is a direct measure of the SOC's detection capability — every hour of dwell time is an hour the attacker can move laterally, escalate privileges, and stage exfiltration. Time-to-respond after detection is responsive (assumes detection happened); dwell time is preventive (forces investment in detection coverage and threat hunting). Both metrics matter; dwell time is the one that drives hardening of detection vs response
C) Dwell time is in the IR plan because the previous CISO put it there
D) Dwell time is what cyber-insurance underwriters score on

Correct Answer: B

Dwell time and time-to-respond measure different SOC capabilities and both are important. Dwell time pressures the organization to invest in detection (more sensors, better hunting, mature threat intelligence) — it cannot be improved by responding faster after the alert fires. Time-to-respond pressures the response process. CS0-004 reporting & communication objectives explicitly test understanding the meaning of metrics, not just their definitions.

How Did You Score?

17-20 correct: You are exam-ready. Book CS0-004 with confidence and use the full 300-question ReadRoost CS0-004 pack at readroo.st/marketplace/comptia-cysa-plus-cs0-004 to drill remaining edge cases. Pay particular attention to AI-in-security-operations governance and cloud-native vulnerability management — they are the two areas where CS0-003-trained candidates lose points on CS0-004.

12-16 correct: Solid foundation; focus on Incident Response & Management (24% of the exam, the most-changed domain) and Reporting & Communication. The IR domain especially rewards understanding the difference between containment, eradication, and recovery — most candidates conflate them. Use the full pack to drill scenario-based questions across all four domains.

Under 12 correct: Start with the official CS0-004 objectives PDF and a structured study path. CompTIA recommends ~4 years of SOC L2 / vulnerability-analyst experience before sitting CySA+, and the exam expects intermediate-level familiarity with SIEMs, EDR, MITRE ATT&CK, and Python or PowerShell scripting. If you are coming directly from Security+ (SY0-701) without operational experience, expect to invest 8-12 weeks of focused prep. Our Security+ practice questions at readroo.st/blog/security-plus-sy0-701-practice-questions-free are a good warm-up for the CySA+ Security Operations domain.

Frequently Asked Questions

When does CS0-003 retire and should I switch to CS0-004 now?

CS0-003 retires on June 1, 2026, and CS0-004 is already available. If you are within 4 weeks of being CS0-003-ready right now, sit CS0-003 before June 1 — your study transfers and the credential remains valid after retirement. If you are more than 4 weeks out, switch to CS0-004 immediately; about 80% of CS0-003 study material carries over directly, and the four-week study delta on the new domains (AI in security ops, cloud-native vulnerability management, expanded IR weighting) closes well within the time you would have spent finishing CS0-003.

What changed in the CS0-004 domain weightings vs CS0-003?

Three changes matter. Incident Response & Management increased from 20% to 24% (the biggest jump and the most-tested change on CS0-004). Vulnerability Management dropped from 30% to 26% but added explicit cloud-native coverage: container scanning, IaC scanning, and API security (OWASP API Top 10). Security Operations went from 33% to 34% and added AI-in-security-operations governance as a new objective. Reporting & Communication moved from 17% to 16% — essentially unchanged. Plan your study time accordingly: more time on IR, more time on cloud-native vulnerability management, and a focused pass on AI-governance objectives.

Is CySA+ CS0-004 worth taking if I already have Security+ SY0-701?

Yes — CySA+ is the natural intermediate step after Security+ for analysts who want to specialize in SOC, vulnerability management, and incident response work. Security+ tests broad foundational knowledge across security domains; CySA+ goes deep on the operational side. The credential is recognized for DoD 8140 / 8570 IAT II and CSSP roles, and is a common requirement for SOC L2 and senior vulnerability-analyst job postings. Plan 8-12 weeks of focused prep if you are sitting CS0-004 within 12 months of Security+, longer if you do not have hands-on SIEM and EDR experience.
