CompTIA CySA+ Too Long; Didn't Read Easy Mini Guide
- Kie Yavorsky
- Mar 12
- 12 min read
Summary
This guide preps you for the CompTIA CySA+ exam. It's short and simple, made for quick study. You get the core ideas, hands-on tips, and practice, all at an easy reading pace, so it's simple to grasp but still covers what you need to know. Read it, lab it, test it, and you're set for CySA+ and your first security job. Good luck!
Dedication: As I’m writing this book I’m thankful to God for surrounding me with a loving family and unapologetic friends who support me every day through humor and empathy. Every day is brighter than the last thanks to those around me.
Goals
Help you pass the CySA+ test on the first try (750/900 score).
Teach real SOC analyst skills for jobs like watching networks and fixing hacks.
Build study habits with labs, plans, and tests in just 4 weeks.
Make hard topics simple with stories, lists, and cheat sheets.
Objectives
Match the exam's 4 domains – you learn exactly what's tested:
Security Operations (33%) – Spot bad guys with logs, SIEM, EDR, threat hunts.
Vulnerability Management (30%) – Scan for holes, score risks, patch and harden systems.
Incident Response (20%) – Follow IR steps, triage, forensics, and recover.
Reporting (17%) – Write reports for bosses vs techies, track KPIs, fix roadblocks.
Exam Details
The test has 85 questions. You get 165 minutes, which is almost three hours. Some questions are multiple choice. Others are PBQs. That's where you drag items or click on pictures to solve problems.
Test Topics
The exam covers four main areas:
Security Operations (33%) – Watching logs and using tools to spot issues.
Vulnerability Management (30%) – Checking for weak spots in systems.
Incident Response (20%) – Handling attacks step by step.
Reporting (17%) – Sharing what you found with others.
You need 750 out of 900 points to pass. The certification lasts three years. To renew, you earn 60 CEUs from training or other certs.
CySA+ Overview
CySA+ is a certification that shows you're good at finding computer threats. It's for people who want to work as SOC analysts. These are the watchers who check networks and computers to stop hackers.
What Jobs Does It Help With?
SOC analysts:
Look for signs of trouble.
Stop attacks when they happen.
Keep company data safe from bad guys.
Core Concepts
Let's start with the basics you need to know. These ideas help you understand cybersecurity. They show up a lot on the CySA+ exam.
The CIA Triad
CIA stands for three big goals in security:
Confidentiality – Keep secrets safe so only the right people see them.
Integrity – Make sure data stays the same and no one changes it.
Availability – Keep systems working so people can use them anytime.
Think of it like guarding a house. Locks for secrets, alarms for changes, and power for lights.
Threats, Vulnerabilities, and Risks
Threats are bad things that can hurt you, like hackers or viruses.
Vulnerabilities are weak spots, like an open window in that house.
Risks happen when a threat finds a vulnerability. It's the chance of real damage.
You spot these to fix problems before they grow.
MITRE ATT&CK Mapping
MITRE ATT&CK is a list of hacker tricks. It maps what bad guys do, step by step. You learn to match alerts to these steps. This helps you spot attacks faster. You can learn more at MITRE’s website: https://attack.mitre.org
Detection & SIEM
Detection involves identifying malicious activity before it causes harm. SIEM is the primary tool for this, collecting data and identifying potential issues.
Log Types
Logs are records of what happens on systems. Here are the main ones:
System logs – Track user logins and program starts.
Application logs – Show what apps do, like errors or user actions.
Security logs – Flag failed logins or permission changes.
Network logs – Record traffic between devices.
Collecting these logs provides a comprehensive view of activity.
SIEM Queries
SIEM enables quick searches of logs. A query is a way to seek specific information.
Filter by time, device, or user.
Look for odd patterns, like too many logins.
Practice simple searches to find clues quickly.
Correlation Rules
Correlation rules link events across logs to identify concealed attacks. For example: a failed login, a new user, and a file download together may indicate a compromise.
SIEM checks rules all the time and sends alerts.
Rules should be adjusted to minimize false positives.
Good rules save time during real trouble.
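The "failed login, new user, file download" rule described above, written as a small correlation check over constructed log lines. This is an added example, not code from the guide or any SIEM product; the log format, host names, and thresholds are assumptions.

```python
"""Toy correlation rule: several failed logins, then a new user, then a large
download on the same host inside a short window raise one alert.
Added example; the log lines below are constructed, not from a real SIEM."""
from datetime import datetime, timedelta

# Constructed sample events: "timestamp host event key=value".
SAMPLE_LOGS = """\
2024-03-12T14:20:01 ws-17 failed_login user=alice
2024-03-12T14:20:09 ws-17 failed_login user=alice
2024-03-12T14:20:15 ws-17 failed_login user=alice
2024-03-12T14:21:30 ws-17 user_created user=svc_backup
2024-03-12T14:23:02 ws-17 file_download bytes=734003200
2024-03-12T09:05:00 ws-03 failed_login user=bob
2024-03-12T16:40:00 ws-03 file_download bytes=120000
"""

def parse_logs(text):
    """Turn each line into a dict and return the events in time order."""
    events = []
    for line in text.splitlines():
        ts, host, event, detail = line.split(" ", 3)
        key, value = detail.split("=", 1)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, key: value})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=10), min_failures=3,
              min_bytes=100_000_000):
    """One alert per host where all three signals occur within `window`,
    starting from the first failed login. Events must be time-sorted."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if first["event"] != "failed_login":
                continue
            span = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            failures = sum(1 for x in span if x["event"] == "failed_login")
            created = [x for x in span if x["event"] == "user_created"]
            big = [x for x in span if x["event"] == "file_download"
                   and int(x["bytes"]) >= min_bytes]
            if failures >= min_failures and created and big:
                alerts.append({"host": host, "start": first["ts"],
                               "new_user": created[0]["user"],
                               "bytes": int(big[0]["bytes"])})
                break  # one alert per host keeps the rule from spamming
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Only ws-17 fires: ws-03 has a failed login and a download, but hours apart and with no new user, so the tuned rule stays quiet.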
Threat Intel
Threat intelligence shares info on bad guys:
IoCs – Clues like bad IP addresses or file hashes.
IoAs – Patterns of attack, like how they move step by step.
Get intel from feeds, other teams, or tools.
Use it to watch for known bad stuff.
Hunting Hypotheses
Hunting means you look for hidden threats:
Start with a guess, like "Is malware calling home?"
Pick data sources and search.
Test your idea with queries and tools.
Hunters find problems before alerts do. This wraps up detection basics.
Tools & Analysis
Tools offer visibility into computer and network activity. By analyzing their output, you identify genuine threats.
EDR, AV, and HIDS
These watch single machines:
EDR – Endpoint Detection and Response. It tracks behaviors, such as file changes or the presence of unusual programs.
AV – Antivirus. Scans for known malware and blocks it.
HIDS – Host Intrusion Detection System. The tool monitors for unauthorized changes on a computer.
The alerts from these tools apply to desktops or servers. Next, consider how other tools monitor activity across entire networks.
NIDS and PCAP
These check network traffic:
NIDS – Network Intrusion Detection System. This tool inspects packets, searching for signs of attack.
PCAP – Packet Capture. By saving network data, you enable later study, much like reviewing a replay.
Use these to catch bad traffic moving around. Next, let's discuss how to test suspicious files safely.
Sandboxing
A sandbox is a safe test area:
Run suspicious files here so they can't hurt real systems.
Observe what actions the file takes, such as reaching out to suspicious servers.
Many tools, including VirusTotal, leverage sandboxes to analyze malware.
It's great for unknown threats. After analysis, you need to assess alerts quickly, which brings us to triage.
Indicator Triage
Triage means sorting alerts fast:
Benign patterns – Normal stuff, like a user downloading a big file.
Malicious patterns – Weird combos, like login from a bad country at 3 AM.
Ask: Does it match threat intel? Is it repeating? What's the impact?
Good triage focuses you on real dangers. This sets you up for better decisions.
Process Improvement
You can't just react to alerts all day. Improvement makes your work faster and better. This chapter covers ways to measure and fix your processes.
Key Metrics
Metrics show how well you're doing:
MTTD – Mean Time to Detect. How fast you spot trouble.
MTTR – Mean Time to Respond. How quickly you fix it.
Track these to see if you're getting better over time.
Low numbers mean you're on top of things.
Tuning Alerts
Alerts can be too noisy. Tune them to focus on real issues:
Look at old alerts. Which ones mattered?
Adjust rules to ignore normal behavior.
Test changes so you don't miss bad stuff.
Tuning cuts down false alarms and saves time.
Automation
Automation does boring tasks for you:
Auto-block bad IPs from alerts.
Run scans on new systems.
Send reports without typing everything.
Tools like scripts or SOAR platforms help. Start small, then grow.
Good processes mean less stress and fewer mistakes. You're building skills for the exam and real jobs. Next up is vulnerability management.
Scanning & Analysis
Find weak spots before attackers do with vulnerability management. Scan your systems for issues. Analyze the results and decide what to fix first. These scans should be run as often as your system or organization can support, like daily or weekly.
Scan Types
Active scans – Poke systems to find holes, using tools like Nessus or Qualys.
Passive scans – Watch traffic without touching systems, quieter but misses some issues.
Authenticated scans – Use login info to see inside systems better.
Unauthenticated scans – Act like outsiders, show what hackers see.
Choosing the right scan type depends on your specific assessment goals and environment.
CVSS and CVEs
These help rate problems:
CVE – Common Vulnerabilities and Exposures. A name for each known issue, like CVE-2023-1234.
CVSS – Common Vulnerability Scoring System. Gives a score from 0-10. Higher means worse.
Use these to sort dangers fast.
False Positives and Negatives
No scan is perfect. Here's what can go wrong:
False positives – Tool yells "problem!" but it's really okay. You waste time checking nothing.
False negatives – Tool says "all good" but there's a real hole. That's the scary one because you think nothing is wrong when really you’re in trouble.
Always double-check big alerts.
Grouping Findings
Sort the issues into simple piles:
Stuff that needs patches.
Wrong setups, like extra open doors.
Bugs in apps or old programs.
This way, you fix things in smart order. Teams get it faster too. Scanning keeps you one step ahead.
Prioritization & Remediation
Scans give you a list of problems. Now you figure out which ones to fix first. That's prioritization. Then you make the fixes – that's remediation.
Risk Scoring
Not every hole is equal. Score them like this:
Check the asset value. Is it a key server or just a test machine?
Look at the threat. Can bad guys reach it easily? Is there an active exploit?
Multiply those. High number means fix it now.
Focus on what could cause real damage.
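The asset-value-times-threat scoring described above, carried through on a few constructed findings. This is an added example, not from the guide; the value scales, finding IDs, and the exact threat weights are assumptions.

```python
"""Toy risk scoring: asset value x threat, then sort findings for remediation.
Added example; the findings below are constructed, not real scan output."""

# Assumed asset-value scale, 1 (test box) to 5 (key server).
ASSET_VALUE = {"key_server": 5, "workstation": 3, "test_machine": 1}

# Constructed findings. CVSS is kept only as a tiebreaker on purpose.
FINDINGS = [
    {"id": "F-1", "asset_type": "key_server", "cvss": 7.5,
     "reachable_from_internet": True, "active_exploit": True},
    {"id": "F-2", "asset_type": "test_machine", "cvss": 9.8,
     "reachable_from_internet": False, "active_exploit": False},
    {"id": "F-3", "asset_type": "workstation", "cvss": 6.5,
     "reachable_from_internet": True, "active_exploit": False},
    {"id": "F-4", "asset_type": "key_server", "cvss": 8.1,
     "reachable_from_internet": False, "active_exploit": True},
]

def threat_score(finding):
    """Assumed threat scale 1-5: +2 if attackers can reach it, +2 if exploited."""
    score = 1
    if finding["reachable_from_internet"]:
        score += 2
    if finding["active_exploit"]:
        score += 2
    return score

def risk_score(finding):
    """Multiply asset value by threat, as the guide describes."""
    return ASSET_VALUE[finding["asset_type"]] * threat_score(finding)

def prioritize(findings):
    """Highest risk first; equal risk falls back to CVSS."""
    return sorted(findings,
                  key=lambda f: (risk_score(f), f["cvss"]), reverse=True)

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["id"], "risk", risk_score(f), "cvss", f["cvss"])
```

Note that F-2 has the highest CVSS but lands last: an unreachable test machine with no live exploit is not where the real damage is.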
Patch Management
Patches close the holes:
Test them first on a safe setup.
Push them out slowly, important systems later.
Do it during low-traffic times.
This stops attacks that use old bugs.
Exceptions
Some fixes take time or cost too much:
Note why you can't fix it yet.
Get a boss to sign off.
Plan to revisit in 30 or 90 days.
Don't let these slide forever.
Hardening Baselines (CIS)
Start with secure defaults:
CIS benchmarks are checklists from experts.
Kill unneeded services. Lock down your users. Close extra ports.
Use the same setup on all machines.
This cuts weak spots from the start. You're set to manage vulns now.
Secure Dev
Apps and software can have holes too. Secure development builds security in from the start. This stops bugs before they go live.
SDLC
SDLC means Software Development Life Cycle. It's the steps to make software:
Plan what to build.
Code it.
Test for bugs.
Deploy and watch it.
Add security checks at every step. Catch problems early.
Secure Steps in SDLC
In planning, list threats.
During coding, review for safe practices.
Before launch, scan the whole thing.
This keeps bad stuff out of new apps.
SAST, DAST, and SCA Tools
These scan code and apps for issues:
SAST – Static Application Security Testing. Checks source code without running it. Finds bugs like bad input checks.
DAST – Dynamic Testing. Runs the app and pokes it like a hacker would. Spots live problems.
SCA – Software Composition Analysis. Checks third-party libraries for known holes.
Use all three for full coverage. Developers run these often. Secure dev means fewer vulns in production. That's the end of vuln management.
IR Lifecycle
Incidents are real attacks or breaches. Incident response (IR) is your plan to handle them. The lifecycle has six steps you follow every time.
The Six Steps
Preparation – Set up tools, teams, and plans before trouble starts.
Identification – Spot the problem from alerts or reports.
Containment – Stop it from spreading, like isolating a sick person.
Eradication – Remove the bad stuff completely.
Recovery – Get systems back to normal and watch for return.
Lessons Learned – Write what went right or wrong for next time.
Why the Steps Matter
Each one builds on the last. Skip prep and you're scrambling. Good ID means fast fixes. Always do lessons to get better.
Playbooks
Playbooks are step-by-step guides:
One for ransomware. One for phishing.
List who to call, what to check, tools to use.
Everyone on the team knows them.
They cut confusion in a crisis.
Severity Classification
Rate incidents by how bad the damage could be. Use a scale like this:
Low – Minor issue that stays small. No data lost, quick fix, low cost.
Medium – Some systems go down for a while. Work stops for part of the business, but no big data loss.
High – Customer data stolen, full outage, or cash lost. Big impact on money or trust. Call leaders right away.
Factors to check:
How many users were hurt?
Type of data at risk?
Can it spread fast?
Pick the level based on real effects. High ones wake the boss and need fast action. This sets priority. IR lifecycle keeps chaos under control.
Investigation
After you find an incident, it's time to dig in. You need to learn what happened, how it started, and who's behind it. Start fast and get organized.
Triage
Triage is like sorting mail – you check what's urgent:
Look at the alert. Real problem or false alarm?
Check how far it spread. One PC or everything?
Pick your move: drop it, get help, or roll up sleeves.
Do this in minutes to stop worse damage.
Timelines
Timelines line up what happened and when:
Note stuff like "2 PM: weird login from overseas. 2:02 PM: big file download."
Grab times from EDR logs or SIEM searches.
Watch for jumps that don't make sense.
The timeline tells the attack's story.
Forensics Basics
Forensics is like gathering clues at a crime scene. You collect evidence carefully so it holds up later. It's a big part of the investigation, especially when lawyers or bosses ask questions.
Volatile data – This is stuff in the computer's memory right now. Think running programs, open network connections, or live user sessions. It's fragile. If you reboot the machine, poof – it's gone forever. Grab this first.
Non-volatile data – This stays safe on the hard drive. Examples are files, system logs, deleted items, or user history. You can pull this later, but start with volatiles.
Here's how you do it right, step by step:
Don't change anything. Work on a copy, not the original. Use tools to make an exact disk image – like a perfect photo of the drive.
Write down every move. Note the date, time, who you are, what tool you used, and why. This is your chain of custody, the documented record of who handled the evidence and when. It proves no one tampered with the evidence.
Hunt for clues. Look for malware files, strange commands in the system's history, odd network calls, or fake accounts. Match them to your timeline.
Keep it organized. Label everything. Store copies in safe spots. Know when to call in experts if it's too big.
Don't touch anything extra. This helps you clean up for good, write solid reports, and win trust from your team.
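The "image it, hash it, log every move" steps above, shown as a small chain-of-custody routine. This is an added example, not from the guide; the suspect "drive" is a few constructed bytes and the tool names are hypothetical placeholders.

```python
"""Work on an image, not the original, and keep a chain-of-custody log.
Added example; the 'drive' is constructed bytes, tool names are hypothetical."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a suspect drive (a real one is a raw device).
SUSPECT_DRIVE = b"MBR\x00" + b"user files, logs, deleted items " * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire_image(drive: bytes):
    """Bit-for-bit copy plus the source hash, taken before any analysis."""
    image = bytes(drive)
    return image, sha256_hex(drive)

class CustodyLog:
    """Every action or handoff is written down: when, who, what, tool, why, hash."""
    def __init__(self):
        self.entries = []

    def record(self, who, action, tool, reason, evidence_hash, when=None):
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append({"when": when, "who": who, "action": action,
                             "tool": tool, "reason": reason,
                             "sha256": evidence_hash})

    def verify(self, evidence: bytes) -> bool:
        """Intact only if the hash still matches the acquisition hash."""
        return bool(self.entries) and \
            sha256_hex(evidence) == self.entries[0]["sha256"]

def run_demo():
    log = CustodyLog()
    image, source_hash = acquire_image(SUSPECT_DRIVE)
    log.record("analyst_a", "acquired disk image", "imager (hypothetical)",
               "ransomware alert on host", source_hash,
               "2024-03-12T14:30:00+00:00")
    # Analysis happens on the copy; the hash is re-recorded at each handoff.
    log.record("analyst_b", "reviewed image for malware files",
               "hex viewer (hypothetical)", "timeline building",
               sha256_hex(image), "2024-03-12T16:05:00+00:00")
    return log, image

if __name__ == "__main__":
    log, image = run_demo()
    print("image intact:", log.verify(image))
    for entry in log.entries:
        print(entry)
```

If a single byte of the working copy changes, verify() fails, which is exactly the tampering question a lawyer or boss will ask.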
Communication
After you fix an incident or do scans, you write reports. You tell what happened and what to do next. Make it easy for the reader to get it.
Exec vs Tech Reports
Bosses and tech teams need different info. For bosses, keep it short and talk money. Say, "Bad guys shut us down for two hours. It cost $10K. We stopped them and added new locks." Put in a picture or chart. One page is enough. No hard words. For tech teams, give all the facts. Say, "At 14:23, the tool saw a bad change from IP 192.168.1.100. Here are the steps we took to fix it." Bosses care about the hurt to the business. Tech people want the how and why so they can do it too.
KPIs
KPIs are scores that show how good you are. MTTD is how fast you see trouble; less than one hour is great. MTTR is how fast you fix it; aim for just a few hours. Watch things like holes you fixed each week or false alarms. Look at them every month to get better.
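MTTD and MTTR from the Key Metrics section and the monthly KPI review described here, computed over constructed incident records. This is an added example, not from the guide; the incident IDs, timestamps, and goal values are assumptions (the goals follow the "under one hour" and "a few hours" targets the text gives).

```python
"""Compute MTTD and MTTR per month from incident records and check them
against goals. Added example; the incidents below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed incidents: when it started, when we noticed, when it was fixed.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-02-05T08:00", "detected": "2024-02-05T10:00",
     "resolved": "2024-02-05T18:00"},
    {"id": "INC-2", "started": "2024-02-20T09:00", "detected": "2024-02-20T12:00",
     "resolved": "2024-02-20T15:00"},
    {"id": "INC-3", "started": "2024-03-03T10:00", "detected": "2024-03-03T10:30",
     "resolved": "2024-03-03T13:30"},
    {"id": "INC-4", "started": "2024-03-15T14:00", "detected": "2024-03-15T14:15",
     "resolved": "2024-03-15T18:15"},
]

def hours_between(a: str, b: str) -> float:
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 3600

def mttd(incidents):
    """Mean hours from start of attack to detection."""
    return sum(hours_between(i["started"], i["detected"]) for i in incidents) / len(incidents)

def mttr(incidents):
    """Mean hours from detection to resolution."""
    return sum(hours_between(i["detected"], i["resolved"]) for i in incidents) / len(incidents)

def monthly_kpis(incidents, mttd_goal=1.0, mttr_goal=4.0):
    """Group by the month the incident started; flag whether each goal is met."""
    by_month = defaultdict(list)
    for inc in incidents:
        by_month[inc["started"][:7]].append(inc)
    report = {}
    for month in sorted(by_month):
        d, r = mttd(by_month[month]), mttr(by_month[month])
        report[month] = {"mttd": d, "mttr": r, "count": len(by_month[month]),
                         "mttd_ok": d < mttd_goal, "mttr_ok": r <= mttr_goal}
    return report

def improving(report) -> bool:
    """True if both means fell from the first month to the last."""
    months = sorted(report)
    first, last = report[months[0]], report[months[-1]]
    return last["mttd"] < first["mttd"] and last["mttr"] < first["mttr"]

if __name__ == "__main__":
    rep = monthly_kpis(INCIDENTS)
    for month, row in rep.items():
        print(month, row)
    print("improving:", improving(rep))
```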
Remediation Inhibitors
These are things that stop fixes. Old computers won't take updates. No money for new tools. The team is busy or new. Call them out and say how to fix them. Like, "Old machines need $5K to update next month." This gets help fast.
Good reports make your team strong. You finished the big exam parts. Test tips are next.
Study Plan & Labs
Now you know the exam topics. Time to study smart and practice. This chapter gives a 4-week plan and free labs to build hands-on skills.
4-Week Study Plan
Focus more on big domains since they count extra. Study 1-2 hours a day, 5 days a week.
Week 1: Security Operations (33%)
Learn logs, SIEM, tools, metrics.
Do 50 practice questions on detection.
Week 2: Vulnerability Management (30%)
Study scans, CVSS, patches, secure dev.
Practice 50 questions on vulns.
Week 3: Incident Response & Reporting (37% total)
Cover IR steps, forensics, reports.
Do 50 questions on incidents and KPIs.
Week 4: Review & Practice
Review your weak spots (The things you don't quite get).
Take two full practice tests.
Do PBQ labs every day.
Adjust if you work full-time. Test yourself daily.
Free Lab Setup
Practice on fake systems – safe and free:
VulnHub VMs – Download easy targets like DVWA. Run in VirtualBox to scan and attack.
Wireshark – Grab it free. Capture network traffic and hunt bad packets.
ELK trial – Elastic's free version for SIEM practice. Feed in logs and write queries.
Set up a home lab in an hour. Break stuff there, not at work. This makes exam puzzles easy.
Common Acronyms
CIA – Confidentiality, Integrity, Availability
SIEM – Security Information and Event Management
EDR – Endpoint Detection and Response
NIDS – Network Intrusion Detection System
CVSS – Common Vulnerability Scoring System
CVE – Common Vulnerabilities and Exposures
MTTD – Mean Time to Detect
MTTR – Mean Time to Respond
IR – Incident Response
IoC – Indicator of Compromise
PBQ – Performance-Based Question