CompTIA Cybersecurity Analyst CySA+ Quick Facts (2025)

Exam Domain Breakdown

Domain 1: Security operations (33% of the exam)

System and network architecture — explaining log ingestion, operating system (OS) concepts, infrastructure, network architecture, identity and access management (IAM), encryption, and sensitive data protection.

Summary: This section equips you with the knowledge to understand how system and network components interact and how critical security fundamentals are applied across an infrastructure. You'll explore how logs are ingested and analyzed, how OS-level concepts integrate with network architecture, and how IAM frameworks, encryption methods, and sensitive data protection strategies build a strong defense posture. Beyond the basics, expect to connect these concepts into the wider goal of protecting information across every layer of an IT environment. By linking architectural principles with real-world application, this section ensures you understand both theoretical underpinnings and their practical impact on security.

Malicious activity indicators — analyzing network anomalies like bandwidth spikes and rogue devices, host issues like unauthorized software and data exfiltration, application irregularities like unexpected communication and service interruptions, and threats like social engineering attacks.

Summary: This part focuses on identifying signs that point to potential malicious activity. You'll study how anomalies manifest, from network-level issues such as spikes in traffic or rogue devices to host-level problems like unauthorized applications and data leakage. At the application level, you'll learn to spot unexpected communications and service failures while also recognizing social engineering attacks. The emphasis is on pattern recognition and quick analysis, helping you transform activity indicators into actionable insights. By building fluency in the signals of compromise, you are prepared to act rapidly and effectively to protect organizational assets.

Tools and techniques — detecting malicious activity using tools like Wireshark, security information and event management (SIEM), and VirusTotal, along with techniques like pattern recognition and email analysis, supported by scripting languages like Python and PowerShell.

Summary: Here, you’ll focus on the practical how-to of threat detection, using a range of cybersecurity tools. You'll learn to leverage packet analysis with Wireshark, log analysis with SIEM platforms, and file and URL inspection with solutions like VirusTotal. Alongside these, you’ll become adept at techniques such as email header inspection and advanced pattern recognition. Scripting languages like Python and PowerShell round out this toolkit, empowering you with automation and customization capabilities. This combination ensures you can both follow established processes and innovate more efficient workflows as part of modern defensive strategies.

Threat intelligence and hunting — comparing threat actors, tactics, techniques, and procedures (TTP); confidence levels; collection methods; intelligence sharing; and hunting techniques.

Summary: In this section, you explore the realm of threat intelligence and proactive hunting. You'll compare different types of threat actors and their TTPs, evaluate the quality and confidence of intelligence data, and examine methods of collection and sharing across organizations. These insights form a practical framework for anticipating threat activity before it escalates. You’ll also study active hunting techniques that not only detect but proactively pursue hidden threats within the environment. The blend of theory and practical application fosters a mindset of resilience, ensuring you are always a step ahead of adversaries.

Process improvement — standardizing processes, streamlining operations, integrating tools, and using a single pane of glass.

Summary: This section emphasizes the value of efficiency in security workflows. You'll consider how standardized processes reduce errors and ensure consistency, how streamlined operations save time, and how tool integration improves visibility. The concept of a "single pane of glass" introduces centralized management for monitoring and response. By analyzing and implementing these improvements, you learn how incremental adjustments compound into stronger protective measures. This focus highlights how security teams can maximize their resources and improve operational maturity over time.

Domain 2: Vulnerability management (30% of the exam)

Vulnerability scanning — implementing asset discovery, internal vs. external scanning, agent vs. agentless, credentialed vs. non-credentialed, passive vs. active, static vs. dynamic, and critical infrastructure scanning.

Summary: This section guides you in mastering vulnerability scanning techniques across diverse environments and approaches. You'll learn about discovery methods, the differences between internal and external scanning, and the considerations that come with using agents or remaining agentless. Credentialed versus non-credentialed approaches and passive versus active scanning further highlight the adaptability required for comprehensive assessments. From static versus dynamic environments to specialized needs for critical infrastructure, you’ll learn to adjust vulnerability scanning methods to fit the unique landscape. The focus is on ensuring thorough coverage and accurate insights for decision-making.

Assessment tool output — analyzing network scanning, web application scanners, vulnerability scanners, debuggers, multipurpose tools, and cloud infrastructure assessments.

Summary: This portion emphasizes how to interpret and analyze tool-based output from various vulnerability assessments. You'll compare results from network scanners, web tools, and broad multipurpose software, as well as understand the unique outputs of debuggers and specialized cloud-infrastructure assessments. What matters most is applying context appropriately to varying outputs. With competence in recognizing the strengths of each tool, you gain confidence in crafting reliable assessments that support actionable remediation strategies.

Vulnerability prioritization — interpreting common vulnerability scoring system (CVSS), validating findings, assessing exploitability, and considering asset value and zero-day vulnerabilities.

Summary: This section develops your ability to sort through vulnerabilities and assign meaningful priority based on impact. You'll learn how CVSS scores inform urgency, why validating findings is essential, and how factors like exploitability and asset value determine response. Special attention is given to understanding risks associated with zero-day vulnerabilities. By combining technical scoring frameworks with critical business context, you can ensure that teams focus their efforts where protection is most urgent. This skill turns vulnerability information into a clear roadmap for effective defense.

Mitigation controls — recommending controls for cross-site scripting (XSS), overflow vulnerabilities, and data poisoning.

Summary: This section provides a closer look at mitigation strategies. You'll learn to recommend practical controls against common threats such as XSS, buffer overflows, and data poisoning. It’s not just about understanding vulnerabilities but demonstrating the ability to close the gaps. The focus is on actionable recommendations that security teams can deploy. You’ll be able to connect theoretical vulnerabilities to real-world solutions, directly improving the security posture through applied knowledge.

Vulnerability response — explaining compensating controls, patching, configuration management, maintenance windows, exceptions, governance, service-level objectives (SLOs), secure software development life cycle (SDLC), and threat modeling.

Summary: This section highlights the importance of organizational readiness in response to vulnerabilities. You'll explore options like compensating controls, patching policies, and detailed configuration management. From identifying effective maintenance windows to defining exceptions, you’ll see how governance and coordination shape outcomes. By incorporating SLOs, SDLC, and threat modeling into the equation, this section emphasizes long-term prevention combined with adaptive response. You’ll learn to maintain resilience by focusing on both quick fixes and sustainable improvements.

Domain 3: Incident response management (20% of the exam)

Attack methodology frameworks — explaining cyber kill chains, diamond model of intrusion analysis, MITRE ATT&CK, Open Source Security Testing Methodology Manual (OSSTMM), and OWASP testing guide.

Summary: This section introduces frameworks that provide structured ways to understand threat behaviors and attacks. You'll examine the cyber kill chain, the diamond model, and MITRE ATT&CK, along with methodologies like OSSTMM and OWASP guidelines. Each serves as a unique lens for evaluating adversarial activity. Together, they help you approach incident response with clarity and consistency. By internalizing these frameworks, you strengthen your ability to respond methodically no matter the situation, turning theory into practical defensive action.

Incident response activities — performing detection, analysis, containment, eradication, and recovery.

Summary: Here, you’ll walk through the vital activities that form the backbone of incident response. From detecting and analyzing incidents to containing their impact and eradicating threats, you’ll practice building structured responses to security events. These steps culminate with recovery, which restores systems back to normal state. By understanding each stage in depth, you gain both the discipline and adaptability needed to manage incidents with confidence and precision.

Incident management life cycle — explaining incident response plans, tools, playbooks, tabletop exercises, training, business continuity (BC), disaster recovery (DR), forensic analysis, and root cause analysis.

Summary: This section outlines how organizations prepare for incidents as part of a cycle. You’ll learn about plans, response tools, and the role of playbooks in standardizing procedures. Tabletop exercises and training emphasize readiness, while BC and DR ensure resilience and restoration after disruptions. Additionally, forensic analysis and root cause analysis deepen your capacity to contribute to prevention. By connecting preparation, action, and evaluation, this area encourages a holistic approach to incident management.

Domain 4: Reporting and communication (17% of the exam)

Vulnerability management reporting — explaining compliance reports, action plans, inhibitors to remediation, metrics, key performance indicators (KPIs), and stakeholder communication.

Summary: This part highlights the importance of clear and effective reporting in vulnerability management. You’ll explore how compliance reports and action plans strengthen accountability, while also learning to recognize inhibitors to remediation that might slow progress. Metrics and KPIs ensure progress is measurable and transparent. Effective stakeholder communication is emphasized, ensuring that relevant decision-makers are aligned with security goals. By mastering these reporting techniques, you not only document vulnerabilities but also drive remediation processes forward.

Incident response reporting — explaining incident declaration, escalation, reporting, communication, root cause analysis, lessons learned, and metrics and KPIs.

Summary: This section gives special attention to how incident response activities are documented and communicated. You'll learn how to declare incidents, escalate them appropriately, and produce reports that matter to different audiences. The integration of communication practices ensures that responses stay coordinated and clear. Root cause analysis and lessons learned help close the loop by transforming incidents into opportunities for improvement. Metrics and KPIs provide measurable outcomes, empowering organizations to assess the effectiveness of their response programs and strengthen them over time.