
CSX P
CSX-P is ISACA's performance-based cybersecurity certification. The exam is delivered in a virtualized lab environment where candidates perform realistic security operations tasks across the NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover. This spec covers the practical skills, tooling, and decision-making validated by the CSX-P exam.
Who Should Take This
Cybersecurity practitioners with 3-5 years of hands-on experience who want to validate operational security skills via a performance-based exam. Assumes working knowledge of Linux, networking, scripting, and common security tools. Learners finish able to perform practical security operations tasks under time pressure, mapped to the NIST CSF.
Course Outline
1. Identify
Asset Identification
- Apply nmap host discovery and port scanning to enumerate live hosts and exposed services on a target subnet.
- Apply network-mapping output to produce an asset inventory with IP, hostname, OS, exposed ports, and observed services.
- Analyze a partial asset inventory and propose targeted additional discovery techniques (passive monitoring, ARP scanning, DNS zone transfer attempts).
Vulnerability Assessment
- Apply Nessus or OpenVAS scan policy selection, target scoping, and credential injection for an authenticated scan.
- Apply CIS-CAT or CIS Benchmark assessment to a Linux host and identify the highest-priority deviations.
- Analyze a vulnerability-scan report and prioritize findings using exploitability, exposure, and business impact rather than raw CVSS scores alone.
Risk Identification
- Identify common control gaps that a vulnerability scan does not detect: misconfigured IAM, missing logging, weak encryption, exposed metadata.
- Apply a control-gap analysis using the NIST CSF Identify category as a checklist for a small sample environment.
2. Protect
Account and Identity Hardening
- Apply Linux account hardening: disable unused accounts, enforce password policies, configure sudo rules, and audit /etc/passwd and /etc/shadow.
- Apply Windows account hardening: GPO-based password and lockout policy, restricted local admins, disabled SMBv1.
- Analyze an account audit output and identify accounts with excessive privilege, stale accounts, and shared-administrator anti-patterns.
System Hardening and Patching
- Apply CIS-Benchmark-driven service minimization on a Linux host: disable unneeded services, restrict listening ports, enforce kernel parameters.
- Apply patch-management procedures: identify missing patches, verify patch sources, schedule deployment with rollback plans.
Network Hardening
- Apply iptables/nftables or Windows Firewall rule design for a host that should expose only HTTPS to a specific subnet.
- Apply network segmentation between application tiers (web/app/db) using firewall rules and route tables.
- Analyze a permissive ruleset and identify rules that violate stated policy, rules with excessive scope, and redundant rules.
3. Detect
Log Analysis
- Apply grep/awk/jq or Splunk SPL to find authentication failures, lateral movement indicators, and privilege escalations in system logs.
- Apply log-correlation across host (auth.log), network (firewall, NetFlow), and identity (SSO) sources to reconstruct an event timeline.
- Analyze noisy log output and propose filtering criteria that retain signal without dropping relevant events.
Network Detection
- Apply tcpdump and Wireshark to capture and inspect a TCP session, identifying SNI, TLS version, and unencrypted payloads.
- Apply Suricata or Snort rule reading to identify which traffic patterns trigger alerts and what protocols are inspected.
- Analyze a PCAP containing a beaconing host and propose detection criteria (timing regularity, JA3 fingerprint, destination reputation).
Endpoint Detection
- Apply EDR query language (CrowdStrike CQL, Microsoft Defender KQL) to find a suspicious process tree and parent-child anomalies.
- Apply YARA rule reading and writing to match known malware indicators in files and process memory.
4. Respond
Containment
- Apply network containment of a compromised host: VLAN move, firewall isolation rule, or EDR-driven host isolation.
- Apply identity containment: revoke session tokens, rotate compromised credentials, disable the affected account at the IdP.
- Analyze a containment trade-off scenario where isolating a system preserves evidence but disrupts business operations and recommend the appropriate response.
Eradication
- Apply malware eradication procedures: process kill, persistence-mechanism removal (cron jobs, scheduled tasks, services, autostart), system rebuild as fallback.
- Apply credential rotation across all systems where the compromised credential was used and verify rotation completion via authentication-log review.
Forensic Capture
- Apply volatile-data capture: process list, network connections, mounted filesystems, memory image (LiME, Magnet RAM, FTK Imager).
- Apply disk imaging procedures with hash verification (MD5/SHA-256) and chain-of-custody documentation.
5. Recover
Backup Validation
- Apply backup-integrity validation: hash verification, restore-test on isolated network, retention-policy review.
- Apply ransomware-resilient backup verification: immutable storage / object lock, offline copies, recovery-point objectives.
Restoration
- Apply a restoration procedure for a compromised system: rebuild from clean image, restore data from validated backup, re-establish baseline configuration.
- Analyze a restoration scenario where backups predate the compromise but contain the same vulnerability that caused it, and propose the safe restoration sequence.
Continuity Coordination
- Apply BCP/DR coordination patterns: priority restoration order based on business-impact analysis, communication tree activation, RTO/RPO tracking.
- Apply post-incident review (PIR) procedures: timeline reconstruction, control-gap identification, remediation tracking.
6. Cross-Cutting Skills
Scripting and Automation
- Apply Bash or PowerShell scripting to automate routine security operations tasks (log triage, account audit, configuration check).
- Apply Python scripting to parse vulnerability-scan output, query a SIEM API, or generate an asset inventory.
Documentation and Communication
- Apply incident-report writing: executive summary, technical timeline, root cause, remediation actions, residual risk.
- Apply technical-to-business translation: explain a SQLi, ransomware, or supply-chain incident to a non-technical executive.
Time Management Under Pressure
- Apply task prioritization in a multi-incident scenario: triage by impact and urgency, escalate when capacity is exceeded, document decisions.
- Apply timeboxing and stop-loss decisions when a single investigative thread is consuming disproportionate time relative to the broader incident scope.
7. Cloud and Container Operations
Cloud-Specific Tooling
- Apply AWS CLI, az CLI, or gcloud to enumerate IAM principals, query CloudTrail/Activity Log/Audit Log events, and inspect object-storage permissions.
- Apply IMDSv2 verification on EC2, identify exposed metadata services, and propose remediation grounded in IMDSv2 enforcement.
- Analyze a cloud-IAM scenario where a long-lived access key was leaked, and trace the chain of CloudTrail events that should be reviewed.
Container Operations
- Apply container image scanning (Trivy, Grype) to identify vulnerable base images, and propose mitigation grounded in pinned digests and minimal base images.
- Apply kubectl-based investigation: enumerate pods, inspect RBAC, audit service accounts, and identify privilege-escalation paths.
- Analyze a Kubernetes cluster with permissive PodSecurity admission and propose hardening grounded in the restricted PSA profile.
CI/CD Investigation
- Identify CI/CD compromise indicators: unauthorized workflow changes, leaked secrets, unpinned actions/dependencies, post-build artifact tampering.
- Apply CI/CD investigation: trace build logs for a suspicious push, verify artifact signatures, and identify the impacted downstream consumers.
8. Threat Intelligence and Hunting
Threat Intelligence Sources
- Identify common threat-intel sources: CISA advisories, vendor advisories, MISP, OTX, ISAC feeds, and commercial intel platforms.
- Apply threat-intel ingestion: convert IOCs (IPs, hashes, domains, JA3 fingerprints) to detection rules in a SIEM or EDR.
Threat Hunting
- Define threat hunting and explain how it differs from alert triage (proactive, hypothesis-driven vs. reactive, alert-driven).
- Apply MITRE ATT&CK as a hunt-prioritization framework: select a technique, hypothesize observable artifacts, query telemetry, and document findings.
- Analyze a hunt that produced no findings and articulate whether absence of evidence is evidence of absence (telemetry gaps, time-window scoping, hypothesis quality).
Tactics and Techniques
- Identify the MITRE ATT&CK tactic categories (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact) and name a representative technique for each.
- Apply ATT&CK technique mapping to a sample incident and produce a tactic-by-tactic timeline for the post-incident review.
- Apply ATT&CK Navigator to overlay detection coverage on the technique matrix and identify the highest-priority gaps to close.
- Analyze a detection-engineering scenario where ATT&CK coverage is broad but shallow, and propose tuning to deepen coverage on the most-observed techniques.
Scope
Included Topics
- NIST Cybersecurity Framework (CSF) functions: Identify, Protect, Detect, Respond, Recover.
- Asset identification and management on a representative network.
- Vulnerability assessment and configuration baseline tools (Nessus, OpenVAS, CIS-CAT).
- Hardening: account hardening, service minimization, patch management, secure configuration.
- Network defense: firewall rules, IDS/IPS, network segmentation, monitoring.
- Endpoint defense: EDR, host firewalls, application allowlisting.
- Incident detection: log analysis, SIEM queries, IOC matching, basic threat hunting.
- Incident response: containment, eradication, recovery, post-incident review.
- Forensic basics: chain of custody, volatile-data capture, disk imaging.
- Recovery: backup integrity validation, restoration testing, BCP/DR coordination.
Not Covered
- Strategy/governance depth typical of CISM (covered separately).
- Detailed legal/regulatory analysis (covered in CISA, CISM, CGEIT).