🚀 Launch Special: $29/mo for life --d --h --m --s Claim Your Price →
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

Notify me
CompTIA Coming Soon

CySA Plus

The course teaches advanced security operations, vulnerability management, incident response, and reporting techniques aligned with CompTIA CySA+ (CS0-003), enabling analysts to protect enterprise environments effectively.

Who Should Take This

It is intended for cybersecurity analysts who have three to four years of hands‑on experience in SOC or CSIRT teams and possess CompTIA Security+ or equivalent knowledge. These professionals seek to deepen their expertise in threat detection, mitigation, and communication to advance toward senior analyst or specialist roles.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

62 learning goals
1 Domain 1: Security Operations
5 topics

System and network architecture for security operations

  • Apply knowledge of network architecture components including firewalls, proxies, IDS/IPS, and network taps to determine optimal sensor and log collection placement for security monitoring.
  • Implement network traffic analysis using packet capture tools, NetFlow/sFlow data, and protocol analyzers to identify anomalous communication patterns and potential data exfiltration.
  • Configure endpoint detection and response agents to collect process execution, file system changes, registry modifications, and network connection telemetry from managed endpoints.
  • Analyze system architecture diagrams including cloud, on-premises, and hybrid environments to identify visibility gaps, blind spots, and unmonitored attack surfaces.
  • Recommend sensor deployment strategies to achieve comprehensive monitoring coverage across network, endpoint, cloud, and identity data sources for enterprise environments.

Log analysis and SIEM operations

  • Configure SIEM data ingestion from diverse log sources including operating systems, network devices, applications, cloud services, and endpoint agents for comprehensive visibility.
  • Implement SIEM correlation rules and detection logic to identify multi-stage attack patterns including brute force, lateral movement, privilege escalation, and command-and-control activity.
  • Implement SIEM dashboards and visualizations to display alert trends, top talkers, geographic anomalies, and compliance status for real-time operational awareness.
  • Analyze SIEM alerts and log data to perform root cause analysis, distinguish true positives from false positives, and determine the scope and severity of detected security events.
  • Design SIEM tuning strategies to reduce false positive rates, optimize correlation rule performance, adjust alert thresholds, and improve detection fidelity.

Threat intelligence and indicator management

  • Implement threat intelligence feed integration with IoC types including IP addresses, domains, file hashes, URLs, and YARA rules into detection and prevention tools.
  • Apply threat intelligence frameworks including MITRE ATT&CK, Cyber Kill Chain, and Diamond Model to map observed adversary behavior to known TTPs.
  • Implement STIX/TAXII protocols for automated threat intelligence sharing and configure threat intelligence platform integrations with SIEM and EDR tools.
  • Assess the relevance, timeliness, and accuracy of threat intelligence sources to determine which feeds provide actionable value for the organization's threat landscape.
  • Recommend threat intelligence program improvements including source diversification, automated enrichment, TIP platform selection, and ISAC sharing partnerships.

Threat hunting

  • Execute hypothesis-driven threat hunts using MITRE ATT&CK techniques, known adversary TTPs, and environmental baselines to proactively identify threats evading automated detection.
  • Perform data-driven threat hunts using statistical baselining, anomaly detection, and stack counting techniques across authentication, network, and process execution logs.
  • Analyze threat hunting results to identify previously undetected malicious activity and convert successful hunts into automated detection rules.
  • Design a threat hunting program including team structure, cadence, hypothesis generation methodology, data source requirements, and success metrics.

Automation and scripting for security operations

  • Implement security automation scripts using Python, PowerShell, or Bash to parse logs, extract IoCs, enrich alerts, and automate routine analysis tasks.
  • Configure SOAR platform workflows to orchestrate automated response actions including alert triage, ticket creation, containment, and notification based on playbooks.
  • Implement API integrations between security tools including SIEM, EDR, ticketing, and threat intelligence platforms to enable automated data sharing and coordinated response.
  • Recommend automation strategies to optimize SOC efficiency by identifying high-volume, low-complexity tasks for automation while preserving analyst judgment for complex investigations.
2 Domain 2: Vulnerability Management
4 topics

Vulnerability scanning tools and techniques

  • Configure vulnerability scanning tools including Nessus, Qualys, and OpenVAS with appropriate scan policies, credential sets, and scope definitions for enterprise environments.
  • Execute credentialed and non-credentialed vulnerability scans across network, web application, and cloud environments and compare result completeness from each approach.
  • Implement web application vulnerability scanning using DAST tools to identify OWASP Top 10 vulnerabilities including injection flaws and authentication weaknesses.
  • Configure cloud-specific vulnerability scanning for misconfigured storage, exposed APIs, overly permissive IAM policies, and unencrypted data across cloud provider environments.

Vulnerability scan output analysis

  • Analyze vulnerability scan results to validate findings, identify false positives, and determine exploitability using CVSS base, temporal, and environmental scores.
  • Evaluate vulnerability trends across multiple scan cycles to identify recurring issues, measure remediation effectiveness, and detect configuration drift.
  • Assess the impact of discovered vulnerabilities on organizational risk by mapping findings to business-critical assets, regulatory requirements, and compensating controls.
  • Investigate vulnerability scan discrepancies by correlating results from multiple scanners, comparing agent-based and network-based findings, and resolving conflicting severity ratings.

Remediation prioritization and compensating controls

  • Apply remediation prioritization using CVSS scores, exploit availability, asset criticality, business impact, and threat intelligence context to rank vulnerabilities for patching.
  • Implement compensating controls including virtual patching, WAF rules, network segmentation, and access restrictions when immediate remediation is not feasible.
  • Implement exception management workflows for accepted risks including documentation requirements, approval chains, periodic review schedules, and expiration enforcement.
  • Design a vulnerability management lifecycle including discovery, assessment, prioritization, remediation, verification, and reporting with defined SLAs per severity level.

Vulnerability validation and verification

  • Perform vulnerability validation through manual verification including targeted scanning, proof-of-concept testing, and cross-referencing with exploit databases.
  • Execute post-remediation verification scans to confirm patches and compensating controls effectively address identified vulnerabilities without introducing regressions.
  • Analyze validation results to determine whether remediations fully closed vulnerabilities and recommend additional corrective actions for persistent findings.
3 Domain 3: Incident Response Management
4 topics

Incident detection and triage

  • Implement incident detection methods including signature-based, anomaly-based, and behavior-based detection across network, endpoint, and cloud monitoring platforms.
  • Perform initial incident triage by classifying event severity, identifying affected systems, determining whether the event constitutes a security incident, and assigning response priority.
  • Investigate indicators of compromise across multiple data sources to determine attack vector, establish an event timeline, and assess the scope of compromise.
  • Assess incident severity by correlating technical indicators with business impact, data sensitivity classifications, and regulatory notification thresholds.

Containment and eradication

  • Execute containment strategies including network isolation, account disabling, DNS sinkholing, firewall rule insertion, and endpoint quarantine to limit incident spread.
  • Perform eradication including malware removal, backdoor elimination, compromised credential rotation, and system hardening to remove attacker presence.
  • Determine appropriate containment scope and timing by analyzing tradeoffs between operational disruption, evidence preservation, and threat neutralization.

Recovery and post-incident activities

  • Execute recovery procedures including system restoration, service validation, enhanced monitoring deployment, and phased return to normal operations.
  • Analyze completed incidents to conduct root cause analysis, identify detection gaps, document lessons learned, and generate control improvement recommendations.
  • Formulate incident response playbook improvements based on post-incident analysis including updated detection rules, refined containment procedures, and improved workflows.

Forensic evidence and incident communication

  • Apply digital forensics evidence handling including chain of custody documentation, forensic imaging, evidence preservation, volatile data collection, and legal hold compliance.
  • Implement incident communication plans including internal escalation procedures, external notification requirements, and executive briefing protocols.
  • Plan enterprise incident response capabilities including team structure, roles, escalation matrices, tabletop exercise programs, and business continuity integration.
4 Domain 4: Reporting and Communication
4 topics

Vulnerability and compliance reporting

  • Implement vulnerability reporting workflows including scan result aggregation, finding deduplication, severity classification, remediation owner assignment, and SLA tracking.
  • Implement compliance reporting by mapping security controls to regulatory requirements, generating evidence artifacts, and preparing audit-ready documentation.
  • Analyze vulnerability and compliance report data to identify systemic issues, measure program maturity, and assess risk tolerance alignment.

Security metrics and KPIs

  • Implement security operations metrics including MTTD, MTTR, alert volume trends, false positive rates, and vulnerability remediation SLA compliance tracking.
  • Evaluate security metric trends to determine SOC performance trajectory, identify resource bottlenecks, and assess security tool investment ROI.
  • Design a security metrics program aligning operational KPIs with business objectives, providing actionable insights, and driving continuous improvement.

Executive communication and stakeholder management

  • Apply communication strategies to translate technical findings into business-impact language suitable for executive leadership and non-technical stakeholders.
  • Implement action plan documentation including remediation timelines, resource requirements, risk acceptance justifications, and progress tracking for findings.
  • Recommend reporting cadence and format adjustments based on audience feedback, organizational changes, and evolving compliance requirements.

Incident reporting and documentation

  • Implement incident report documentation including executive summaries, technical details, timeline reconstructions, impact assessments, and corrective action recommendations.
  • Assess incident report quality by evaluating completeness, accuracy, actionability, and adherence to regulatory notification requirements.

Scope

Included Topics

  • All domains and objectives in the CompTIA CySA+ (CS0-003) exam: Domain 1 Security Operations (33%), Domain 2 Vulnerability Management (30%), Domain 3 Incident Response Management (20%), and Domain 4 Reporting and Communication (17%).
  • Advanced blue team and defensive analyst skills including continuous security monitoring, threat intelligence consumption, SIEM tuning and correlation, threat hunting, vulnerability lifecycle management, and incident response orchestration.
  • Core analyst tools and techniques: SIEM platforms (Splunk, ELK, QRadar), vulnerability scanners (Nessus, Qualys, OpenVAS), packet capture and analysis (Wireshark, tcpdump), OSINT feeds, MITRE ATT&CK framework mapping, CVSS scoring, threat intelligence platforms (TIPs), endpoint detection and response (EDR), and scripting for automation (Python, PowerShell).
  • Scenario-driven analysis requiring triage decisions, alert investigation, vulnerability prioritization, incident coordination, and stakeholder communication in enterprise SOC environments.

Not Covered

  • Offensive penetration testing techniques and exploitation methodology (covered by PenTest+ PT0-003).
  • Enterprise-level security architecture design and zero trust implementation strategy (covered by SecurityX CAS-005).
  • Foundational security concepts and terminology at the introductory level (covered by Security+ SY0-701).
  • Vendor-specific product administration for commercial tools unless directly tested in CySA+ exam scenarios.
  • Malware reverse engineering at the binary analysis level and advanced forensic tool internals beyond analyst-level usage.

CySA Plus is coming soon

Adaptive learning that maps your knowledge and closes your gaps.

Create Free Account to Be Notified

Trademark Notice

CompTIA® and all related certification marks (A+®, Network+®, Security+®, etc.) are registered trademarks of the Computing Technology Industry Association. CompTIA does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.