It is important to prepare for an exam by studying course material, practicing skills, and committing new concepts to memory. You can use the instruction and tests in this course to help you prepare more efficiently.
We recommend that you take the following steps as you prepare for the exam:
Step | Description |
---|---|
Study the course material | The course materials include text lessons, demonstrations, video lessons, and hands-on labs. As you work through the course, follow these hints for effective study:<br>- Review the learning and exam objectives on each section page. The objectives outline the knowledge and skills you will need for the official certification exam.<br>- Watch the videos.<br>- Watch the demonstrations.<br>- Read all text lesson fact pages.<br>- Practice the tasks in the lab simulations until you feel comfortable with your ability to complete them.<br>- Avoid skipping any sections unless you can easily pass the Practice Questions at the end of each section. Even if you already know the material, a review can always be helpful when preparing for an exam. |
Take the section Practice Questions | The section Practice Questions at the end of each section will help you assess your understanding of the content for that section.<br>- Use the immediate feedback to go back and study the course material covering the questions you missed until you can pass the section Practice Questions easily.<br>- After you have mastered the material in a section, move on to the next section. |
Review the domain Practice Questions | When you have finished studying the course material and taken the section Practice Questions, you are ready to focus on exam preparation. Practice questions are available by exam domain. There are two types available:<br>- 20 Questions - Twenty questions are randomly selected from the available pool of questions for a specific exam domain.<br>- All Questions - All questions from the available pool of questions for a specific exam domain are presented. This option allows the review of all available questions by exam domain. |
Take the certification practice exams | After you are confident with your ability to answer each question, take the certification practice exam to assess your preparedness to take the certification exam.<br>- This exam has roughly the same number of questions and time limit as the certification exam.<br>- Check your answers after each exam, and review the course material for questions that you missed.<br>- Practice questions are designed to assess your knowledge as it relates to the exam objectives.<br>- Focus your time on understanding the topics covered in the objectives and not on memorizing answers, as the actual certification exam will have a different set of questions.<br>- When your practice exam scores are consistently over 95%, and you feel confident in your understanding of the exam objectives and topics, the next step is to take the certification exam. |
Schedule and take the certification exam | When you are ready, schedule the exam through Pearson VUE. Details on how to schedule an exam are provided in this section. |
The CyberDefense Pro course and certification exam cover the following CompTIA Cybersecurity Analyst (CySA+) CSO-003 objectives:
# | Domain | Module.Section |
---|---|---|
1.0 | Security Operations | |
1.1 | Explain the importance of system and network architecture concepts in security operations<br>- 1.1.1 - Log ingestion<br>- 1.1.1.1 - Time synchronization<br>- 1.1.1.2 - Logging levels<br>- 1.1.2 - Operating system (OS) concepts<br>- 1.1.2.1 - Windows Registry<br>- 1.1.2.2 - System hardening<br>- 1.1.2.3 - File structure<br>- 1.1.2.3.1 - Configuration file locations<br>- 1.1.2.4 - System processes<br>- 1.1.2.5 - Hardware architecture<br>- 1.1.3 - Infrastructure concepts<br>- 1.1.3.1 - Serverless<br>- 1.1.3.2 - Virtualization<br>- 1.1.3.3 - Containerization<br>- 1.1.4 - Network architecture<br>- 1.1.4.1 - On-premises<br>- 1.1.4.2 - Cloud<br>- 1.1.4.3 - Hybrid<br>- 1.1.4.4 - Network segmentation<br>- 1.1.4.5 - Zero trust<br>- 1.1.4.6 - Secure access secure edge (SASE)<br>- 1.1.4.7 - Software-defined networking (SDN)<br>- 1.1.5 - Identity and access management<br>- 1.1.5.1 - Multifactor authentication (MFA)<br>- 1.1.5.2 - Single sign-on (SSO)<br>- 1.1.5.3 - Federation<br>- 1.1.5.4 - Privileged access management (PAM)<br>- 1.1.5.5 - Passwordless<br>- 1.1.5.6 - Cloud access security broker (CASB)<br>- 1.1.6 - Encryption<br>- 1.1.6.1 - Public key infrastructure (PKI)<br>- 1.1.6.2 - Secure sockets layer (SSL) inspection<br>- 1.1.7 - Sensitive data protection<br>- 1.1.7.1 - Data loss prevention (DLP)<br>- 1.1.7.2 - Personally identifiable information (PII)<br>- 1.1.7.3 - Cardholder data (CHD) | 4.1, 4.2, 4.3, 4.4, 4.5<br>5.1, 5.2<br>6.6, 6.7<br>7.1, 7.2, 7.3<br>9.3 |
1.2 | Given a scenario, analyze indicators of potentially malicious activity<br>- 1.2.1 - Network-related<br>- 1.2.1.1 - Bandwidth consumption<br>- 1.2.1.2 - Beaconing<br>- 1.2.1.3 - Irregular peer-to-peer communication<br>- 1.2.1.4 - Rogue devices on the network<br>- 1.2.1.5 - Scans/sweep<br>- 1.2.1.6 - Unusual traffic spikes<br>- 1.2.1.7 - Activity on unexpected ports<br>- 1.2.2 - Host-related<br>- 1.2.2.1 - Processor consumption<br>- 1.2.2.2 - Memory consumption<br>- 1.2.2.3 - Drive capacity consumption<br>- 1.2.2.4 - Unauthorized software<br>- 1.2.2.5 - Malicious processes<br>- 1.2.2.6 - Unauthorized changes<br>- 1.2.2.7 - Unauthorized privileges<br>- 1.2.2.8 - Data exfiltration<br>- 1.2.2.9 - Abnormal OS process behavior<br>- 1.2.2.10 - File system changes or anomalies<br>- 1.2.2.11 - Registry changes or anomalies<br>- 1.2.2.12 - Unauthorized scheduled tasks<br>- 1.2.3 - Application-related<br>- 1.2.3.1 - Anomalous activity<br>- 1.2.3.2 - Introduction of new accounts<br>- 1.2.3.3 - Unexpected output<br>- 1.2.3.4 - Unexpected outbound communication<br>- 1.2.3.5 - Service interruption<br>- 1.2.3.6 - Application logs<br>- 1.2.4 - Other<br>- 1.2.4.1 - Social engineering attacks<br>- 1.2.4.2 - Obfuscated links | 3.2, 3.3, 3.4<br>4.1, 4.4, 4.5<br>5.1, 5.2<br>6.1, 6.2, 6.3, 6.5, 6.6, 6.7, 6.9<br>7.1, 7.2, 7.3, 7.4, 7.5<br>8.1, 8.2, 8.3<br>9.2 |
1.3 | Given a scenario, use appropriate tools or techniques to determine malicious activity<br>- 1.3.1 - Tools<br>- 1.3.1.1 - Packet capture<br>- 1.3.1.1.1 - Wireshark<br>- 1.3.1.1.2 - tcpdump<br>- 1.3.1.2 - Log analysis/correlation<br>- 1.3.1.2.1 - Security information and event management (SIEM)<br>- 1.3.1.2.2 - Security orchestration, automation, and response (SOAR)<br>- 1.3.1.3 - Endpoint security<br>- 1.3.1.3.1 - Endpoint detection and response (EDR)<br>- 1.3.1.4 - Domain name service (DNS) and Internet Protocol (IP) reputation<br>- 1.3.1.4.1 - WHOIS<br>- 1.3.1.4.2 - AbuseIPDB<br>- 1.3.1.5 - File analysis<br>- 1.3.1.5.1 - Strings<br>- 1.3.1.5.2 - VirusTotal<br>- 1.3.1.6 - Sandboxing<br>- 1.3.1.6.1 - Joe Sandbox<br>- 1.3.1.6.2 - Cuckoo Sandbox<br>- 1.3.2 - Common techniques<br>- 1.3.2.1 - Pattern recognition<br>- 1.3.2.1.1 - Command and control<br>- 1.3.2.2 - Interpreting suspicious commands<br>- 1.3.2.3 - Email analysis<br>- 1.3.2.3.1 - Header<br>- 1.3.2.3.2 - Impersonation<br>- 1.3.2.3.3 - DomainKeys Identified Mail (DKIM)<br>- 1.3.2.3.4 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)<br>- 1.3.2.3.5 - Sender Policy Framework (SPF)<br>- 1.3.2.3.6 - Embedded links<br>- 1.3.2.4 - File analysis<br>- 1.3.2.4.1 - Hashing<br>- 1.3.2.5 - User behavior analysis<br>- 1.3.2.5.1 - Abnormal account activity<br>- 1.3.2.5.2 - Impossible travel<br>- 1.3.3 - Programming languages/scripting<br>- 1.3.3.1 - JavaScript Object Notation (JSON)<br>- 1.3.3.2 - Extensible Markup Language (XML)<br>- 1.3.3.3 - Python<br>- 1.3.3.4 - PowerShell<br>- 1.3.3.5 - Shell script<br>- 1.3.3.6 - Regular expressions | 4.4, 4.5<br>5.1<br>6.3, 6.5, 6.6, 6.8, 6.9<br>7.1, 7.2, 7.3, 7.6<br>8.1, 8.2, 8.3<br>9.2, 9.3 |
1.4 | Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.1 - Threat actors<br>- 1.4.1.1 - Advanced persistent threat (APT)<br>- 1.4.1.2 - Hacktivists<br>- 1.4.1.3 - Organized crime<br>- 1.4.1.4 - Nation-state<br>- 1.4.1.5 - Script kiddie<br>- 1.4.1.6 - Insider threat<br>- 1.4.1.6.1 - Intentional<br>- 1.4.1.6.2 - Unintentional<br>- 1.4.1.7 - Supply chain<br>- 1.4.2 - Tactics, techniques, and procedures (TTP)<br>- 1.4.3 - Confidence levels<br>- 1.4.3.1 - Timeliness<br>- 1.4.3.2 - Relevancy<br>- 1.4.3.3 - Accuracy<br>- 1.4.4 - Collection methods and sources<br>- 1.4.4.1 - Open source<br>- 1.4.4.1.1 - Social media<br>- 1.4.4.1.2 - Blogs/forums<br>- 1.4.4.1.3 - Government bulletins<br>- 1.4.4.1.4 - Computer emergency response team (CERT)<br>- 1.4.4.1.5 - Cybersecurity incident response team (CSIRT)<br>- 1.4.4.1.6 - Deep/dark web<br>- 1.4.4.2 - Closed source<br>- 1.4.4.2.1 - Paid feeds<br>- 1.4.4.2.2 - Information sharing organizations<br>- 1.4.4.2.3 - Internal sources<br>- 1.4.5 - Threat intelligence sharing<br>- 1.4.5.1 - Incident response<br>- 1.4.5.2 - Vulnerability management<br>- 1.4.5.3 - Risk management<br>- 1.4.5.4 - Security engineering<br>- 1.4.5.5 - Detection and monitoring<br>- 1.4.6 - Threat hunting<br>- 1.4.6.1 - Indicators of compromise (IoC)<br>- 1.4.6.1.1 - Collection<br>- 1.4.6.1.2 - Analysis<br>- 1.4.6.1.3 - Application<br>- 1.4.6.2 - Focus areas<br>- 1.4.6.2.1 - Configurations/misconfigurations<br>- 1.4.6.2.2 - Isolated networks<br>- 1.4.6.2.3 - Business-critical assets and processes<br>- 1.4.6.3 - Active defense<br>- 1.4.6.4 - Honeypot | 2.2, 2.4, 2.6<br>3.1, 3.2, 3.3, 3.4<br>4.2, 4.4<br>5.2, 5.5, 5.6<br>6.1, 6.6<br>7.3<br>9.1, 9.2 |
1.5 | Explain the importance of efficiency and process improvement in security operations<br>- 1.5.1 - Standardize processes<br>- 1.5.1.1 - Identification of tasks suitable for automation<br>- 1.5.1.1.1 - Repeatable/do not require human interaction<br>- 1.5.1.2 - Team coordination to manage and facilitate automation<br>- 1.5.2 - Streamline operations<br>- 1.5.2.1 - Automation and orchestration<br>- 1.5.2.1.1 - Security orchestration, automation, and response (SOAR)<br>- 1.5.2.2 - Orchestrating threat intelligence data<br>- 1.5.2.2.1 - Data enrichment<br>- 1.5.2.2.2 - Threat feed combination<br>- 1.5.2.3 - Minimize human engagement<br>- 1.5.3 - Technology and tool integration<br>- 1.5.3.1 - Application programming interface (API)<br>- 1.5.3.2 - Webhooks<br>- 1.5.3.3 - Plugins<br>- 1.5.4 - Single pane of glass | 3.3<br>8.2 |
2.0 | Vulnerability Management | |
2.1 | Given a scenario, implement vulnerability scanning methods and concepts<br>- 2.1.1 - Asset discovery<br>- 2.1.1.1 - Map scans<br>- 2.1.1.2 - Device fingerprinting<br>- 2.1.2 - Special considerations<br>- 2.1.2.1 - Scheduling<br>- 2.1.2.2 - Operations<br>- 2.1.2.3 - Performance<br>- 2.1.2.4 - Sensitivity levels<br>- 2.1.2.5 - Segmentation<br>- 2.1.2.6 - Regulatory requirements<br>- 2.1.3 - Internal vs. external scanning<br>- 2.1.4 - Agent vs. agentless<br>- 2.1.5 - Credentialed vs. non-credentialed<br>- 2.1.6 - Passive vs. active<br>- 2.1.7 - Static vs. dynamic<br>- 2.1.7.1 - Reverse engineering<br>- 2.1.7.2 - Fuzzing<br>- 2.1.8 - Critical infrastructure<br>- 2.1.8.1 - Operational technology (OT)<br>- 2.1.8.2 - Industrial control systems (ICS)<br>- 2.1.8.3 - Supervisory control and data acquisition (SCADA)<br>- 2.1.9 - Security baseline scanning<br>- 2.1.10 - Industry frameworks<br>- 2.1.10.1 - Payment Card Industry Data Security Standard (PCI DSS)<br>- 2.1.10.2 - Center for Internet Security (CIS) benchmarks<br>- 2.1.10.3 - Open Web Application Security Project (OWASP)<br>- 2.1.10.4 - International Organization for Standardization (ISO) 27000 series | 2.1, 2.3<br>3.2, 3.4<br>4.1, 4.4<br>5.1, 5.2, 5.3, 5.4, 5.6<br>6.1, 6.7, 6.10<br>7.3, 7.6<br>9.3 |
2.2 | Given a scenario, analyze output from vulnerability assessment tools<br>- 2.2.1 - Tools<br>- 2.2.1.1 - Network scanning and mapping<br>- 2.2.1.1.1 - Angry IP Scanner<br>- 2.2.1.1.2 - Maltego<br>- 2.2.1.2 - Web application scanners<br>- 2.2.1.2.1 - Burp Suite<br>- 2.2.1.2.2 - Zed Attack Proxy (ZAP)<br>- 2.2.1.2.3 - Arachni<br>- 2.2.1.2.4 - Nikto<br>- 2.2.1.3 - Vulnerability scanners<br>- 2.2.1.3.1 - Nessus<br>- 2.2.1.3.2 - OpenVAS<br>- 2.2.1.4 - Debuggers<br>- 2.2.1.4.1 - Immunity debugger<br>- 2.2.1.4.2 - GNU debugger (GDB)<br>- 2.2.1.5 - Multipurpose<br>- 2.2.1.5.1 - Nmap<br>- 2.2.1.5.2 - Metasploit framework (MSF)<br>- 2.2.1.5.3 - Recon-ng<br>- 2.2.1.6 - Cloud infrastructure assessment tools<br>- 2.2.1.6.1 - Scout Suite<br>- 2.2.1.6.2 - Prowler<br>- 2.2.1.6.3 - Pacu | 3.4<br>4.1<br>5.1, 5.2, 5.3, 5.4, 5.5<br>6.1, 6.3, 6.4, 6.5, 6.6, 6.7, 6.9<br>7.4, 7.5<br>8.1 |
2.3 | Given a scenario, analyze data to prioritize vulnerabilities<br>- 2.3.1 - Common Vulnerability Scoring System (CVSS) interpretation<br>- 2.3.1.1 - Attack vectors<br>- 2.3.1.2 - Attack complexity<br>- 2.3.1.3 - Privileges required<br>- 2.3.1.4 - User interaction<br>- 2.3.1.5 - Scope<br>- 2.3.1.6 - Impact<br>- 2.3.1.6.1 - Confidentiality<br>- 2.3.1.6.2 - Integrity<br>- 2.3.1.6.3 - Availability<br>- 2.3.2 - Validation<br>- 2.3.2.1 - True/false positives<br>- 2.3.2.2 - True/false negatives<br>- 2.3.3 - Context awareness<br>- 2.3.3.1 - Internal<br>- 2.3.3.2 - External<br>- 2.3.3.3 - Isolated<br>- 2.3.4 - Exploitability/weaponization<br>- 2.3.5 - Asset value<br>- 2.3.6 - Zero-day | 3.4<br>4.4<br>5.2, 5.4, 5.5, 5.6 |
2.4 | Given a scenario, recommend controls to mitigate attacks and software vulnerabilities<br>- 2.4.1 - Cross-site scripting<br>- 2.4.1.1 - Reflected<br>- 2.4.1.2 - Persistent<br>- 2.4.2 - Overflow vulnerabilities<br>- 2.4.2.1 - Buffer<br>- 2.4.2.2 - Integer<br>- 2.4.2.3 - Heap<br>- 2.4.2.4 - Stack<br>- 2.4.3 - Data poisoning<br>- 2.4.4 - Broken access control<br>- 2.4.5 - Cryptographic failures<br>- 2.4.6 - Injection flaws<br>- 2.4.7 - Cross-site request forgery<br>- 2.4.8 - Directory traversal<br>- 2.4.9 - Insecure design<br>- 2.4.10 - Security misconfiguration<br>- 2.4.11 - End-of-life or outdated components<br>- 2.4.12 - Identification and authentication failures<br>- 2.4.13 - Server-side request forgery<br>- 2.4.14 - Remote code execution<br>- 2.4.15 - Privilege escalation<br>- 2.4.16 - Local file inclusion (LFI)/remote file inclusion (RFI) | 5.1, 5.3, 5.4<br>6.3, 6.4, 6.6, 6.9<br>7.2, 7.3, 7.7<br>9.1 |
2.5 | Explain concepts related to vulnerability response, handling, and management<br>- 2.5.1 - Compensating control<br>- 2.5.2 - Control types<br>- 2.5.2.1 - Managerial<br>- 2.5.2.2 - Operational<br>- 2.5.2.3 - Technical<br>- 2.5.2.4 - Preventative<br>- 2.5.2.5 - Detective<br>- 2.5.2.6 - Responsive<br>- 2.5.2.7 - Corrective<br>- 2.5.3 - Patching and configuration management<br>- 2.5.3.1 - Testing<br>- 2.5.3.2 - Implementation<br>- 2.5.3.3 - Rollback<br>- 2.5.3.4 - Validation<br>- 2.5.4 - Maintenance windows<br>- 2.5.5 - Exceptions<br>- 2.5.6 - Risk management principles<br>- 2.5.6.1 - Accept<br>- 2.5.6.2 - Transfer<br>- 2.5.6.3 - Avoid<br>- 2.5.6.4 - Mitigate<br>- 2.5.7 - Policies, governance, and service-level objectives (SLOs)<br>- 2.5.8 - Prioritization and escalation<br>- 2.5.9 - Attack surface management<br>- 2.5.9.1 - Edge discovery<br>- 2.5.9.2 - Passive discovery<br>- 2.5.9.3 - Security controls testing<br>- 2.5.9.4 - Penetration testing and adversary emulation<br>- 2.5.9.5 - Bug bounty<br>- 2.5.9.6 - Attack surface reduction<br>- 2.5.10 - Secure coding best practices<br>- 2.5.10.1 - Input validation<br>- 2.5.10.2 - Output encoding<br>- 2.5.10.3 - Session management<br>- 2.5.10.4 - Authentication<br>- 2.5.10.5 - Data protection<br>- 2.5.10.6 - Parameterized queries<br>- 2.5.11 - Secure software development life cycle (SDLC)<br>- 2.5.12 - Threat modeling | 2.1, 2.2, 2.3, 2.4, 2.5<br>3.3, 3.4<br>5.2, 5.3, 5.4, 5.6<br>6.3, 6.6, 6.7<br>7.1, 7.3, 7.6<br>9.2 |
3.0 | Incident Response and Management | |
3.1 | Explain concepts related to attack methodology frameworks<br>- 3.1.1 - Cyber kill chain<br>- 3.1.1.1 - Reconnaissance<br>- 3.1.1.2 - Weaponization<br>- 3.1.1.3 - Delivery<br>- 3.1.1.4 - Exploitation<br>- 3.1.1.5 - Installation<br>- 3.1.1.6 - Command and Control (C2)<br>- 3.1.1.7 - Actions and objectives<br>- 3.1.2 - Diamond Model of Intrusion Analysis<br>- 3.1.2.1 - Adversary<br>- 3.1.2.2 - Victim<br>- 3.1.2.3 - Infrastructure<br>- 3.1.2.4 - Capability<br>- 3.1.3 - MITRE ATT&CK<br>- 3.1.4 - Open Source Security Testing Methodology Manual (OSS TMM)<br>- 3.1.5 - OWASP Testing Guide | 2.6<br>3.3 |
3.2 | Given a scenario, perform incident response activities<br>- 3.2.1 - Detection and analysis<br>- 3.2.1.1 - IoC<br>- 3.2.1.2 - Evidence acquisitions<br>- 3.2.1.2.1 - Chain of custody<br>- 3.2.1.2.2 - Validating data integrity<br>- 3.2.1.2.3 - Preservation<br>- 3.2.1.2.4 - Legal hold<br>- 3.2.1.3 - Data and log analysis<br>- 3.2.2 - Containment, eradication, and recovery<br>- 3.2.2.1 - Scope<br>- 3.2.2.2 - Impact<br>- 3.2.2.3 - Isolation<br>- 3.2.2.4 - Remediation<br>- 3.2.2.5 - Re-imaging<br>- 3.2.2.6 - Compensating controls | 3.3, 3.4<br>4.5<br>5.1, 5.2<br>6.1<br>7.1, 7.2<br>8.2<br>9.1, 9.2, 9.3 |
3.3 | Explain the preparation and post-incident activity phases of the incident management life cycle<br>- 3.3.1 - Preparation<br>- 3.3.1.1 - Incident response plan<br>- 3.3.1.2 - Tools<br>- 3.3.1.3 - Playbooks<br>- 3.3.1.4 - Tabletop<br>- 3.3.1.5 - Training<br>- 3.3.1.6 - Business continuity (BC)/disaster recovery (DR)<br>- 3.3.2 - Post-incident activity<br>- 3.3.2.1 - Forensic analysis<br>- 3.3.2.2 - Root cause analysis<br>- 3.3.2.3 - Lessons learned | 3.3<br>7.1<br>9.1, 9.2, 9.3 |
4.0 | Reporting and Communication | |
4.1 | Explain the importance of vulnerability management reporting and communication<br>- 4.1.1 - Vulnerability management reporting<br>- 4.1.1.1 - Vulnerabilities<br>- 4.1.1.2 - Affected hosts<br>- 4.1.1.3 - Risk score<br>- 4.1.1.4 - Mitigation<br>- 4.1.1.5 - Recurrence<br>- 4.1.1.6 - Prioritization<br>- 4.1.2 - Compliance reports<br>- 4.1.3 - Action plans<br>- 4.1.3.1 - Configuration management<br>- 4.1.3.2 - Patching<br>- 4.1.3.3 - Compensating controls<br>- 4.1.3.4 - Awareness, education, and training<br>- 4.1.3.5 - Changing business requirements<br>- 4.1.4 - Inhibitors to remediation<br>- 4.1.4.1 - Memorandum of understanding (MOU)<br>- 4.1.4.2 - Service-level agreement (SLA)<br>- 4.1.4.3 - Organizational governance<br>- 4.1.4.4 - Business process interruption<br>- 4.1.4.5 - Degrading functionality<br>- 4.1.4.6 - Legacy systems<br>- 4.1.4.7 - Proprietary systems<br>- 4.1.5 - Metrics and key performance indicators (KPIs)<br>- 4.1.5.1 - Trends<br>- 4.1.5.2 - Top 10<br>- 4.1.5.3 - Critical vulnerabilities and zero-days<br>- 4.1.5.4 - SLOs<br>- 4.1.6 - Stakeholder identification and communication | 2.1, 2.5<br>4.4<br>5.4, 5.5, 5.6<br>6.1<br>7.3<br>9.2 |
4.2 | Explain the importance of incident response reporting and communication<br>- 4.2.1 - Stakeholder identification and communication<br>- 4.2.2 - Incident declaration and escalation<br>- 4.2.3 - Incident response reporting<br>- 4.2.3.1 - Executive summary<br>- 4.2.3.2 - Who, what, when, where, and why<br>- 4.2.3.3 - Recommendations<br>- 4.2.3.4 - Timeline<br>- 4.2.3.5 - Impact<br>- 4.2.3.6 - Scope<br>- 4.2.3.7 - Evidence<br>- 4.2.4 - Communications<br>- 4.2.4.1 - Legal<br>- 4.2.4.2 - Public relations<br>- 4.2.4.2.1 - Customer communication<br>- 4.2.4.2.2 - Media<br>- 4.2.4.3 - Regulatory reporting<br>- 4.2.4.4 - Law enforcement<br>- 4.2.5 - Root cause analysis<br>- 4.2.6 - Lessons learned<br>- 4.2.7 - Metrics and KPIs<br>- 4.2.7.1 - Mean time to detect<br>- 4.2.7.2 - Mean time to respond<br>- 4.2.7.3 - Mean time to remediate<br>- 4.2.7.4 - Alert volume | 9.2, 9.3 |
The following table maps each CyberDefense Pro course section to the CompTIA Cybersecurity Analyst (CySA+) CSO-003 exam objectives it covers:
Section | Title | Objectives |
---|---|---|
1.0 | Introduction | |
1.1 | Introduction to TestOut CyberDefense Pro | |
2.0 | Vulnerability Response, Handling, and Management | |
2.1 | Regulations and Standards | 2.1 Given a scenario, implement vulnerability scanning methods and concepts<br>- 2.1.10 - Industry frameworks<br>- 2.1.10.1 - Payment Card Industry Data Security Standard (PCI DSS)<br>- 2.1.10.2 - Center for Internet Security (CIS) benchmarks<br>- 2.1.10.3 - Open Web Application Security Project (OWASP)<br>- 2.1.10.4 - International Organization for Standardization (ISO) 27000 series<br>2.5 Explain concepts related to vulnerability response, handling, and management<br>- 2.5.6 - Risk management principles<br>- 2.5.6.3 - Avoid<br>- 2.5.6.4 - Mitigate<br>- 2.5.7 - Policies, governance, and service-level objectives (SLOs)<br>4.1 Explain the importance of vulnerability management reporting and communication<br>- 4.1.5 - Metrics and key performance indicators (KPIs) |
2.2 | Risk Management | 1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.5 - Threat intelligence sharing<br>- 1.4.5.3 - Risk management<br>2.5 Explain concepts related to vulnerability response, handling, and management<br>- 2.5.6 - Risk management principles<br>- 2.5.6.1 - Accept<br>- 2.5.6.2 - Transfer<br>- 2.5.6.3 - Avoid<br>- 2.5.6.4 - Mitigate<br>- 2.5.12 - Threat modeling |
2.3 | Security Controls | 2.1 Given a scenario, implement vulnerability scanning methods and concepts<br>- 2.1.10 - Industry frameworks<br>2.5 Explain concepts related to vulnerability response, handling, and management<br>- 2.5.1 - Compensating control<br>- 2.5.2 - Control types<br>- 2.5.2.1 - Managerial<br>- 2.5.2.2 - Operational<br>- 2.5.2.3 - Technical<br>- 2.5.2.4 - Preventative<br>- 2.5.2.5 - Detective<br>- 2.5.2.6 - Responsive<br>- 2.5.2.7 - Corrective<br>- 2.5.8 - Prioritization and escalation<br>- 2.5.9 - Attack surface management<br>- 2.5.9.3 - Security controls testing |
2.4 | Attack Surfaces | 1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.6 - Threat hunting<br>2.5 Explain concepts related to vulnerability response, handling, and management<br>- 2.5.9 - Attack surface management<br>- 2.5.9.1 - Edge discovery<br>- 2.5.9.2 - Passive discovery<br>- 2.5.9.3 - Security controls testing<br>- 2.5.9.4 - Penetration testing and adversary emulation<br>- 2.5.9.5 - Bug bounty<br>- 2.5.9.6 - Attack surface reduction |
2.5 | Patch Management | 2.5 Explain concepts related to vulnerability response, handling, and management<br>- 2.5.3 - Patching and configuration management<br>- 2.5.3.1 - Testing<br>- 2.5.3.2 - Implementation<br>- 2.5.3.3 - Rollback<br>- 2.5.4 - Maintenance windows<br>4.1 Explain the importance of vulnerability management reporting and communication<br>- 4.1.3 - Action plans |
2.6 | Security Testing | 1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.1 - Threat actors<br>3.1 Explain concepts related to attack methodology frameworks<br>- 3.1.1 - Cyber kill chain<br>- 3.1.1.1 - Reconnaissance<br>- 3.1.1.2 - Weaponization<br>- 3.1.1.3 - Delivery<br>- 3.1.1.4 - Exploitation<br>- 3.1.1.5 - Installation<br>- 3.1.1.6 - Command and Control (C2)<br>- 3.1.1.7 - Actions and objectives<br>- 3.1.2 - Diamond Model of Intrusion Analysis<br>- 3.1.2.1 - Adversary<br>- 3.1.2.2 - Victim<br>- 3.1.2.3 - Infrastructure<br>- 3.1.2.4 - Capability<br>- 3.1.3 - MITRE ATT&CK<br>- 3.1.4 - Open Source Security Testing Methodology Manual (OSS TMM) |
3.0 | Threat Intelligence and Threat Hunting | |
3.1 | Threat Actors | 1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.1 - Threat actors<br>- 1.4.1.1 - Advanced persistent threat (APT)<br>- 1.4.1.2 - Hacktivists<br>- 1.4.1.3 - Organized crime<br>- 1.4.1.4 - Nation-state<br>- 1.4.1.5 - Script kiddie<br>- 1.4.1.6 - Insider threat<br>- 1.4.1.6.1 - Intentional<br>- 1.4.1.6.2 - Unintentional<br>- 1.4.1.7 - Supply chain |
3.2 | Threat Intelligence | 1.2 Given a scenario, analyze indicators of potentially malicious activity<br>- 1.2.1 - Network-related<br>1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.3 - Confidence levels<br>- 1.4.3.1 - Timeliness<br>- 1.4.3.2 - Relevancy<br>- 1.4.3.3 - Accuracy<br>- 1.4.4 - Collection methods and sources<br>- 1.4.4.1 - Open source<br>- 1.4.4.1.2 - Blogs/forums<br>- 1.4.4.1.3 - Government bulletins<br>- 1.4.4.1.4 - Computer emergency response team (CERT)<br>- 1.4.4.1.5 - Cybersecurity incident response team (CSIRT)<br>- 1.4.4.1.6 - Deep/dark web<br>- 1.4.4.2 - Closed source<br>- 1.4.4.2.1 - Paid feeds<br>- 1.4.4.2.2 - Information sharing organizations<br>- 1.4.4.2.3 - Internal sources<br>- 1.4.5 - Threat intelligence sharing<br>- 1.4.5.1 - Incident response<br>- 1.4.5.2 - Vulnerability management<br>- 1.4.5.3 - Risk management<br>- 1.4.5.4 - Security engineering<br>- 1.4.5.5 - Detection and monitoring<br>2.1 Given a scenario, implement vulnerability scanning methods and concepts<br>- 2.1.6 - Passive vs. active<br>- 2.1.8 - Critical infrastructure |
3.3 | Threat Hunting | 1.2 Given a scenario, analyze indicators of potentially malicious activity<br>- 1.2.1 - Network-related<br>- 1.2.1.1 - Bandwidth consumption<br>- 1.2.1.3 - Irregular peer-to-peer communication<br>- 1.2.1.7 - Activity on unexpected ports<br>- 1.2.2 - Host-related<br>- 1.2.2.1 - Processor consumption<br>- 1.2.2.2 - Memory consumption<br>- 1.2.2.3 - Drive capacity consumption<br>- 1.2.2.7 - Unauthorized privileges<br>- 1.2.2.10 - File system changes or anomalies<br>- 1.2.2.11 - Registry changes or anomalies<br>- 1.2.3 - Application-related<br>- 1.2.3.1 - Anomalous activity<br>1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.1 - Threat actors<br>- 1.4.1.1 - Advanced persistent threat (APT)<br>- 1.4.2 - Tactics, techniques, and procedures (TTP)<br>- 1.4.5 - Threat intelligence sharing<br>- 1.4.5.5 - Detection and monitoring<br>- 1.4.6 - Threat hunting<br>- 1.4.6.1 - Indicators of compromise (IoC)<br>- 1.4.6.1.1 - Collection<br>- 1.4.6.1.2 - Analysis<br>- 1.4.6.1.3 - Application<br>- 1.4.6.2 - Focus areas<br>- 1.4.6.2.1 - Configurations/misconfigurations<br>- 1.4.6.2.2 - Isolated networks<br>- 1.4.6.2.3 - Business-critical assets and processes<br>1.5 Explain the importance of efficiency and process improvement in security operations<br>- 1.5.2 - Streamline operations<br>- 1.5.2.2 - Orchestrating threat intelligence data<br>2.5 Explain concepts related to vulnerability response, handling, and management<br>- 2.5.9 - Attack surface management<br>- 2.5.9.6 - Attack surface reduction<br>- 2.5.12 - Threat modeling<br>3.1 Explain concepts related to attack methodology frameworks<br>- 3.1.3 - MITRE ATT&CK<br>3.2 Given a scenario, perform incident response activities<br>- 3.2.1 - Detection and analysis<br>- 3.2.1.1 - IoC<br>- 3.2.1.3 - Data and log analysis<br>3.3 Explain the preparation and post-incident activity phases of the incident management life cycle<br>- 3.3.2 - Post-incident activity<br>- 3.3.2.1 - Forensic analysis |
3.4 | Honeypots | 1.2 Given a scenario, analyze indicators of potentially malicious activity<br>- 1.2.1 - Network-related<br>- 1.2.2 - Host-related<br>- 1.2.2.5 - Malicious processes<br>- 1.2.3 - Application-related<br>- 1.2.3.4 - Unexpected outbound communication<br>1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.1 - Threat actors<br>- 1.4.6 - Threat hunting<br>- 1.4.6.3 - Active defense<br>- 1.4.6.4 - Honeypot<br>2.1 Given a scenario, implement vulnerability scanning methods and concepts<br>- 2.1.3 - Internal vs. external scanning<br>- 2.1.9 - Security baseline scanning<br>2.2 Given a scenario, analyze output from vulnerability assessment tools<br>- 2.2.1 - Tools<br>- 2.2.1.1 - Network scanning and mapping<br>2.3 Given a scenario, analyze data to prioritize vulnerabilities<br>- 2.3.1 - Common Vulnerability Scoring System (CVSS) interpretation<br>2.5 Explain concepts related to vulnerability response, handling, and management<br>- 2.5.9 - Attack surface management<br>- 2.5.9.4 - Penetration testing and adversary emulation<br>3.2 Given a scenario, perform incident response activities<br>- 3.2.1 - Detection and analysis<br>- 3.2.1.3 - Data and log analysis |
4.0 | System and Network Architecture | |
4.1 | Operating System Concepts | 1.1 Explain the importance of system and network architecture concepts in security operations<br>- 1.1.2 - Operating system (OS) concepts<br>- 1.1.2.1 - Windows Registry<br>- 1.1.2.2 - System hardening<br>- 1.1.2.3 - File structure<br>- 1.1.2.3.1 - Configuration file locations<br>- 1.1.2.4 - System processes<br>- 1.1.2.5 - Hardware architecture<br>1.2 Given a scenario, analyze indicators of potentially malicious activity<br>- 1.2.1 - Network-related<br>2.1 Given a scenario, implement vulnerability scanning methods and concepts<br>- 2.1.10 - Industry frameworks<br>- 2.1.10.2 - Center for Internet Security (CIS) benchmarks<br>2.2 Given a scenario, analyze output from vulnerability assessment tools<br>- 2.2.1 - Tools |
4.2 | Network Architecture | 1.1 Explain the importance of system and network architecture concepts in security operations<br>- 1.1.3 - Infrastructure concepts<br>- 1.1.3.1 - Serverless<br>- 1.1.3.2 - Virtualization<br>- 1.1.3.3 - Containerization<br>- 1.1.4 - Network architecture<br>- 1.1.4.1 - On-premises<br>- 1.1.4.2 - Cloud<br>- 1.1.4.3 - Hybrid<br>- 1.1.4.5 - Zero trust<br>- 1.1.4.6 - Secure access secure edge (SASE)<br>- 1.1.4.7 - Software-defined networking (SDN)<br>1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.6 - Threat hunting |
4.3 | Identity and Access Management (IAM) | 1.1 Explain the importance of system and network architecture concepts in security operations<br>- 1.1.5 - Identity and access management<br>- 1.1.5.1 - Multifactor authentication (MFA)<br>- 1.1.5.2 - Single sign-on (SSO)<br>- 1.1.5.3 - Federation<br>- 1.1.5.4 - Privileged access management (PAM)<br>- 1.1.5.5 - Passwordless<br>- 1.1.5.6 - Cloud access security broker (CASB) |
4.4 | Data Protection | 1.1 Explain the importance of system and network architecture concepts in security operations<br>- 1.1.6 - Encryption<br>- 1.1.6.1 - Public key infrastructure (PKI)<br>- 1.1.6.2 - Secure sockets layer (SSL) inspection<br>- 1.1.7 - Sensitive data protection<br>- 1.1.7.1 - Data loss prevention (DLP)<br>- 1.1.7.2 - Personally identifiable information (PII)<br>- 1.1.7.3 - Cardholder data (CHD)<br>1.2 Given a scenario, analyze indicators of potentially malicious activity<br>- 1.2.2 - Host-related<br>- 1.2.2.2 - Memory consumption<br>- 1.2.2.8 - Data exfiltration<br>- 1.2.2.10 - File system changes or anomalies<br>1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity<br>- 1.3.1 - Tools<br>- 1.3.2 - Common techniques<br>- 1.3.2.5 - User behavior analysis<br>1.4 Compare and contrast threat-intelligence and threat-hunting concepts<br>- 1.4.5 - Threat intelligence sharing<br>- 1.4.5.2 - Vulnerability management<br>- 1.4.5.5 - Detection and monitoring<br>2.1 Given a scenario, implement vulnerability scanning methods and concepts<br>- 2.1.1 - Asset discovery<br>2.3 Given a scenario, analyze data to prioritize vulnerabilities<br>- 2.3.1 - Common Vulnerability Scoring System (CVSS) interpretation<br>- 2.3.1.6 - Impact<br>- 2.3.1.6.1 - Confidentiality<br>- 2.3.1.6.2 - Integrity<br>- 2.3.1.6.3 - Availability<br>4.1 Explain the importance of vulnerability management reporting and communication<br>- 4.1.5 - Metrics and key performance indicators (KPIs) |
4.5 | Logging | 1.1 Explain the importance of system and network architecture concepts in security operations<br>- 1.1.1 - Log ingestion<br>- 1.1.1.1 - Time synchronization<br>- 1.1.1.2 - Logging levels<br>1.2 Given a scenario, analyze indicators of potentially malicious activity<br>- 1.2.3 - Application-related<br>- 1.2.3.6 - Application logs<br>1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity<br>- 1.3.1 - Tools<br>- 1.3.1.2 - Log analysis/correlation<br>3.2 Given a scenario, perform incident response activities<br>- 3.2.1 - Detection and analysis<br>- 3.2.1.3 - Data and log analysis |
5.0 | Vulnerability Assessments | |
5.1 | Reconnaissance | 1.1 Explain the importance of system and network architecture concepts in security operations<br>- 1.1.2 - Operating system (OS) concepts<br>- 1.1.2.2 - System hardening<br>1.2 Given a scenario, analyze indicators of potentially malicious activity<br>- 1.2.1 - Network-related<br>- 1.2.1.1 - Bandwidth consumption<br>- 1.2.1.4 - Rogue devices on the network<br>- 1.2.1.5 - Scans/sweep<br>- 1.2.1.6 - Unusual traffic spikes<br>1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity<br>- 1.3.1 - Tools<br>- 1.3.1.1.1 - Wireshark<br>- 1.3.1.4 - Domain name service (DNS) and Internet Protocol (IP) reputation<br>- 1.3.1.4.1 - WHOIS<br>- 1.3.3 - Programming languages/scripting<br>2.1 Given a scenario, implement vulnerability scanning methods and concepts<br>- 2.1.1 - Asset discovery<br>- 2.1.1.2 - Device fingerprinting<br>- 2.1.3 - Internal vs. external scanning<br>- 2.1.6 - Passive vs. active<br>- 2.1.10 - Industry frameworks<br>- 2.1.10.3 - Open Web Application Security Project (OWASP)<br>2.2 Given a scenario, analyze output from vulnerability assessment tools<br>- 2.2.1 - Tools<br>- 2.2.1.1 - Network scanning and mapping<br>- 2.2.1.1.2 - Maltego<br>- 2.2.1.2 - Web application scanners<br>- 2.2.1.2.2 - Zed Attack Proxy (ZAP)<br>- 2.2.1.5 - Multipurpose<br>- 2.2.1.5.1 - Nmap<br>- 2.2.1.5.2 - Metasploit framework (MSF)<br>- 2.2.1.5.3 - Recon-ng<br>2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities<br>- 2.4.2 - Overflow vulnerabilities<br>3.2 Given a scenario, perform incident response activities<br>- 3.2.1 - Detection and analysis<br>- 3.2.1.3 - Data and log analysis |
5.2 | Scanning | 1.1 Explain the importance of system and network architecture concepts in security operations 1.1.4 - Network architecture 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related - 1.2.1.1 - Bandwidth consumption
- 1.2.1.4 - Rogue devices on the network
- 1.2.1.5 - Scans/sweep
- 1.2.1.7 - Activity on unexpected ports
1.2.3 - Application-related - 1.2.3.1 - Anomalous activity
1.4 Compare and contrast threat-intelligence and threat-hunting concepts 1.4.2 - Tactics, techniques, and procedures (TTP) 1.4.6 - Threat hunting - 1.4.6.2.1 - Configurations/ misconfigurations
- 1.4.6.3 - Active defense
2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.1 - Asset discovery - 2.1.1.1 - Map scans
- 2.1.1.2 - Device fingerprinting
2.1.2 - Special considerations - 2.1.2.1 - Scheduling
- 2.1.2.2 - Operations
- 2.1.2.3 - Performance
- 2.1.2.4 - Sensitivity levels
- 2.1.2.5 - Segmentation
- 2.1.2.6 - Regulatory requirements
2.1.3 - Internal vs. external scanning
2.1.4 - Agent vs. agentless
2.1.5 - Credentialed vs. non-credentialed
2.1.6 - Passive vs. active
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
- 2.2.1.1.1 - Angry IP Scanner
- 2.2.1.1.2 - Maltego
- 2.2.1.3 - Vulnerability scanners
- 2.2.1.3.1 - Nessus
- 2.2.1.3.2 - OpenVAS
- 2.2.1.5.1 - Nmap
- 2.2.1.5.2 - Metasploit framework (MSF)
- 2.2.1.5.3 - Recon-ng
2.3 Given a scenario, analyze data to prioritize vulnerabilities 2.3.1 - Common Vulnerability Scoring System (CVSS) interpretation 2.3.2 - Validation - 2.3.2.1 - True/false positives
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.9 - Attack surface management - 2.5.9.4 - Penetration testing and adversary emulation
3.2 Given a scenario, perform incident response activities 3.2.2 - Containment, eradication, and recovery |
5.3 | Enumeration | 2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.1 - Asset discovery - 2.1.1.1 - Map scans
- 2.1.1.2 - Device fingerprinting
2.1.2 - Special considerations - 2.1.2.3 - Performance
- 2.1.2.6 - Regulatory requirements
2.1.6 - Passive vs. active 2.1.7 - Static vs. dynamic - 2.1.7.1 - Reverse engineering
- 2.1.7.2 - Fuzzing
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.5.1 - Nmap
- 2.2.1.5.2 - Metasploit framework (MSF)
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.10 - Security misconfiguration 2.5 Explain concepts related to vulnerability response, handling, and management 2.5.9 - Attack surface management - 2.5.9.4 - Penetration testing and adversary emulation
|
5.4 | Vulnerability Assessments | 2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.5 - Credentialed vs. non-credentialed 2.1.7 - Static vs. dynamic 2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.2.1 - Burp Suite
- 2.2.1.2.2 - Zed Attack Proxy (ZAP)
- 2.2.1.2.3 - Arachni
- 2.2.1.2.4 - Nikto
- 2.2.1.3 - Vulnerability scanners
- 2.2.1.3.1 - Nessus
- 2.2.1.3.2 - OpenVAS
2.3 Given a scenario, analyze data to prioritize vulnerabilities 2.3.1 - Common Vulnerability Scoring System (CVSS) interpretation
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.1 - Cross-site scripting
2.4.6 - Injection flaws
2.4.7 - Cross-site request forgery
2.4.16 - Local file inclusion (LFI)/remote file inclusion (RFI)
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.9 - Attack surface management - 2.5.9.3 - Security controls testing
- 2.5.9.4 - Penetration testing and adversary emulation
4.1 Explain the importance of vulnerability management reporting and communication 4.1.1 - Vulnerability management reporting - 4.1.1.1 - Vulnerabilities
- 4.1.1.3 - Risk score
- 4.1.1.4 - Mitigation
|
5.5 | Vulnerability Scoring Systems | 1.4 Compare and contrast threat-intelligence and threat-hunting concepts 1.4.4 - Collection methods and sources - 1.4.4.1 - Open source
- 1.4.4.1.2 - Blogs/forums
- 1.4.4.1.3 - Government bulletins
1.4.5 - Threat intelligence sharing - 1.4.5.2 - Vulnerability management
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.3.1 - Nessus
- 2.2.1.3.2 - OpenVAS
2.3 Given a scenario, analyze data to prioritize vulnerabilities 2.3.1 - Common Vulnerability Scoring System (CVSS) interpretation - 2.3.1.1 - Attack vectors
- 2.3.1.2 - Attack complexity
- 2.3.1.3 - Privileges required
- 2.3.1.4 - User interaction
- 2.3.1.5 - Scope
- 2.3.1.6 - Impact
- 2.3.1.6.1 - Confidentiality
- 2.3.1.6.2 - Integrity
- 2.3.1.6.3 - Availability
2.3.4 - Exploitability/weaponization
2.3.5 - Asset value
2.3.6 - Zero-day
4.1 Explain the importance of vulnerability management reporting and communication 4.1.1 - Vulnerability management reporting - 4.1.1.1 - Vulnerabilities
- 4.1.1.3 - Risk score
|
5.6 | Classifying Vulnerability Information | 1.4 Compare and contrast threat-intelligence and threat-hunting concepts 1.4.4 - Collection methods and sources - 1.4.4.1.3 - Government bulletins
2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.1 - Asset discovery 2.1.2 - Special considerations - 2.1.2.6 - Regulatory requirements
2.1.9 - Security baseline scanning 2.1.10 - Industry frameworks - 2.1.10.2 - Center for Internet Security (CIS) benchmarks
2.3 Given a scenario, analyze data to prioritize vulnerabilities 2.3.2 - Validation - 2.3.2.1 - True/false positives
- 2.3.2.2 - True/false negatives
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.3.1 - Testing
2.5.3.2 - Implementation
2.5.3.4 - Validation
2.5.6 - Risk management principles
2.5.7 - Policies, governance, and service-level objectives (SLOs)
2.5.8 - Prioritization and escalation
4.1 Explain the importance of vulnerability management reporting and communication 4.1.1 - Vulnerability management reporting - 4.1.1.1 - Vulnerabilities
- 4.1.1.2 - Affected hosts
- 4.1.1.3 - Risk score
- 4.1.1.4 - Mitigation
- 4.1.1.5 - Recurrence
- 4.1.1.6 - Prioritization
4.1.2 - Compliance reports 4.1.3 - Action plans - 4.1.3.1 - Configuration management
- 4.1.3.2 - Patching
- 4.1.3.3 - Compensating controls
- 4.1.3.4 - Awareness, education, and training
- 4.1.3.5 - Changing business requirements
4.1.4 - Inhibitors to remediation - 4.1.4.1 - Memorandum of understanding (MOU)
- 4.1.4.2 - Service-level agreement (SLA)
- 4.1.4.3 - Organizational governance
- 4.1.4.4 - Business process interruption
- 4.1.4.5 - Degrading functionality
- 4.1.4.6 - Legacy systems
- 4.1.4.7 - Proprietary systems
4.1.5 - Metrics and key performance indicators (KPIs) - 4.1.5.2 - Top 10
- 4.1.5.4 - SLOs
4.1.6 - Stakeholder identification and communication |
6.0 | Network Security | |
---|
6.1 | Security Monitoring | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related 1.2.4 - Other - 1.2.4.2 - Obfuscated links
1.4 Compare and contrast threat-intelligence and threat-hunting concepts 1.4.5 - Threat intelligence sharing - 1.4.5.5 - Detection and monitoring
2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.2 - Special considerations 2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
- 2.2.1.5.1 - Nmap
3.2 Given a scenario, perform incident response activities 3.2.1 - Detection and analysis 4.1 Explain the importance of vulnerability management reporting and communication 4.1.5 - Metrics and key performance indicators (KPIs) |
6.2 | Wireless Security | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related - 1.2.1.4 - Rogue devices on the network
- 1.2.1.7 - Activity on unexpected ports
|
6.3 | Web Server Security | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.4 - Domain name service (DNS) and Internet Protocol (IP) reputation
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
- 2.2.1.2 - Web application scanners
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.1 - Cross-site scripting
2.4.2 - Overflow vulnerabilities
2.4.3 - Data poisoning
2.4.4 - Broken access control
2.4.5 - Cryptographic failures
2.4.6 - Injection flaws
2.4.7 - Cross-site request forgery
2.4.8 - Directory traversal
2.4.10 - Security misconfiguration
2.4.12 - Identification and authentication failures
2.4.16 - Local file inclusion (LFI)/remote file inclusion (RFI)
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.10 - Secure coding best practices - 2.5.10.1 - Input validation
|
6.4 | SQL Injection | 2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.2 - Web application scanners
- 2.2.1.2.1 - Burp Suite
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.6 - Injection flaws |
6.5 | Sniffing | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.1 - Packet capture
- 1.3.1.1.1 - Wireshark
- 1.3.1.1.2 - tcpdump
- 1.3.1.4 - Domain name service (DNS) and Internet Protocol (IP) reputation
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
|
6.6 | Authentication Attacks | 1.1 Explain the importance of system and network architecture concepts in security operations 1.1.4 - Network architecture 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related - 1.2.1.3 - Irregular peer-to-peer communication
- 1.2.1.5 - Scans/sweep
1.2.3 - Application-related 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.1.1 - Wireshark
- 1.3.1.4 - Domain name service (DNS) and Internet Protocol (IP) reputation
1.4 Compare and contrast threat-intelligence and threat-hunting concepts 1.4.6 - Threat hunting - 1.4.6.1 - Indicators of compromise (IoC)
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.1 - Cross-site scripting
2.4.3 - Data poisoning
2.4.4 - Broken access control
2.4.12 - Identification and authentication failures
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.10 - Secure coding best practices - 2.5.10.3 - Session management
|
6.7 | Cloud Security | 1.1 Explain the importance of system and network architecture concepts in security operations 1.1.4 - Network architecture 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.2 - Host-related - 1.2.2.8 - Data exfiltration
2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.6 - Passive vs. active 2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.6 - Cloud infrastructure assessment tools
- 2.2.1.6.1 - Scout Suite
- 2.2.1.6.2 - Prowler
- 2.2.1.6.3 - Pacu
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.2 - Control types - 2.5.2.1 - Managerial
- 2.5.2.2 - Operational
- 2.5.2.3 - Technical
- 2.5.2.4 - Preventative
- 2.5.2.5 - Detective
- 2.5.2.6 - Responsive
- 2.5.2.7 - Corrective
|
6.8 | Email Security | 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.2 - Common techniques - 1.3.2.3 - Email analysis
- 1.3.2.3.1 - Header
- 1.3.2.3.2 - Impersonation
- 1.3.2.3.3 - DomainKeys Identified Mail (DKIM)
- 1.3.2.3.4 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- 1.3.2.3.5 - Sender Policy Framework (SPF)
- 1.3.2.3.6 - Embedded links
|
6.9 | Denial-of-Service Attacks | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related - 1.2.1.1 - Bandwidth consumption
1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.1.1 - Wireshark
- 1.3.1.4 - Domain name service (DNS) and Internet Protocol (IP) reputation
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.2 - Overflow vulnerabilities |
6.10 | Industrial Computer Systems | 2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.8 - Critical infrastructure - 2.1.8.1 - Operational technology (OT)
- 2.1.8.2 - Industrial control systems (ICS)
- 2.1.8.3 - Supervisory control and data acquisition (SCADA)
|
7.0 | Host-Based Attacks | |
---|
7.1 | Device Security | 1.1 Explain the importance of system and network architecture concepts in security operations 1.1.2 - Operating system (OS) concepts - 1.1.2.2 - System hardening
1.1.6 - Encryption 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.2 - Host-related - 1.2.2.1 - Processor consumption
- 1.2.2.2 - Memory consumption
- 1.2.2.10 - File system changes or anomalies
1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.3 - Endpoint security
- 1.3.1.5 - File analysis
1.3.2 - Common techniques - 1.3.2.4 - File analysis
- 1.3.2.4.1 - Hashing
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.7 - Policies, governance, and service-level objectives (SLOs)
3.2 Given a scenario, perform incident response activities 3.2.1 - Detection and analysis
3.2.2 - Containment, eradication, and recovery
3.3 Explain the preparation and post-incident activity phases of the incident management life cycle 3.3.2 - Post-incident activity - 3.3.2.1 - Forensic analysis
|
7.2 | Unauthorized Changes | 1.1 Explain the importance of system and network architecture concepts in security operations 1.1.2 - Operating system (OS) concepts - 1.1.2.4 - System processes
1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.2 - Host-related - 1.2.2.6 - Unauthorized changes
- 1.2.2.7 - Unauthorized privileges
- 1.2.2.9 - Abnormal OS process behavior
1.2.3 - Application-related - 1.2.3.2 - Introduction of new accounts
1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.2 - Log analysis/correlation
1.3.2 - Common techniques - 1.3.2.5.1 - Abnormal account activity
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.12 - Identification and authentication failures
2.4.15 - Privilege escalation
3.2 Given a scenario, perform incident response activities 3.2.1 - Detection and analysis - 3.2.1.3 - Data and log analysis
|
7.3 | Malware | 1.1 Explain the importance of system and network architecture concepts in security operations 1.1.2 - Operating system (OS) concepts - 1.1.2.1 - Windows Registry
1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related 1.2.2 - Host-related - 1.2.2.2 - Memory consumption
- 1.2.2.5 - Malicious processes
- 1.2.2.10 - File system changes or anomalies
1.2.3 - Application-related 1.2.4 - Other - 1.2.4.2 - Obfuscated links
1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.3 - Endpoint security
- 1.3.1.5.1 - Strings
- 1.3.1.6 - Sandboxing
1.4 Compare and contrast threat-intelligence and threat-hunting concepts 1.4.6 - Threat hunting - 1.4.6.1 - Indicators of compromise (IoC)
- 1.4.6.1.1 - Collection
- 1.4.6.1.2 - Analysis
- 1.4.6.1.3 - Application
2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.1 - Asset discovery - 2.1.1.2 - Device fingerprinting
2.1.7 - Static vs. dynamic - 2.1.7.1 - Reverse engineering
- 2.1.7.2 - Fuzzing
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.4 - Broken access control 2.5 Explain concepts related to vulnerability response, handling, and management 2.5.3 - Patching and configuration management 4.1 Explain the importance of vulnerability management reporting and communication 4.1.3 - Action plans - 4.1.3.4 - Awareness, education, and training
|
7.4 | Command and Control | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related 2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
|
7.5 | Social Engineering | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.4 - Other - 1.2.4.1 - Social engineering attacks
- 1.2.4.2 - Obfuscated links
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
|
7.6 | Scripting and Programming | 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.3 - Programming languages/scripting - 1.3.3.1 - JavaScript Object Notation (JSON)
- 1.3.3.2 - Extensible Markup Language (XML)
- 1.3.3.3 - Python
- 1.3.3.4 - PowerShell
- 1.3.3.5 - Shell script
- 1.3.3.6 - Regular expressions
2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.7 - Static vs. dynamic - 2.1.7.1 - Reverse engineering
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.10 - Secure coding best practices - 2.5.10.1 - Input validation
- 2.5.10.2 - Output encoding
- 2.5.10.3 - Session management
- 2.5.10.4 - Authentication
- 2.5.10.5 - Data protection
- 2.5.10.6 - Parameterized queries
2.5.11 - Secure software development life cycle (SDLC) |
7.7 | Application Vulnerabilities | 2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.1 - Cross-site scripting 2.4.2 - Overflow vulnerabilities - 2.4.2.1 - Buffer
- 2.4.2.2 - Integer
- 2.4.2.3 - Heap
- 2.4.2.4 - Stack
2.4.4 - Broken access control
2.4.5 - Cryptographic failures
2.4.9 - Insecure design
2.4.10 - Security misconfiguration
2.4.11 - End-of-life or outdated components
2.4.12 - Identification and authentication failures
2.4.14 - Remote code execution
2.4.15 - Privilege escalation |
8.0 | Security Management | |
---|
8.1 | Security Information and Event Management (SIEM) | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.2 - Log analysis/correlation
- 1.3.1.2.1 - Security information and event management (SIEM)
2.2 Given a scenario, analyze output from vulnerability assessment tools 2.2.1 - Tools - 2.2.1.1 - Network scanning and mapping
|
8.2 | Security Orchestration, Automation, and Response (SOAR) | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.2 - Host-related - 1.2.2.5 - Malicious processes
1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.2.2 - Security orchestration, automation, and response (SOAR)
1.3.3 - Programming languages/scripting 1.5 Explain the importance of efficiency and process improvement in security operations 1.5.1 - Standardize processes - 1.5.1.1 - Identification of tasks suitable for automation
- 1.5.1.2 - Team coordination to manage and facilitate automation
1.5.2 - Streamline operations - 1.5.2.1 - Automation and orchestration
- 1.5.2.2 - Orchestrating threat intelligence data
- 1.5.2.2.2 - Threat feed combination
1.5.3 - Technology and tool integration - 1.5.3.1 - Application programming interface (API)
1.5.4 - Single pane of glass
3.2 Given a scenario, perform incident response activities 3.2.1 - Detection and analysis - 3.2.1.3 - Data and log analysis
|
8.3 | Exploring Abnormal Activity | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.1 - Network-related - 1.2.1.3 - Irregular peer-to-peer communication
- 1.2.1.7 - Activity on unexpected ports
1.2.3 - Application-related - 1.2.3.1 - Anomalous activity
- 1.2.3.4 - Unexpected outbound communication
- 1.2.3.5 - Service interruption
- 1.2.3.6 - Application logs
1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.1.1 - Wireshark
- 1.3.1.2.1 - Security information and event management (SIEM)
- 1.3.1.3 - Endpoint security
- 1.3.1.3.1 - Endpoint detection and response (EDR)
- 1.3.1.4 - Domain name service (DNS) and Internet Protocol (IP) reputation
1.3.2 - Common techniques - 1.3.2.2 - Interpreting suspicious commands
- 1.3.2.4 - File analysis
- 1.3.2.5.1 - Abnormal account activity
1.3.3 - Programming languages/scripting - 1.3.3.4 - PowerShell
- 1.3.3.5 - Shell script
|
9.0 | Post-Attack | |
---|
9.1 | Containment | 1.4 Compare and contrast threat-intelligence and threat-hunting concepts 1.4.6 - Threat hunting - 1.4.6.2.2 - Isolated networks
2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities 2.4.5 - Cryptographic failures
3.2 Given a scenario, perform incident response activities 3.2.1 - Detection and analysis - 3.2.1.2 - Evidence acquisitions
3.2.2 - Containment, eradication, and recovery - 3.2.2.1 - Scope
- 3.2.2.2 - Impact
- 3.2.2.3 - Isolation
- 3.2.2.4 - Remediation
- 3.2.2.5 - Re-imaging
- 3.2.2.6 - Compensating controls
3.3 Explain the preparation and post-incident activity phases of the incident management life cycle 3.3.2 - Post-incident activity - 3.3.2.1 - Forensic analysis
|
9.2 | Incident Response | 1.2 Given a scenario, analyze indicators of potentially malicious activity 1.2.2 - Host-related - 1.2.2.8 - Data exfiltration
1.2.4 - Other - 1.2.4.1 - Social engineering attacks
1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.1 - Tools - 1.3.1.2.1 - Security information and event management (SIEM)
1.4 Compare and contrast threat-intelligence and threat-hunting concepts 1.4.5 - Threat intelligence sharing - 1.4.5.1 - Incident response
2.5 Explain concepts related to vulnerability response, handling, and management 2.5.9 - Attack surface management - 2.5.9.4 - Penetration testing and adversary emulation
3.2 Given a scenario, perform incident response activities 3.2.1 - Detection and analysis - 3.2.1.1 - IoC
- 3.2.1.2.1 - Chain of custody
- 3.2.1.3 - Data and log analysis
3.2.2 - Containment, eradication, and recovery - 3.2.2.1 - Scope
- 3.2.2.2 - Impact
3.3 Explain the preparation and post-incident activity phases of the incident management life cycle 3.3.1 - Preparation - 3.3.1.1 - Incident response plan
- 3.3.1.2 - Tools
- 3.3.1.3 - Playbooks
- 3.3.1.4 - Tabletop
- 3.3.1.5 - Training
- 3.3.1.6 - Business continuity (BC)/disaster recovery (DR)
3.3.2 - Post-incident activity - 3.3.2.3 - Lessons learned
4.1 Explain the importance of vulnerability management reporting and communication 4.1.6 - Stakeholder identification and communication
4.2 Explain the importance of incident response reporting and communication 4.2.2 - Incident declaration and escalation
4.2.3 - Incident response reporting
4.2.4 - Communications - 4.2.4.1 - Legal
- 4.2.4.2 - Public relations
- 4.2.4.2.1 - Customer communication
- 4.2.4.2.2 - Media
- 4.2.4.3 - Regulatory reporting
- 4.2.4.4 - Law enforcement
|
9.3 | Post-Incident Activities | 1.1 Explain the importance of system and network architecture concepts in security operations 1.1.3 - Infrastructure concepts 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity 1.3.2 - Common techniques 2.1 Given a scenario, implement vulnerability scanning methods and concepts 2.1.8 - Critical infrastructure - 2.1.8.3 - Supervisory control and data acquisition (SCADA)
3.2 Given a scenario, perform incident response activities 3.2.1 - Detection and analysis - 3.2.1.2 - Evidence acquisitions
- 3.2.1.2.1 - Chain of custody
- 3.2.1.2.4 - Legal hold
3.3 Explain the preparation and post-incident activity phases of the incident management life cycle 3.3.1 - Preparation - 3.3.1.6 - Business continuity (BC)/disaster recovery (DR)
3.3.2 - Post-incident activity - 3.3.2.1 - Forensic analysis
4.2 Explain the importance of incident response reporting and communication 4.2.2 - Incident declaration and escalation 4.2.3 - Incident response reporting - 4.2.3.1 - Executive summary
- 4.2.3.2 - Who, what, when, where, and why
- 4.2.3.3 - Recommendations
- 4.2.3.7 - Evidence
4.2.5 - Root cause analysis
4.2.6 - Lessons learned
4.2.7 - Metrics and KPIs - 4.2.7.1 - Mean time to detect
- 4.2.7.2 - Mean time to respond
- 4.2.7.3 - Mean time to remediate
|
A.0 | CompTIA CySA+ CS0-003 - Practice Exams | |
---|
A.1 | Prepare for CompTIA CySA+ Certification | |
A.2 | CompTIA CySA+ CS0-003 Domain Review (20 Questions) | |
A.3 | CompTIA CySA+ CS0-003 Practice Exams (All Questions) | |
B.0 | TestOut CyberDefense Pro - Practice Exams | |
---|
B.1 | Prepare for TestOut CyberDefense Pro Certification | |
B.2 | TestOut CyberDefense Pro Exam Domain Review | |
The CySA+ CS0-003 Exam is scheduled through Pearson VUE.
Certification | Provider | Website | Customer Service |
---|
CompTIA | Pearson VUE | pearsonvue.com | Online chat and phone numbers by region are available on pearsonvue.com/comptia/contact |
The CySA+ CS0-003 Exam information web page on CompTIA's website provides the latest details on how to schedule the exam.
TestOut is pleased to offer students a 10% off coupon code for exam vouchers purchased from CompTIA's online marketplace.
To purchase a voucher, go to the CompTIA website and complete the following:
- Select your desired certification.
- Add the corresponding CompTIA voucher(s) to your shopping cart.
- Enter the coupon code TESTOUT10 at checkout to get 10% off your purchase.
- Go to the Pearson VUE website.
- Enter your voucher information to register for the certification.
When you schedule the exam with Pearson VUE, you will be presented with options to take the exam at a local testing center or your home or office. If you choose a local testing center, you will be given the option to pick from the testing centers closest to your location.
You will need two forms of identification, one with a picture. For example, you could use a driver's license and a credit card. You will typically receive an erasable marker and whiteboard or laminated paper to use during the exam. Notes or other reference materials are not allowed inside the testing center. It is recommended that you do not bring personal items to the testing center; however, they typically provide a locker to store personal items.
People often ask, "What is on the exam?" This course is intended to help you gain the knowledge, skills, and abilities necessary to perform the corresponding job roles. Additionally, we highly recommend using the certification practice exam to prepare for the CySA+ CS0-003 exam.
The questions on certification exams are protected to maintain the integrity of the exam. While the practice exam does not include the exact questions, it will help measure your understanding of the topics covered in the CompTIA objectives. You should review the CySA+ CS0-003 exam objectives and make sure you are comfortable with each topic and objective listed. After taking the practice exam, the objectives for the exam are listed on the Report screen. You can use the report to focus your studies on preparing for the exam.
CompTIA offers discounts on their exam vouchers and academic pricing for students through the academic store. Check the exam information page and www.comptia.org/blog/voucher-discount for more information.
The CySA+ CS0-003 exam and the certification practice exam are not adaptive tests. The certification practice exam is the best way to prepare for the certification exam because the content of the objectives for an exam is more comprehensive than any single adaptive test. Adaptive tests are too short to give you a thorough review and the chance to practice taking the test. You need to understand all the questions before taking the certification exam.
An adaptive exam begins by giving you an easy-to-moderate question. If you answer the question correctly, it gives you a more difficult question. With each correct answer, the difficulty of the next question increases. On the other hand, if you answer the second question incorrectly, the next questions will be easier. The test changes the question difficulty until it determines your skill level.
There are two primary characteristics you will notice as you take an adaptive exam:
- You cannot skip questions or review previously answered questions. This means you need to take a little more time to answer each question carefully before going on to the next question. Adaptive exams display a warning screen at the beginning of the exam stating that you will not be allowed to review previous questions.
- Adaptive tests are typically shorter than traditional exams. The current adaptive exams range between 15 and 35 questions.
Certification exams are all computer-based. At the beginning of the exam, you will have an opportunity to view a tutorial on the exam software. Time spent reviewing the tutorial does not count toward the time you have to take the exam.
The CySA+ CS0-003 exam has mostly multiple-choice questions. Additionally, there are a few performance-based questions at the start of the exam and some drag-and-drop activities. The CompTIA website provides sample questions and also information on performance-based questions.
The CySA+ CS0-003 exam has a maximum of 85 questions, and you have 165 minutes to complete it.
You will receive results as soon as you have completed the exam. The testing program provides immediate feedback and automatically generates a report showing the required passing score and your score. Pick up your exam report before you leave the testing center. You should keep this report in case there are any discrepancies in your certification program.
For the CySA+ CS0-003 exam, see the CompTIA website for exam policies. Typically, there is no waiting period before attempting to retake the exam a second time. However, the third and subsequent attempts have a waiting period. See the CompTIA website for specific information on the retake policy.
Follow these tips to make your exam experience less stressful and more successful:
When | Tips |
---|
Before the exam | Before you take an exam, try these tips: - Prepare a short review sheet for the exam. It should contain reference tables and information that you have trouble remembering. Shortly before you start the exam, study your notes as a last-minute review.
- Arrive 20 minutes early and relax for a few minutes before the exam. Take a deep breath. Look at the review sheet one last time. You will make fewer mistakes if you are not tense and rushed.
- Before the exam starts, review the exam tutorial to familiarize yourself with the exam software. The time you spend on the tutorial does not count toward the test time. The exam itself is timed, so if you have any questions, ask the exam administrator before the exam begins.
|
During the exam | Once the exam has started: - If you are unsure of a question's answer, eliminate the obviously incorrect answers first. Eliminating the obvious makes it easier for you to try to select the correct answer, especially if you have to guess.
- If you do not know, guess! Be sure you answer all of the questions before you finish. Unanswered questions are wrong and scored as incorrect answers. If you are unsure of an answer, make an educated guess. There is no extra penalty for incorrect answers.
- If you have time, review your answers before moving on to the next question. A word of caution: be absolutely sure before you change an answer! If you are positive that your answer is wrong, change it. However, if you are unsure and cannot explain to yourself why you need to change an answer, leave it. Most of the time, your first instinct is correct.
|
Use a scratch pad | You will be given an erasable marker and a whiteboard or laminated paper to use during the exam. Follow these tips for using the scratch pad: - Immediately after the exam starts, write down anything that could be a useful reference during the exam. This is the time to remember what you studied on your review sheet. The information on the review sheet should be fresh in your mind because you just did a quick review. Write lists, reference tables, and any other vital information on the paper. Do not spend a lot of time, just a minute or two, writing down reference material. The list of information will save you time as you answer the questions.
- While answering questions, use the scratch pad to draw diagrams. A question may be easier to answer after you see a diagram.
|
Retake an exam | If you do not pass the exam: - Use the score report on your transcript to identify the areas to focus further study.
- Think carefully about the exam and make notes about the questions that you could not answer. Do this as soon as possible after taking the exam. Look up the correct answers in your study materials. You may get the same or similar questions the next time.
- Do not wait too long to retake the exam. You already know much of the material and may forget what you know if you wait too long.
|