
CompTIA CySA+ Certification Guide

Level up from Security+ to hands-on threat detection and response.

CompTIA CySA+ (Cybersecurity Analyst) is an intermediate-level cybersecurity certification that validates your ability to detect, analyze, and respond to security threats. Where Security+ proves you understand foundational security concepts, CySA+ proves you can apply those concepts in a Security Operations Center (SOC) — triaging alerts, hunting for threats, analyzing logs, and managing vulnerabilities.

The current exam is CS0-003, released by CompTIA in June 2023. CySA+ is vendor-neutral, meaning the skills it validates apply regardless of whether your employer uses Splunk, Microsoft Sentinel, Wazuh, or another SIEM platform.

CySA+ is approved under the U.S. Department of Defense Directive 8570/8140 at the IAT Level II and CSSP Analyst levels. This means it satisfies requirements for analyst-level government and defense contractor cybersecurity positions — a step above the roles Security+ qualifies you for.

Source: CompTIA official certification page at comptia.org and DoD 8570.01-M approved products list (verified March 2026)

CySA+ is designed for professionals who are moving beyond foundational security knowledge into hands-on analyst work. The strongest candidates include:

Security+ holders ready to advance. If you have passed Security+ and spent time building practical skills through labs, home lab environments, or an entry-level security role, CySA+ is the logical next certification on the CompTIA pathway.

Aspiring SOC Analysts (Tier 2 and above). While Security+ can help you land a Tier 1 SOC Analyst position, CySA+ demonstrates the deeper analytical skills that Tier 2 roles require — correlating events across data sources, investigating complex alerts, and making response decisions.

Threat analysts and incident responders. If your career direction points toward threat intelligence, detection engineering, or incident response, CySA+ covers the analytical foundations these specializations build on.

Career changers with Security+ and lab experience. CompTIA recommends 4 or more years of hands-on information security experience before attempting CySA+. However, career changers who have completed Security+, built a home lab, and practiced extensively with SIEM tools and log analysis can succeed with dedicated study. The recommendation is a guideline, not a hard prerequisite.

| Detail | CS0-003 |
|---|---|
| Exam code | CS0-003 |
| Number of questions | Maximum 85 |
| Question types | Multiple choice and performance-based questions (PBQs) |
| Time allowed | 165 minutes |
| Passing score | 750 on a scale of 100-900 |
| Testing provider | Pearson VUE (in-person or online proctored) |
| Cost | ~$404 USD (as of March 2026, verify at comptia.org) |
| Validity | 3 years from passing date |
| Recommended experience | 4+ years in information security (CompTIA recommendation) |

The 165-minute time limit is significantly longer than Security+'s 90 minutes. This reflects the complexity of CySA+ performance-based questions, which may require you to analyze log data, interpret vulnerability scan output, or walk through incident response scenarios in a simulated environment.

Exam details source: comptia.org/certifications/cybersecurity-analyst (verified March 2026). CompTIA may update exam format at any time — always verify current details before scheduling.

The CS0-003 exam is organized into four domains. The percentage indicates how much of the exam each domain represents:

| Domain | Weight | What It Covers |
|---|---|---|
| 1.0 Security Operations | 33% | SIEM configuration, log analysis, threat hunting, automation, detection techniques |
| 2.0 Vulnerability Management | 30% | Vulnerability scanning, risk prioritization, remediation strategies, validation |
| 3.0 Incident Response Management | 20% | Detection and analysis, containment, eradication, recovery, post-incident review |
| 4.0 Reporting and Communication | 17% | Metrics, stakeholder communication, compliance reporting, process improvement |

CySA+ Exam Domains (CS0-003): 4 domains weighted by percentage

  • 33% Security Operations: SIEM Analysis, Threat Hunting, Log Monitoring, Automation
  • 30% Vulnerability Mgmt: Scanning, Prioritization, Remediation, Validation
  • 20% Incident Response: Detection, Containment, Eradication, Recovery
  • 17% Reporting: Metrics, Communication, Compliance, Improvement

Key observation for study planning: Security Operations and Vulnerability Management together make up 63% of the exam. These two domains cover the daily work of a cybersecurity analyst — monitoring alerts, investigating threats, scanning for vulnerabilities, and deciding what to fix first. Prioritize these heavily in your study plan.

Download the exam objectives PDF from comptia.org for free. Print it and use it as a checklist. Every question on the exam maps to a specific objective in that document.

Domain weights source: CompTIA CySA+ CS0-003 Exam Objectives (verified March 2026)

Understanding the difference between these two certifications helps you decide when you are ready to pursue CySA+:

| Aspect | Security+ (SY0-701) | CySA+ (CS0-003) |
|---|---|---|
| Level | Entry-level / foundational | Intermediate / analyst-focused |
| Focus | Broad security concepts across five domains | Deep dive into detection, analysis, and response |
| Question style | Conceptual understanding | Analytical and scenario-based |
| Typical role | SOC Analyst Tier 1, Junior Security Analyst | SOC Analyst Tier 2, Threat Analyst |
| DoD 8570 level | IAT Level II | IAT Level II, CSSP Analyst |
| Time allowed | 90 minutes | 165 minutes |

The progression: Security+ teaches you what threats exist and how defenses work. CySA+ teaches you how to find threats in your environment and what to do when you find them. Think of Security+ as learning the rules of the road and CySA+ as learning to drive in traffic.

The natural certification path is: Security+ then CySA+ then CASP+ (or specialized certifications like CISSP, depending on your career direction).

This plan assumes you have Security+ knowledge or equivalent and can study 10-15 hours per week:

| Period | Focus | Activities |
|---|---|---|
| Weeks 1-4 | Security Operations (33%) | SIEM fundamentals, log analysis techniques, threat hunting methodology, detection rule writing, security automation concepts |
| Weeks 5-8 | Vulnerability Management (30%) | Vulnerability scanning tools (Nessus, OpenVAS), CVSS scoring, risk prioritization frameworks, remediation planning, validation testing |
| Weeks 9-11 | Incident Response (20%) | IR lifecycle phases, detection and analysis techniques, containment strategies, eradication procedures, recovery planning, lessons learned |
| Weeks 12-14 | Reporting, review, and practice | Communication and compliance reporting, full practice exams, weak-area review, PBQ practice |

Weeks 1-4 deserve the most time because Security Operations is the largest domain and the most hands-on. Spend time in a SIEM environment writing queries and analyzing real log data during this phase, not just reading about it.

How to know you are ready: When you consistently score 80% or above on full-length practice exams from at least two different sources, you are ready to schedule the real exam. The CySA+ PBQs are scenario-heavy, so hands-on lab experience matters more here than for Security+.

Free and low-cost resources:

  • CompTIA CySA+ exam objectives PDF — free download from comptia.org. Your master study checklist.
  • TryHackMe SOC-related rooms — the SOC Level 1 and SOC Level 2 learning paths cover SIEM analysis, log investigation, and threat detection with hands-on browser-based labs. Free tier available.
  • Cybrary CySA+ course — free tier available with video content covering exam objectives.

Paid resources worth considering:

  • Jason Dion’s CySA+ CS0-003 course — available on Udemy, frequently on sale for <$20. Includes practice exams and scenario walkthroughs. Dion’s courses are consistently well-reviewed for CompTIA certification preparation.
  • CompTIA CertMaster Learn + Labs — official study platform with integrated hands-on labs. The most structured option, but also the most expensive. Check comptia.org for current pricing.
  • CompTIA CySA+ Study Guide (Sybex, by Mike Chapple and David Seidl) — comprehensive textbook covering all CS0-003 objectives. Good for learners who prefer reading over video.
  • Professor Messer’s CySA+ practice exams — if available for the current version, Messer’s practice tests are among the most exam-realistic options.

You do not need all of these. A solid preparation plan combines one primary course (video or textbook), one set of practice exams, and hands-on SIEM lab time. The lab component is not optional for CySA+ — the exam tests applied analytical skills.

CySA+ performance-based questions test practical skills, not just theoretical knowledge. Build proficiency in these areas before exam day:

SIEM query writing. Learn to write queries in at least one SIEM platform. Splunk’s Search Processing Language (SPL) and Microsoft Sentinel’s Kusto Query Language (KQL) are the most marketable. TryHackMe and Splunk’s free training resources offer guided practice.

Log analysis and correlation. Practice reading and correlating logs from multiple sources — firewall logs, authentication logs, DNS query logs, and endpoint detection logs. The ability to trace an attack across data sources is a core CySA+ skill.

Vulnerability scan interpretation. Run scans using tools like Nessus (free Essentials edition) or OpenVAS, then practice interpreting the results. Understand CVSS scores, how to prioritize findings by business impact, and how to write remediation recommendations.

Incident response playbook execution. Walk through IR scenarios step by step: detection, analysis, containment, eradication, recovery, and lessons learned. Document each phase as you would in a real SOC environment.

Threat intelligence analysis. Understand STIX/TAXII formats, MITRE ATT&CK framework mapping, and how to consume threat feeds. Practice mapping indicators of compromise (IOCs) to ATT&CK techniques.

```bash
# Commands relevant to CySA+ exam concepts

# Log analysis (Domain 1 - Security Operations)
journalctl --since "1 hour ago" --priority=err   # Check recent error logs
grep -i "failed password" /var/log/auth.log      # Hunt for brute force attempts

# Network monitoring (Domain 1)
tcpdump -i eth0 -w capture.pcap                  # Capture network traffic
tshark -r capture.pcap -Y "http.request"         # Filter HTTP requests

# Vulnerability management (Domain 2)
nmap -sV --script vuln 192.168.1.0/24            # Basic vulnerability scan
```
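The `grep -i "failed password"` hunt above only lists failures. As an added example (not part of the original guide), the script below counts failures per source address and correlates them with a later successful password login from the same address. The function names, the threshold, and the sample log lines are constructed for illustration, and failures are counted over the whole input rather than a time window.

```shell
#!/usr/bin/env bash
# Added example: per-source SSH failure counts, correlated with later success.

# Constructed sample in OpenSSH syslog format (documentation IP ranges).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:04 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:07 web01 sshd[2213]: Failed password for invalid user from from 203.0.113.7 port 40120 ssh2
Mar  3 10:02:15 web01 sshd[2240]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 10:02:31 web01 sshd[2240]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 10:03:10 web01 sshd[2251]: Failed password for deploy from 203.0.113.7 port 40188 ssh2
Mar  3 10:03:12 web01 sshd[2251]: Accepted password for deploy from 203.0.113.7 port 40188 ssh2
Mar  3 10:04:00 web01 sshd[2260]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  3 10:04:02 web01 sshd[2260]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  3 10:04:05 web01 sshd[2260]: Failed password for root from 192.0.2.44 port 33001 ssh2
EOF
}

# detect_bruteforce THRESHOLD   (log lines on stdin)
# Prints "<ip> <failures> <status>" for each source with >= THRESHOLD failures.
detect_bruteforce() {
  awk -v threshold="${1:-5}" '
    # Anchor on the line tail "from <ip> port <n> ssh2". The username is
    # chosen by the remote side and may itself contain the word "from".
    function src_ip() {
      return ($(NF-4) == "from" && $(NF-2) == "port") ? $(NF-3) : ""
    }
    / sshd\[[0-9]+\]: Failed password for / {
      ip = src_ip(); if (ip != "") fails[ip]++
    }
    / sshd\[[0-9]+\]: Accepted password for / {
      ip = src_ip()
      # Record the account ($9) only if this source already hit the threshold.
      if (ip != "" && (ip in fails) && fails[ip] >= threshold) hit[ip] = $9
    }
    END {
      for (ip in fails) if (fails[ip] >= threshold) {
        status = (ip in hit) ? ("LOGIN_AFTER_FAILURES:" hit[ip]) : "FAILED_ONLY"
        print ip, fails[ip], status
      }
    }
  ' | sort
}

sample_auth_log | detect_bruteforce 3
```

Against a real host, feed the log on stdin, for example `detect_bruteforce 5 < /var/log/auth.log`. A `LOGIN_AFTER_FAILURES` row is the one to escalate first, since it names the account that authenticated after the failures.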

CySA+ positions you for analyst-level roles that require hands-on detection and response skills:

  • SOC Analyst Tier 2 — investigating escalated alerts, performing deeper analysis, and making containment decisions
  • Threat Analyst — analyzing threat intelligence, mapping adversary techniques, and improving detection capabilities
  • Vulnerability Analyst — managing vulnerability scanning programs, prioritizing findings, and tracking remediation
  • Incident Responder — executing IR playbooks, coordinating containment and recovery, and documenting findings
  • Security Operations Center roles — any position requiring SIEM proficiency and analytical skills

According to CyberSeek.org, cybersecurity analyst roles — the primary target for CySA+ holders — show strong demand across the United States. Salary ranges for these mid-level positions typically fall between $70,000 and $100,000 USD annually, depending on location, employer, and experience level.

Salary data is approximate and based on industry sources including CyberSeek.org and the Bureau of Labor Statistics. Individual results vary based on location, employer, experience, and market conditions. This guide does not guarantee employment outcomes.

CySA+ is valid for three years from the date you pass. To maintain the certification, you must earn Continuing Education (CE) credits during that period. Options include:

  • Passing a higher-level CompTIA certification (such as CASP+), which automatically renews CySA+ and all lower certifications
  • Completing approved training courses and webinars
  • Attending industry conferences and events
  • Publishing security-related content or teaching

CompTIA charges an annual CE fee (approximately $50/year as of March 2026). Verify current renewal requirements and fees at comptia.org. Letting the certification lapse requires retaking the current exam.


Exam objectives, pricing, retake policies, and renewal requirements are subject to change. Always verify current information directly at comptia.org before purchasing exam vouchers or making study decisions.

Individual results vary based on location, experience, market conditions, and effort invested. This guide provides general guidance and does not guarantee employment outcomes.

Technical content verified in March 2026 against CompTIA CySA+ CS0-003 official exam objectives, CompTIA certification policies, and DoD 8570.01-M/8140 approved certification lists.

Frequently Asked Questions

Is CySA+ harder than Security+?

Yes, CySA+ is a significant step up from Security+. It assumes you already understand Security+ concepts and tests your ability to apply analytical skills in realistic scenarios. The performance-based questions require hands-on experience with SIEM tools, log analysis, and vulnerability management. Most candidates find the 10-14 week study timeline appropriate after having Security+ knowledge.

Do I need Security+ before CySA+?

CompTIA has no formal prerequisites for CySA+, so you can technically take it without Security+. However, CySA+ builds directly on Security+ concepts. Attempting CySA+ without Security+ knowledge or equivalent experience would be very difficult. The recommended path is Security+ first, then CySA+ after gaining some hands-on experience.

How long does it take to study for CySA+?

With Security+ knowledge and studying 10-15 hours per week, plan for 10-14 weeks. Career changers should add extra time for hands-on lab practice with SIEM tools, which is essential for the performance-based questions. Those with active SOC experience may need less preparation time.

What jobs can I get with CySA+?

CySA+ qualifies you for mid-level roles including SOC Analyst Tier 2, Threat Analyst, Vulnerability Analyst, and Incident Responder. These roles typically pay $70,000-$100,000 annually in the United States, though salary varies significantly by location, employer, and experience. Individual results vary.

Is CySA+ worth it for career changers?

CySA+ is worth pursuing once you have Security+ and some hands-on experience. It demonstrates analyst-level skills that move you beyond entry-level positions. For career changers who have invested in lab practice and can demonstrate SIEM proficiency, CySA+ significantly strengthens your candidacy for Tier 2 SOC roles.

How much does the CySA+ exam cost?

As of March 2026, the CySA+ CS0-003 exam voucher costs approximately $404 USD. Students may qualify for academic discounts. Check comptia.org for current pricing and available bundles that include retake options.

What is the passing score for CySA+?

The CySA+ CS0-003 exam requires a score of 750 on a scale of 100-900. The exam includes up to 85 questions (multiple choice and performance-based) with a 165-minute time limit.

Does CySA+ satisfy DoD 8570 requirements?

Yes, CySA+ appears on the DoD 8570.01-M and 8140 approved certifications list. It satisfies IAT Level II and CSSP Analyst requirements, qualifying you for analyst-level government and defense contractor cybersecurity positions.

What should I study after CySA+?

Common next steps include CompTIA CASP+ for advanced security architecture, CISSP for security management (requires 5 years of experience), or specialized certifications like GIAC GCIH for incident handling. Cloud security certifications (AWS, Azure) are also valuable as organizations move workloads to the cloud.

How long is CySA+ valid?

CySA+ is valid for three years from the date you pass. Renew by earning Continuing Education credits or by passing a higher-level certification like CASP+, which automatically renews CySA+ and all lower CompTIA certifications. CompTIA charges an annual CE fee of approximately $50.