CySA+ Test Cheat Sheet 2026

The 30 highest-yield CySA+ Test facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

85 questions
165 min time limit
83.00% to pass
  1. Which file system artifact on NTFS records the last 26 characters typed into the Windows Run dialog, even after a user clears the run history? Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  2. What is multi-factor authentication (MFA)? Requiring two or more verification methods to confirm identity
  3. What is a zero-day vulnerability? A security flaw unknown to the vendor with no available patch
  4. An analyst wants to determine whether a new threat-hunting playbook improved detection of lateral movement. Which comparison approach is most appropriate? Measure true-positive lateral movement detections before and after playbook deployment
  5. Which of the following BEST describes a drag-and-drop question on the CySA+ exam? A scenario where candidates move labeled items to correct positions
  6. What is the CIA triad in information security? Confidentiality, Integrity, Availability
  7. Which NIST SP 800-61 document revision provides guidance on computer security incident handling? NIST SP 800-61 Rev 2
  8. Which HIPAA rule establishes national standards for the protection of electronically protected health information (ePHI)? HIPAA Security Rule
  9. Which security tool provides real-time analysis of security alerts generated by network hardware and applications? SIEM
  10. An analyst discovers a scheduled task running every 30 minutes that executes a script from a hidden directory. What MITRE ATT&CK tactic does this represent? Persistence
  11. What is a zero-day vulnerability? A security flaw unknown to the vendor with no available patch
  12. A company performing a gap analysis against ISO 27001 identifies missing controls. What document defines the scope of controls selected for implementation? Statement of Applicability (SoA)
  13. Which technique helps analysts determine the true difficulty of the CySA+ exam before sitting for it? Completing official CompTIA practice exams and hands-on lab simulations
  14. Which of the following is TRUE regarding the CySA+ exam retake policy after a second failed attempt? Candidates must wait 14 days before each subsequent attempt
  15. Which metric measures the time from when an incident is detected to when it is fully resolved? Mean Time to Respond (MTTR)
  16. An analyst identifies malware that modifies the Master Boot Record (MBR). Which malware classification BEST fits this behavior? Bootkit
  17. A threat intelligence analyst identifies that two separate intrusion sets share the same C2 infrastructure and tooling. What can be inferred from this overlap? The intrusion sets may be operated by the same threat actor or affiliate
  18. Under GDPR, what is the maximum timeframe for notifying a supervisory authority after discovering a personal data breach? 72 hours
  19. A CySA+ analyst is reviewing an IAM report and finds several accounts that have not been used in 90 days. What should be the FIRST action taken? Disable the accounts pending review and notify account owners
  20. A CySA+ analyst uses a disassembler to examine malware without executing it. This is an example of which analysis type? Static analysis
  21. A candidate scores consistently low in the Threat and Vulnerability Management domain during practice tests. What should their next step be? Review study materials and retake targeted quizzes on this domain
  22. Which NIST SP 800-53 control family addresses audit and accountability requirements? AU — Audit and Accountability
  23. Which risk concept describes the probability that a given threat will exploit a specific vulnerability within a defined time period? Threat likelihood
  24. An analyst is performing triage on 50 simultaneous alerts. Which approach BEST prioritizes response efforts? Prioritize by asset criticality and potential business impact
  25. A threat analyst is mapping an adversary campaign to the Diamond Model. Which four features are core to this model? Actor, capability, infrastructure, victim
  26. A forensic analyst is reviewing Windows Security event logs and sees Event ID 4624 with Logon Type 3 from an external IP. What does this indicate? A network logon, such as accessing a shared folder
  27. SOC 2 Type II reports differ from SOC 2 Type I reports primarily because Type II reports evaluate: Controls over a period of time, not just a point in time
  28. OAuth 2.0 is primarily used to provide which of the following capabilities? Delegated authorization allowing third-party apps to access resources on behalf of a user
  29. What is the purpose of a kill chain analysis in threat intelligence? To map attacker actions to stages in order to identify defensive intervention points
  30. What does the term 'residual risk' refer to in a risk management context? Risk remaining after controls have been applied