CySA+ Test Cheat Sheet 2026
The 30 highest-yield CySA+ Test facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
85 questions
165 min time limit
83.00% to pass
- Which file system artifact on NTFS records the last 26 characters typed into the Windows Run dialog, even after a user clears the run history? → Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
- What is multi-factor authentication (MFA)? → Requiring two or more verification methods to confirm identity
- What is a zero-day vulnerability? → A security flaw unknown to the vendor with no available patch
- An analyst wants to determine whether a new threat-hunting playbook improved detection of lateral movement. Which comparison approach is most appropriate? → Measure true-positive lateral movement detections before and after playbook deployment
- Which of the following BEST describes a drag-and-drop question on the CySA+ exam? → A scenario where candidates move labeled items to correct positions
- What is the CIA triad in information security? → Confidentiality, Integrity, Availability
- Which NIST SP 800-61 document revision provides guidance on computer security incident handling? → NIST SP 800-61 Rev 2
- Which HIPAA rule establishes national standards for the protection of electronically protected health information (ePHI)? → HIPAA Security Rule
- Which security tool provides real-time analysis of security alerts generated by network hardware and applications? → SIEM
- An analyst discovers a scheduled task running every 30 minutes that executes a script from a hidden directory. What MITRE ATT&CK tactic does this represent? → Persistence
- What is a zero-day vulnerability? → A security flaw unknown to the vendor with no available patch
- A company performing a gap analysis against ISO 27001 identifies missing controls. What document defines the scope of controls selected for implementation? → Statement of Applicability (SoA)
- Which technique helps analysts determine the true difficulty of the CySA+ exam before sitting for it? → Completing official CompTIA practice exams and hands-on lab simulations
- Which of the following is TRUE regarding the CySA+ exam retake policy after a second failed attempt? → Candidates must wait 14 days before each subsequent attempt
- Which metric measures the time from when an incident is detected to when it is fully resolved? → Mean Time to Respond (MTTR)
- An analyst identifies malware that modifies the Master Boot Record (MBR). Which malware classification BEST fits this behavior? → Bootkit
- A threat intelligence analyst identifies that two separate intrusion sets share the same C2 infrastructure and tooling. What can be inferred from this overlap? → The intrusion sets may be operated by the same threat actor or affiliate
- Under GDPR, what is the maximum timeframe for notifying a supervisory authority after discovering a personal data breach? → 72 hours
- A CySA+ analyst is reviewing an IAM report and finds several accounts that have not been used in 90 days. What should be the FIRST action taken? → Disable the accounts pending review and notify account owners
- A CySA+ analyst uses a disassembler to examine malware without executing it. This is an example of which analysis type? → Static analysis
- A candidate scores consistently low in the Threat and Vulnerability Management domain during practice tests. What should their next step be? → Review study materials and retake targeted quizzes on this domain
- Which NIST SP 800-53 control family addresses audit and accountability requirements? → AU — Audit and Accountability
- Which risk concept describes the probability that a given threat will exploit a specific vulnerability within a defined time period? → Threat likelihood
- An analyst is performing triage on 50 simultaneous alerts. Which approach BEST prioritizes response efforts? → Prioritize by asset criticality and potential business impact
- A threat analyst is mapping an adversary campaign to the Diamond Model. Which four features are core to this model? → Actor, capability, infrastructure, victim
- A forensic analyst is reviewing Windows Security event logs and sees Event ID 4624 with Logon Type 3 from an external IP. What does this indicate? → A network logon, such as accessing a shared folder
- SOC 2 Type II reports differ from SOC 2 Type I reports primarily because Type II reports evaluate: → Controls over a period of time, not just a point in time
- OAuth 2.0 is primarily used to provide which of the following capabilities? → Delegated authorization allowing third-party apps to access resources on behalf of a user
- What is the purpose of a kill chain analysis in threat intelligence? → To map attacker actions to stages in order to identify defensive intervention points
- What does the term 'residual risk' refer to in a risk management context? → Risk remaining after controls have been applied
Turn these facts into recall: