CS0-002 Exam Details

  • Exam Code: CS0-002
  • Exam Name: CompTIA Cybersecurity Analyst (CySA+)
  • Certification: CompTIA Certifications
  • Vendor: CompTIA
  • Total Questions: 1059 Q&As
  • Last Updated: May 30, 2026

CompTIA CS0-002 Online Questions & Answers

  • Question 201:

    During a routine review of firewall logs, an analyst identified that an IP address from the organization's server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incident's impact assessment?

    A. PII of company employees and customers was exfiltrated.
    B. Raw financial information about the company was accessed.
    C. Forensic review of the server required fall-back on a less efficient service.
    D. IP addresses and other network-related configurations were exfiltrated.
    E. The local root password for the affected server was compromised.

  • Question 202:

    A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile phones. The Chief Information Security Officer is concerned with ensuring all devices are patched and running some sort of protection against malicious software. Which of the following existing technical controls should a security analyst recommend to BEST meet all the requirements?

    A. EDR
    B. Port security
    C. NAC
    D. Segmentation

  • Question 203:

    A company recently experienced similar network attacks. To determine whether the attacks were identical, the company should gather a list of IPs, domains, and files and use:

    A. behavior data.
    B. the Diamond Model of Intrusion Analysis.
    C. the attack kill chain.
    D. the reputational data.

  • Question 204:

    A threat hunting team received a new IoC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

    A. The whitelist
    B. The DNS
    C. The blocklist
    D. The IDS signature

  • Question 205:

    An analyst suspects a large database that contains customer information and credit card data was exfiltrated to a known hacker group in a foreign country. Which of the following incident response steps should the analyst take FIRST?

    A. Immediately notify law enforcement, as they may be able to help track down the hacker group before customer information is disseminated.
    B. Draft and publish a notice on the company's website about the incident, as PCI regulations require immediate disclosure in the case of a breach of PII or card data.
    C. Isolate the server, restore the database to a time before the vulnerability occurred, and ensure the database is encrypted.
    D. Document and verify all evidence and immediately notify the company's Chief Information Security Officer (CISO) to better understand the next steps.

  • Question 206:

    A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no following should the analyst review FIRST?

    A. The DNS configuration
    B. Privileged accounts
    C. The IDS rule set
    D. The firewall ACL

  • Question 207:

    An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions, the user's account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting priorities when reviewing system activity:

    1. Successful administrator login reporting priority - high
    2. Failed administrator login reporting priority - medium
    3. Failed temporary elevated permissions - low
    4. Successful temporary elevated permissions - non-reportable

    A security analyst is reviewing server syslogs and sees the following:

    Which of the following events is the HIGHEST reporting priority?

    A. 2 2020-01-10T20:36:01.010Z financeserver sudo 201 32001 - BOM 'sudo vi users.txt' success
    B. 2 2020-01-10T21:18:34.002Z adminserver sudo 201 32001 - BOM 'sudo more /etc/passwords' success
    C. 2 2020-01-10T19:33:48.002Z webserver su 201 32001 - BOM 'su' success
    D. 2 2020-01-10T21:53:11.002Z financeserver su 201 32001 - BOM 'su vi syslog.conf failed for joe

  • Question 208:

    A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT?

    A. The analyst should create a backup of the drive and then hash the drive.
    B. The analyst should begin analyzing the image and begin to report findings.
    C. The analyst should create a hash of the image and compare it to the original drive's hash.
    D. The analyst should create a chain of custody document and notify stakeholders.

  • Question 209:

    When reviewing a compromised authentication server, a security analyst discovers the following hidden file:

    Further analysis shows these users never logged in to the server.

    Which of the following types of attacks was used to obtain the file and what should the analyst recommend to prevent this type of attack from reoccurring?

    A. A rogue LDAP server is installed on the system and is collecting passwords. The analyst should recommend wiping and reinstalling the server.
    B. A password spraying attack was used to compromise the passwords. The analyst should recommend that all users receive a unique password.
    C. A rainbow tables attack was used to compromise the accounts. The analyst should recommend that future password hashes contain a salt.
    D. A phishing attack was used to compromise the account. The analyst should recommend users install endpoint protection to disable phishing links.

  • Question 210:

    The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion. An analyst was asked to submit sensitive network design details for review. The forensic specialist recommended electronic delivery for efficiency, but email was not an approved communication channel to send network details. Which of the following BEST explains the importance of using a secure method of communication during incident response?

    A. To prevent adversaries from intercepting response and recovery details
    B. To ensure intellectual property remains on company servers
    C. To have a backup plan in case email access is disabled
    D. To ensure the management team has access to all the details that are being exchanged

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CS0-002 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions.