1. Home
  2. CompTIA
  3. CS0-002

CompTIA CS0-002 Online Practice Questions and Exam Preparation

CS0-002 Exam Details

  • Exam Code
    :CS0-002
  • Exam Name
    :CompTIA Cybersecurity Analyst (CySA+)
  • Certification
    :CompTIA Certifications
  • Vendor
    :CompTIA
  • Total Questions
    :1059 Q&As
  • Last Updated
    :May 30, 2026

CompTIA CS0-002 Online Questions & Answers

  • Question 451:

    A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication.

    Which of the following will remediate this software vulnerability?

    A. Enforce unique session IDs for the application.
    B. Deploy a WAF in front of the web application.
    C. Check for and enforce the proper domain for the redirect.
    D. Use a parameterized query to check the credentials.
    E. Implement email filtering with anti-phishing protection.

  • Question 452:

    SIMULATION

    Malware is suspected on a server in the environment.

    The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one of the servers may be malware.

    INSTRUCTIONS

    Servers 1, 2, and 4 are clickable. Select the Server and the process that host the malware.

    If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select

    the Next button to continue.

    Hot Area:

  • Question 453:

    A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team's NEXT step during the detection phase of this response process?

    A. Escalate the incident to management, who will then engage the network infrastructure team to keep them informed.
    B. Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections.
    C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses.
    D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.

  • Question 454:

    A threat intelligence analyst who works for a financial services firm received this report:

    "There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called "LockMaster" by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector."

    The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Select TWO).

    A. Advise the firewall engineer to implement a block on the domain
    B. Visit the domain and begin a threat assessment
    C. Produce a threat intelligence message to be disseminated to the company
    D. Advise the security architects to enable full-disk encryption to protect the MBR
    E. Advise the security analysts to add an alert in the SIEM on the string "LockMaster"
    F. Format the MBR as a precaution

  • Question 455:

    After examine a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?

    A. Header analysis
    B. File carving
    C. Metadata analysis
    D. Data recovery

  • Question 456:

    A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (Choose two.)

    A. Validate the folder and file directory listings on both.
    B. Check the hash value between the image and the original.
    C. Boot up the image and the original systems to compare.
    D. Connect a write blocker to the imaging device.
    E. Copy the data to a disk of the same size and manufacturer.

  • Question 457:

    A software assurance lab is performing a dynamic assessment on an application by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition. Which of the following software assessment capabilities is the lab performing AND during which phase of the SDLC should this occur? (Select two.)

    A. Fuzzing
    B. Behavior modeling
    C. Static code analysis
    D. Prototyping phase
    E. Requirements phase
    F. Planning phase

  • Question 458:

    A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is MOST likely to be incorporated in the AUP?

    A. Sponsored guest passwords must be at least ten characters in length and contain a symbol.
    B. The corporate network should have a wireless infrastructure that uses open authentication standards.
    C. Guests using the wireless network should provide valid identification when registering their wireless devices.
    D. The network should authenticate all guest users using 802.1x backed by a RADIUS or LDAP server.

  • Question 459:

    Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able to detect an attack even though the company signature based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred?

    A. Cookie stealing
    B. Zero-day
    C. Directory traversal
    D. XML injection

  • Question 460:

    An analyst is detecting Linux machines on a Windows network. Which of the following tools should be used to detect a computer operating system?

    A. whois
    B. netstat
    C. nmap
    D. nslookup

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only CompTIA exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CS0-002 exam preparations and CompTIA certification application, do not hesitate to visit our Vcedump.com to find your solutions here.