CompTIA CySA+ Practice Test 2025 – CS0-003 Exam Prep

Question 1: A security analyst notices repeated failed login attempts on an admin account followed by a successful login from an unusual geographic location. Which incident response phase should the analyst prioritize FIRST?

• 
  
  Eradication
  
• 
  
  Containment
  
• 
  
  Recovery
  
• 
  
  Post-Incident Activity
  

Question 2: Which threat intelligence indicator would BEST help an analyst identify command-and-control (C2) activity on the network?

• 
  
  A list of known vulnerable software versions
  
• 
  
  A set of IP addresses and domains associated with known malware
  
• 
  
  A database of historical CVE scores
  
• 
  
  A log of all inbound web requests
  

Question 3: A SIEM dashboard shows a spike in DNS queries to a single external domain from one internal host. This pattern most likely suggests:

• 
  
  A routine Windows update
  
• 
  
  DNS tunneling or beaconing to a C2 server
  
• 
  
  An authorized cloud backup process
  
• 
  
  A misconfigured network printer