CompTIA CySA+ exam (CSO-002) 2020 update: What you need to know

January 1, 2023 by Fakhar Imam

The new CompTIA Cybersecurity Analyst (CySA+) CS0-002 certification has been updated to meet the changes to the IT industry as well as cater to the need for security professionals to ensure software security while allowing them to be proactive with defense and threat intelligence.

Broadly speaking, the CySA+ CS0-002 exam is available for security analysts who apply behavioral analytics to IT devices and networks in order to prevent, detect and address cybersecurity threats and attacks through continual security surveillance. Increasingly, behavioral analytics is used as a replacement for traditional signature-based solutions such as antivirus software and firewalls. 

The new CySA+ CS0-002 has been active since April 21, 2020. The previous version (CS0-001) of this exam was introduced on February 15, 2017. The new version brings several changes to domains, languages and recommended experience. In this article, we will explore the new CySA+ (CS0-002) exam in detail.

Retirement of CySA+ CS0-001

Candidates who are preparing for the previous CySA+ (CS0-001) exam should know the English version will retire on October 21, 2020, and Simple Chinese and Japanese versions will retire on April 23, 2021.

According to CompTIA, the new CySA+ (CS0-002) exam is usually expected to be retired three years after its launch.

CySA+ experience and passing score

Both versions of the CySA+ (CS0-001 and CS0-002) exam required Security+, Network+ or equivalent knowledge. The sole difference is that the old version (CS0-001) requires a minimum of 3 to 4 years of hands-on experience in the realm of information security or related experience. A new version (CS0-002) requires a minimum of 4 years of hands-on experience about information security or related experience.

To become CySA+-certified, a student must obtain a score of 750 on a scale of 100-900. The timeframe to complete the exam is 165 minutes.

CySA+ changes to the new exam

The new CySA+ (CS0-002) exam is available in Japanese, English and other languages to be determined. The previous exam CySA+ (CS0-001) was specific to Japanese, English and Simplified Chinese.

Changes to CySA+ exam domains (objectives)

Exam objectives are the course material that students need to prepare to pass the exam. The CySA+ (CS0-002) exam introduces several changes to meet the ever-growing and current requirements of the cybersecurity landscape. 

The cybersecurity industry requires CompTIA to update its certification exams every three years to ensure that employers have the right recruitments that have requisite skills for the job. Before taking a deep dive into domain changes, you need to look at domains of both old and current exam, which are given below: 

CySA+ CS0-001 domains (objectives)

Domains Exam Percentage
1: Threat Management 27%
2: Vulnerability Management 26%
3: Cyber Incident Response 23%
4: Security Architecture and Tools Sets 24%
Total 100%

CySA+ CS0-002 domains (objectives)

Domains Exam Percentage
1: Threat and Vulnerability Management 22%
2: Software and Systems Security 18%
3: Security Operations and Monitoring 25%
4: Incident Response 22%
5: Compliance and Assessment 13%
Total: 100%

Change #1: Combining threat management and vulnerability management domains

The previous exam paid more attention to “Threat Management” and “Vulnerability Management” and created two separate domains for them. The exam percentages for the former and latter are 27% and 26% respectively. However, the CySA+ new exam (CS0-002) merges these domains with a “Threat and Vulnerability Management” domain with an exam percentage of 22%, which is much lower than the combined values of their previous version, 53%.

In the “Threat Management” domain, the CySA+ (CS0-001) exam covers environmental reconnaissance techniques, analyzes the results of a network reconnaissance, countermeasures, and various security practices, including penetration testing, reverse engineering, training and exercises, and risk evaluation. 

In the “Vulnerability Management” domain, the CySA+ (CS0-001) exam covers information security vulnerability management process, analyze the output resulting from a vulnerability scan; compare and contrast common vulnerabilities found in the targets within an organization (e.g., servers, endpoints, mobile devices, VPNs, SCADA devices and so on). 

On the contrary, in its new “Threat and Vulnerability Management” domain, the CySA+ (CS0-002) exam covers the importance of threat data and intelligence, usage of threat intelligence, performing vulnerability management activities, analyzing the output from common vulnerability assessment tools, explaining threats and vulnerabilities associated with specialized technology and cloud and implementing controls to mitigate attacks and software vulnerabilities. 

Change #2: Software and systems security

Since the release of the previous exam in 2017, the IT industry has realized that software and systems vulnerabilities can pose serious risks to networks, workstations, databases and other critical infrastructure. To meet the demand of the IT industry, CompTIA added a new domain — namely “Software and Systems Security ” — to their CySA+ (CS0-002) exam objectives.

The previous exam only spells out application security best practices while participating in the Software Development Life Cycle (SDLC). 

The new exam’s “Software and Systems Security” domain covers various security solutions for infrastructure management (e.g., asset management, change management, IAM and so on); software and hardware assurance best practices, which are much more detailed than that of the previous exam. 

It is essential to detect software vulnerabilities not only during the runtime but also during SDLC or coding. To this end, the new job title (Application Security Analyst) has been created, whose role is to mitigate software vulnerabilities and ensure adherence to best practices for SDLC. The new CySA+ supports this job title through its software and systems security domain. 

Change #3: Security operations and monitoring

Security Operations and Monitoring is the third domain of the CySA+ (CS0-002) exam. It is not included in the previous CySA+ (CS0-001) version. 

This domain introduces many essential concepts that are necessary for organizational security. For example, it thoroughly covers email analysis, log reviews, endpoint security, network security, log reviews and Security Information and Event Management (SIEM) solutions. SIEM is a very effective security tool in Security Operation Centers (SOC) today. 

Various other security solutions are also introduced in this domain, such as: 

  • Permissions
  • Blacklisting 
  • Whitelisting
  • Firewall
  • Data Loss Prevention (DLP)
  • Intrusion Prevention System (IPS)
  • Sinkholing 
  • Network Access Control (NAC)
  • Endpoint Detection and Response (EDR) sandboxing 
  • Port security 
  • Malware signatures 

The concept of proactive threat hunting is also introduced in CySA+ (CS0-002). Why? Today’s cybersecurity demands a proactive security approach that acts before the occurrence of the incident. Threat hunting iteratively and proactively searches through systems and networks to detect and isolate cybersecurity threats that evade existing security solutions. Traditional signature-based security solutions such as firewalls and antivirus programs are less effective in today’s digital age where cybersecurity threats and attacks are very fast and sophisticated. 

You will also learn automation concepts and technologies that include Application Programming Interfaces (API), automated malware signature creation, threat feed combination, use of automation protocols and standards, continuous integration and deployment and the Security Orchestration, Automation, and Response (SOAR) solution. SOAR is also very effective in SOC today. According to the State of SOAR Report, 2019, “SOAR tools comprised a healthy and growing percentage of common tools used for every lifecycle stage (ranging from 28% to roughly 34%).” 

This domain supports two more job roles: 

  1. Threat hunters 
  2. Threat analyst 

Change #4: Expanding the Incident Response domain

The previous CySA+ exam includes an incident response domain but it is not very comprehensive. The new CySA+ (CS0-002) exam further expands incident response capabilities because these skills are necessary to effectively respond to cybersecurity incidents. 

In terms of incident response, the previous exam doesn’t pay much attention to specialized technologies such as the Internet of Things (IoT), Real-time Operating System (RTOS), System-on-Chip (SoC), field programmable gate array (FPGA), vehicles and drones and so forth. On the other hand, the new CySA+ exam incorporates all these technologies, as well as complete incident response process procedure and potential Indicators of Compromise (IoC) that may lead to an incident. 

According to Gartner, “the enterprise and automotive Internet of Things (IoT) market will grow to 5.8 billion endpoints in 2020, a 21% increase from 2019.” Despite the widespread adoption of IoT devices, IoT security is not up to the mark and provides massive opportunities to bad guys. That is why the new exam also includes incident response capabilities associated with IoT devices. 

The CySA+ (CS0-002) exam also supports another secondary job role, which is the incident response handler. 

Change #5: Compliance and Assessment

The CySA+ (CS0-002) exam introduces a new domain: Compliance and Assessment. The compliance section requires security professionals to understand regulations such as PCI DSS, HIPAA and GDPR. These regulatory bodies affect the day-to-day work of security professionals as well as organizations. Non-compliant organizations have to suffer massive penalties and reputational damage. For example, GDPR imposes 4% of annual revenue or the higher amount of €20,0000,000 to non-compliant organizations.

Using the compliance section, security professionals and CySA+ candidates can understand regulations and how to apply them to their job. This section also supports the secondary job role: Compliance Analyst. This role performs internal audits, risk management and regulation monitoring. 

In addition, you will also learn the importance of data privacy and protection and various security concepts that help to mitigate organizational risk. 

CySA+ CS0-002 proposed software and hardware list

The CySA+ software and hardware list will help candidates to better prepare for the exam. Below is the list of both software and hardware components.

Software lists

  • Linux operating system (e.g., Parrot OS, Kali, Security Onion)
  • Windows Server
  • Windows client such as Commando VM
  • VM images for attack targets
  • Security Information and Event Management (SIEM) solutions such as Splunk, ELK and Graylog
  • Access to cloud instances such as GCP, AWS and Azure
  • Vulnerability scanners such as Nessus and OpenVAS
  • Metasploitable
  • pfSense
  • UTM Appliance
  • Chrome OS

Hardware lists

  • Workstation with ability to run Virtual Machine (VM)
  • Servers
  • IoT devices
  • WAP
  • VoIP phone
  • Mobile devices
  • Firewalls
  • Managed switch

The CySA+ CS0-002 Renewal Policy

The CompTIA CySA+ CS0-002 exam is good for three years. The validity of the exam starts from the date of the candidate’s exam. The CompTIA’s Continuing Education (CE) program allows candidates to extend their certification in three-year intervals through training and activities related to candidates’ exam objectives. 

The CySA+ exam requires 60 Continuing Education Units (CEUs) in three years. Once the student uploads 60 CEUs in his CompTIA certification account, his CySA+ exam would automatically be renewed.


The new CySA+ (CS0-002) certification exam has come into effect as of April 21, 2020. CompTIA, the vendor for the CySA+ certification, introduced several changes to domains, the recommended experience and the languages of the new exam.

Fresh candidates should prepare using the new CySA+ exam objectives, as this will ensure your certification is recognized for the longest period of time. 

Posted: January 1, 2023
Fakhar Imam
View Profile

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.