CySA+ Domain #3: Security operations and monitoring

Greg Belding
September 14, 2021 by
Greg Belding

CompTIA’s Cybersecurity Analyst+, or CySA+, is an intermediate-level cybersecurity certification intended for those with several years of experience. Working in a security operations center (SOC) and monitoring cyber threats is an essential duty for many cybersecurity analysts. That’s why security operations and monitoring, the third domain of CySA+, makes up 25% of the CySA+ exam

Typical responsibilities performed by cybersecurity analysts include security monitoring, data analysis, configuring security controls, and applying appropriate threat hunting techniques and automation concepts and technologies. All of these topics are covered in domain 3 of the CySA+ certification exam. 

This article explores what has changed since the last exam edition (CS0-001), how the material will help your career, and what is covered by CySA+ domain 3.

Earn your CySA+, guaranteed!

Earn your CySA+, guaranteed!

Get hands-on experience and live expert, instruction. Enroll now to claim your Exam Pass Guarantee!

CySA+ CS0-002: What has changed since CS0-001

There have been quite a few changes made to the CySA+ knowledge domains. Below is a high-level view of what has changed:

  • CS0-002 has followed the cybersecurity market trend of “going on the offense with defense,” an essential element of threat intelligence.
  • CS0-002 focuses more on software security than systems security.
  • Incident response has become more of a focus.
  • There is more content on the cybersecurity regulatory environment to reflect the growing number of cybersecurity regulations.

As a result, CompTIA reworked the CySA+ exam domains and added a fifth domain.

CS0-001 domains

Domain % of the exam

1.0 Threat management 27%

2.0 Vulnerability management 26%

3.0 Cyber incident response 23%

4.0 Security architecture and tool sets 24%


CS0-002 domains

Domain % of the exam

1.0 Threat and vulnerability management 22%

2.0 Software and systems security 18%

3.0 Security operations and monitoring 25%

4.0 Incident response 22%

5.0 Compliance and assessment 13%

How CySA+ domain 3 will help your career

CySA+ domain 3 covers many of the daily responsibilities around security operations and monitoring that cybersecurity analysts will perform. Having a blueprint for what you want to do, or even an instruction manual, can set you up for success.

This domain will likely be an invaluable on-the-job resource for these role responsibilities and should be referred to when needed.

What’s included in CySA+ domain 3?

Below is a rundown of domain 3 of the new edition of the CySA+ (CS0-002) exam. It contains four objectives along with several sub-objectives. Download the complete list of CySA+ exam objectives here.

3.1 Given a scenario, analyze data as part of security monitoring activities

  • Heuristics
  • Trend analysis
  • Endpoint
    • Malware
      • Reverse engineering
    • Memory
    • System and application behavior
      • Known-good behavior
      • Anomalous behavior
      • Exploit techniques
    • File system
    • User and entity behavior analytics (UEBA)

  • Network
    • Uniform Resource Locator (URL) and domain name system (DNS) analysis
      • Domain generation algorithm
    • Flow analysis
    • Packet and protocol analysis
      • Malware

  • Log review
    • Event logs
    • Syslog
    • Firewall logs
    • Web application firewall (WAF)
    • Proxy
    • Intrusion detection system (IDS)/Intrusion prevention system (IPS)

  • Impact analysis
    • Organization impact vs. localized impact
    • Immediate vs. total

  • Security information and event management (SIEM) review
    • Rule writing
    • Known-bad internet protocol (IP)
    • Dashboard

  • Query writing
    • String search
    • Script
    • Piping

  • E-mail analysis
    • Malicious payload
    • Domain Keys Identified Mail (DKIM)
    • Domain-based Message Authentication, Reporting and Conformance (DMARC)
    • Sender Policy Framework (SPF)
    • Phishing
    • Forwarding
    • Digital signature
    • E-mail signature block
    • Embedded links
    • Impersonation
    • Header

3.2 Given a scenario, implement configuration changes to existing controls to improve security

  • Permissions
  • Allow list (previously known as whitelisting)
  • Blocklist (previously known as blacklisting)
  • Firewall
  • Intrusion prevention system (IPS) rules
  • Data loss prevention (DLP)
  • Endpoint detection and response (EDR)
  • Network access control (NAC)
  • Sinkholing
  • Malware signatures
    • Development/rule writing
  • Sandboxing
  • Port security

3.3 Explain the importance of proactive threat hunting

  • Establishing a hypothesis
  • Profiling threat actors and activities
  • Threat hunting tactics
    • Executable process analysis
  • Reducing the attack surface area
  • Bundling critical assets
  • Attack vectors
  • Integrated intelligence
  • Improving detection capabilities

3.4 Compare and contrast automation concepts and technologies

  • Workflow orchestration
    • Security Orchestration, Automation and Response (SOAR)
  • Scripting
  • Application programming interface (API) integration
  • Automated malware signature creation
  • Data enrichment
  • Threat feed combination
  • Machine learning
  • Use of automation protocols and standards
    • Security Content Automation Protocol (SCAP)
  • Continuous integration
  • Continuous deployment/delivery

Earn your CySA+, guaranteed!

Earn your CySA+, guaranteed!

Get hands-on experience and live expert, instruction. Enroll now to claim your Exam Pass Guarantee!


The new edition of the CySA+ certification exam has been revamped to reflect the most in-demand cybersecurity analysts’ skills and job requirements. The new security operations and monitoring domain is largely made up of new material and demonstrates the shift to software security over systems security, in addition to threat hunting. 

Earning your CySA+ certification can help boost your salary by validating these in-demand skills for potential employers.

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.