CySA+ Domain #4: Incident Response

Greg Belding
September 15, 2021 by
Greg Belding

Cyber Security Analyst Plus, or CySA+, is an intermediate-level CompTIA cybersecurity analyst certification. This certification is intended for cybersecurity analysts and related professionals who have 3-4 years of hands-on experience in the field. This certification is on its second version, CS0-002. There have been some changes to the Domains of knowledge both in content and number of Domains. This article will detail Domain #4, Incident Response, which is one of the new Domains in this cert’s common body of knowledge (CBK). It will give a high-level view of what has changed since the last exam and will explore how this domain will help you in your career and what this domain covers.

Earn your CySA+, guaranteed!

Earn your CySA+, guaranteed!

Get hands-on experience and live expert, instruction. Enroll now to claim your Exam Pass Guarantee!

CySA+ CS0-002 – what has changed since CS0-001

CS0-002 has undergone several changes since the last exam version, with the most relevant for this article being the addition of Domain 4, Incident Response. Below is a high-level view of what has changed, followed by a comparison of the domains in CS0-001 and CS0-002.

  • CS0-002 has followed the cybersecurity market trend of “going on the offense with defense” with threat hunting, an essential element of threat intelligence
  • CS0-002 focuses more on software security than systems security
  • Incident response has become more of a focus
  • More content on the cybersecurity regulatory environment has also been added in response to the growing number of cybersecurity regulations
  • These changes have amounted to some material being shifted around into other domains and an entirely new domain
  • Domain 4 of CS0-002 is largely new material, and some material from the previous exam edition has been merged into this domain as well

CS0-001 Domains

Domain Percentage of Examination

1.0 Threat Management 27%

2.0 Vulnerability Management 26%

3.0 Cyber Incident Response 23%

4.0 Security Architecture and Tool Sets 24%


CS0-002 Domains

Domain Percentage of Examination

1.0 Threat and Vulnerability Management 22%

2.0 Software and Systems Security 18%

3.0 Security Operations and Monitoring 25%

4.0 Incident Response 22%

5.0 Compliance and Assessment 13%

How CySA+ Domain 4 will help you in your career

The CySA+ cert has had its domain line up changed to keep up with the ever-changing field of cybersecurity analysis. To make the certification exam material more up-to-date, the hosting organization added Incident Response as a new domain. Certification candidates and holders should see this as a great opportunity to add a strong dose of career-boosting, practical knowledge and expertise to their cybersecurity skill toolbox. Remember, the CySA+ certification has a hands-on driven approach and mastering the knowledge in this domain will make you both a more useful and more effective cybersecurity analyst going forward.

What is covered in CySA+ Domain 4?

Below is a rundown of what is covered in domain 4 of the new edition of the CySA+ (CS0-002) certification exam. It contains four objectives, with several sub-objectives included in each objective.

4.1 Explain the importance of the incident response process

  • Communication plan
    • Limiting communication to trusted parties
    • Disclosing based on regulatory/legislative requirements
    • Preventing inadvertent release of information
    • Using a secure method of communication
    • Reporting requirements

  • Response coordination with relevant entities
    • Legal
    • Human resources
    • Public relations
    • Internal and external
    • Law enforcement
    • Senior leadership
    • Regulatory bodies

  • Factors contributing to data criticality
    • Personally identifiable information (PII)
    • Personal health information (PHI)
    • Sensitive personal information (SPI)
    • High-value asset
    • Financial information
    • Intellectual property
    • Corporate information

4.2 Given a scenario, apply the appropriate incident response procedure

  • Preparation
    • Training
    • Testing
    • Documentation of procedures

  • Detection and analysis
    • Characteristics contributing to severity level classification
    • Downtime
    • Recovery time
    • Data integrity
    • Economic
    • System process criticality
    • Reverse engineering
    • Data correlation

  • Containment
    • Segmentation
    • Isolation

  • Eradication and recovery
    • Vulnerability mitigation
    • Sanitization
    • Reconstruction/reimaging
    • Secure disposal
    • Patching
    • Restoration of permissions
    • Reconstitution of resources
    • Restoration of capabilities and services
    • Verification of logging/communications to security monitoring

  • Post-incident activities
    • Evidence retention
    • Lessons learned report
    • Change control process
    • Incident response plan update
    • Incident summary report
    • IoC generation
    • Monitoring

4.2 Given an incident, analyze potential indicators of compromise

  • Network-related
    • Bandwidth consumption
    • Beaconing
    • Irregular peer-to-peer communication
    • Rogue device on the network
    • Scan/sweep
    • Unusual Traffic spike
    • Common protocol over a non-standard port

  • Host-related
    • Processor consumption
    • Memory consumption
    • Drive capacity consumption
    • Unauthorized software
    • Malicious process
    • Unauthorized change
    • Unauthorized privilege
    • Data exfiltration
    • Abnormal OS process behavior
    • File system change or anomaly
    • Unauthorized scheduled task

  • Application-related
    • Anomalous activity
    • Introduction of new accounts
    • Unexpected output
    • Unexpected outbound communication
    • Service interruption
    • Application log

4.4 Given a scenario, utilize basic digital forensics techniques

  • Network
    • Wireshark
    • tcpdump

  • Endpoint
    • Disk
    • Memory
  • Mobile
  • Cloud
  • Virtualization
  • Legal hold
  • Procedures
  • Hashing
    • Changes to binaries
  • Carving
  • Data acquisition

Earn your CySA+, guaranteed!

Earn your CySA+, guaranteed!

Get hands-on experience and live expert, instruction. Enroll now to claim your Exam Pass Guarantee!

Preparing for the incident response domain

CySA+ is a certification intended for cybersecurity analysts (and related roles), which has recently debuted a new exam version, CS0-002. This new exam version introduces a new domain of knowledge Domain #4: Incident Response. Certification holders and candidates alike will find the knowledge in this domain to be especially relevant in today’s world of cybersecurity that has been incorporating Incident Response techniques and concepts into the cybersecurity analyst role more and more lately. 



Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.