CompTIA Cybersecurity Analyst (CySA+) Ultimate Cheat Sheet
Your Quick Reference Study Guide
This cheat sheet covers the core concepts, terms, and definitions you need to know for the CompTIA Cybersecurity Analyst (CySA+). We've distilled the most important domains, topics, and critical details to help your exam preparation.
💡 Note: While this study guide highlights essential concepts, it's designed to complement—not replace—comprehensiv e learning materials. Use it for quick reviews, last-minute prep, or to identify areas that need deeper study before your exam.
About This Cheat Sheet: This study guide covers core concepts for CompTIA Cybersecurity Analyst (CySA+). It highlights key terms, definitions, common mistakes, and frequently confused topics to support your exam preparation.
Use this as a quick reference alongside comprehensive study materials.
CompTIA Cybersecurity Analyst (CySA+)
Cheat Sheet •
About This Cheat Sheet: This study guide covers core concepts for CompTIA Cybersecurity Analyst (CySA+). It highlights key terms, definitions, common mistakes, and frequently confused topics to support your exam preparation.
Use this as a quick reference alongside comprehensive study materials.
Security Operations
33%Linux Auth: sudo & /etc/passwd Forensics
Use /var/log/auth.log sudo entries plus /etc/passwd to detect privilege use and map UIDs for investigations.
Key Insight
Sudo lines show USER, TTY, PID and COMMAND — grep 'sudo:' in /var/log/auth.log and map UID/GID in /etc/passwd; hashes live in /etc/shadow.
Often Confused With
Common Mistakes
- Don't treat /etc/passwd as password storage; hashes are stored in /etc/shadow.
- /etc/passwd is a static account database, not a session or login log.
- No auth.log entry ≠ no activity — logs can rotate, be forwarded, or be tampered with.
Network Firewall — Layered Rule Control
Rule-based traffic gate between network zones; can be packet, stateful, or application-layer and produces logs for alert
Key Insight
Firewalls enforce policy: rule order/first-match and implicit-deny matter; encrypted (TLS) traffic hides payloads unless SSL inspection is enabled.
Often Confused With
Common Mistakes
- Don't assume a firewall replaces endpoint AV — combine perimeter and endpoint defenses.
- TLS isn't inspected by default — you need SSL/TLS inspection or a proxy to see payloads.
- One perimeter firewall doesn't provide full segmentation; internal controls and microsegmentation are required.
IDS (Intrusion Detection System): Detect, Don't Block
Monitors hosts/networks for signature or anomaly matches and raises alerts for correlation—not guaranteed blocking.
Key Insight
An IDS alert is telemetry, not proof of compromise — always correlate IDS metadata with host logs, timelines, and threat intel.
Often Confused With
Common Mistakes
- Assuming an IDS alert equals a successful compromise.
- Expecting full request payloads—many IDS store only metadata/signature IDs.
- Thinking an IDS will block traffic automatically (that's an IPS/WAF).
XSS (Cross‑Site Scripting): Client‑Side Script Injection
Attacker-supplied scripts run in victims' browsers (reflected, stored, or DOM), enabling session theft, defacement, or w
Key Insight
Differentiate reflected, stored, and DOM XSS — where the payload is output/storage dictates how to detect and fix it.
Often Confused With
Common Mistakes
- Believing HTTPS/TLS prevents XSS — it doesn't stop injected client-side scripts.
- Relying only on server-side validation; DOM/reflected XSS require correct output encoding.
- Thinking CSP or sanitization alone guarantees no XSS — apply layered defenses (encode, sanitize, CSP).
NetFlow/IPFIX/sFlow — Host Communications
Aggregated flow metadata (src/dst, ports, protocol, bytes) to find top talkers, anomalies, and pivot hosts.
Key Insight
Flows are metadata summaries (often sampled/aggregated) — corroborate with pcaps/logs and account for NAT/proxies.
Often Confused With
Common Mistakes
- Treating flow records like packet captures — flows contain metadata, not payloads.
- Expecting precise per-packet ordering/timestamps — flows are aggregated and may be sampled.
- Equating high byte/connection counts automatically with data exfiltration (context matters).
Wireshark Packet Analysis (pcap)
Capture and inspect packets (headers, payloads, timestamps) to profile beaconing, confirm protocols, and prove behavior.
Key Insight
Encrypted traffic hides payloads unless you have keys or endpoint logs; use correct capture filters and multiple vantage points.
Often Confused With
Common Mistakes
- Expecting readable TLS/HTTPS payloads without decryption keys or endpoint secrets.
- Using display filters to limit what was captured — display filters only change view, not recorded data.
- Assuming a single-host/interface capture contains all relevant enterprise traffic.
Threat Intel Feeds — Tactical IOCs for the SOC
Operational, short‑term IOCs/TTPs validated and enriched, then pushed to SIEM/YARA/blocklists for detection.
Key Insight
Feeds are time‑sensitive tactical data — always validate, enrich, map to detections, and set TTLs before blocking.
Often Confused With
Common Mistakes
- Blocking feed IOCs immediately without validation
- Relying on automated ingestion/blocking to replace analyst review
- Treating feed IOCs as evergreen; ignoring expiration/context
Indicators of Compromise (IoC) — Observables to Hunt
Observable artifacts or behaviors (IPs, hashes, registry keys, anomalous traffic) that suggest suspicious activity.
Key Insight
An IoC is evidence for suspicion, not proof — correlate with source confidence, timeline, and other telemetry.
Often Confused With
Common Mistakes
- Assuming one IoC alone proves a compromise
- Treating IoCs as only static artifacts (ignore behavioral indicators)
- Not weighting IoC reliability by source and confidence
SOC Ops & Continuous Monitoring
Daily collection, tuning, and analyst-led review of logs/telemetry to detect and escalate security events.
Key Insight
Right logs + tuned thresholds + review loops = reliable detections; more data without tuning reduces signal.
Often Confused With
Common Mistakes
- Assuming more logs = better — excessive noise hides true alerts.
- Treating monitoring as incident response — monitoring detects; IR runs playbooks.
- Relying on SIEM/EDR as a silver bullet — they need config, tuning, and analyst validation.
SIEM Ingestion & Normalization Check
Use a known test event to confirm transmission, parsing, timestamp normalization, and field mapping for correlation.
Key Insight
Validate with a known-event: confirm raw receipt, parser success, correct timestamps, and mapped schema for detections.
Often Confused With
Common Mistakes
- Expecting no data loss during normalization — always verify raw fields remain accessible.
- Using a universal schema without custom mappings — causes semantic mismatches across sources.
- Trusting parsed timestamps and types blindly — validate them with the known event.
Linux Auth: sudo & /etc/passwd Forensics
Use /var/log/auth.log sudo entries plus /etc/passwd to detect privilege use and map UIDs for investigations.
Key Insight
Sudo lines show USER, TTY, PID and COMMAND — grep 'sudo:' in /var/log/auth.log and map UID/GID in /etc/passwd; hashes live in /etc/shadow.
Often Confused With
Common Mistakes
- Don't treat /etc/passwd as password storage; hashes are stored in /etc/shadow.
- /etc/passwd is a static account database, not a session or login log.
- No auth.log entry ≠ no activity — logs can rotate, be forwarded, or be tampered with.
Network Firewall — Layered Rule Control
Rule-based traffic gate between network zones; can be packet, stateful, or application-layer and produces logs for alert
Key Insight
Firewalls enforce policy: rule order/first-match and implicit-deny matter; encrypted (TLS) traffic hides payloads unless SSL inspection is enabled.
Often Confused With
Common Mistakes
- Don't assume a firewall replaces endpoint AV — combine perimeter and endpoint defenses.
- TLS isn't inspected by default — you need SSL/TLS inspection or a proxy to see payloads.
- One perimeter firewall doesn't provide full segmentation; internal controls and microsegmentation are required.
IDS (Intrusion Detection System): Detect, Don't Block
Monitors hosts/networks for signature or anomaly matches and raises alerts for correlation—not guaranteed blocking.
Key Insight
An IDS alert is telemetry, not proof of compromise — always correlate IDS metadata with host logs, timelines, and threat intel.
Often Confused With
Common Mistakes
- Assuming an IDS alert equals a successful compromise.
- Expecting full request payloads—many IDS store only metadata/signature IDs.
- Thinking an IDS will block traffic automatically (that's an IPS/WAF).
XSS (Cross‑Site Scripting): Client‑Side Script Injection
Attacker-supplied scripts run in victims' browsers (reflected, stored, or DOM), enabling session theft, defacement, or w
Key Insight
Differentiate reflected, stored, and DOM XSS — where the payload is output/storage dictates how to detect and fix it.
Often Confused With
Common Mistakes
- Believing HTTPS/TLS prevents XSS — it doesn't stop injected client-side scripts.
- Relying only on server-side validation; DOM/reflected XSS require correct output encoding.
- Thinking CSP or sanitization alone guarantees no XSS — apply layered defenses (encode, sanitize, CSP).
NetFlow/IPFIX/sFlow — Host Communications
Aggregated flow metadata (src/dst, ports, protocol, bytes) to find top talkers, anomalies, and pivot hosts.
Key Insight
Flows are metadata summaries (often sampled/aggregated) — corroborate with pcaps/logs and account for NAT/proxies.
Often Confused With
Common Mistakes
- Treating flow records like packet captures — flows contain metadata, not payloads.
- Expecting precise per-packet ordering/timestamps — flows are aggregated and may be sampled.
- Equating high byte/connection counts automatically with data exfiltration (context matters).
Wireshark Packet Analysis (pcap)
Capture and inspect packets (headers, payloads, timestamps) to profile beaconing, confirm protocols, and prove behavior.
Key Insight
Encrypted traffic hides payloads unless you have keys or endpoint logs; use correct capture filters and multiple vantage points.
Often Confused With
Common Mistakes
- Expecting readable TLS/HTTPS payloads without decryption keys or endpoint secrets.
- Using display filters to limit what was captured — display filters only change view, not recorded data.
- Assuming a single-host/interface capture contains all relevant enterprise traffic.
Threat Intel Feeds — Tactical IOCs for the SOC
Operational, short‑term IOCs/TTPs validated and enriched, then pushed to SIEM/YARA/blocklists for detection.
Key Insight
Feeds are time‑sensitive tactical data — always validate, enrich, map to detections, and set TTLs before blocking.
Often Confused With
Common Mistakes
- Blocking feed IOCs immediately without validation
- Relying on automated ingestion/blocking to replace analyst review
- Treating feed IOCs as evergreen; ignoring expiration/context
Indicators of Compromise (IoC) — Observables to Hunt
Observable artifacts or behaviors (IPs, hashes, registry keys, anomalous traffic) that suggest suspicious activity.
Key Insight
An IoC is evidence for suspicion, not proof — correlate with source confidence, timeline, and other telemetry.
Often Confused With
Common Mistakes
- Assuming one IoC alone proves a compromise
- Treating IoCs as only static artifacts (ignore behavioral indicators)
- Not weighting IoC reliability by source and confidence
SOC Ops & Continuous Monitoring
Daily collection, tuning, and analyst-led review of logs/telemetry to detect and escalate security events.
Key Insight
Right logs + tuned thresholds + review loops = reliable detections; more data without tuning reduces signal.
Often Confused With
Common Mistakes
- Assuming more logs = better — excessive noise hides true alerts.
- Treating monitoring as incident response — monitoring detects; IR runs playbooks.
- Relying on SIEM/EDR as a silver bullet — they need config, tuning, and analyst validation.
SIEM Ingestion & Normalization Check
Use a known test event to confirm transmission, parsing, timestamp normalization, and field mapping for correlation.
Key Insight
Validate with a known-event: confirm raw receipt, parser success, correct timestamps, and mapped schema for detections.
Often Confused With
Common Mistakes
- Expecting no data loss during normalization — always verify raw fields remain accessible.
- Using a universal schema without custom mappings — causes semantic mismatches across sources.
- Trusting parsed timestamps and types blindly — validate them with the known event.
Vulnerability Management
30%Credentialed vs Non‑Credentialed — Internal vs External
Credentialed (inside) vs unauthenticated (attacker) scans and internal vs external origins give different risk views —用B
Key Insight
Credentialed/internal scans reveal config and lateral paths; unauthenticated/external show real attacker-facing exposure — both are needed to triage.
Often Confused With
Common Mistakes
- Assuming authenticated scans find every vulnerability (privilege/coverage gaps exist).
- Relying on external scans alone to represent attacker exposure.
- Treating internal-only findings as automatically low priority.
Vulnerability Assessment (Vuln Analysis)
Process to discover, validate, and prioritize weaknesses; produces validated findings and escalation decisions, not just
Key Insight
Automated scanner output is leads — exam answers expect manual validation, evidence collection, accurate prioritization, and clear criteria for pen‑te
Often Confused With
Common Mistakes
- Treating one automated scan as exhaustive — repeat and validate with other techniques.
- Assuming every scanner finding is a true positive without verification.
- Confusing vulnerability assessments with penetration tests (scope, evidence, authorization differ).
Web App DAST — OWASP Mapping
Automated dynamic scans of web pages/APIs to detect OWASP-style flaws; map findings to Top 10 to prioritize fixes.
Key Insight
DAST finds runtime I/O and injection issues but misses many business-logic/auth problems — OWASP tag = type, not severity; context matters.
Often Confused With
Common Mistakes
- Assuming DAST finds all business-logic flaws; manual workflow testing is required.
- Treating an OWASP Top 10 label as technical severity; severity needs context and exploitability analysis.
- Expecting each scanner finding to map cleanly to one OWASP category; many findings span categories.
Port & Service Enumeration — Reachability vs Exploitability
Discover open/filtered TCP/UDP ports, parse banners and fingerprints to ID services, then assess reachability and real‑w
Key Insight
Open ≠ exploitable; filtered usually signals firewalls/ACLs; banners can be spoofed — always verify with safe probes and context.
Often Confused With
Common Mistakes
- Assuming an open port is immediately exploitable; validate service, version, auth and access controls.
- Trusting service banners/version strings as authoritative; perform fingerprinting and active checks.
- Interpreting 'filtered' as closed; it often indicates firewall/ACL interference or rate limiting.
CVSS — Score + Vector (Base / Temporal / Environmental)
0.0–10.0 standardized severity score with a compact vector; Base = technical severity, use Temporal/Environmental forkaa
Key Insight
Base = technical severity; Temporal = exploit/patch maturity; Environmental = asset context — base alone ≠ real-world risk
Often Confused With
Common Mistakes
- Assuming a high base score automatically makes it the top remediation priority
- Treating the base score as real-world exploit likelihood instead of technical impact
- Ignoring Temporal/Environmental metrics — they can materially change adjusted priority
Severity×Count Triage (weighted counts)
Prioritize by severity-weighted counts plus asset criticality, exploit availability, and de-duplication — not raw totals
Key Insight
Many low-severity findings on a test box rarely outrank one critical vuln on production — weight by severity and asset value and collapse duplicates
Often Confused With
Common Mistakes
- Picking the asset with the highest total count regardless of severity or asset criticality
- Trusting scanner counts as proof of exploitability without validation or verification
- Assuming all same-severity findings need identical urgency; ignore duplicates/root causes at your peril
SQL Injection — Parameterize, Don't Rely on WAF
Untrusted input in SQL queries that can exfiltrate or modify DB data; exam focus: detect and fix with parameterized SQL.
Key Insight
Prevent with parameterized queries/prepared statements + least‑privilege DB accounts; WAFs are stopgaps, not code fixes.
Often Confused With
Common Mistakes
- Relying solely on a WAF — it's a band‑aid, not a code fix.
- Using input escaping instead of parameterized/prepared statements.
- Assuming ORMs or stored procedures automatically prevent injection.
Change Control Types — Routine, Priority, Emergency, Pre‑approved
Classifies changes with approvals, tests, rollback plans and maintenance windows — exam focus: justified deviations and必
Key Insight
Emergency changes may bypass schedule but still require risk assessment, rollback plans, approval records, and post‑change review.
Often Confused With
Common Mistakes
- Assuming maintenance windows forbid all out‑of‑window security fixes.
- Expecting full system downtime during windows; rolling/live updates exist.
- Applying emergency patches without testing, documented approval, or rollback plans.
Risk Response: Mitigate / Accept / Transfer / Avoid
Four post-assessment choices: reduce likelihood/impact, document & monitor, shift liability, or stop the activity.
Key Insight
Mitigation lowers likelihood/impact (not elimination); acceptance requires documented monitoring; transference shifts cost/legal burden but leaves
Often Confused With
Common Mistakes
- Assuming mitigation eliminates the risk entirely.
- Treating acceptance as ignoring — it requires documentation, monitoring, contingency.
- Believing transference (insurance/contracts) removes all responsibility.
NIST Impact Categories — Functional & Asset Prioritization
Use functional impact + asset criticality to prioritize incidents, set SLAs/SLOs, and order remediation.
Key Insight
Prioritize by operational/business impact first; CVSS, sensitivity and exposure adjust priority — update classifications after system or business‑flow
Often Confused With
Common Mistakes
- Treating all assets equally; ignoring criticality and business impact.
- Assuming DMZ/publicly exposed systems always have highest impact.
- Not updating impact classifications after system or business changes.
Incident Response Management
20%MITRE ATT&CK — Tactics → Techniques
Community catalog of observed adversary tactics, techniques and procedures used to map detections and telemetry.
Key Insight
Descriptive catalog — map alerts to ATT&CK techniques to find telemetry gaps, not a prescriptive controls list.
Often Confused With
Common Mistakes
- Treating ATT&CK as a prescriptive controls checklist
- Assuming ATT&CK == Kill Chain (they differ in scope/structure)
- Believing mapping to a technique guarantees future detection
Attack Lifecycle / Kill Chain
Phase-based model that maps intrusion stages to techniques and telemetry for detection and response planning.
Key Insight
Stages are not strictly linear — they can overlap, repeat, or be skipped; map techniques across stages to choose telemetry.
Often Confused With
Common Mistakes
- Treating stages as always linear and sequential
- Thinking a unified model replaces ATT&CK or LM Kill Chain
- Expecting every attack to include all stages (exfiltration may be absent)
IR Lifecycle — Detect→Contain→Recover
Phased process to detect, contain, eradicate, and recover incidents; exam focus: NIST steps and evidence handling.
Key Insight
Preserve volatile evidence immediately; use selective containment to limit impact; detection starts the investigation.
Often Confused With
Common Mistakes
- Delaying evidence collection until after eradication — destroys forensics.
- Performing full network isolation by default — breaks services and wastes time.
- Treating detection as the endpoint and skipping analysis/remediation.
Detection & Analysis — Triage + IPS Tuning
Collect and correlate alerts, logs, telemetry and intel; triage by asset/impact and tune IPS signatures to reduce noise.
Key Insight
Alerts are signals, not verdicts: triage with context (asset, IOC, impact), add telemetry, and tune IPS/signatures before escalation.
Often Confused With
Common Mistakes
- Escalating every alert into a full incident response.
- Assuming SIEM/IDS detects all threats without tuning or extra telemetry.
- Relying only on system logs; skipping network, endpoint, and external intel.
SIEM — Central Correlation & Forensics
Centralizes, normalizes, correlates and stores telemetry for detection, alerting and forensic queries — needs tuning.
Key Insight
SIEM = raw events + indexed storage + correlation rules; alerts are hypotheses that require analyst validation.
Often Confused With
Common Mistakes
- Expecting out-of-box detection — SIEMs require tuned rules, baselines, and use case mapping
- Treating every SIEM alert as a confirmed incident — validate before escalating
- Assuming alerts replace raw events — preserve raw logs and chain-of-custody for forensics
Post-Incident Lessons (RCA & Action Plan)
Structured, post‑containment review that collects timelines/evidence, finds root and contributing causes, and assigns/pr
Key Insight
Incidents usually have multiple causes; separate symptom from root cause and convert lessons into prioritized, measurable fixes.
Often Confused With
Common Mistakes
- Stopping at the first symptom — don't mistake observable failure for root cause
- Running RCA during active response — wait until containment to gather complete evidence
- Relying only on a quick '5 Whys' for complex incidents — use fishbone/fault-tree when needed
Reporting and Communication
17%TVM Lifecycle — Threat & Vulnerability Management
End-to-end process to discover, prioritize, remediate, verify vulnerabilities using threat intel and KPIs.
Key Insight
Prioritize with context: asset value, threat intel, exploitability, and verified mitigation — not CVSS alone.
Often Confused With
Common Mistakes
- Using CVSS base score as the sole remediation priority
- Assuming published exploit equals active exploitation or automatic highest priority
- Treating verification as 'ticket closed' instead of confirmed risk reduction
Remediation Prioritization Matrix — Factors That Matter
Rank and schedule fixes by severity, exploitability, asset criticality, compensating controls, and remediation SLOs.
Key Insight
Matrix scores are adjustable — weight exploitability, business impact, and controls to reflect your organization's risk appetite.
Often Confused With
Common Mistakes
- Relying solely on CVSS or severity score to schedule fixes
- Equating exploitability with current active exploitation
- Treating compensating controls as permanent remediation
Targeted Incident Communication — Limit • Secure • Tailor
Tailor reports by audience; restrict recipients, use encrypted channels, and avoid public disclosure.
Key Insight
Send minimal, audience‑appropriate detail over secure channels; place all technical evidence in appendices for investigators.
Often Confused With
Common Mistakes
- Putting full forensic details in the executive summary.
- Broadcasting the incident to everyone instead of limiting recipients.
- Using one identical report for all stakeholders or omitting appendices/evidence.
Incident Response Metrics & KPIs
Track MTTD/MTTR, detection coverage and alert accuracy; tie metrics to business impact and SLAs.
Key Insight
Prioritize actionable KPIs (time-to-detect/recover, detection accuracy, coverage) and show distributions, not just averages.
Often Confused With
Common Mistakes
- Treating every collected metric as a KPI.
- Assuming lower values always mean better performance without context.
- Relying on raw alert counts instead of accuracy/effectiveness and MTTR.
Certification Overview
Cheat Sheet Content
Similar Cheat Sheets
- CCNA Exam v1.1 (200-301) Cheat Sheet
- AWS Certified Cloud Practitioner (CLF-C02) Cheat Sheet
- AWS Certified AI Practitioner (AIF-C01) Cheat Sheet
- Exam AI-900: Microsoft Azure AI Fundamentals Cheat Sheet
- Google Cloud Professional Cloud Architect Cheat Sheet
- Google Cloud Security Operations Engineer Exam Cheat Sheet