CompTIA - The Computing Technology Industry Association

CompTIA CySA+ Certification Course - Virtual Classroom

The CompTIA Cybersecurity Analyst (CySA+) is a globally recognised certification that validates your ability to proactively capture, monitor and respond to network security threats. By undertaking this course, you'll gain critical knowledge of cybersecurity threats, security architecture, risk management, and incident response.

Choosing to study in our instructor-led virtual classrooms provides a rich, immersive learning environment that not only equips you with essential theoretical knowledge, but also allows for practical, hands-on experience.

Our instructors are industry experts who bring a wealth of real-world experience to the table, ensuring you receive up-to-date and relevant knowledge. The interactive nature of our virtual classrooms encourages active participation and enables you to gain insights from your instructors and peers alike.

In a rapidly evolving digital world, cybersecurity skills are in high demand. With the CySA+ certification under your belt, you'll be well-positioned to step up your career in the dynamic field of cybersecurity.

Key features
  • One-on-one after course coaching available
  • Highly acclaimed trainers with industry as well as academic experience
  • 5 day instructor-led training course
  • Official CySA+ exam included
  • CompTIA approved CySA+ training materials
  • CySA+ exam preparation guide with practice questions tied to exam objectives

Select your date

Inc. VAT
Add to Cart Divide Buy 0% Finance Options From per month
Try a Soft Search now Fast check - will not affect your credit rating.
Free course advice
Key features
  • One-on-one after course coaching available
  • Highly acclaimed trainers with industry as well as academic experience
  • 5 day instructor-led training course
  • Official CySA+ exam included
  • CompTIA approved CySA+ training materials
  • CySA+ exam preparation guide with practice questions tied to exam objectives
Course Details

The CompTIA CySA+ training and certification course is designed for individuals who are keen to delve into the stimulating world of cyber security. It serves as the perfect stepping stone for those aiming to build a prosperous career in this rapidly growing field, especially for individuals who are already working in IT and wish to transition towards cyber security.

For those who are new to the IT industry, we recommend a structured learning journey. Commence with the CompTIA A+ to familiarise yourself with the foundational concepts, progress to the CompTIA Network+ to gain valuable networking skills, and then move on to the CompTIA Security+ to understand essential security principles. Once you have mastered these areas, ideally with some experience in the field, you are then sufficiently equipped to take on the CySA+ course, which will amplify your understanding and application of cyber security techniques.

The CompTIA CySA+ certification opens doors to a range of rewarding job roles in Cyber Security.

Each role involves unique responsibilities, and salaries vary depending on experience and expertise.

Here are some potential job roles, from entry-level to senior positions, along with their average UK salaries*:

IT Technician: An entry-level role involving basic IT support tasks. Average salary: £20,000 to £30,000 per annum.

Cyber Security Analyst: This role involves protecting IT infrastructure through threat analysis and mitigation. Average salary: £30,000 to £50,000 per annum.

Information Security Analyst: This position involves planning and implementing security measures. Average salary: £35,000 to £55,000 per annum.

Network Security Specialist: This role involves protecting an organisation's network from threats. Average salary: £45,000 to £65,000 per annum.

Cyber Security Engineer: This role involves designing, implementing, and managing secure IT systems. Average salary: £50,000 to £80,000 per annum.

Cyber Security Manager: A leadership role, overseeing an organisation's cyber security strategy and team. Average salary: £60,000 to £100,000 per annum.

Chief Information Security Officer (CISO): A senior leadership role, responsible for an organisation's information and data security. Average salary: £80,000 to £150,000 per annum.

*Source Payscale

 Our CompTIA CySA+ Cyber Security Analyst course syllabus is comprehensive, covering a range of topics and concepts essential to the role of a Cyber Security Analyst. When you enrol on our course, you can expect to learn:

  • Security Analytics: Understanding and applying the principles of security analytics, and using these to identify potential threats and vulnerabilities.

  • Threat Management: Learning to identify, assess, and manage threats to IT infrastructure.

  • Appropriate Tools: Selecting and utilising the right tools for threat detection, vulnerability management, and cyber incident responses.

  • Identity and Access Management: Implementing effective identity and access management strategies to safeguard sensitive information.

  • Software Development Lifecycle: Understanding the software development lifecycle and how security considerations should be integrated at each stage.

  • Threat Detection Tools: Gaining competencies in using threat detection tools to identify and mitigate cyber threats.

  • Appropriate Forensics Tools: Picking and using the appropriate forensics tools to investigate and analyse cyber incidents.

  • Review Security Architecture: Reviewing and enhancing security architecture to improve overall security posture.

  • Performance Data Analysis: Analysing performance data to identify potential security issues and improve systems' resilience.

  • Security Issues Related: Identifying and addressing security issues related to networking, applications, and systems.

  • Post Incident Response Process: Learning to effectively manage the post-incident response process, including documentation, analysis, and implementation of preventative measures.

  • Network Vulnerabilities and Access Management: Identifying network vulnerabilities and implementing appropriate access management measures to maintain security.

Module 1: Threat and Vulnerability Management

1.1 Explain the importance of threat data and intelligence.

Intelligence sources

  • Open-source intelligence

  • Proprietary/closed-source intelligence

  • Timeliness

  • Relevancy

  • Accuracy

Indicator management

  • Structured Threat Information eXpression (STIX)

  • Trusted Automated eXchange of Indicator Information (TAXII)

  • OpenIoC

Threat classification

  • Known threat vs unknown threat

  • Zero-day

  • Advanced persistent threat

Threat actors

  • Nation-state

  • Hacktivist

  • Organised crime

  • Insider threat

  • Intentional

  • Unintentional

Intelligence cycle

  • Requirements

  • Collection

  • Analysis

  • Dissemination

  • Feedback

Commodity malware

Information sharing and analysis communities

  • Healthcare

  • Financial

  • Aviation

  • Government

  • Critical infrastructure

1.2 Given a scenario, utilise threat intelligence to support organisational security.

Attack frameworks


  • The Diamond Model of Intrusion Analysis

  • Kill chain

Threat research

  • Reputational

  • Behavioural

  • Indicator of compromise (IoC)

  • Standard vulnerability scoring system (CVSS)

Threat modelling methodologies

  • Adversary capability

  • Total attack surface

  • Attack vector

  • Impact

  • Likelihood

Threat intelligence sharing with supported functions

  • Incident response

  • Vulnerability management

  • Risk management

  • Security engineering

  • Detection and monitoring

1.3 Given a scenario, perform vulnerability management activities.

Vulnerability identification

  • Asset criticality

  • Active vs passive scanning

  • Mapping/enumeration


  • True positive

  • False positive - True negative

  • False-negative


  • Configuration baseline

  • Patching

  • Hardening

  • Compensating controls

  • Risk acceptance

  • Verification of mitigation

Scanning parameters and criteria

  • Risks associated with scanning activities

  • Vulnerability feed

  • Scope

  • Credentialed vs non-credentialed

  • Server-based vs agent-based

  • Internal vs external

  • Special considerations

  • Types of data

  • Technical constraints

  • Workflow

  • Sensitivity levels

  • Regulatory requirements

  • Segmentation

  • Intrusion prevention system (IPS), intrusion detection system (IDS), and firewall settings

Inhibitors to remediation

  • Memorandum of understanding (MOU)

  • Service-level agreement (SLA)

  • Organisational governance

  • Business process interruption

  • Degrading functionality

  • Legacy systems

1.4 Given a scenario, analyse the output from standard vulnerability assessment tools.

Web application scanner

  • OWASP Zed Attack Proxy (ZAP)

  • Burp suite

  • Nikto

  • Arachni

Infrastructure vulnerability scanner

  • Nessus

  • OpenVAS

  • Qualys

Software assessment tools and techniques

  • Static analysis

  • Dynamic analysis

  • Reverse engineering

  • Fuzzing


  • Nmap

  • hoping

  • Active vs passive

  • Responder

Wireless assessment tools

  • Aircrack-ng

  • Reaver

  • oclHashcat

Cloud Infrastructure assessment tools

  • ScoutSuite

  • Prowler

  • Pacu

1.5 Explain the threats and vulnerabilities associated with specialised technology.


Internet of Things (IoT)


Real-time operating system (RTOS)

System-on-Chip (SoC)

Field programmable gate array (FPGA)

Physical access control

Building automation systems

Vehicles and drones

  • CAN bus

Workflow and process automation systems

Industrial control system

Supervisory control and data acquisition (SCADA)

  • Modbus

1.6 Explain the threats and vulnerabilities associated with operating in the cloud.

Cloud service models

  • Software as a Service (SaaS)

  • Platform as a Service (PaaS)

  • Infrastructure as a Service (IaaS)

Cloud deployment models

  • Public

  • Private

  • Community

  • Hybrid

Function as a Service (FaaS)/ serverless architecture

Infrastructure as code (IaC)

Insecure application programming interface (API)

Improper key management

Unprotected storage

Logging and monitoring

  • Insufficient logging and monitoring

  • Inability to access

1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities.

Attack types

  • Extensible markup language (XML) attack

  • Structured query language (SQL) injection

  • Overflow attack

    • Buffer

    • Integer

    • Heap

  • Remote code execution

  • Directory traversal

  • Privilege escalation

  • Password spraying

  • Credential stuffing

  • Impersonation

  • Man-in-the-middle attack

  • Session hijacking

  • Rootkit

  • Cross-site scripting

    • Reflected

    • Persistent

    • Document object model (DOM)


  • Improper error handling

  • Dereferencing

  • Insecure object reference

  • Race condition

  • Broken authentication

  • Sensitive data exposure

  • Insecure components - Insufficient logging and monitoring - Weak or default configurations - Use of insecure functions - strcpy

2.0 Software and Systems Security

2.1 Given a scenario, apply security solutions for infrastructure management.

Cloud vs on-premises

Asset management

  • Asset tagging


  • Physical

  • Virtual

  • Jumpbox

  • System isolation

  • Air gap

Network architecture

  • Physical

  • Software-define

  • Virtual private cloud (VPC)

  • Virtual private network (VPN)

  • Serverless

Change management


  • Virtual desktop infrastructure (VDI)


Identity and access management

  • Privilege management

  • Multifactor authentication (MFA)

  • Single sign-on (SSO)

  • Federation

  • Role-based

  • Attribute-based

  • Mandatory

  • Manual review

Cloud access security broker (CASB)


Monitoring and logging


Certificate management

Active defence

2.2 Explain software assurance best practices.


  • Mobile

  • Web application

  • Client/server

  • Embedded

  • System-on-chip (SoC)

  • Firmware

Software development life cycle (SDLC) integration


Software assessment methods

  • User acceptance testing

  • Stress test application

  • Security regression testing

  • Code review

Secure coding best practices

  • Input validation

  • Output encoding

  • Session management

  • Authentication

  • Data protection

  • Parameterised queries

Static analysis tools

Dynamic analysis tools

Formal methods for verification of critical software

Service-oriented architecture

  • Security Assertions Markup Language (SAML)

  • Simple Object Access Protocol (SOAP)

  • Representational State Transfer (REST)

  • Microservices

2.3 Explain hardware assurance best practices.

Hardware root of trust

  • Trusted platform module (TPM)

  • Hardware security module (HSM)


Unified Extensible Firmware Interface (UEFI)

Trusted foundry

Secure processing

  • Trusted execution

  • Secure enclave

  • Processor security extensions

  • Atomic execution


Self-encrypting drive

Trusted firmware updates

Measured boot and attestation

Bus encryption

3.0 Security Operations and Monitoring

3.1 Given a scenario, analyse data as part of security monitoring activities.


Trend analysis


  • Malware

  • Reverse engineering

  • Memory

  • System and application behaviour

  • Known-good behaviour

  • Anomalous behaviour

  • Exploit techniques

  • File system

  • User and entity behaviour analytics (UEBA)


  • Uniform Resource Locator (URL) and domain name system (DNS) analysis

  • Domain generation algorithm

  • Flow analysis

  • Packet and protocol analysis

  • Malware

Log review

  • Event logs

  • Syslog

  • Firewall logs

  • Web application firewall (WAF)

  • Proxy

  • Intrusion detection system (IDS)/ Intrusion prevention system (IPS)

Impact analysis

  • Organisational impact vs localised impact

  • Immediate vs total

Security information and event management (SIEM) review

  • Rule writing

  • Known-bad Internet protocol (IP)

  • Dashboard

Query writing

  • String search

  • Script

  • Piping

E-mail analysis

  • Malicious payload

  • Domain Keys Identified Mail (DKIM)

  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

  • Sender Policy Framework (SPF)

  • Phishing

  • Forwarding

  • Digital signature

  • E-mail signature block

  • Embedded links

  • Impersonation

  • Header

3.2 Given a scenario, implement configuration changes to existing controls to improve security.





Intrusion prevention system (IPS) rules

Data loss prevention (DLP)

Endpoint detection and response (EDR)

Network access control (NAC)


Malware signatures

  • Development/rule writing


Port security

3.3 Explain the importance of proactive threat hunting

Establishing a hypothesis

Profiling threat actors and activities

Threat hunting tactics

  • Executable process analysis

Reducing the attack surface area

Bundling critical assets

Attack vectors

Integrated intelligence

Improving detection capabilities

3.4 Compare and contrast automation concepts and technologies.

Workflow orchestration

  • Security Orchestration, Automation, and Response (SOAR)


Application programming interface (API) integration

Automated malware signature creation

Data Enrichment

Threat feed combination

Machine learning

Use of automation protocols and standards

  • Security Content Automation Protocol (SCAP)

Continuous integration

Continuous deployment/delivery

4.0 Incident Response

4.1 Explain the importance of the incident response process.

Communication plan

  • Limiting communication to trusted parties

  • Disclosing based on regulatory/ legislative requirements

  • Preventing inadvertent release of information

  • Using a secure method of communication

  • Reporting requirements

Response coordination with relevant entities

  • Legal Human resources

  • Public relations

  • Internal and external

  • Law enforcement

  • Senior leadership

  • Regulatory bodies

Factors contributing to data criticality

  • Personally identifiable information (PII)

  • Personal health information (PHI)

  • Sensitive personal information (SPI)

  • High-value asset

  • Financial information

  • Intellectual property

  • Corporate information

4.2 Given a scenario, apply the appropriate incident response procedure.


  • Training

  • Testing

  • Documentation of procedures

Detection and analysis

  • Characteristics contributing to severity level classification

  • Downtime

  • Recovery time

  • Data integrity

  • Economic

  • System process criticality

  • Reverse engineering

  • Data correlation

  • Containment

  • Segmentation

  • Isolation

Eradication and Recovery

  • Vulnerability mitigation

  • Sanitisation

  • Reconstruction/reimaging

  • Secure disposal

  • Patching

  • Restoration of permissions

  • Reconstitution of resources

  • Restoration of capabilities and services

  • Verification of logging/ communication to security monitoring

Post-incident activities

  • Evidence retention

  • Lessons learned report

  • Change control process

  • Incident response plan update

  • Incident summary report

  • IoC generation

  • Monitoring

4.3 Given an incident, analyse potential indicators of compromise.


  • Bandwidth consumption

  • Beaconing

  • Irregular peer-to-peer communication

  • The rogue device on the network

  • Scan/sweep

  • Unusual traffic spike

  • Common protocol over a non-standard port


  • Processor consumption

  • Memory consumption

  • Drive capacity consumption

  • Unauthorised software

  • Malicious process

  • Unauthorised change

  • Unauthorised privilege

  • Data exfiltration

  • Abnormal OS process behaviour

  • File system change or anomaly

  • Registry change or anomaly

  • Unauthorised scheduled task


  • Anomalous activity

  • Introduction of new accounts

  • Unexpected output

  • Unexpected outbound communication

  • Service interruption

  • Application log

4.4 Given a scenario, utilise basic digital forensics techniques.


  • Wireshark

  • tcpdump


  • Disk

  • Memory




Legal hold



  • Changes to binaries


Data acquisition

5.0 Compliance and Assessment

5.1 Understand the importance of data privacy and protection.

Privacy vs security

Non-technical controls

  • Classification

  • Ownership

  • Retention

  • Data types

  • Retention standards

  • Confidentiality

  • Legal Requirements

  • Data sovereignty

  • Data minimisation

  • Purpose limitation

  • A non-disclosure agreement (NDA)

Technical controls

  • Encryption

  • Data loss prevention (DLP)

  • Data masking

  • Deidentification

  • Tokenisation

  • Digital rights management (DRM)?

  • Watermarking

  • Geographic access requirements

  • Access controls

5.2 Given a scenario, apply security concepts to support organisational risk mitigation.

Business impact analysis

Risk identification process

Risk calculation

  • Probability

  • Magnitude

Communication of risk factors

Risk prioritisation

  • Security controls -

  • Engineering tradeoffs

Systems assessment

Documented compensating controls

Training and exercises

  • Red team

  • Blue team

  • White team

  • Tabletop exercise

Supply chain assessment

  • Vendor due diligence

  • Hardware source authenticity

5.3 Explain the importance of frameworks, policies, procedures, and controls.


  • Risk-based

  • Prescriptive

Policies and procedures

  • Code of conduct/ethics

  • Acceptable use policy (AUP)

  • Password policy

  • Data Ownership

  • Data retention

  • Account management

  • Continuous monitoring

  • Work product retention


  • Managerial

  • Operational

  • Technical

Control type

  • Preventative

  • Detective

  • Corrective

  • Deterrent

  • Compensating

  • Physical

Audits and assessments

  • Regulatory

  • Compliance


CompTIA CySA+ CS0-003 Exam Details

  • Exam Code: CS0-003

  • Certification: CompTIA Cybersecurity Analyst (CySA+)

  • Exam Duration: 165 minutes

  • Number of Questions: Maximum of 85 questions

  • Question Type: Multiple Choice and Performance-Based

  • Passing Score: 750 (on a scale of 100-900)

  • Language: English

  • Exam Purpose: The CySA+ exam verifies the successful candidate has the knowledge and skills required to apply threat detection techniques, perform data analysis, and interpret the results to identify vulnerabilities, threats, and risks to an organisation with the end goal of securing and protecting applications and systems within an organisation.

Please note that CompTIA certification exams, policies and procedures are subject to change, so please check the official CompTIA website for the most current information before your exam.

We're Trusted by
Hundreds of thousands of individuals, small businesses and large corporations continuously put their trust in e-Careers.​
We are proud to have trained individuals who work for some of the world’s largest companies, including:​
Trusted by Trusted by