Text preview & study summary
CompTIA CySA+ CS0-003 - All Domains Security Operations Vulnerability Management IR
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
A vulnerability assessment reveals a server running software with a CVSS base score of 7.5. However, a threat intelligence feed indicates this CVE is being actively exploited in the wild by nation-state actors targeting your industry. How does this intelligence affect prioritization?
Explanation
CVSS base scores don't account for active exploitation context. CISA's Known Exploited Vulnerabilities (KEV) catalog tracks CVEs actively exploited in the wild. Intelligence showing targeted exploitation by relevant threat actors dramatically elevates practical risk beyond what CVSS indicates.
Question 2
A SOC analyst receives a SIEM alert for a successful brute-force login to an admin account. The login came from an IP address in Russia, while the legitimate admin works from the US. Which action should the analyst take FIRST?
Explanation
Confirmed brute-force success from an anomalous location requires immediate containment. Disabling the compromised account stops ongoing unauthorized access. Preserving logs ensures forensic evidence. Contacting the admin should happen during investigation, but account containment comes first.
Question 3
An analyst is reviewing a vulnerability scan report. A critical vulnerability (CVSS 9.8) is found on a server with no internet access, protected by a firewall, requiring authenticated access from an IP-restricted management VLAN. What should the analyst recommend?
Explanation
Contextual risk analysis uses environmental score modifications. A CVSS 9.8 vulnerability in an isolated environment with multiple compensating controls has lower actual exploitability. However, it should still be patched in a planned maintenance window. Permanent risk acceptance for a critical CVE is inappropriate.
Question 4
A security analyst is investigating a compromise and runs the command `netstat -ano` on a Windows system. What information does this provide for the investigation?
Explanation
`netstat -ano` shows all network connections (-a), numerically (-n), and the owning process ID (-o). This is critical for incident response: investigators correlate suspicious outbound connections (to C2 IPs) with the PID, then identify the process in Task Manager to find malware.
Question 5
An analyst wants to understand the scope of a potential insider threat by analyzing which files a specific user accessed over the past 30 days. Which data source is MOST relevant?
Explanation
Windows Security Event ID 4663 (An attempt was made to access an object) logs when files/objects are accessed, by which user, from which process, when. Combined with file auditing enabled on sensitive shares, this provides a complete audit trail of file access for insider threat investigations.
