Comptia CySA + Review

I recently sat for the Comptia CySA+ exam, and was pleasantly surprised at the technical material covered.

What is it?

Comptia started offering a new certification in June of 2017 that focuses on Blue Team/defensive information security and incident response.  The CySA+ was recently recognized by the DOD to cover the Cyber Security Provider (CSSP) requirement that indicates the certificate holder is ready for the DOD Information Assurance (IA) workforce.

The following topics are covered in the certification:

  • Defending Against Cybersecurity Threats
  • Reconnaissance and Intelligence Gathering
  • Designing a Vulnerability Management Program
  • Analyzing Vulnerability Scans
  • Building an Incident Response Program
  • Analyzing Symptoms for Incident Response
  • Performing Forensic Analysis
  • Recovery and Post-Incident Response
  • Policy and Compliance
  • Defense-in-Depth Security Architectures
  • Identity and Access Management Security
  • Software Development Security
  • Cybersecurity Toolkit

You should know:

The test was very technical and I had to be very comfortable with log analysis from multiple operating systems.  The expertise from a command line perspective with each operating system needed 70% Linux, 20% Win, and 10% Network.

Example of a possible scenario question: You get the output of some security commands and logs from a group of servers.  You would then be responsible for determining what server may be compromised and why.

Someone who earns this certification will know how to recognize well known attacks from log analysis. They will also know how to make critical decisions during incident response situations. CySA+ holders will be comfortable with all major OS and have basic hands on experience of many well known security tools. Last, they will understand how to design defence-in-depth security architectures, and maintain confidentiality, integrity, and availability of information systems.

I would feel comfortable tasking a CySA+ holder with log analysis, security tool deployment, incident response, and intermediate system administration of Windows and Linux.


Compared to the Security+?

The CySA+ is a step above the Sec+ from a process and framework perspective, but the Sec+ doesn’t get into any technical specifics required when working directly in security. Where the CySA+ shines is in the focus on tasks you will be expected to perform as a Security Analyst. Examples are: How and when to use security tools, what to look for during investigations/ log analysis, and incident response.  During your studies for the CySA+ you will walk away with technical skills you can directly apply to working in information security.

Compared to the CISSP?

The CISSP does cover many more areas of security, and the CISSP expects the technical parts of CySA+ to already be known from experience of doing security work full-time. So while the CISSP exam would ask questions that required the understanding of log analysis, the CySA+ would have you explain exactly what the log means and what you, as a security analyst, should do about it. The mindset during the CySA+ is no longer from a management perspective, as it is with the CISSP. You are expected to answer with actions to detect, analyze, contain, eradicate and recover from an incident.


Overall, the CySA+ is a great technical exam. I recommend those looking to break into security or currently working in information security get certified.  The material was fun to review, and helped to solidify some of my weaknesses in incident response.

Well, off to some cloud security certifications.  Stay safe in the Trenches of IT!

Leave a Reply