The CySA+ knowledge domains


Launched in 2017, The Cyber Security Analyst certification, or CySA+ is one of the latest cybersecurity certifications to join the pack of career-boosting certs. Hosted by CompTIA, this certification verifies that the certification holder is competent to identify threats, configure and use a variety of threat detection tools and to perform data analysis. This is all done with the goal of securing an organization’s systems and applications. 

This article will detail the four knowledge domains of the CySA+ certification exam and what material you can expect to be covered on the exam. We will close with some CySA+ tips to help you get started down the road to this cybersecurity certification.

CySA+ certification exam background

The CySA+ certification exam is divided into four general categories of knowledge domains — Threat Management, Vulnerability Management, Cyber Incident Response and Security Architecture and Tool Sets. These four general categories of knowledge domains can be further broken down into smaller domains, but these will be explored in subsequent articles.

Interested in another course? Check out our course page. We offer a wide range of high-quality courses spread across 15 vendors and 80+ certifications.

1.0 Threat Management

One of the chief objectives of cybersecurity analysts is to protect information (and information systems) confidentiality, integrity and availability. Getting there takes a defense-in-depth approach to information security that requires the use of overlapping security controls — not to mention a thorough understanding of the organization’s particular threat environment so they can develop a set of controls that can effectively respond to said threats. 

Below is a summary of this knowledge domain’s content.

1.1 Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes

  • Procedures and common tasks associated with environmental reconnaissance
  • Environmental reconnaissance variables
  • Environmental reconnaissance tools

1.2 Given a scenario, analyze the results of a network reconnaissance 

  • Point-in-time data analysis related to network reconnaissance
  • Network reconnaissance data correlation and analytics
  • Network reconnaissance data output
  • Relevant network reconnaissance tools

1.3 Given a network-based threat, implement or recommend the appropriate response and countermeasure

  • Network segmentation
  • Honeypot
  • Endpoint security
  • Group policy
  • ACLs
  • Hardening
  • Network Access Control (NAC)

1.4 Explain the purpose of practices used to secure a corporate environment 

  • Penetration testing
  • Reverse engineering
  • Training and exercises for the corporate environment
  • Risk evaluation

2.0 Vulnerability Management

Cybersecurity is commonly viewed a sort-of cat and mouse game where cybersecurity analysts combat attackers’ exploitation of new vulnerabilities. Cybersecurity analysts use vulnerability management programs to identify, prioritize and remediate vulnerabilities to prevent cyberattackers from exploiting them. 

This knowledge domain will cover the following:

  • Identifying vulnerability management requirements
  • Establish scanning frequency
  • Configure tools to perform scans according to organization specification
  • Execute scanning
  • Generate reports
  • Vulnerability remediation
  • Ongoing scanning/continuous monitoring

2.2 Given a scenario, analyze the output resulting from a vulnerability scan

  • Analyze reports from a vulnerability scan
  • Validate reports and correlate other data points

2.3 Compare and contrast common vulnerabilities found in targets within an organization

  • Servers
  • Endpoints
  • Network infrastructure
  • Network appliances
  • Virtual infrastructure
  • Mobile devices
  • Interconnected networks
  • Virtual Private Networks (VPN)
  • Industrial Control Systems (ICS)
  • SCADA devices

3.0 Cyber Incident Response

All organizations suffer information security incidents that compromise information confidentiality, integrity and availability from time to time. The recommended course of action organizations should take in these situations is to follow a coordinated and methodical incident response plan. This plan should be decided upon by business leaders, cybersecurity experts and technology leaders and should be a well-thought-out response to relevant situations the organization may face. 

3.1 Given a scenario, distinguish threat data or behavior to determine the impact of an incident

  • Threat classification
  • Factors contributing to incident severity and prioritization

3.2 Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation

  • Forensics toolkits
  • Forensic investigation suite

3.3 Explain the importance of communication during the incident response process

  • Explaining the incident response process to stakeholders
  • The purpose of communication processes
  • Role-based responsibilities

3.4 Given a scenario, analyze common symptoms to select the best course of action to support incident response

  • Common network-related symptoms
  • Common host-related symptoms
  • Common application-related Symptoms

3.5 Summarize the incident recovery and post-incident response process

  • Containment techniques
  • Eradication techniques
  • Validation
  • Corrective actions
  • Incident summary report

4.0 Security Architecture and Tool Sets

Policy is the sound foundation that organizations must base their cybersecurity programs upon. Some organizations choose to base their policy upon industry best practice frameworks, including the National Institute of Standards and Technology (NIST); others are governed by an external compliance regulations. 

The policy material that this domain will cover is:

4.1 Explain the relationship between frameworks, common policies, controls and procedures

  • Regulatory compliance
  • Frameworks
  • Policies
  • Controls
  • Procedures
  • Verifications and quality control

4.2 Given a scenario, use data to recommend remediation of security issues related to identity and access management

  • Security issues associated with context-based authentication
  • Security Issues associated with identities
  • Security Issues associated with identity repositories
  • Security Issues associated with federation and single sign-on
  • Exploits

4.3 Given a scenario, review security architecture and make recommendations to implement compensating controls

  • Security data analytics
  • Manual review
  • Defense-in-depth

4.4 Given a scenario, use application security best practices while participating in the software development life cycle

  • Best practices during software development
  • Secure coding best practices

4.5 Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies

Please note that the intent of this objective is not to test specific vendor product feature sets.

  • Preventive
  • Collective
  • Analytical
  • Exploit
  • Forensics


Getting to any destination, including a passing score on a certification exam, requires the use of a good road map. The CySA+ certification comprises four general knowledge domains which form the road you need to ride to earn this solid cybersecurity certification. 


  1. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives, CompTIA
  2. CompTIA CySA+, CompTIA

Read more…

Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering

SC ProDefence SRL - Cyber Security Services