Threat Investigation — CompTIA CySA+ (CS0-003) Practice Questions
Threat investigation in CySA+ refers to the structured process of collecting, correlating, and analyzing evidence to understand the scope, origin, and impact of a potential security incident. Analysts examine logs, network traffic, endpoint artifacts, and threat intelligence feeds to reconstruct attacker activity and determine whether an event is a true positive. The CS0-003 exam tests candidates on investigation methodologies, evidence preservation, and the use of SIEM and other tooling to support timely, accurate conclusions. A rigorous investigation process is foundational to effective incident response and prevents misclassification that could leave threats unaddressed.
Free questions on threat investigation
An analyst reviewing network traffic captures detects a large outbound transfer of data to an external IP address that matches no approved egress policy. What is the NEXT step?
Free question · medium · full answer + explanation
More threat investigation questions in the full bank
- How should a security analyst respond to a high number of failed authentication attempts from a single internal IP address? Unlock answer & explanation →
- An analyst identifies that a specific application server has significantly higher inbound traffic than similar systems and is communicating with unknown external IPs. What is the MOST appropriate initial investigation? Unlock answer & explanation →
- How to investigate anomalous communication? Unlock answer & explanation →