Why Security+ alone no longer gets you into the SOC

Security+ is the industry's most recognised entry-level security cert, but hiring managers for analyst and SOC roles increasingly treat it as a prerequisite rather than a differentiator. The question they want answered is whether you can work in a live threat environment — correlate alerts from a SIEM, assess the severity of a vulnerability scan, contain an active incident, and write a report that non-technical leadership can act on. That is exactly the gap CySA+ was designed to fill.

CS0-003, released in June 2023, is the third version of the exam and the most practically oriented yet. CompTIA expanded coverage of cloud-native detection (AWS CloudTrail, Azure Sentinel, GCP Chronicle), added Software Bill of Materials (SBOM) analysis to the vulnerability domain, and elevated Security Orchestration, Automation and Response (SOAR) from a footnote to a first-class exam topic. The update reflects where SOC tooling has actually moved: fewer manual alert reviews, more automation playbooks, and a growing expectation that analysts understand both the data pipeline feeding their SIEM and the cloud workloads generating those events.

The CySA+ mental model

Think of every exam question as a scenario your L1 or L2 SOC analyst might face on a Tuesday morning: an anomalous spike in authentication failures, a vulnerability scanner report with 400 findings to triage, a potential data exfiltration alert, or a post-incident stakeholder briefing. CySA+ tests whether you can prioritise, investigate, and act — not just identify that a threat exists.

The four exam domains

CompTIA publishes the CS0-003 exam objectives at comptia.org. The four domains and their weightings are:

Domain 1 — Security Operations (33%)

The largest domain by weight tests your ability to work within a day-to-day SOC workflow. It covers the tools and methodologies analysts use to detect and investigate threats in real time.

  • SIEM analysis: Querying log sources, correlating events, writing detection rules, and tuning alert thresholds to reduce false positives without missing true positives. Know the difference between a log aggregator and a full SIEM, and understand how UEBA (User and Entity Behaviour Analytics) layers on top.
  • Threat intelligence: Consuming and applying threat feeds, understanding MITRE ATT&CK tactics and techniques, and using Indicators of Compromise (IoCs) to enrich alerts. Know the difference between strategic, tactical, and operational intelligence.
  • SOAR platforms: Playbook-driven automation for alert triage, ticket creation, and initial containment. CS0-003 expects you to understand how a SOAR platform reduces analyst workload and where human judgement is still required.
  • Cloud-native logging: AWS CloudTrail (API call logging), AWS GuardDuty (threat detection), Azure Sentinel/Microsoft Defender for Cloud, and GCP Chronicle. Cloud workloads generate logs in different formats than on-premises systems — you need to know where to look for evidence of compromise in each environment.
  • Network traffic analysis: Using tools like Wireshark, Zeek, and NetFlow to identify anomalous communication patterns. Know what a C2 (command-and-control) beacon looks like in a traffic capture and how DNS tunnelling appears in log data.
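As an added example (not from the original article), a Python sketch of how a timer-driven C2 beacon stands out in connection metadata: for each (source, destination, port) pair it measures how regular the gaps between connections are, using the coefficient of variation of the inter-arrival times. The records are constructed in a Zeek conn.log-like shape, and the `min_conns` and `max_cv` thresholds are assumed starting points to be tuned against a real baseline.

```python
import statistics
from collections import defaultdict

# Constructed connection records in a Zeek conn.log-like shape:
# (timestamp in seconds, source IP, destination IP, destination port).
# 10.0.0.23 reaches 203.0.113.7:443 roughly every 60 s; 10.0.0.45 browses normally.
CONN_LOG = [
    (0, "10.0.0.23", "203.0.113.7", 443), (61, "10.0.0.23", "203.0.113.7", 443),
    (119, "10.0.0.23", "203.0.113.7", 443), (180, "10.0.0.23", "203.0.113.7", 443),
    (241, "10.0.0.23", "203.0.113.7", 443), (299, "10.0.0.23", "203.0.113.7", 443),
    (360, "10.0.0.23", "203.0.113.7", 443), (420, "10.0.0.23", "203.0.113.7", 443),
    (0, "10.0.0.45", "198.51.100.9", 443), (3, "10.0.0.45", "198.51.100.9", 443),
    (4, "10.0.0.45", "198.51.100.9", 443), (40, "10.0.0.45", "198.51.100.9", 443),
    (95, "10.0.0.45", "198.51.100.9", 443), (96, "10.0.0.45", "198.51.100.9", 443),
    (200, "10.0.0.45", "198.51.100.9", 443),
    (10, "10.0.0.45", "192.0.2.10", 80), (70, "10.0.0.45", "192.0.2.10", 80),
]


def beacon_candidates(records, min_conns=6, max_cv=0.2):
    """Flag (src, dst, port) pairs whose inter-arrival times are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between connections:
    human-driven traffic is bursty (high cv), a timer-driven beacon is not (low cv).
    min_conns and max_cv are assumed starting thresholds, to be tuned on a baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # everything in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({"pair": pair, "period_s": round(mean_gap, 1), "cv": round(cv, 3)})
    return hits
```

Real beacons add jitter and sleep-skipping, so in production the same idea is usually applied per hour bucket alongside byte-count regularity rather than timing alone.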

Domain 2 — Vulnerability Management (30%)

This domain tests your ability to run, interpret, and act on vulnerability assessments — from scanner configuration to remediation prioritisation to compliance reporting.

  • Scanning tools and techniques: Authenticated vs unauthenticated scans (authenticated scans find far more), credentialed agent-based scanning for continuous visibility, and the difference between a vulnerability scanner (Nessus, Qualys, Rapid7) and a penetration test. Know when each is appropriate.
  • CVSS scoring: Base, Temporal, and Environmental metrics. The exam will give you a CVSS vector string and ask you to assess severity. Know that a CVSS 9.8 vulnerability on a development server with no internet exposure is not your first priority — context (exploitability, asset criticality) always matters.
  • Prioritisation frameworks: SSVC (Stakeholder-Specific Vulnerability Categorisation) and KEV (CISA Known Exploited Vulnerabilities catalogue) as prioritisation inputs beyond raw CVSS scores. Patch the ones actively exploited in the wild first.
  • SBOM and supply-chain risk: CS0-003 added Software Bill of Materials analysis to help analysts identify vulnerable third-party libraries embedded in software packages — a direct response to incidents like Log4Shell and SolarWinds.
  • Remediation tracking: Risk acceptance, compensating controls, and patch management workflows. Know how to communicate remediation timelines to asset owners and escalate past-due critical findings.

Domain 3 — Incident Response and Management (20%)

This domain covers the full incident lifecycle: preparation, detection, containment, eradication, recovery, and lessons learned. It is the most scenario-rich domain in the exam.

  • IR phases: NIST SP 800-61 defines the four-phase model (Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity). Know what happens in each phase and which team roles are responsible.
  • Containment strategies: Network isolation (segmentation, VLAN changes, firewall rules), endpoint isolation (disabling network adapters without shutting down to preserve volatile memory), and cloud-native containment (AWS Security Groups, Azure NSG rules, IAM policy quarantine).
  • Digital forensics basics: Order of volatility (collect RAM before disk), chain of custody, write blockers, and forensic imaging tools. CySA+ does not require deep forensics expertise but expects you to preserve evidence correctly during the first response window.
  • Malware analysis: Static analysis (strings, file hashes, PE header inspection) vs dynamic analysis (sandbox detonation). Know the indicators each approach surfaces and when you would escalate to a malware reverse engineer.
  • Tabletop exercises and playbooks: Designing and executing tabletop exercises to test team readiness, writing runbooks for common incident types (ransomware, phishing, insider threat, DDoS), and integrating SOAR automation into the response workflow.

Domain 4 — Reporting and Communication (17%)

The smallest domain by weight is often where candidates lose the most marks, because it tests soft skills that are easy to overlook during technical preparation.

  • Executive reporting: Translating technical findings into business-risk language. A C-suite audience needs to know the potential impact and cost of a finding, not the CVE number. Practice rewriting technical alert summaries as one-paragraph business narratives.
  • Metrics and KPIs: Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), false positive rate, patch compliance rate. Know how to interpret trends in these metrics and what deterioration signals about SOC health.
  • Vulnerability disclosure and compliance: Responsible disclosure timelines, regulatory notification requirements (GDPR 72-hour breach notification, SEC incident disclosure rules), and how findings feed into compliance frameworks like PCI-DSS, HIPAA, and NIST CSF.
  • Post-incident reviews: Writing blameless postmortems, identifying root cause vs contributing factors, and tracking remediation commitments with owners and deadlines.

The most common CySA+ trap: treating it like Security+. Security+ rewards broad recall. CySA+ rewards applied judgement — choosing the right next action in a scenario, not the textbook definition of a term. Practice with scenario-based questions from the start, not just after reading the content.

Where CySA+ sits in the CompTIA pathway

CompTIA positions CySA+ as the intermediate rung between Security+ and the advanced CASP+ (CAS-004). In practice, most candidates come to CySA+ from one of three directions: they hold Security+ and want a SOC or analyst role; they are already working in a SOC and want to formalise their skills with a credential; or they are pursuing a DoD 8570.01-M IAT Level II or CSSP Analyst designation, which CySA+ satisfies directly.

The exam has no formal prerequisites — CompTIA recommends Security+ or Network+ plus three to four years of hands-on security experience, but neither is mandatory to sit the exam. Realistically, candidates without some operational security exposure will struggle with Domain 1 and Domain 3, which are heavily scenario-based. The sweet spot for self-study is candidates who hold Security+ and have at least a year of exposure to security monitoring tools, even if only in a junior capacity.

Why it matters for cert candidates

CySA+ CS0-003 is the cert that converts Security+ into a job offer for analyst and SOC roles. Employers looking for L1/L2 SOC analysts, threat hunters, and vulnerability analysts use it as a meaningful screening signal precisely because it tests applied skill rather than recall. It is DoD 8570.01-M approved at the CSSP Analyst level, which makes it a hard requirement for many government contractor and federal civilian roles. Average study time for Security+ holders with some operational exposure is 6–10 weeks. Focus your lab time on SIEM query writing and vulnerability scanner interpretation — those two skills account for the majority of Domain 1 and Domain 2 scenarios and are the areas most candidates underestimate going in.

Ready to test your CySA+ knowledge? Practice with scenario-based questions covering SIEM analysis, vulnerability triage, incident response, and SOC reporting — timed, randomised, and free.
