Cybersecurity Analyst+
Practice Test
Practice for CompTIA CySA+ with cybersecurity analyst review topics, video walkthroughs, a free PDF and online mock exam access.
Heads up: the app and the web exam use separate accounts — a web unlock and an in-app purchase do not carry over. Buy on the web to practice on the web.
Cybersecurity Analyst+ exam — full Q&A walkthrough
Every question read aloud with the answer explained. Play it on your commute, then test yourself.
Cybersecurity Analyst+ sample questions
Tap any question below to reveal the answer and a plain-English explanation.
Incident Response And Management Which type of attack, as defined by NIST, uses massive volumes of invalid traffic to overwhelm and obstruct access to a web application?
A. Phishing
B. Insider Threat
C. Advanced Persistent Threat
D. Attrition ✓
Correct — D. Answer: Attrition NIST classifies attacks that use high volumes of invalid traffic to obstruct services as attrition. An example of this is a DDoS attack, which aims to overwhelm a web application through brute force methods. Phishing involves attempting to acquire sensitive information through deceptive emails or websites. An insider threat refers to a malicious threat to an organization's security from within. An advanced persistent threat describes a prolonged and sophisticated cyber attack that aims to remain undetected within the target's system.
Security Operations Which of the following elements should a cybersecurity analyst ensure is current on their network devices, such as switches and routers, when conducting regular maintenance?
A. Operating system
B. Backup software
C. Firmware ✓
D. Anti-virus
Correct — C. Answer: Firmware When performing routine maintenance on network devices such as switches and routers, it is essential to verify that the firmware is up-to-date. Firmware updates often include important security patches and improvements. Typically, these network devices will not require anti-virus software, a complete operating system, or backup software to function correctly.
Vulnerability Management Which protocol facilitates communication between various industrial devices in a manufacturing setting without the need for a central controller?
A. RTOS
B. FTP
C. Profinet ✓
D. MODBUS
Correct — C. Answer: Profinet Profinet is a protocol used to facilitate communication between various industrial devices such as sensors, actuators, and controllers in a manufacturing setting without the need for a central controller. It is designed to ensure real-time communication and interoperability. MODBUS is a communication protocol used by PLCs. A real-time operating system (RTOS) is used to manage hardware resources in systems requiring low-latency. FTP is a standard network protocol for the transfer of files between computers on a TCP/IP network.
Reporting And Communication The Health Insurance Portability and Accountability Act (HIPAA) highlights three primary safeguards for protecting patient information. Which of the following is NOT one of the three primary safeguards defined by HIPAA?
A. Technical Safeguards
B. Operational Safeguards ✓
C. Administrative Safeguards
D. Physical Safeguards
Correct — B. Answer: Operational Safeguards HIPAA does not define Operational Safeguards among its primary categories. The primary safeguards defined by HIPAA are Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
Incident Response And Management An IT technician needs to view active network connections and the ports on which the computer is listening. Which command should the technician use from the Linux terminal to accomplish this?
A. ifconfig -a
B. nslookup
C. traceroute
D. netstat -tuln ✓
Correct — D. Answer: netstat -tuln. By running the netstat -tuln command, the technician can view all active connections along with the ports on which the computer is listening. The ifconfig -a command displays all IP configuration information, nslookup queries DNS information, and traceroute shows the hops a packet takes to its destination.
Security Operations Identify the two main components of a rule in a Suricata IDS configuration.
A. Protocol and port
B. Rule header and rule options ✓
C. Signature and action
D. Source IP and destination IP
Correct — B. Answer: Rule header and rule options In Suricata IDS, each rule consists of a rule header and rule options. The rule header specifies the action, protocol, and IP addresses, while the rule options define additional details such as payload content.
Vulnerability Management An incident response team is preparing for a tabletop exercise to simulate a potential cybersecurity incident. During the preparation meeting, they discuss elements such as the exercise's schedule, the scenarios to be tested, and whether active responses like system isolation will be performed. What term is used to describe such preparatory discussions?
A. Containment Strategy
B. Incident Timeline
C. Rules of engagement ✓
D. Scenario Planning
Correct — C. Answer: Rules of engagement The rules of engagement should be established before conducting a tabletop exercise or any incident response practice. These rules define how the exercise will be conducted, including timing, scope, authorization, communication protocols, and specific actions to be tested or avoided. During the preparation, the team ensures all members understand their roles, the sequence of events, and the expected outcomes.
Incident Response And Management An IT specialist is assembling a toolkit for incident response. To ensure evidence collected from network breaches is securely transferred and stored without tampering, which of the following should be included in the toolkit?
A. Tamper-evident bags ✓
B. Network diagram templates
C. Blank USB drives
D. Incident response guide
Correct — A. Answer: Tamper-evident bags During an incident response, it is crucial to ensure that any evidence collected is securely transported and stored to maintain the chain of custody. Tamper-evident bags are designed to show any signs of unauthorized access, thus ensuring evidence integrity. Network diagram templates help in documenting network architecture. Blank USB drives are used for data transfer but do not ensure data integrity on their own. An incident response guide provides procedural instructions and does not protect evidence integrity.
About the Cybersecurity Analyst+ test
The Cybersecurity Analyst+ measures the IT & Cybersecurity knowledge you'll actually rely on — tested the way the real exam asks it, not with trick questions. Practising real Cybersecurity Analyst+-style questions, then sitting a full timed mock exam, is the fastest way to walk in knowing you'll pass.
You will be tested on
- The core topics and terminology you'll be tested on
- Rules, standards and best-practice procedures
- Real-world scenarios and how to respond
- Common mistakes and how to avoid them
How TheoryPractice helps you pass
- Real exam-style questions with instant, detailed explanations
- Full timed mock exams that mirror the real test format
- Flashcards & quiz modes from the same question bank
- Progress tracking so you know exactly when you're ready
Topics in this question bank
The core topics and terminology you'll be tested on
Rules, standards and best-practice procedures
Real-world scenarios and how to respond
Common mistakes and how to avoid them
Full Cybersecurity Analyst+ bank + unlimited mocks
Try 30 questions free. Unlock the complete Cybersecurity Analyst+ question bank, every explanation, and unlimited timed mock exams. Practice on any device.
Unlock Cybersecurity Analyst+ →