How to prepare for the CompTIA CySA+ exam

The author of the CompTIA CySA+ certification guide offers advice on how to prepare for the exam, discusses the benefits of the cert and more.

CompTIA is known for its many vendor-neutral IT certifications, including the entry-level Security+. The association's Cybersecurity Analyst, or CySA+, is a more advanced option aimed at experienced cybersecurity professionals looking to further their careers.

"Having CySA+ certification can open doors to different job roles for an individual," said Troy McMillan, author of CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide, published by Pearson, "especially in today's environment where security is top of mind at every company."

While the mid-level exam has no prerequisites, it is designed for professionals who have three to four years of experience in cybersecurity and who have successfully completed the CompTIA Security+ exam.

The current version of the exam, CS0-002, released in April 2020, focuses on five security objectives, or domains: threat and vulnerability management; software and systems security; security operations and monitoring; incident response; and compliance and assessment.

Here, McMillan offers advice to candidates on how to prepare for the CySA+ exam. Uncover the benefits of the certification, its potential career paths and which objectives of the exam McMillan says test-takers find most challenging.

Editor's note: This transcript has been edited for length and clarity.

What are the benefits associated with receiving a CompTIA CySA+ certificate for both individuals and employers?

Troy McMillan: These exams have changed over the years, and they're a better gauge today than they were 10 years ago. They're a big benefit to both the job candidate and the employer.

There is a huge demand for people who understand security. The CySA+ certification is pretty respected. Being able to look at evidence from log files and make sense of it, for example, is highly valued. This certification will validate that you have experience, or at least have been introduced to it, in such a way that you can perform a role like that in an organization.

For employers, CySA+ certification can be used to cut down on the number of job applications by focusing on candidates who have the needed skills. Certifications are valuable tools for employers to be provided with validation that a person is going to be able to do a particular job.

What is the career path for CySA+ certificate holders?

McMillan: It depends on whether they have any security job experience. If someone got the certification and doesn't really have any experience on their plate, they're probably going to have to start from the bottom. But the fact that they have the certification is going to put them on the right path. They may start working under someone who's already working in security to enhance their learning.

On the other hand, someone who has the certification and has security experience is probably going to get an analyst job. Where do they go after that? Potential job roles will include doing analysis, looking through log files and searching for indicators of compromise. People might be involved in incident response, for example, reacting to incidents where there could potentially be a crime or a policy violation.

How does CySA+ compare to other certifications? Does it complement or replace any other certifications?

McMillan: I can't think of another cert that would roughly be the same, offhand. I do know a lot of people use the CompTIA cert as a successful roadmap for other exams. For example, people will go through Security+, CySA+ and CASP+ [CompTIA Advanced Security Practitioner] on their way to get the CISSP or SANS certifications.

The CySA+ cert is unique in that it focuses on analysis. It's complementary to the CASP+, which is more about implementing things, whereas CySA+ does more analysis and investigating.

As a full-time trainer, what advice would you give people preparing for the CompTIA CySA+ exam?

McMillan: Doing some training is good. Some people can learn this on their own and read a book and get it, while some people really need somebody to teach them and show them. I think you need to know yourself in that regard -- understand what works for you.

In terms of studying, look closely at the CySA+ domain objectives and especially at questions that start with the words 'given a scenario.' You're not going to be asked questions straight out, like 'What is this?' Instead, you're going to be presented with a situation and asked how to deal with it.

Look for study materials that include a lab component. These are great tools that allow you to do things over and over. Mess up and make mistakes -- that's how you learn. I also recommend taking different types of practice tests. My favorite practice tests are the ones that mimic the live environment.

Book cover: CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide by Troy McMillan


You mentioned the CySA+ objectives. There are five, which account for different percentages of the exam. How should people studying take this into account?

McMillan: Again, go with the practice tests; they have the ability to tell you which areas you're weakest in. Also, pay attention to how much each objective counts. For example, if you're struggling with an objective worth only 9% on the exam, maybe just concentrate on the rest of the exam, and make sure you hammer that. If it's a fairly large objective, however, don't do that.

What area of the test do you see trip up test-takers most often?

McMillan: People are weakest in cryptography -- it's a really deep subject. I dare say that even people who score OK in cryptography don't understand everything they're doing. It involves math, and people immediately get glassy-eyed when you start talking about it.

But cryptography is an important part of the exam -- it comes up over and over. Because we use encryption and hashing algorithms for so many different things, it's really important people understand it. One of the things that's helped me and a lot of my students is to make a chart and divide the different types of algorithms by type and how they work.

There is an excerpt of Chapter 4, 'Analyzing Assessment Output,' on SearchSecurity. What are the greatest challenges analysts face when analyzing assessment output?

McMillan: Output is not intuitive. It's not something you can just look at and things jump out at you. And there's no way you can understand an attack if you don't understand how networking works.

To be successful, analysts also need to know how to use specific capture tools. For example, Wireshark is very complicated; there are entire classes on how to use it. It's also challenging because someone doing a job in this field has to constantly be learning about new attacks and how they operate differently than existing attacks.

Plus, when capturing network traffic, it's amazing how much information is there. You can capture a lot in 10 seconds -- let alone five minutes. You won't need all of it, so you must know how to filter unnecessary data.

How has the increased demand on the cloud impacted these assessment tools?

McMillan: The problem with the cloud is that, when you turn your data over to a vendor, you don't have the same level of visibility that you do in your own network. You can't just go into your virtual machine and server and turn on Wireshark. Vendors don't want you to do that, so you are dependent on them.

It makes selecting the vendor and negotiating the SLA [service-level agreement] critical. Vendors will have control of your network, so you want them to do the same things you would do. That's a big challenge: We don't have control anymore; we gave that away in return for easy access.


About the author
Troy McMillan is a product developer and technical editor for Kaplan IT and a full-time trainer. He became a professional trainer 20 years ago, teaching Cisco, Microsoft, CompTIA and wireless classes. He has written or contributed to more than a dozen projects, including authoring CISSP Cert Guide (Pearson) and CompTIA Advanced Security Practitioner (CASP) CAS-003 Cert Guide (Pearson). McMillan was a prep test question writer for CCNA Wireless 640-722 Official Cert Guide (Cisco Press) and a contributing subject matter expert for CCNA Cisco Certified Network Associate Certification Exam Preparation Guide (Kaplan). He also creates certification practice tests and study guides for CyberVista. He lives in Asheville, N.C., with his wife, Heike.
