CompTIA CySA+ Practice Questions: Threat Detection

Seven free, exam-style CompTIA CySA+ (CS0-003) practice questions on threat detection. Each question is followed by the correct answer and a short explanation of why it is correct and what a working analyst would look for.


Q1. What is the PRIMARY purpose of a canary token? (Q-628021)

Explanation: A canary token is a decoy artifact (a document, credential, URL, DNS name or database row) planted where no legitimate process should ever touch it and wired to alert the moment it is opened, used or resolved. It does not stop an attacker; it is a digital tripwire that gives early, high-fidelity notice that someone is inside, because legitimate activity almost never triggers it.

Q2. What is the PRIMARY purpose of a deception technology? (Q-628028)

Explanation: Deception technology (honeypots, honeytokens, decoy accounts and fake file shares) presents attackers with attractive targets that have no production purpose. Interaction with a decoy detects the intruder early, wastes their time and reveals their tooling; because nobody should ever use a decoy, any access is a high-confidence alert rather than noise to be triaged.

Q3. Which rule format is commonly used to detect malware patterns in files or memory?

Explanation: YARA. A YARA rule declares named strings (plain text with ascii, wide and nocase modifiers, hex byte sequences with wildcards, or regular expressions) and a boolean condition over them, such as "uint16(0) == 0x5A4D and 2 of ($s*)". Scanners apply the rule to files and process memory to classify malware families and suspicious artifacts. By contrast, Sigma rules target log events and Snort/Suricata rules target network traffic.
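As an added example (written for this page, not taken from the YARA project), the Python matcher below reproduces the core of what a YARA rule expresses: named strings with ascii, wide and nocase modifiers, a hex byte sequence with wildcards, and a condition of the form "MZ header and N of the strings". The rule, the fake sample bytes and all names are constructed for illustration; real scanning uses the yara binary or yara-python rather than this code.

```python
import re

# Constructed sample inputs (not real malware): a fake PE-like blob that carries three
# indicators, and a benign blob with the same MZ header but none of them.
SAMPLE_MALICIOUS = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"...cmd.exe /c del %TEMP%\\stage.bin..."
    + "Invoke-Mimikatz".encode("utf-16-le")
    + b"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 28 + b"hello world, nothing to see here"

# A YARA-like rule written as a Python dict (hypothetical rule, for illustration only).
# In YARA syntax it would read:
#   strings:
#     $s1 = "cmd.exe /c del" ascii nocase
#     $s2 = "Invoke-Mimikatz" wide
#     $s3 = { 68 33 32 ?? ?? 68 77 73 32 5F }
#   condition: uint16(0) == 0x5A4D and 2 of ($s*)
RULE = {
    "name": "fake_dropper_demo",
    "strings": {
        "$s1": ("text", "cmd.exe /c del", {"ascii", "nocase"}),
        "$s2": ("text", "Invoke-Mimikatz", {"wide"}),
        "$s3": ("hex", "68 33 32 ?? ?? 68 77 73 32 5F"),
    },
    "require_mz": True,  # uint16(0) == 0x5A4D, i.e. the data starts with "MZ"
    "min_of": 2,         # "2 of ($s*)"
}


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA-style hex string ('68 33 ?? 77') into a bytes regex.
    '??' is a one-byte wildcard; jumps and alternation are not handled here."""
    return b"".join(
        b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
        for tok in pattern.split()
    )


def compile_strings(strings: dict) -> dict:
    """Compile each declared string into a bytes regex honouring ascii/wide/nocase."""
    compiled = {}
    for name, decl in strings.items():
        kind, value = decl[0], decl[1]
        mods = decl[2] if len(decl) > 2 else {"ascii"}
        flags = re.DOTALL | (re.IGNORECASE if "nocase" in mods else 0)
        if kind == "hex":
            alts = [hex_pattern_to_regex(value)]
        else:
            alts = []
            if "ascii" in mods or "wide" not in mods:
                alts.append(re.escape(value.encode()))
            if "wide" in mods:  # UTF-16LE form, which is what YARA's 'wide' means
                alts.append(re.escape(value.encode("utf-16-le")))
        compiled[name] = re.compile(b"|".join(alts), flags)
    return compiled


def scan(data: bytes, rule: dict) -> set:
    """Return the names of the rule's strings that occur anywhere in data."""
    return {name for name, rx in compile_strings(rule["strings"]).items() if rx.search(data)}


def rule_matches(data: bytes, rule: dict) -> bool:
    """Evaluate the condition: optional MZ header check plus 'N of ($s*)'."""
    if rule.get("require_mz") and data[:2] != b"MZ":
        return False
    return len(scan(data, rule)) >= rule["min_of"]


if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: strings={sorted(scan(blob, RULE))} match={rule_matches(blob, RULE)}")
```

The "wide" string is the detail most often missed when writing rules by hand: the same text stored as UTF-16LE has a NUL byte after every character, so an ascii-only string never matches it.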

Q4. Which rule format is commonly used to express SIEM detection logic in a vendor-neutral way?

Explanation: Sigma. A Sigma rule is a YAML document that names a log source (for example Windows process creation) and a detection made of field/value selections plus a condition that combines them. Because the format is vendor-neutral, a rule is written once and converted with tooling such as sigma-cli (pySigma) into the native query language of a given SIEM, for example Splunk SPL, Elastic queries or Microsoft Sentinel KQL. It is the log-side counterpart of YARA, which covers files and memory.

Q5. A log shows powershell.exe launched with an encoded command from a user temp directory. What should an analyst suspect?

Explanation: Malicious or obfuscated script execution, typically a malware dropper or a post-exploitation stage. The -EncodedCommand switch (often abbreviated -enc or -e) takes a base64 string of the UTF-16LE script text, which hides the command from casual log review and simple keyword matching; running from a user-writable temp directory suggests the script was just dropped by a download or a phishing attachment rather than installed by an administrator. The analyst should decode the payload, identify the parent process (an Office application, browser or script host) and look for accompanying switches such as -nop, -w hidden or -ep bypass.
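As an added example covering Q4 and Q5 together (written for this page, not taken from the Sigma project or any vendor), the Python below expresses the encoded-PowerShell scenario as a minimal Sigma-style rule, evaluates it against constructed process-creation events, renders the same rule as an illustrative Splunk-style search to show the vendor-neutral-to-vendor conversion, and decodes the -EncodedCommand payload an analyst would want to read. The rule title, field values, events and payload are all assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed payload (a harmless placeholder) encoded the way -EncodedCommand
# expects it: base64 over the UTF-16LE bytes of the script text.
PAYLOAD = "Write-Host 'stage two would run here'"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

# Constructed process-creation events using Sysmon/Sigma field names.
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"Image": PS_IMAGE, "CurrentDirectory": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"Image": PS_IMAGE, "CurrentDirectory": "C:\\Scripts\\",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"Image": PS_IMAGE, "CurrentDirectory": "C:\\Scripts\\",  # encoded, but from an admin folder
     "CommandLine": f"powershell.exe -EncodedCommand {ENCODED}"},
]

# A minimal Sigma-style rule as a Python dict mirroring the YAML layout
# (hypothetical rule for illustration, not one from the public Sigma repository).
RULE = {
    "title": "Encoded PowerShell launched from a temp directory",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "sel_image": {"Image|endswith": "\\powershell.exe"},
        "sel_encoded": {"CommandLine|contains": ["-enc ", "-EncodedCommand "]},
        "sel_tempdir": {"CurrentDirectory|contains": ["\\Temp\\", "\\tmp\\"]},
        "condition": "sel_image and sel_encoded and sel_tempdir",
    },
    "level": "high",
}

def _field_match(event: dict, key: str, values) -> bool:
    """One 'Field|modifier: value(s)' pair; Sigma compares case-insensitively and ORs a list."""
    field, _, mod = key.partition("|")
    actual = str(event.get(field, "")).lower()
    tests = {"": lambda v: actual == v, "contains": lambda v: v in actual,
             "startswith": lambda v: actual.startswith(v), "endswith": lambda v: actual.endswith(v)}
    values = values if isinstance(values, list) else [values]
    return any(tests[mod](str(v).lower()) for v in values)

def sigma_match(event: dict, rule: dict) -> bool:
    """Evaluate a condition of selection names joined by and/or, left to right, no parentheses.
    Keys inside one selection are AND-ed, as in Sigma."""
    det = rule["detection"]
    result, op = None, None
    for tok in det["condition"].split():
        if tok in ("and", "or"):
            op = tok
            continue
        val = all(_field_match(event, k, v) for k, v in det[tok].items())
        result = val if result is None else ((result and val) if op == "and" else (result or val))
    return bool(result)

def to_splunk(rule: dict) -> str:
    """Render the rule as a Splunk-style search: an illustrative backend written for this
    example, not sigma-cli output, to show how one rule maps onto a vendor query language."""
    det = rule["detection"]
    wild = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
    rendered = {}
    for name, sel in det.items():
        if name == "condition":
            continue
        clauses = []
        for key, values in sel.items():
            field, _, mod = key.partition("|")
            values = values if isinstance(values, list) else [values]
            alts = " OR ".join(f'{field}="{wild[mod].format(v)}"' for v in values)
            clauses.append(f"({alts})" if len(values) > 1 and len(sel) > 1 else alts)
        rendered[name] = " ".join(clauses)  # terms within a selection: implicit AND
    return " ".join(f"({rendered[t]})" if t in rendered else t.upper()
                    for t in det["condition"].split())

# PowerShell accepts -e, -ec and any prefix of -EncodedCommand; this approximates that
# without matching -ExecutionPolicy or -ep, and captures the base64 token that follows.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    print(to_splunk(RULE))
    for i, ev in enumerate(EVENTS):
        if sigma_match(ev, RULE):
            print(f"event {i} fired; decoded: {decode_encoded_command(ev['CommandLine'])}")
```

Only the first event fires: the second is not encoded, and the third is encoded but runs from a scripts folder, which is exactly the distinction the temp-directory selection exists to make. The decoder is separate from the rule on purpose; the rule decides what to alert on, the decoder tells the analyst what the attacker was trying to run.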

Q6. A SOC alert references impossible travel between two countries within 15 minutes. What type of detection is this?

Explanation: A behavioral or anomaly-based detection, the kind produced by user and entity behavior analytics (UEBA) rather than a signature match: two successful authentications for the same account from geolocations too far apart to be reached in the elapsed time, so at least one of them was not the user. Practitioners tune it with a minimum distance and a speed threshold, and allow-list known VPN egress and cloud proxy ranges, because a user whose laptop switches between a home ISP and a corporate VPN concentrator in another country produces the same pattern legitimately.
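Added example (not from the page) of how an impossible-travel rule is computed: the great-circle distance between a user's consecutive sign-ins divided by the elapsed time gives an implied speed, which is compared with a plausibility threshold. The sign-in records and coordinates are constructed, and the thresholds are assumptions a real deployment would tune.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 1000  # a little above airliner cruise speed
MIN_DISTANCE_KM = 100     # below this, treat as geolocation jitter, not travel

# Constructed sign-in records (user, UTC timestamp, city and coordinates the IP resolved to).
LOGINS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00Z", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "ts": "2024-05-01T09:15:00Z", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "ts": "2024-05-01T08:00:00Z", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "ts": "2024-05-01T14:00:00Z", "city": "Paris", "lat": 48.8566, "lon": 2.3522},
    {"user": "carol", "ts": "2024-05-01T10:00:00Z", "city": "Frankfurt", "lat": 50.1109, "lon": 8.6821},
    {"user": "carol", "ts": "2024-05-01T10:01:00Z", "city": "Frankfurt", "lat": 50.0500, "lon": 8.5700},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Compare each user's consecutive sign-ins; alert when the speed implied by
    getting from one location to the next exceeds max_kmh."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km < min_km:
                continue  # same metro area resolved to slightly different coordinates
            hours = (parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf  # simultaneous sign-ins far apart
            if speed > max_kmh:
                alerts.append({"user": user, "from": a["city"], "to": b["city"],
                               "km": round(km), "minutes": round(hours * 60),
                               "kmh": None if math.isinf(speed) else round(speed)})
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print(alert)
```

Only alice is flagged: London to New York in 15 minutes implies more than 20,000 km/h. Bob's London-to-Paris sign-ins six hours apart are ordinary travel, and carol's two Frankfurt sign-ins differ by a few kilometres of geolocation noise, which the minimum-distance floor suppresses. A production rule would additionally skip pairs where either address sits in a known VPN or proxy egress range.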

Q7. A host repeatedly connects to a rare external domain every 60 seconds. What behavior should be suspected?

Explanation: Command-and-control beaconing. An implant checks in with its operator on a timer, so a host making small, periodic connections (here every 60 seconds) to a destination that few or no other hosts contact is the classic pattern, even when the malware adds jitter to the interval. Legitimate software also polls on schedules (update checks, telemetry), so analysts weigh how rare the destination is across the environment, the domain's age and reputation and the payload sizes alongside the regularity before concluding it is malicious.
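Added example (not from the page) of beaconing detection over constructed connection records: for each host/destination pair it measures how regular the gaps between connections are (coefficient of variation of the intervals) and how many hosts in the environment talk to that destination, and flags only regular traffic to rare destinations. Domain names, hosts and thresholds are invented for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def make_connections():
    """Constructed outbound connection records (host, destination, timestamp); example.* names."""
    base = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    conns = []
    # host-a checks in with a rare destination every 60 s with a few seconds of jitter
    for i, jitter in enumerate([0, 2, -1, 3, -2, 0, 1, -3, 2, 0]):
        conns.append(("host-a", "cdn-telemetry.example.net", base + timedelta(seconds=60 * i + jitter)))
    # host-a also browses a site nobody else visits, but at irregular times
    for s in (5, 47, 130, 131, 400, 900, 1800, 1805):
        conns.append(("host-a", "www.example.com", base + timedelta(seconds=s)))
    # several hosts poll a common update service on a fixed schedule: regular, but not rare
    for host in ("host-b", "host-c", "host-d"):
        for i in range(10):
            conns.append((host, "update.example.org", base + timedelta(seconds=300 * i)))
    return conns

def detect_beacons(conns, min_events=8, max_cv=0.15, max_hosts=1):
    """Flag host/destination pairs whose inter-connection gaps are nearly constant
    (coefficient of variation <= max_cv) and whose destination is contacted by few hosts."""
    series = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for host, dst, ts in conns:
        series[(host, dst)].append(ts)
        hosts_per_dst[dst].add(host)
    hits = []
    for (host, dst), times in series.items():
        if len(times) < min_events or len(hosts_per_dst[dst]) > max_hosts:
            continue  # too few samples to judge regularity, or the destination is common
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"host": host, "dst": dst, "events": len(times),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits

if __name__ == "__main__":
    for hit in detect_beacons(make_connections()):
        print(hit)
```

Each criterion rejects one of the decoys: www.example.com is rare but irregular (high coefficient of variation), and update.example.org is perfectly regular but contacted by three hosts. Raising max_hosts to 3 makes the update service appear as well, which is the false positive a rarity check exists to avoid. Real implants often add 10 to 30 percent jitter, so max_cv is a tuning knob, not a constant.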
