What Is CompTIA CySA+ V4
CompTIA Cybersecurity Analyst (CySA+) is an intermediate-level certification that validates your ability to detect, analyze, and respond to cybersecurity threats in real-world enterprise environments. The certification is designed for professionals working in Security Operations Centers (SOCs), vulnerability management teams, incident response, and threat detection roles. Unlike entry-level security certs like CompTIA Security+, CySA+ assumes you already understand networking and foundational security — it tests whether you can operate in a security team, not just recite terminology.
Version 4 of the exam, coded CS0-004, launches on June 23, 2026. CompTIA updated the objectives to reflect how security teams work in 2026: more cloud, more automation, more AI tooling, and far more hybrid infrastructure. The V3 exam (CS0-003) remains available for a transition period (CompTIA typically allows roughly six months of overlap), but anyone starting fresh should target V4 directly. CompTIA's official CySA+ page confirms that V4 updates its security operations coverage and adds cloud and hybrid environments and AI concepts.
The exam consists of up to 85 questions (multiple-choice and performance-based) with a 165-minute time limit. The passing score is 750 on a scale of 100–900. CompTIA recommends approximately four years of hands-on experience in a SOC analyst or vulnerability analyst role before sitting for the exam. At launch, the exam is available in English, with additional languages planned.
What Changed From V3 to V4
The domain structure shifted noticeably. V3 had four domains weighted as follows: Security Operations (33%), Vulnerability Management (30%), Incident Response and Management (20%), and Reporting and Communication (17%). V4 rebalances these weights toward the operational side of the job.
| Domain | V3 Weight | V4 Weight | Change |
|---|---|---|---|
| Security Operations | 33% | 34% | +1% |
| Vulnerability Management | 30% | 26% | -4% |
| Incident Response and Management | 20% | 24% | +4% |
| Reporting and Communication | 17% | 16% | -1% |
The two most important shifts: Incident Response gained four percentage points, reflecting the reality that detection without a competent response delivers little value. Vulnerability Management lost weight, but the domain itself got denser: it now expects you to understand agent-based scanning, cloud-native asset discovery, and risk-based prioritization frameworks, not just how to run Nessus and export a PDF.
Several entirely new topic areas appear in V4 that were absent or barely mentioned in V3:
- AI in security operations: risks of AI (hallucinations, data exposure, prompt injection), governance policies, and practical use cases like log summarization, artifact comparison, and automated correlation. This is not a theoretical discussion — the exam expects you to evaluate when AI tools help and when they introduce risk.
- Cloud and hybrid security: cloud-native architecture, containers, APIs, ZTNA, SASE, and hybrid cloud monitoring are now first-class topics rather than footnotes.
- SOAR and automation: playbook/runbook standardization, infrastructure-as-code hooks, API integrations, and alert tuning are explicitly tested.
- Modern threat hunting: hypothesis-driven hunting, MITRE ATT&CK mapping, the Pyramid of Pain, and cyber deception techniques.
The recommended experience also increased from three years (V3) to four years (V4), signaling that CompTIA considers this a genuinely intermediate certification — not something you cram for in a weekend after passing Security+. GetCertified4Less outlines the full exam transition details.
CySA+ V4 Exam Domains Breakdown
Understanding what each domain actually tests — beyond the official objective list — is critical for building an effective study plan. Here is what each domain covers in practice.
Domain 1: Security Operations (34%)
This is the largest domain and the one most directly tied to day-one SOC work. Expect questions on logging architecture (ingestion pipelines, time synchronization, retention policies, log integrity), SIEM configuration and query writing, EDR/XDR deployment and alert tuning, packet analysis with Wireshark and tcpdump, and sensor telemetry from Suricata and Zeek. You need to identify indicators of malicious activity across network (rogue devices, unexpected ports, enumeration), host (resource spikes, LOLBins, unauthorized software), cloud (API anomalies, misconfigured storage), and identity (impossible travel, unauthorized privilege escalation). Threat intelligence platforms like OTX, MISP, and OpenCTI appear alongside tool-specific questions about YARA rules, CyberChef operations, and VirusTotal triage. The AI section tests whether you can evaluate AI-generated outputs critically: spotting hallucinations, identifying data leakage risks, and knowing when automation helps versus hurts.
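The identity indicator named above, impossible travel, is a good one to implement yourself because the naive version (compare two login locations) is wrong in ways the exam and the job both punish: events arrive out of order, failed logins create no session, and a legitimate VPN egress looks exactly like an attacker. The following is an added example written for this article, not CompTIA material and not any vendor's detection logic. It assumes each authentication event already carries GeoIP latitude and longitude for its source address (a real pipeline enriches `src_ip` against a GeoIP database at ingestion) and uses an assumed 900 km/h plausibility threshold; the log lines are constructed.

```python
"""Impossible-travel detection over constructed authentication events.

Added example for this article; not CompTIA material and not any vendor's
detection logic. Assumptions: each event already carries GeoIP latitude and
longitude for its source address (a real pipeline enriches src_ip against a
GeoIP database at ingestion), and a fixed speed threshold marks travel no
human could have completed between two logins.
"""
import json
import math
from datetime import datetime, timezone

# Constructed sample events (not real logs). alice "travels" New York to
# Berlin in 30 minutes; bob moves London to Manchester in 3 hours; carol has
# one failed and one successful login from opposite sides of the Pacific.
SAMPLE_EVENTS = """\
{"ts":"2026-03-02T08:00:00Z","user":"alice","src_ip":"203.0.113.10","lat":40.71,"lon":-74.01,"result":"success"}
{"ts":"2026-03-02T08:30:00Z","user":"alice","src_ip":"198.51.100.7","lat":52.52,"lon":13.41,"result":"success"}
{"ts":"2026-03-02T09:00:00Z","user":"bob","src_ip":"203.0.113.22","lat":51.51,"lon":-0.13,"result":"success"}
{"ts":"2026-03-02T12:00:00Z","user":"bob","src_ip":"203.0.113.23","lat":53.48,"lon":-2.24,"result":"success"}
{"ts":"2026-03-02T12:05:00Z","user":"carol","src_ip":"192.0.2.9","lat":35.68,"lon":139.69,"result":"failure"}
{"ts":"2026-03-02T12:10:00Z","user":"carol","src_ip":"192.0.2.50","lat":37.77,"lon":-122.42,"result":"success"}
"""

MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruise speed; an assumed tuning value
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_events(raw):
    """Parse newline-delimited JSON events; timestamps become aware UTC datetimes."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        event["ts"] = ts.astimezone(timezone.utc)
        events.append(event)
    return events


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, successes_only=True):
    """Return one finding per consecutive login pair (per user) whose implied
    speed exceeds max_kmh. Events are grouped by user and sorted by time so
    out-of-order ingestion cannot manufacture a bogus pair."""
    by_user = {}
    for event in events:
        if successes_only and event["result"] != "success":
            continue  # a failed login established no session; skip by default
        by_user.setdefault(event["user"], []).append(event)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0  # simultaneous, distant logins
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev["src_ip"], "to_ip": cur["src_ip"],
                    "distance_km": round(km), "elapsed_min": round(hours * 60),
                    "speed_kmh": round(speed) if math.isfinite(speed) else None,
                    # VPN egress, mobile carriers and cloud proxies cause legitimate
                    # hits, so this is a triage lead, not a verdict.
                    "next_step": "confirm device, MFA method and VPN usage before acting",
                })
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run as-is it flags only alice (New York to Berlin in 30 minutes). Passing `successes_only=False` also flags carol, whose failed Tokyo login and successful San Francisco login five minutes apart may be a credential-stuffing attempt that finally landed; whether you want failures in the pair set is a tuning decision, and the exam expects you to know the trade-off.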
Domain 2: Vulnerability Management (26%)
This domain covers the full vulnerability lifecycle: asset inventory, scan planning (credentialed vs. non-credentialed, agent vs. agentless, internal vs. external), result analysis (deduplication, validation, false positive handling), risk scoring with CVSS in business context, and remediation coordination including maintenance windows and rollback procedures. You need to understand compliance-driven scanning (PCI DSS, CIS benchmarks, the ISO/IEC 27000 series) and how to track exceptions and compensating controls. The exam does not test a specific scanner; it tests whether you understand how to run a vulnerability management program.
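The process the paragraph describes (merge overlapping scanner output, score in business context, honour exceptions with compensating controls, assign remediation deadlines) is short enough to write down. Below is an added example for this article, not any scanner's export format and not CompTIA material. It assumes findings flattened to asset, vulnerability ID, CVSS base score and reporting scanner; asset criticality and exposure from a CMDB-style dict; an "exploited in the wild" set standing in for a KEV-style feed; and illustrative scoring weights and SLA tiers you would set for your own programme. Every record is constructed, and the `VULN-00x` identifiers are placeholders rather than real CVE IDs.

```python
"""Risk-based triage of constructed vulnerability scan findings.

Added example for this article; not any scanner's export format and not
CompTIA material. Assumptions: findings are flattened to asset / vulnerability
ID / CVSS base score / scanner; asset criticality and exposure come from a
CMDB-style dict; "exploited in the wild" comes from a KEV-style feed; the
scoring weights and SLA tiers are illustrative values you would set per
programme. Vulnerability IDs are placeholders, not real CVE identifiers.
"""
from datetime import date, timedelta

# Constructed findings from two scans of the same estate: a credentialed agent
# scan and an unauthenticated external scan. The overlap on web-01 is deliberate.
RAW_FINDINGS = [
    {"scanner": "agent",    "asset": "web-01",   "vuln_id": "VULN-001", "cvss": 9.8},
    {"scanner": "external", "asset": "web-01",   "vuln_id": "VULN-001", "cvss": 9.8},
    {"scanner": "external", "asset": "web-01",   "vuln_id": "VULN-002", "cvss": 5.3},
    {"scanner": "agent",    "asset": "db-01",    "vuln_id": "VULN-003", "cvss": 7.5},
    {"scanner": "agent",    "asset": "kiosk-07", "vuln_id": "VULN-001", "cvss": 9.8},
    {"scanner": "agent",    "asset": "db-01",    "vuln_id": "VULN-004", "cvss": 4.0},
]
ASSETS = {  # constructed CMDB extract; criticality 1 (low) to 3 (crown jewel)
    "web-01":   {"criticality": 2, "internet_facing": True},
    "db-01":    {"criticality": 3, "internet_facing": False},
    "kiosk-07": {"criticality": 1, "internet_facing": False},
}
KNOWN_EXPLOITED = {"VULN-001"}  # stand-in for a known-exploited-vulnerabilities feed
EXCEPTIONS = {  # accepted risk: compensating control plus an expiry that is enforced
    ("db-01", "VULN-004"): {"control": "service blocked at host firewall",
                            "expires": date(2026, 12, 31)},
}
CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.2}
SLA_TIERS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]  # (min score, days to fix)


def deduplicate(findings):
    """Merge findings reported by several scanners for the same asset and
    vulnerability, keeping the highest CVSS and remembering who saw it."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["vuln_id"])
        m = merged.setdefault(key, {"asset": f["asset"], "vuln_id": f["vuln_id"],
                                    "cvss": 0.0, "sources": set(), "seen_externally": False})
        m["cvss"] = max(m["cvss"], f["cvss"])
        m["sources"].add(f["scanner"])
        if f["scanner"] == "external":
            m["seen_externally"] = True  # reachable without credentials from outside
    return list(merged.values())


def priority_score(finding, assets=ASSETS, known_exploited=KNOWN_EXPLOITED):
    """CVSS base score adjusted for exploitation, exposure and asset value."""
    asset = assets[finding["asset"]]
    score = finding["cvss"]
    if finding["vuln_id"] in known_exploited:
        score += 2.0
    if asset["internet_facing"] or finding["seen_externally"]:
        score += 1.0
    score *= CRITICALITY_WEIGHT[asset["criticality"]]
    return round(score, 1)


def sla_days(score):
    """Map a priority score to the remediation window for its tier."""
    for threshold, days in SLA_TIERS:
        if score >= threshold:
            return days
    return SLA_TIERS[-1][1]


def triage(findings, as_of, exceptions=EXCEPTIONS):
    """Return the ordered remediation queue and the findings covered by a
    still-valid exception. Expired exceptions fall back into the queue."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    queue, excepted = [], []
    for m in deduplicate(findings):
        exc = exceptions.get((m["asset"], m["vuln_id"]))
        if exc and exc["expires"] >= as_of:
            excepted.append({**m, "control": exc["control"], "expires": exc["expires"]})
            continue
        score = priority_score(m)
        days = sla_days(score)
        queue.append({**m, "score": score, "sla_days": days, "due": as_of + timedelta(days=days)})
    queue.sort(key=lambda q: (-q["score"], q["asset"]))
    return {"queue": queue, "excepted": excepted}


if __name__ == "__main__":
    result = triage(RAW_FINDINGS, as_of="2026-06-23")
    for item in result["queue"]:
        print(f'{item["asset"]:9} {item["vuln_id"]} cvss={item["cvss"]} '
              f'score={item["score"]:5} fix within {item["sla_days"]}d by {item["due"]}')
    for item in result["excepted"]:
        print(f'{item["asset"]:9} {item["vuln_id"]} excepted ({item["control"]}) until {item["expires"]}')
```

Two things worth noticing in the output: the CVSS 7.5 finding on the crown-jewel database lands in the same seven-day tier as the CVSS 9.8 on an internet-facing web server, while the identical 9.8 on a low-value kiosk ranks below it. And the accepted-risk exception on `db-01` keeps that finding out of the queue only until its expiry date; re-running with a later `as_of` puts it straight back, which is how exceptions should behave rather than becoming permanent blind spots.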
Domain 3: Incident Response and Management (24%)
Framework literacy is essential: the Cyber Kill Chain, MITRE ATT&CK, and the Diamond Model. You need to walk through the full IR lifecycle (prepare → detect → analyze → contain → eradicate → recover → lessons learned) and understand evidence handling, chain of custody, escalation procedures, and root cause analysis. Tabletop exercises and BC/DR alignment are explicitly tested. Performance-based questions in this domain often present a scenario where you must identify the attack stage, select the correct containment action, and determine what evidence to preserve.
Domain 4: Reporting and Communication (16%)
The smallest domain but one that trips up technically strong candidates. You must produce stakeholder-appropriate reports: executive summaries, technical incident documentation, vulnerability dashboards with KPIs, and post-incident reviews. The exam tests whether you can translate technical findings into risk language that drives decisions — not whether you can write a 50-page forensic report.
Career Impact: Why CySA+ Matters
The cybersecurity talent gap remains massive. ISC2 reports the global cybersecurity workforce at 5.5 million, against a needed 10.2 million, leaving a shortfall of nearly 4.7 million professionals worldwide. CyberSeek data shows 514,359 open cybersecurity positions in the United States alone. The U.S. Bureau of Labor Statistics projects 33% employment growth for information security analysts from 2024 to 2034, far above the average growth rate across all occupations. The median annual wage for information security analysts reached $124,910 in May 2024.
CySA+ sits directly in the hiring pipeline for the roles driving that demand. As we explored in our coverage of AI content appearing across IT certification exams, the industry is shifting toward practical, operations-oriented testing, and CySA+ V4 is the clearest example of that trend. Job postings for SOC analysts (Tier 1 and Tier 2), incident responders, vulnerability analysts, and cyber defense analysts frequently list CySA+ as a preferred or required credential. The certification is also approved under DoD 8140 (the successor to DoD 8570.01-M), qualifying holders for certain Department of Defense cybersecurity positions, a significant hiring channel that many other certifications do not open.
In terms of salary impact, professionals holding CySA+ typically earn in the $85,000–$110,000 range in the United States, with significant upside in high-cost markets and senior roles. For context, our analysis of the hardest IT certifications worth pursuing in 2026 found that intermediate security certs like CySA+ offer some of the best return on study investment. The certification also stacks with other CompTIA credentials: earning CySA+ automatically renews Security+, Network+, and A+ — a practical benefit for maintaining multiple certifications without separate renewal efforts. As CBT Nuggets notes in their CySA+ vs SecurityX comparison, CySA+ is the direct path for hands-on security practitioners, while SecurityX serves architects and senior engineers.
Eight-Week Study Plan for CySA+ V4
This plan assumes you hold Security+ (or equivalent knowledge) and have at least two years of IT experience. Adjust timelines up or down based on your daily study capacity.
Weeks 1–2: Security Operations Foundation. Focus on logging architecture, SIEM concepts, and packet analysis. Set up a lab SIEM (Splunk Free or Elastic SIEM) and ingest logs from a Linux endpoint. Practice writing queries to identify specific event types. Work through Wireshark labs covering common attack patterns (port scans, DNS tunneling, HTTP exfiltration). Study MITRE ATT&CK framework structure — know the tactic and technique taxonomy cold.
Weeks 3–4: Threat Intelligence and Hunting. Learn the Pyramid of Pain concept and practice with threat intelligence platforms (AlienVault OTX, MISP). Build YARA rules to detect sample malware artifacts. Study cyber deception techniques (honeypots, honeytokens). Cover the new AI topics: understand prompt injection, data poisoning, and how to write an AI acceptable use policy for a SOC.
Weeks 5–6: Vulnerability Management and Incident Response. Run credentialed and non-credentialed vulnerability scans against lab targets using OpenVAS or Nessus Essentials. Practice triaging results: deduplicate, validate, score with CVSS, and create remediation plans. For IR, walk through the full lifecycle using tabletop scenarios. Build a containment playbook for ransomware, phishing, and unauthorized access incidents. Practice evidence handling and chain-of-custody documentation.
Week 7: Reporting, Communication, and Review. Write executive summaries, technical incident reports, and vulnerability dashboards. Study KPI frameworks (MTTD, MTTR, vulnerability aging). Review all domains with flashcards or a study guide. Take a full-length practice exam under timed conditions.
Week 8: Practice Exams and Weak-Spot Drills. Take at least two full-length practice exams. Score each domain separately. Spend the remaining time drilling your weakest domain. Review performance-based question (PBQ) formats — these often involve SIEM log analysis, vulnerability report interpretation, or incident timeline reconstruction.
Hands-On Labs You Must Build
Reading alone will not prepare you for CySA+ performance-based questions or for the actual job. Build these three lab environments before exam day.
Mini SOC Pipeline. Deploy a SIEM (Splunk Free or ELK Stack) on a virtual machine. Connect log sources: a Linux endpoint with auditd, a network sensor running Zeek or Suricata, and a cloud account (AWS CloudTrail or Azure Activity Logs). Configure time synchronization across all sources. Build dashboards for authentication events, network anomalies, and privilege escalation. Tune alerts to reduce false positives. This lab exercises a large share of the Security Operations domain.
Vulnerability Management Lab. Set up three targets: a Windows Server, a Linux server, and a containerized web application. Run credentialed scans using Nessus Essentials or OpenVAS. Run an agentless external scan from a separate network segment. Compare results. Triage findings using CVSS scores plus business context. Document a remediation plan with maintenance windows and rollback procedures. Re-scan after applying patches to verify remediation.
Incident Response Scenario Lab. Use MITRE ATT&CK to design a realistic attack scenario — for example, a phishing email that delivers a credential harvester, leading to impossible-travel login detection, session hijacking, and data exfiltration. Script the attack stages in your lab environment. Then walk through detection (SIEM queries), analysis (log correlation), containment (isolate host, revoke session), eradication (remove malware, reset credentials), recovery (restore from backup, verify integrity), and post-incident review (root cause analysis, lessons learned document). Capture screenshots at each stage — these become your study notes and your PBQ practice.
Practice Tests and Study Resources
Start with the official CompTIA exam objectives document for CS0-004 — it is the single most important resource for understanding exactly what the exam tests. Download it free from CompTIA’s certification page.
Official CompTIA resources: CertMaster Learn (structured courseware aligned to exam objectives), CertMaster Labs (hands-on virtual labs), and CertMaster Practice (adaptive practice questions). These are expensive but map directly to the exam. The Complete Learning Bundle combines all three at a discount.
Third-party training: Courses on platforms like CBT Nuggets, Udemy, and LinkedIn Learning cover the CySA+ V4 objectives. Look for courses explicitly tagged CS0-004 — V3 material will leave gaps in AI, cloud security, and SOAR topics. ExamsDigest provides a free objective-by-objective breakdown with practical examples that maps directly to the V4 blueprint.
Practice exams: Use multiple practice test sources to avoid overfitting to one question style. CompTIA’s performance-based questions differ significantly from standard multiple-choice — they require you to analyze logs, interpret scan results, or sequence incident response steps. Budget for at least two different practice exam providers. Take full-length timed exams in the final two weeks to build stamina and identify weak domains.
Free lab resources: TryHackMe and CyberDefenders offer SOC-analyst-specific learning paths that align well with CySA+ domains. Split your lab time between guided walkthroughs (to learn tools) and unstructured challenges (to build independent problem-solving). The goal is to encounter realistic log formats, alert types, and attack patterns before you see them on the exam.
References
- CompTIA CySA+ Certification — Official Page
- CySA+ V4 (CS0-004) Coming June 2026 — GetCertified4Less
- CompTIA CySA+ CS0-004 (V4) Exam Objectives — ExamsDigest
- Information Security Analysts — Bureau of Labor Statistics
- CyberSeek — Cybersecurity Supply and Demand Dashboard
- CySA+ vs SecurityX: How to Choose Your Cybersecurity Path — CBT Nuggets