Reporting and Communication for CompTIA CySA+

This page covers the Reporting and Communication domain of the CompTIA CySA+ certification. Master Cybersecurity offers 29 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?
    A. Firewall logs
    B. Indicators of compromise
    C. Risk assessment
    D. Access control lists
    Explanation

    The correct answer is: C. Risk assessment.

    A risk assessment is the right source for an executive briefing on possible threats because it consolidates the threat landscape, the assets at stake, the likelihood and impact of identified scenarios, and the resulting prioritized risks in a form that translates directly into executive language. Firewall logs are tactical event records that show what happened on the perimeter and are not structured for executive consumption. Indicators of compromise (IoCs) are technical signals — file hashes, IP addresses, and domain names — used by the SOC for detection and threat hunting rather than as the basis for a leadership briefing. Access control lists describe who can reach what resources and are configuration data, not analyses of possible threats. The risk assessment is the one artifact whose purpose is exactly the briefing the analyst is being asked to produce.

  2. Question 2

    A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago, but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?
    A. SLA
    B. MOU
    C. NDA
    D. Limitation of liability
    Explanation

    The correct answer is: A. SLA.

    The service level agreement (SLA) is the document the SOC manager should review because it codifies the timing commitments the MSSP made to the customer for vulnerability reporting and follow-up remediation. The SLA contains the explicit response and remediation windows that the customer is enforcing when they call to complain about the two-hour gap. A memorandum of understanding (MOU) is non-binding and rarely contains hard contractual deadlines. A non-disclosure agreement (NDA) protects confidential information exchanged between the parties and contains no service-level provisions. A limitation of liability clause caps the financial exposure of one party for damages but says nothing about how quickly the SOC must respond to findings, so it cannot be the basis for verifying contractual obligations on response time.

  3. Question 3

    A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?
    A. Geoblock the offending source country.
    B. Block the IP range of the scans at the network firewall.
    C. Perform a historical trend analysis and look for similar scanning activity.
    D. Block the specific IP address of the scans at the network firewall.
    Explanation

    The correct answer is: A. Geoblock the offending source country.

    Geoblocking the offending source country is the best mitigation when scanning activity originates from a country where the company does not do business because it eliminates the entire attacker population in that geography in a single rule rather than reacting to individual IPs one at a time. Geoblocking is sustainable, low-maintenance, and proportionate to the business reality that no legitimate traffic should be coming from that country. Blocking a single IP range cuts off one network block but leaves the rest of the country free to scan, which becomes a game of whack-a-mole as attackers rotate addresses. Performing historical trend analysis is a detective activity that improves understanding but does not stop the ongoing scanning. Blocking a single IP address is even more narrow than blocking a range and is easily evaded by an attacker switching addresses.

  4. Question 4

    A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?
    A. Mean time between failures
    B. Mean time to detect
    C. Mean time to remediate
    D. Mean time to contain
    Explanation

    The correct answer is: D. Mean time to contain.

    Mean time to contain (MTTC) is the metric that captures how long it takes to stop the spread of malware once it has entered the network because containment is the IR phase that limits lateral movement and isolates affected systems. Including MTTC in the executive brief gives leadership a direct view into how quickly the response team can blunt an active threat. Mean time between failures (MTBF) is a reliability metric for hardware or systems and is unrelated to malware containment. Mean time to detect (MTTD) measures how quickly the threat is noticed, not how quickly it is stopped, so it precedes containment rather than measuring it. Mean time to remediate (MTTR) covers the full lifecycle through eradication and recovery and includes activities well beyond stopping the spread, so it is broader than what the executives are asking about.

  5. Question 5

    Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?
    A. SLA
    B. LOI
    C. MOU
    D. KPI
    Explanation

    The correct answer is: A. SLA.

    A service level agreement (SLA) is the document that defines maintenance windows and the expectation that patching will only occur between specified hours such as 2:00 a.m. and 4:00 a.m. The SLA is the operative contract with internal or external customers and is where service hours, allowable downtime, and change windows are codified so all parties have a shared expectation. A letter of intent (LOI) is a preliminary, non-binding statement that two parties intend to negotiate further; it does not encode operational schedules. A memorandum of understanding (MOU) is similarly informal and not the right instrument for committed change windows. A key performance indicator (KPI) is a measurement of performance — for example, percentage of patches deployed in the maintenance window — but it is not the document that defines the expectation in the first place.
