
Threat Intelligence and Vulnerability Management Explained for CompTIA CySA+

CySA+ is designed for analysts who investigate alerts, hunt threats, and manage vulnerabilities every day. The exam tests applied analysis: given a SIEM alert, a vulnerability scan output, or a threat intelligence report, what do you do? CompTIA designed CySA+ to bridge the gap between Security+ conceptual knowledge and the practical decisions security operations center (SOC) analysts make under real conditions. Understanding how to prioritize vulnerabilities based on risk, how to interpret threat intelligence, and how to correlate events across log sources is what the exam measures.


Threat intelligence and the ATT&CK framework

Threat intelligence is information about threats, threat actors, their motivations, and their tactics that has been collected, processed, and analyzed to enable better security decisions. Strategic intelligence informs high-level risk decisions (what industries are being targeted, what types of attacks are increasing). Operational intelligence informs current security operations (active campaigns targeting your sector, new malware families in circulation). Tactical intelligence provides specific indicators of compromise (IP addresses, file hashes, domain names, URLs) used in active attacks.

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world attack observations. It organizes attacker behavior into 14 tactics (the high-level goal, such as Initial Access or Lateral Movement) and hundreds of specific techniques underneath each tactic. When analysts investigate an incident, mapping observed behaviors to ATT&CK helps identify what the attacker is trying to accomplish and what techniques they have not yet used, enabling proactive hunting for the next step in an attack chain.

Indicators of Compromise (IoCs) are artifacts that indicate a system may have been compromised: unusual network connections to known-malicious IPs, file hashes matching known malware, registry keys created by specific malware families, or abnormal user account behavior. IoCs from threat intelligence feeds are loaded into SIEM and EDR tools to generate alerts when they appear in the environment. Indicators of Attack (IoAs) focus on behaviors rather than static artifacts: detecting lateral movement attempts or credential dumping behavior even without a matching signature.
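The IoC-versus-IoA distinction above, shown as working detection logic. This is an added example, not code from the page or from any SIEM/EDR product: the indicator feed, the key=value log lines and the field names are all constructed (TEST-NET addresses, a reserved `.invalid` domain, and a hash of a sample string), and the lateral-movement threshold is an assumption.

```python
import hashlib
import re
from collections import defaultdict

# Constructed tactical intel: one IP, one domain, one file hash. Not real indicators.
SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()
IOC_FEED = {
    "ip": {"203.0.113.45"},
    "domain": {"update.example.invalid"},
    "sha256": {SAMPLE_HASH},
}

# Constructed events from a proxy, an EDR agent and an authentication source.
SAMPLE_LOGS = [
    "ts=1 src=proxy srcip=10.0.0.5 dstip=203.0.113.45 host=cdn.update.example.invalid",
    "ts=2 src=edr endpoint=WS01 proc=svchost.exe sha256=" + SAMPLE_HASH,
    "ts=3 src=auth user=alice dsthost=WS01 result=success",
    "ts=4 src=auth user=alice dsthost=WS02 result=success",
    "ts=5 src=auth user=alice dsthost=SRV03 result=success",
    "ts=6 src=proxy srcip=10.0.0.7 dstip=198.51.100.9 host=www.example.com",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    return dict(KV.findall(line))

def match_iocs(lines, feed=IOC_FEED):
    """IoC matching: return (ts, type, indicator) for each event carrying a known artifact."""
    hits = []
    for ev in map(parse, lines):
        for ip in (ev.get("srcip"), ev.get("dstip")):
            if ip in feed["ip"]:
                hits.append((ev["ts"], "ip", ip))
        host = ev.get("host", "").lower().rstrip(".")
        for d in feed["domain"]:           # the domain itself or any subdomain of it
            if host == d or host.endswith("." + d):
                hits.append((ev["ts"], "domain", d))
        if ev.get("sha256", "").lower() in feed["sha256"]:
            hits.append((ev["ts"], "sha256", ev["sha256"]))
    return hits

def lateral_movement_ioa(lines, threshold=3):
    """IoA: one account succeeding on >= threshold distinct hosts; no signature involved."""
    hosts = defaultdict(set)
    for ev in map(parse, lines):
        if ev.get("src") == "auth" and ev.get("result") == "success":
            hosts[ev["user"]].add(ev["dsthost"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= threshold}
```

The IoC pass fires only where a feed value appears; the IoA pass flags alice's three-host fan-out even though nothing in the feed describes it.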

Vulnerability management lifecycle

Vulnerability management is the ongoing process of identifying, evaluating, prioritizing, remediating, and verifying security weaknesses. The lifecycle starts with discovery: asset inventory tells you what you have, and vulnerability scanning (using tools like Nessus, Qualys, or Rapid7) identifies software versions and configurations with known vulnerabilities. Scanning should cover the entire environment: servers, workstations, network devices, cloud resources, and containerized workloads.

CVSS (Common Vulnerability Scoring System) provides a standardized way to score the severity of vulnerabilities on a scale from 0 to 10. The base score reflects the intrinsic characteristics of the vulnerability: attack vector (network, adjacent, local, physical), attack complexity, privileges required, user interaction, and the impact on confidentiality, integrity, and availability. A CVSS base score tells you how severe a vulnerability is in isolation, but remediation priority must factor in asset criticality and actual exploitability in your environment.

Not every high-CVSS vulnerability should be remediated first. Risk-based prioritization considers four factors: the CVSS score, whether the vulnerability is actively exploited in the wild (check CISA's Known Exploited Vulnerabilities catalog), the criticality of the affected asset, and the presence of compensating controls. A critical CVSS 9.8 vulnerability on an isolated lab system may be lower priority than a CVSS 7.0 vulnerability on a public-facing authentication system that is actively being exploited.
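The two paragraphs above (base score as intrinsic severity, then the four prioritization factors) as a worked ranking. This is an added example, not from the page or from any scanner vendor: the findings, asset tags and KEV entries are constructed, the CVE ids are placeholders, and the weights are assumptions chosen to make the factors visible, not a published formula.

```python
from dataclasses import dataclass

# Stand-in for the CISA KEV catalog (the real catalog is a public JSON feed).
KEV_PLACEHOLDER = {"CVE-0000-0001"}        # placeholder id, not a real CVE

# Assumed weights: asset criticality from the inventory scales the base score.
CRITICALITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 3.0, "critical": 4.0}

@dataclass
class Finding:
    host: str
    cve: str              # placeholder id
    cvss_base: float      # intrinsic severity as reported by the scanner / NVD
    criticality: str      # asset inventory tag
    internet_facing: bool
    compensating: bool    # isolation, WAF rule, EDR block, etc.

def risk_score(f, kev=KEV_PLACEHOLDER):
    """Base score weighted by criticality, exposure, exploitation and controls."""
    score = f.cvss_base * CRITICALITY_WEIGHT[f.criticality]
    if f.cve in kev:
        score *= 2.0      # confirmed exploitation in the wild
    if f.internet_facing:
        score *= 1.5
    if f.compensating:
        score *= 0.5      # a control lowers the risk but does not remove it
    return round(score, 1)

def prioritize(findings, kev=KEV_PLACEHOLDER):
    """Highest risk first; ties fall back to the raw CVSS base score."""
    return sorted(findings, key=lambda f: (risk_score(f, kev), f.cvss_base), reverse=True)

# Constructed scan output: the page's lab-box vs. auth-portal case plus one internal host.
SAMPLE_FINDINGS = [
    Finding("lab-vm-07", "CVE-0000-0002", 9.8, "low", False, True),
    Finding("auth-portal", "CVE-0000-0001", 7.0, "critical", True, False),
    Finding("db-internal", "CVE-0000-0003", 8.1, "high", False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.1f}  {f.host:12} {f.cve} CVSS {f.cvss_base}")
```

The CVSS 9.8 lab finding drops to the bottom (isolated, low-value asset) while the CVSS 7.0 portal finding, being in KEV and internet-facing on a critical asset, ranks first.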

How to choose the correct answer

IoC: specific artifact indicating compromise (IP, hash, domain). IoA: behavioral indicator of attack in progress.

ATT&CK: 14 tactics (what attacker wants to achieve) with hundreds of techniques (how they achieve it). Map incidents to ATT&CK to understand attacker intent.

CVSS base score: intrinsic severity 0-10. Does not include asset criticality or environmental context.

Risk-based patching priority: CVSS score + active exploitation in wild + asset criticality + compensating controls.

CISA KEV (Known Exploited Vulnerabilities): actively exploited, highest remediation priority regardless of base score.

Vulnerability scan vs. penetration test: scanning identifies known vulnerabilities. Pen testing actively exploits them to demonstrate impact.

False positive: scanner reports vulnerability that does not exist. False negative: real vulnerability not detected. Both have costs.

Key exam facts — CS0-003

  • Threat intel types: Strategic (trends), Operational (campaigns), Tactical (IoCs like IPs and hashes).
  • MITRE ATT&CK: 14 tactics from Initial Access to Exfiltration, hundreds of techniques. Maps real attacker behavior.
  • IoC: artifact showing past compromise. IoA: behavior suggesting active attack regardless of known signatures.
  • CVSS base score: severity of vulnerability in isolation. Environmental score adjusts for your specific context.
  • Risk-based remediation: prioritize actively exploited vulnerabilities on critical assets first, not just highest CVSS.
  • CISA KEV catalog: must-patch list of vulnerabilities with confirmed real-world exploitation.
  • Vulnerability scanner: credentialed scans find more than uncredentialed. Always prefer credentialed when possible.

Common exam traps

All CVSS 9+ vulnerabilities should be patched immediately before CVSS 7 vulnerabilities.

CVSS base scores rate the intrinsic severity of a vulnerability in an ideal exploitation scenario, not your specific risk. A CVSS 9.8 vulnerability in software you do not run poses zero risk. A CVSS 7.0 vulnerability in your internet-facing login portal that is actively exploited in the wild is an emergency. Risk-based prioritization combines CVSS, exploitability, asset criticality, and compensating controls.

Vulnerability scanning and penetration testing are the same activity.

Vulnerability scanning is automated and identifies known vulnerabilities by comparing versions and configurations against databases of known issues. It reports potential vulnerabilities, including false positives. Penetration testing is a manual, adversarial exercise where skilled testers actively attempt to exploit vulnerabilities to demonstrate actual impact. Scanning tells you what might be exploitable; penetration testing tells you what is actually exploitable and what an attacker can achieve.

Threat intelligence only matters for large enterprises with dedicated threat intel teams.

Threat intelligence is valuable at any scale. Even without a dedicated team, organizations can consume free threat intel feeds (like CISA alerts or ISACs for their industry), use open-source resources like MITRE ATT&CK for understanding adversary techniques, and configure SIEM tools to automatically check IoCs against threat intel feeds. Small organizations face the same threats as large ones and benefit from knowing which threats are actively targeting their industry.
