Adding Analytics to Your Cybersecurity Toolkit
with CompTIA Cybersecurity Analyst (CSA+)

In this document:
• Adding Analytics to Your Cybersecurity Toolkit with CompTIA CSA+
• Measuring CompTIA CSA+ Difficulty
• Why Hybrid Testing Approaches Work Best
• Mapping the NICE Cybersecurity Workforce Framework

As attackers have learned to evade traditional signature-based solutions, an analytics-based approach has become extremely important. CompTIA CSA+ certification applies behavioral analytics to the IT security market to improve the overall state of IT security. Analytics have been successfully integrated into the business intelligence, retail and financial services industries for decades. Now they are also applied to IT security.

Security analytics greatly improves threat visibility across a broad attack surface by focusing on network behavior, including an organization’s interior network. Threats are better detected using analytics.

CSA+ addresses the increased diversity of knowledge, skills and abilities (KSAs) required of today’s security analysts and validates what is currently necessary to perform effectively on the job. CSA+ certification reflects the KSAs needed to analyze the state of security within modern IT environments, including:
• Threat Management: Perform network reconnaissance, analyze results, pen test and recommend appropriate countermeasures.
• Vulnerability Management: Implement a vulnerability scan, analyze output and set up a management plan.
• Cyber-Incident Response and Forensics: Distinguish threat behavior, communicate, use a forensics toolkit and choose the best course of action.
• Security and Architecture Tool Sets: Perform security analyst skills using packet sniffers, intrusion detection systems and security information and event managers (SIEMs).

71% of the exam objectives require application or analysis of domain knowledge

Measuring CSA+ Difficulty
Using Bloom’s Taxonomy as an organizing principle to discuss the difficulty level of the exam illustrates the emphasis
on the application of KSAs, rather than the simple recall of information. Looking at the exam objectives, 71 percent
require candidates to demonstrate their knowledge at Bloom’s level 3 (apply) and level 4 (analyze).
The CSA+ exam is at a higher taxonomy level because we carefully track job roles and skills in the IT industry.
We strive to make sure that the exams directly reflect industry standards and best practices.
The following table summarizes the percentage of certification exam objectives that fall into each of Bloom’s levels.

| Bloom’s Level and Description | Level of Complexity | Percentage of Objectives (Objective Numbers) |
|---|---|---|
| Level 1: Remembering/Recalling Information. The candidate is able to recall, restate and remember learned information. | Basic | 0% |
| Level 2: Understanding/Explaining Ideas or Concepts. The learner grasps the meaning of information by interpreting and translating what has been learned. | Low | 29% |
| Level 3: Applying Knowledge and Skills. The learner makes use of information in a new situation from the one in which it was learned. | Moderate | 41% |
| Level 4: Analyzing. The learner breaks learned information into parts to best understand that information in an attempt to identify evidence for a conclusion. | High | 30% |
| Level 5: Evaluating. The learner makes decisions based on in depth reflection, criticism and assessment. | High | 0% |
| Level 6: Creating. The learner creates new ideas and information using what has been previously learned. | High | 0% |

CSA+ Executive Summary
Why Hybrid Testing Approaches Work Best
Over the past several years, cybersecurity practitioners and educators have debated as to which of the following is more
important to validate:
1. An individual’s conceptual knowledge, as validated by “linear” multiple choice items, or
2. Performance associated with a particular job or responsibility, as validated by performance-based items.
Advocates for each of these two aspects of validation often hold one of the approaches as superior over the other, with most
individuals favoring only performance-based items.
CompTIA regards this rift in opinion as a false dilemma. Both domain knowledge expertise and practical skills are absolutely vital
and should be a part of any serious competency training and validation process. Both knowledge- and performance-based
aspects are necessary for training, and nothing can substitute for hands-on learning. The same principle applies to assessment.
This is why CompTIA adopted performance-based items into its certification exams starting in 2011.
The following CompTIA exams contain roughly 10 percent performance-based items:
A+ | Network+ | Security+ | Cybersecurity Analyst (CSA+) | CompTIA Advanced Security Practitioner (CASP)
On average, it takes a test taker roughly one-third of the examination time to complete these performance-based items. The performance-based items include simulations of technology solutions and story-based items that require advanced cognitive thinking on the part of the successful test taker.
Mapping the NICE Cybersecurity Workforce Framework
CompTIA CSA+ certification aligns with the following eight work roles of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF), draft NIST special publication 800-181:
• Cyber Defense Analyst, PR-DA-001
• Cyber Defense Infrastructure Support Specialist, PR-INF-001
• Cyber Defense Incident Responder, PR-IR-001
• Vulnerability Assessment Analyst, PR-VA-001
• Warning Analyst, AN-TA-001
• Cyber Crime Investigator, IN-CI-001
• Forensics Analyst, IN-FO-001
• Cyber Defense Forensics Analyst, IN-FO-002
This mapping is a sample of how CompTIA’s certification standards map to key elements of the NICE framework.

| Work Role | Description | Matching CompTIA CSA+ Objectives (Samples) |
|---|---|---|
| Cyber Defense Analyst PR-DA-001 | Uses data collected from a variety of cyber-defense tools (e.g., intrusion detection system (IDS) alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats. | 1.1 — Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes; 1.2 — Given a scenario, analyze the results of a network reconnaissance; 1.3 — Given a network-based threat, implement or recommend the appropriate response and countermeasure |
| Cyber Defense Infrastructure Support Specialist PR-INF-001 | Tests, implements, deploys, maintains and administers the infrastructure hardware and software. | 1.4 — Explain the purpose of practices used to secure a corporate environment; 2.3 — Compare and contrast common vulnerabilities found in the following targets within an organization; 4.3 — Given a scenario, review security architecture and make recommendations to implement compensating controls |
| Cyber Defense Incident Responder PR-IR-001 | Investigates, analyzes and responds to cyber-incidents within the network environment or enclave. | 3.1 — Given a scenario, distinguish threat data or behavior to determine the impact of an incident; 3.2 — Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation; 3.3 — Explain the importance of communication during the incident response process; 3.4 — Given a scenario, analyze common symptoms to select the best course of action to support incident response; 3.5 — Summarize the incident recovery and post-incident response process |
| Vulnerability Assessment Analyst PR-VA-001 | Performs assessments of systems and networks within the network environment or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy or local policy. Measures effectiveness of defense-in-depth architecture against known vulnerabilities. | 2.1 — Given a scenario, implement an information security vulnerability management process; 2.2 — Given a scenario, analyze the output resulting from a vulnerability scan; 2.3 — Compare and contrast common vulnerabilities found in the following targets within an organization |
| Warning Analyst AN-TA-001 | Develops unique cyber-indicators to maintain constant awareness of the status of the highly dynamic operating environment. Collects, processes, analyzes and disseminates cyber-warning assessments. | 1.1 — Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes; 1.2 — Given a scenario, analyze the results of a network reconnaissance; 3.3 — Explain the importance of communication during the incident response process |
| Cyber Crime Investigator IN-CI-001 | Identifies, collects, examines and preserves evidence using controlled and documented analytical and investigative techniques. | 3.1 — Given a scenario, distinguish threat data or behavior to determine the impact of an incident; 3.2 — Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation; 3.5 — Summarize the incident recovery and post-incident response process; 4.1 — Explain the relationship between frameworks, common policies, controls and procedures; 4.5 — Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies |
| Forensics Analyst IN-FO-001 | Conducts deep-dive investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber-intrusion incidents. | 1.1 — Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes; 3.2 — Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation; 4.5 — Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies |
| Cyber Defense Forensics Analyst IN-FO-002 | Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation. | 2.2 — Given a scenario, analyze the output resulting from a vulnerability scan; 3.1 — Given a scenario, distinguish threat data or behavior to determine the impact of an incident; 3.2 — Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation; 3.4 — Given a scenario, analyze common symptoms to select the best course of action to support incident response |

LEARN MORE
For government inquiries contact: GovernmentSales@CompTIA.org.
For corporate inquiries contact: Jennifer Herroon at jherroon@CompTIA.org
© 2017 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and
education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of
CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or
service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written
consent of CompTIA Properties, LLC. Printed in the U.S. 03724-Apr2017
CSA+ Executive Summary
4

More Related Content

What's hot

SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...Andrea Montemaggio
 
Critical Infrastructure Protection (CIP) NERC Training
Critical Infrastructure Protection (CIP) NERC TrainingCritical Infrastructure Protection (CIP) NERC Training
Critical Infrastructure Protection (CIP) NERC TrainingTonex
 
Cmgt 582 Education Specialist -snaptutorial.com
Cmgt 582  Education Specialist -snaptutorial.comCmgt 582  Education Specialist -snaptutorial.com
Cmgt 582 Education Specialist -snaptutorial.comDavisMurphyC37
 
Chapter 07 risk_management_controlling_risk
Chapter 07 risk_management_controlling_riskChapter 07 risk_management_controlling_risk
Chapter 07 risk_management_controlling_riskhusseinalshomali
 
Providing a model for selecting information security control objectives using...
Providing a model for selecting information security control objectives using...Providing a model for selecting information security control objectives using...
Providing a model for selecting information security control objectives using...ijfcstjournal
 
CMGT 582 STUDY Inspiring Innovation--cmgt582study.com
 CMGT 582 STUDY Inspiring Innovation--cmgt582study.com CMGT 582 STUDY Inspiring Innovation--cmgt582study.com
CMGT 582 STUDY Inspiring Innovation--cmgt582study.comKeatonJennings98
 
AUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWAUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWcscpconf
 
Cmgt 582 Effective Communication / snaptutorial.com
Cmgt 582  Effective Communication / snaptutorial.comCmgt 582  Effective Communication / snaptutorial.com
Cmgt 582 Effective Communication / snaptutorial.comHarrisGeorg12
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityIJCSIS Research Publications
 
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
 
Cyber Security Improvement Plan
Cyber Security Improvement PlanCyber Security Improvement Plan
Cyber Security Improvement PlanNicole Valerio
 
Chapter 04 information_security_policy
Chapter 04 information_security_policyChapter 04 information_security_policy
Chapter 04 information_security_policyhusseinalshomali
 
Effects Based Planning And Assessment
Effects Based Planning And AssessmentEffects Based Planning And Assessment
Effects Based Planning And Assessmentahmad bassiouny
 
Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...
Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...
Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...CS, NcState
 
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...IEEEFINALYEARSTUDENTPROJECTS
 
AN OVERVIEW OF PENETRATION TESTING
AN OVERVIEW OF PENETRATION TESTINGAN OVERVIEW OF PENETRATION TESTING
AN OVERVIEW OF PENETRATION TESTINGIJNSA Journal
 
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Editiontest bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Editionhusseinalshomali
 

What's hot (20)

SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
 
Critical Infrastructure Protection (CIP) NERC Training
Critical Infrastructure Protection (CIP) NERC TrainingCritical Infrastructure Protection (CIP) NERC Training
Critical Infrastructure Protection (CIP) NERC Training
 
Cmgt 582 Education Specialist -snaptutorial.com
Cmgt 582  Education Specialist -snaptutorial.comCmgt 582  Education Specialist -snaptutorial.com
Cmgt 582 Education Specialist -snaptutorial.com
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
 
Chapter 07 risk_management_controlling_risk
Chapter 07 risk_management_controlling_riskChapter 07 risk_management_controlling_risk
Chapter 07 risk_management_controlling_risk
 
Providing a model for selecting information security control objectives using...
Providing a model for selecting information security control objectives using...Providing a model for selecting information security control objectives using...
Providing a model for selecting information security control objectives using...
 
CMGT 582 STUDY Inspiring Innovation--cmgt582study.com
 CMGT 582 STUDY Inspiring Innovation--cmgt582study.com CMGT 582 STUDY Inspiring Innovation--cmgt582study.com
CMGT 582 STUDY Inspiring Innovation--cmgt582study.com
 
AUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWAUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEW
 
Cmgt 582 Effective Communication / snaptutorial.com
Cmgt 582  Effective Communication / snaptutorial.comCmgt 582  Effective Communication / snaptutorial.com
Cmgt 582 Effective Communication / snaptutorial.com
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network Security
 
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
 
Cyber Security Improvement Plan
Cyber Security Improvement PlanCyber Security Improvement Plan
Cyber Security Improvement Plan
 
Chapter 04 information_security_policy
Chapter 04 information_security_policyChapter 04 information_security_policy
Chapter 04 information_security_policy
 
Effects Based Planning And Assessment
Effects Based Planning And AssessmentEffects Based Planning And Assessment
Effects Based Planning And Assessment
 
Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...
Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...
Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...
 
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
 
Robustness in deep learning
Robustness in deep learningRobustness in deep learning
Robustness in deep learning
 
AN OVERVIEW OF PENETRATION TESTING
AN OVERVIEW OF PENETRATION TESTINGAN OVERVIEW OF PENETRATION TESTING
AN OVERVIEW OF PENETRATION TESTING
 
Eng Solutions - Capability Statement-Latest
Eng Solutions - Capability Statement-LatestEng Solutions - Capability Statement-Latest
Eng Solutions - Capability Statement-Latest
 
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Editiontest bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
 

Similar to Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Analyst (CSA+)

Meeting the Cybersecurity Skills Challenge with CompTIA Security+
Meeting the Cybersecurity Skills Challenge with CompTIA Security+Meeting the Cybersecurity Skills Challenge with CompTIA Security+
Meeting the Cybersecurity Skills Challenge with CompTIA Security+CompTIA
 
Cyber security technologist occupational brief
Cyber security technologist occupational briefCyber security technologist occupational brief
Cyber security technologist occupational briefEnda Crossan
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxRSAArcher
 
Security-Monitoring-and-Improvement.pptx
Security-Monitoring-and-Improvement.pptxSecurity-Monitoring-and-Improvement.pptx
Security-Monitoring-and-Improvement.pptxMuhammadAbdullah311866
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018Open Security Summit
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comphanleson
 
Information Security Analyst- Infosec train
Information Security Analyst- Infosec trainInformation Security Analyst- Infosec train
Information Security Analyst- Infosec trainInfosecTrain
 
Practical Measures for Measuring Security
Practical Measures for Measuring SecurityPractical Measures for Measuring Security
Practical Measures for Measuring SecurityChris Mullins
 
Adapting IT Operations with CompTIA Cloud+
Adapting IT Operations with CompTIA Cloud+Adapting IT Operations with CompTIA Cloud+
Adapting IT Operations with CompTIA Cloud+CompTIA
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechsMordecai Kraushar
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security programabdulkhalid murady
 
2023.06 - CompTIA Security+ Everything you need to know about the new exam .pptx
2023.06 - CompTIA Security+ Everything you need to know about the new exam .pptx2023.06 - CompTIA Security+ Everything you need to know about the new exam .pptx
2023.06 - CompTIA Security+ Everything you need to know about the new exam .pptxInfosec
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room:  Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room:  Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
Select and Implement a Next Generation Endpoint Protection Solution
Select and Implement a Next Generation Endpoint Protection SolutionSelect and Implement a Next Generation Endpoint Protection Solution
Select and Implement a Next Generation Endpoint Protection SolutionInfo-Tech Research Group
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Project 1CST630 Project ChecklistStudent Name DateNote This che
Project 1CST630 Project ChecklistStudent Name DateNote This cheProject 1CST630 Project ChecklistStudent Name DateNote This che
Project 1CST630 Project ChecklistStudent Name DateNote This chedavieec5f
 

Similar to Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Analyst (CSA+) (20)

Meeting the Cybersecurity Skills Challenge with CompTIA Security+
Meeting the Cybersecurity Skills Challenge with CompTIA Security+Meeting the Cybersecurity Skills Challenge with CompTIA Security+
Meeting the Cybersecurity Skills Challenge with CompTIA Security+
 
Cyber security technologist occupational brief
Cyber security technologist occupational briefCyber security technologist occupational brief
Cyber security technologist occupational brief
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
 
Security-Monitoring-and-Improvement.pptx
Security-Monitoring-and-Improvement.pptxSecurity-Monitoring-and-Improvement.pptx
Security-Monitoring-and-Improvement.pptx
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.com
 
Information Security Analyst- Infosec train
Information Security Analyst- Infosec trainInformation Security Analyst- Infosec train
Information Security Analyst- Infosec train
 
Practical Measures for Measuring Security
Practical Measures for Measuring SecurityPractical Measures for Measuring Security
Practical Measures for Measuring Security
 
Adapting IT Operations with CompTIA Cloud+
Adapting IT Operations with CompTIA Cloud+Adapting IT Operations with CompTIA Cloud+
Adapting IT Operations with CompTIA Cloud+
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechs
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
 
2023.06 - CompTIA Security+ Everything you need to know about the new exam .pptx
2023.06 - CompTIA Security+ Everything you need to know about the new exam .pptx2023.06 - CompTIA Security+ Everything you need to know about the new exam .pptx
2023.06 - CompTIA Security+ Everything you need to know about the new exam .pptx
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room:  Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room:  Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
 
Applying Lean for information security operations centre
Applying Lean for information security operations centreApplying Lean for information security operations centre
Applying Lean for information security operations centre
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
Select and Implement a Next Generation Endpoint Protection Solution
Select and Implement a Next Generation Endpoint Protection SolutionSelect and Implement a Next Generation Endpoint Protection Solution
Select and Implement a Next Generation Endpoint Protection Solution
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Project 1CST630 Project ChecklistStudent Name DateNote This che
Project 1CST630 Project ChecklistStudent Name DateNote This cheProject 1CST630 Project ChecklistStudent Name DateNote This che
Project 1CST630 Project ChecklistStudent Name DateNote This che
 

More from CompTIA

CompTIA IT Employment Tracker – December 2021
CompTIA IT Employment Tracker –  December 2021CompTIA IT Employment Tracker –  December 2021
CompTIA IT Employment Tracker – December 2021CompTIA
 
CompTIA IT Employment Tracker – November 2021
CompTIA IT Employment Tracker –  November 2021CompTIA IT Employment Tracker –  November 2021
CompTIA IT Employment Tracker – November 2021CompTIA
 
CompTIA IT Employment Tracker – October 2021
CompTIA IT Employment Tracker –  October 2021CompTIA IT Employment Tracker –  October 2021
CompTIA IT Employment Tracker – October 2021CompTIA
 
CompTIA IT Employment Tracker – September 2021
CompTIA IT Employment Tracker –  September 2021CompTIA IT Employment Tracker –  September 2021
CompTIA IT Employment Tracker – September 2021CompTIA
 
CompTIA IT Employment Tracker – July 2021
CompTIA IT Employment Tracker –  July 2021CompTIA IT Employment Tracker –  July 2021
CompTIA IT Employment Tracker – July 2021CompTIA
 
CompTIA IT Employment Tracker – June 2021
CompTIA IT Employment Tracker –  June 2021CompTIA IT Employment Tracker –  June 2021
CompTIA IT Employment Tracker – June 2021CompTIA
 
Trends in Automation 2021
Trends in Automation 2021Trends in Automation 2021
Trends in Automation 2021CompTIA
 
CompTIA IT Employment Tracker – May 2021
CompTIA IT Employment Tracker –  May 2021CompTIA IT Employment Tracker –  May 2021
CompTIA IT Employment Tracker – May 2021CompTIA
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Analyst (CSA+)

  • 1.
In this document:
• Adding Analytics to Your Cybersecurity Toolkit with CompTIA CSA+
• Measuring CompTIA CSA+ Difficulty
• Why Hybrid Testing Approaches Work Best
• Mapping the NICE Cybersecurity Workforce Framework

As attackers have learned to evade traditional signature-based solutions, an analytics-based approach has become extremely important. CompTIA CSA+ certification applies behavioral analytics to the IT security market to improve the overall state of IT security. Analytics have been successfully integrated into the business intelligence, retail and financial services industries for decades. Now they are also applied to IT security. Security analytics greatly improves threat visibility across a broad attack surface by focusing on network behavior, including an organization’s interior network. Threats are better detected using analytics.

CSA+ addresses the increased diversity of knowledge, skills and abilities (KSAs) required of today’s security analysts and validates what is currently necessary to perform effectively on the job.

CSA+ certification reflects the KSAs needed to analyze the state of security within modern IT environments, including:
• Threat Management: Perform network reconnaissance, analyze results, pen test and recommend appropriate countermeasures.
• Vulnerability Management: Implement a vulnerability scan, analyze output and set up a management plan.
• Cyber-Incident Response and Forensics: Distinguish threat behavior, communicate, use a forensics toolkit and choose the best course of action.
• Security and Architecture Tool Sets: Perform security analyst skills using packet sniffers, intrusion detection systems and security information and event managers (SIEMs).

71% of the exam objectives require application or analysis of domain knowledge

Measuring CSA+ Difficulty

Using Bloom’s Taxonomy as an organizing principle to discuss the difficulty level of the exam illustrates the emphasis on the application of KSAs, rather than the simple recall of information. Looking at the exam objectives, 71 percent require candidates to demonstrate their knowledge at Bloom’s level 3 (apply) and level 4 (analyze). The CSA+ exam is at a higher taxonomy level because we carefully track job roles and skills in the IT industry. We strive to make sure that the exams directly reflect industry standards and best practices. The following table summarizes the percentage of certification exam objectives that fall into each of Bloom’s levels.
  • 2.
CSA+ Executive Summary

Bloom’s Level and Description | Level of Complexity | Percentage of Objectives (Objective Numbers)
Level 1: Remembering/Recalling Information. The candidate is able to recall, restate and remember learned information. | Basic | 0%
Level 2: Understanding/Explaining Ideas or Concepts. The learner grasps the meaning of information by interpreting and translating what has been learned. | Low | 29%
Level 3: Applying Knowledge and Skills. The learner makes use of information in a new situation from the one in which it was learned. | Moderate | 41%
Level 4: Analyzing. The learner breaks learned information into parts to best understand that information in an attempt to identify evidence for a conclusion. | High | 30%
Level 5: Evaluating. The learner makes decisions based on in-depth reflection, criticism and assessment. | High | 0%
Level 6: Creating. The learner creates new ideas and information using what has been previously learned. | High | 0%

Why Hybrid Testing Approaches Work Best

Over the past several years, cybersecurity practitioners and educators have debated as to which of the following is more important to validate:
1. An individual’s conceptual knowledge, as validated by “linear” multiple choice items, or
2. Performance associated with a particular job or responsibility, as validated by performance-based items.

Advocates for each of these two aspects of validation often hold one of the approaches as superior over the other, with most individuals favoring only performance-based items. CompTIA regards this rift in opinion as a false dilemma. Both domain knowledge expertise and practical skills are absolutely vital and should be a part of any serious competency training and validation process. Both knowledge- and performance-based aspects are necessary for training, and nothing can substitute for hands-on learning. The same principle applies to assessment. This is why CompTIA adopted performance-based items into its certification exams starting in 2011.

The following CompTIA exams contain roughly 10 percent performance-based items:
A+ | Network+ | Security+ | Cybersecurity Analyst (CSA+) | CompTIA Advanced Security Practitioner (CASP)

On average, it takes a test taker roughly one-third of the examination time to complete these performance-based items. The performance-based items include simulations of technology solutions and story-based items that require advanced cognitive thinking on the part of the successful test taker.
  • 3.
Mapping the NICE Cybersecurity Workforce Framework

CompTIA CSA+ certification aligns with the following eight work roles of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF), draft NIST special publication 800-181:
• Cyber Defense Analyst, PR-DA-001
• Cyber Defense Infrastructure Support Specialist, PR-INF-001
• Cyber Defense Incident Responder, PR-IR-001
• Vulnerability Assessment Analyst, PR-VA-001
• Warning Analyst, AN-TA-001
• Cyber Crime Investigator, IN-CI-001
• Forensics Analyst, IN-FO-001
• Cyber Defense Forensics Analyst, IN-FO-002

This mapping is a sample of how CompTIA’s certification standards map to key elements of the NICE framework.

Work Role: Cyber Defense Analyst, PR-DA-001
Description: Uses data collected from a variety of cyber-defense tools (e.g., intrusion detection system (IDS) alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.
Matching CompTIA CSA+ Objectives (Samples):
• 1.1 — Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes
• 1.2 — Given a scenario, analyze the results of a network reconnaissance
• 1.3 — Given a network-based threat, implement or recommend the appropriate response and countermeasure

Work Role: Cyber Defense Infrastructure Support Specialist, PR-INF-001
Description: Tests, implements, deploys, maintains and administers the infrastructure hardware and software.
Matching CompTIA CSA+ Objectives (Samples):
• 1.4 — Explain the purpose of practices used to secure a corporate environment
• 2.3 — Compare and contrast common vulnerabilities found in the following targets within an organization
• 4.3 — Given a scenario, review security architecture and make recommendations to implement compensating controls

Work Role: Cyber Defense Incident Responder, PR-IR-001
Description: Investigates, analyzes and responds to cyber-incidents within the network environment or enclave.
Matching CompTIA CSA+ Objectives (Samples):
• 3.1 — Given a scenario, distinguish threat data or behavior to determine the impact of an incident
• 3.2 — Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation
• 3.3 — Explain the importance of communication during the incident response process
• 3.4 — Given a scenario, analyze common symptoms to select the best course of action to support incident response
• 3.5 — Summarize the incident recovery and post-incident response process

Work Role: Vulnerability Assessment Analyst, PR-VA-001
Description: Performs assessments of systems and networks within the network environment or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy or local policy. Measures effectiveness of defense-in-depth architecture against known vulnerabilities.
Matching CompTIA CSA+ Objectives (Samples):
• 2.1 — Given a scenario, implement an information security vulnerability management process
• 2.2 — Given a scenario, analyze the output resulting from a vulnerability scan
• 2.3 — Compare and contrast common vulnerabilities found in the following targets within an organization
  • 4.
Work Role: Warning Analyst, AN-TA-001
Description: Develops unique cyber-indicators to maintain constant awareness of the status of the highly dynamic operating environment. Collects, processes, analyzes and disseminates cyber-warning assessments.
Matching CompTIA CSA+ Objectives (Samples):
• 1.1 — Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes
• 1.2 — Given a scenario, analyze the results of a network reconnaissance
• 3.3 — Explain the importance of communication during the incident response process

Work Role: Cyber Crime Investigator, IN-CI-001
Description: Identifies, collects, examines and preserves evidence using controlled and documented analytical and investigative techniques.
Matching CompTIA CSA+ Objectives (Samples):
• 3.1 — Given a scenario, distinguish threat data or behavior to determine the impact of an incident
• 3.2 — Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation
• 3.5 — Summarize the incident recovery and post-incident response process
• 4.1 — Explain the relationship between frameworks, common policies, controls and procedures
• 4.5 — Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies

Work Role: Forensics Analyst, IN-FO-001
Description: Conducts deep-dive investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber-intrusion incidents.
Matching CompTIA CSA+ Objectives (Samples):
• 1.1 — Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes
• 3.2 — Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation
• 4.5 — Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies

Work Role: Cyber Defense Forensics Analyst, IN-FO-002
Description: Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.
Matching CompTIA CSA+ Objectives (Samples):
• 2.2 — Given a scenario, analyze the output resulting from a vulnerability scan
• 3.1 — Given a scenario, distinguish threat data or behavior to determine the impact of an incident
• 3.2 — Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation
• 3.4 — Given a scenario, analyze common symptoms to select the best course of action to support incident response

LEARN MORE
For government inquiries contact: GovernmentSales@CompTIA.org.
For corporate inquiries contact: Jennifer Herroon at jherroon@CompTIA.org

© 2017 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. 03724-Apr2017