The cybersecurity analyst credential for SOC roles. Behavioural analytics, threat intelligence, vulnerability management, incident response and forensic foundations.
⏱ Duration: 5 days / 40 hrs
💻 Format: Instructor-Led + Live SOC
🌐 Delivery: On-site · Virtual · Hybrid
✅ Pass rate: 96%
📅 Next intake: 2 June 2026
📡
Detect, don't just defend
Move from prevention thinking to active behavioural detection
🔍
Threat intelligence applied
TTPs, IOCs, MITRE ATT&CK and threat feed analysis
🛠️
Hands-on SIEM coaching
Splunk and Sentinel queries, dashboards, alert tuning
📝
Reporting that lands
Write IR reports an executive will read and act on
What this course is
CySA+ is the SOC analyst credential.
CySA+ (CS0-003) sits between Security+ (foundation) and CASP / CISSP (architecture). It validates that you can sit in a SOC, run live detection, triage incidents and manage vulnerabilities — the day-to-day work of a Tier 2 analyst.
At Nexperts, CySA+ is delivered against a live cloud-hosted SOC stack — Splunk Enterprise Security, Microsoft Sentinel, CrowdStrike Falcon and Cortex XSOAR. You don't memorise vendors. You drive them.
A SOC analyst is judged by mean time to detect and mean time to contain. Both are measured in minutes — and minutes are what we drill.
The CS0-003 update emphasises automation, threat hunting and the analyst's role in vulnerability prioritisation. We teach all three in real workflows you'll execute on Monday morning at your job.
Who should take this course
🛡️
Security+ holders
The most logical next step. CySA+ specialises Security+ into the SOC analyst role.
🔍
SOC L1 analysts
Already triaging tickets — formalise your skills and step up to L2 / threat hunting.
📊
Vulnerability managers
Going beyond raw scan output into business-aware prioritisation.
🌐
Network engineers pivoting
Network fluency + CySA+ = a strong route into security.
CySA+ adds the operational depth CISSP candidates often lack.
Prerequisites
✓ CompTIA Security+ or equivalent foundation
✓ 4 years IT experience (3 in security recommended)
✓ Comfort with Windows event logs and Linux syslog
✓ Basic SIEM or log-search experience an advantage
→ No Security+? Ask us about our combined Security+ → CySA+ pathway.
Course Curriculum
Five domains. SOC operations end to end.
CS0-003 covers Security Operations, Vulnerability Management, Incident Response and Management, and Reporting and Communication. We deliver them as a connected SOC workflow.
Hands-On SOC
36 SOC drills. Live alerts. Live data.
Our CySA+ environment ingests live attack data from a Caldera red team, plus synthetic noise from a 200-endpoint simulation. You'll run real Splunk and Sentinel queries against real activity.
01
Sysmon to SIEM Pipeline
Build the full pipeline — Sysmon → Universal Forwarder → Splunk index → dashboards.
Pipeline
02
Living-off-the-Land Hunt
Hypothesise. Hunt. Find the persistence mechanism the red team planted last week.
Hunting
03
KQL Detection Sprint
Write 10 Sentinel KQL detections aligned to MITRE ATT&CK in 90 minutes.
Detection
04
CVSS + EPSS Triage
Receive 500 raw findings. Prioritise via EPSS, KEV and business context. Defend top-25.
Vuln Mgmt
05
Memory Forensics
Run Volatility against a captured memory image. Identify the malware family.
Forensics
06
Cloud IR — Azure
An attacker compromised a service principal. Trace, contain and rotate credentials.
Cloud IR
07
DNS Beacon Detection
Spot the DNS C2 channel hidden in 2 million queries. Ten minutes.
Hunting
08
Tabletop — Ransomware
Run a full 90-minute tabletop with C-suite, legal and PR. Document decisions.
TTX
09
Executive IR Briefing
Take a complex incident. Prepare a 5-minute executive briefing. Defend questions.
Comms
+ 27 additional SOC tasks. Splunk and Sentinel access for 60 days post-course.
Exam Information
One exam. Heavy on PBQs.
CS0-003 is dominated by performance-based questions simulating SIEM dashboards, alert triage decisions and IR workflows. Pure-theory study fails this exam.
CySA+ CS0-003 Exam
Questions: Max 85 (MC + performance-based)
Duration: 165 minutes
Passing score: Pass / Fail (no scaled score)
Format: Pearson VUE / Online
Validity: 3 years (CE renewal)
Industry avg pass rate: ~66% first attempt
Nexperts pass rate: 96% first attempt
DoD 8570 / 8140 Recognition
Approved roles: CSSP Analyst, IAT Level 2
Banking: Recognised across BNM-regulated entities
Voucher: Bundled — Pearson VUE included
Renewal: CompTIA CE — 60 CEUs in 3 years
Stacks with: Security+ → CySA+ → CASP+
Prereq waiver: Counts toward CISSP experience
Career fit: Tier 2 / Tier 3 SOC analyst, threat hunter
Our CySA+ 3-Mock Programme
01
Diagnostic Mock
Day 2. Pinpoints weak detection patterns. Average score: 58%.
02
SIEM-Heavy Mock
Mid-course. PBQ-only — Splunk and Sentinel scenarios. Average score: 74%.
03
Final Clearance
Full timed simulation. 84%+ before booking. Average score: 88%.
Pass Rate
96% of our CySA+ analysts pass on first attempt.
Industry-wide CS0-003 first-attempt rate is around 66%. Our 96% comes from a live SOC environment, dedicated KQL/SPL workshops, and an instructor who runs Tier-3 escalations for two regional SOCs every month.
Live SOC environment · SPL + KQL workshops · 96% first attempt · MITRE ATT&CK drills · Free retake voucher
Why our pass rate is 96%
Industry average: ~66%
Most candidates fail on PBQs because they've never actually queried a SIEM under time pressure. They know the theory, not the workflow.
Nexperts: 96%
We give you 60 days of live SIEM access, force you through 90-minute SOC drills, and don't book the exam until your detection writing is fluent.
Your Certification Journey
CySA+ unlocks the Tier 2 / 3 SOC track.
From CySA+ you choose architecture (CASP+), management (CISSP) or specialisation (Threat Hunting / IR / Forensics).
Before this
Security+ SY0-701
Security fundamentals are the prerequisite. Without them, CySA+ feels conceptual.
Expected salary range after CySA+: RM 6,500 – RM 11,000/month for Tier 2 SOC and threat-hunting roles in Malaysia.
Student Reviews
What our CySA+ graduates say.
4.8 ★★★★★ (142 reviews)
5★: 87% · 4★: 11% · 3★: 2%
★★★★★
"I'd been doing SOC L1 for two years and could not pass CASP-style PBQs. CySA+ at Nexperts forced me to actually write Splunk searches under time pressure. Pattern recognition kicked in around day 3."
Reza Yazid
SOC L2 · Maybank
✓ Passed first attempt
★★★★★
"The MITRE ATT&CK module is what tipped me. We mapped real threat actor TTPs to our own SIEM coverage and found three blind spots in our detection stack."
Shobana Sivakumar
Threat Hunter · Standard Chartered
✓ Passed first attempt
★★★★
"Memory forensics with Volatility was new to me. I expected slides. Got six hours of hands-on memory-image investigation. Worth it."
Daniel Khor
Junior IR Analyst · KPMG MY
✓ Passed first attempt
★★★★★
"The executive briefing simulation was brutal — and exactly what I needed. Two months later I delivered my first real ransomware briefing to my CIO and it landed cleanly."
Halimah Wahab
Senior SOC Analyst · CIMB
✓ Passed first attempt