100 CompTIA CySA+ Terms to Know: Threat Analysis Vocabulary Explained

CompTIA CySA+ (Cybersecurity Analyst) is where the field separates doers from thinkers. It’s an intermediate-level certification designed for security analysts who don’t just respond to alerts — they investigate, correlate, hunt, and analyze. If Security+ is the vocabulary of security concepts, CySA+ is the vocabulary of security operations.

The professionals who earn CySA+ are operating in SOCs, threat intelligence teams, vulnerability management programs, and incident response functions. The terms they use every day — IOC, MITRE ATT&CK, CVSS, UEBA, SIEM correlation — aren’t just exam content. They’re the shared language of the security operations community.

We created 100 CompTIA CySA+ Terms to Know to build that vocabulary before you go deep into the technical work of the certification. Watch it below, then read on for how these terms map to the five domains that define what security analysts actually do.


Why CySA+ Vocabulary Reflects Real Security Work

CySA+ is built around what analysts actually do in security operations: they monitor, detect, investigate, and respond. The exam doesn’t test whether you’ve memorized definitions — it tests whether you can apply them to realistic scenarios. An analyst who freezes when someone mentions an IOC or doesn’t know how to read a CVSS score isn’t ready for operational security work, no matter how technically skilled they are.

The vocabulary in this video is operational vocabulary. It maps directly to tools, workflows, and conversations in SOCs and threat operations teams. Building it now means your study time goes into understanding — not translation.

Five Domains Every Security Analyst Should Know

The 100 terms in the video map to five operational domains that CySA+ tests and that real security analyst roles depend on. Understanding the domains gives you a map of what security analysis actually involves — not just what the exam covers.

1. Threat Intelligence & Hunting

IOC (Indicators of Compromise), IOA (Indicators of Attack), TTPs (Tactics, Techniques, and Procedures), threat actors, threat feeds, OSINT, STIX/TAXII, and the MITRE ATT&CK framework form the intelligence vocabulary of security analysis. Threat hunters and analysts don’t wait for alerts — they proactively search for evidence of adversary activity. Understanding how intelligence is gathered, structured, and applied is what makes that possible.

MITRE ATT&CK has become the common language between threat intelligence and detection engineering. When an analyst says “this behavior maps to T1059 — command and scripting interpreter,” everyone in the room knows exactly what adversary technique is being discussed. That’s the power of shared vocabulary in operational security.

2. Vulnerability Management

CVE (Common Vulnerabilities and Exposures), CVSS (Common Vulnerability Scoring System), OVAL, vulnerability scanning versus penetration testing, patch prioritization, risk scoring, and remediation workflows are the vocabulary of proactive security. Vulnerability management isn’t just running a scanner — it’s understanding what the results mean, how to prioritize remediation based on business context, and how to communicate risk to stakeholders who don’t speak technical. CySA+ tests all of this.

3. Security Operations & SIEM

Log analysis, correlation rules, SIEM (Security Information and Event Management), UEBA (User and Entity Behavior Analytics), alert fatigue, tuning, baselines, and anomaly detection are the operational vocabulary of the SOC. A security analyst who can’t read logs, write correlation rules, or tune a SIEM is limited in their effectiveness regardless of their certification level. CySA+ tests your ability to think analytically about security data — not just recognize that SIEM exists.

4. Incident Response

The IR lifecycle (preparation, identification, containment, eradication, recovery, lessons learned), digital forensics, chain of custody, evidence handling, memory forensics, disk imaging, and post-incident analysis form the response vocabulary of CySA+. Incident response is where the cost of imprecise language is highest — a miscommunication during active containment can allow an adversary to maintain persistence while the team debates terminology. CySA+ tests whether you can operate under pressure with clarity.

5. Software & Application Security

SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), IAST, secure SDLC, DevSecOps, code review, web application vulnerabilities (OWASP Top 10), and API security are the application-layer vocabulary of CySA+. As applications become the primary attack surface, analysts are increasingly expected to understand how software vulnerabilities are discovered, exploited, and remediated — not just at the network level, but inside the code itself.

How Cover6 Uses CySA+ in Our Training

At Cover6, CySA+ represents the transition from knowing about security to practicing it. Our SOC Analyst training and threat intelligence content are built on the assumption that professionals understand the CySA+ vocabulary layer. It’s where the conceptual knowledge from Security+ meets the operational reality of the job.

If you’re working toward CySA+ or building your skills as a security analyst, this video gives you the vocabulary foundation to make your study and your on-the-job learning faster. Watch it, share it with your team, and follow along with Cover6 for more analyst-focused breakdowns, career content, and community resources.
