If you are studying for the CompTIA CySA+ right now, you have a decision to make. On 23 June 2026 CompTIA launched the new CySA+ CS0-004 (V4) exam, and the older CS0-003 (V3) version retires in English on 22 December 2026. For a few months both exams are live at the same time, which means you can still choose which one to sit, but that window is closing fast.
This guide breaks down exactly what has changed between CySA+ CS0-004 and CS0-003, whether the study notes you already have still count, and which version you should book. The short answer: unless you are within a few weeks of exam-ready on the old objectives, sit CS0-004. The differences are real but manageable, and there is no sense earning a credential built on a version that retires before the year is out.
CySA+ CS0-004 vs CS0-003 at a Glance
Both versions certify the same job role, the security operations centre (SOC) analyst, and both use the same exam engine and scoring. The headline changes in CS0-004 are a reshuffle of the domain weightings and a block of brand new content covering artificial intelligence, cloud and automation. The format itself barely moves.
| Feature | CS0-003 (V3, retiring) | CS0-004 (V4, current) |
|---|---|---|
| Launch date | June 2023 | 23 June 2026 |
| English retirement | 22 December 2026 | Current version |
| Questions | Maximum of 85 | Maximum of 85 |
| Question types | Multiple choice and PBQs | Multiple choice and PBQs |
| Length | 165 minutes | 165 minutes |
| Passing score | 750 (scale 100 to 900) | 750 (scale 100 to 900) |
| Number of domains | 4 | 4 |
| Exam price (US) | 425 USD | 425 USD |
Exam Tip: The exam format is identical. CS0-004 keeps the same maximum of 85 questions, the same 165-minute window and the same 750 out of 900 passing score as CS0-003. If you have already practised pacing on the old version, that muscle memory carries straight over.
The Domain Weightings Have Shifted
CS0-004 keeps the same four domains as CS0-003, with the same names, but the percentage each one contributes to your score has moved. The direction of travel is clear: CompTIA has pushed weight towards day-to-day security operations and incident response, and pulled it back slightly from vulnerability management.
Here is the side-by-side comparison.
| Domain | CS0-003 weight | CS0-004 weight | Change |
|---|---|---|---|
| Security Operations | 33% | 34% | +1 |
| Vulnerability Management | 30% | 26% | -4 |
| Incident Response and Management | 20% | 24% | +4 |
| Reporting and Communication | 17% | 16% | -1 |
The biggest single change is Incident Response and Management, up four points to 24 percent. Vulnerability Management drops the same four points down to 26 percent. Security Operations remains the largest domain at 34 percent, so if you were already prioritising it, keep doing so.
What this means for your study plan
If you built a plan against CS0-003, do not panic. The four domains are the same, so most of your material still applies. What changes is where you spend your marginal study hours. Under CS0-004 you should:
- Give Incident Response and Management more attention than you would have under V3. Detection, containment, eradication, recovery and the reporting that follows now carry more weight.
- Keep Security Operations as your anchor domain. At 34 percent it is still the single biggest slice of the exam.
- Do not neglect Vulnerability Management just because it dropped. At 26 percent it is still more than a quarter of your marks.
The Big New Addition: Artificial Intelligence
The most substantive content change in CS0-004 is the explicit introduction of artificial intelligence. CompTIA has added dedicated coverage of AI use cases and AI-related risk across the analyst workflow, rather than treating it as a side note.
In practice, that means CS0-004 expects you to understand how AI and machine learning are used inside a modern SOC (for example in detection, triage and automation) and also how AI introduces new attack surface and risk that an analyst has to reason about. This mirrors what CompTIA has already done across its wider 2026 portfolio, from Security+ SY0-801 to the standalone CompTIA SecAI+ certification.
Alongside AI, CS0-004 leans further into:
- Cloud and hybrid infrastructure. More of the scenarios assume you are monitoring cloud and hybrid estates, not just on-premises networks.
- Security automation. Expect more on orchestration, scripting and the tooling that reduces manual analyst toil.
- Modern SOC frameworks and technologies. The vocabulary and tooling have been refreshed to match how SOCs actually operate in 2026.
Exam Tip: If your notes come from a CS0-003 course or an older study guide, they will have little to no AI content. This is the single biggest gap you need to fill before sitting CS0-004. Treat AI use cases and AI risk as their own study topic, not an afterthought.
Does Your CS0-003 Study Still Count?
Mostly, yes. This is a version refresh, not a ground-up rebuild. The exam role, the four domains, the format and the scoring are all unchanged, so the bulk of your existing preparation transfers directly.
What you need to add or adjust:
- Fill the AI gap. This is new content with no equivalent in CS0-003. Budget dedicated hours for it.
- Rebalance towards incident response. Incident Response and Management gained four points. Give it a proportional share of your revision.
- Refresh cloud, automation and SOC tooling. The frameworks and technologies referenced have been modernised.
- Use CS0-004 practice questions. Old question banks will not reflect the new weightings or the AI content. Practise against material written for V4.
If you are already deep into CS0-003 preparation and can realistically sit it before 22 December 2026, finishing on the old version is a legitimate choice. The certification you earn is the same CySA+ credential either way. But if you are early in your study, there is no reason to aim at a retiring target.
Which Version Should You Sit?
Use these simple rules.
Sit CS0-004 if:
- You are early or midway through your studies. You have time to cover the new AI, cloud and automation content properly.
- You are booking your exam for 2027. CS0-003 will already be gone in English (it retires on 22 December 2026, with other languages following in March 2027).
- You want the most current, employer-relevant version on your CV. AI-aware SOC skills are exactly what hiring managers are screening for.
Consider finishing on CS0-003 if:
- You are within a few weeks of exam-ready on the V3 objectives and can book a slot comfortably before 22 December 2026.
- Your training materials, labs and practice tests are all V3 and re-buying is not practical.
Exam Tip: Whichever version you earn, the credential on your CV just says CompTIA CySA+. Employers do not screen for the exam code, so do not sit a retiring version out of prestige. The only reasons to finish on CS0-003 are timing and sunk study cost.
CySA+ Exam Facts You Should Know
Whichever version you sit, the fundamentals are the same. The CySA+ is an intermediate-level cybersecurity certification aimed at SOC analysts, threat hunters and incident responders.
- Questions: a maximum of 85, mixing multiple choice with performance-based questions (PBQs).
- Duration: 165 minutes.
- Passing score: 750 on a scale of 100 to 900.
- Cost: 425 USD for the exam voucher in the United States.
- Recommended experience: CompTIA suggests Network+ and Security+ (or equivalent knowledge) plus around four years of hands-on information security experience.
- Study time: most candidates need roughly 120 to 160 hours of focused study, which fits an eight-week plan at 15 to 20 hours a week.
The PBQs are where many candidates lose time. They put you in front of simulated logs, alerts and tooling and ask you to analyse them, so they take longer than a multiple-choice item. Practise them deliberately and watch the clock.
How CySA+ Fits Your Wider Path
CySA+ sits above Security+ in CompTIA's cybersecurity pathway and renews it automatically when you pass. If you are still weighing where CySA+ belongs in your plan, these comparisons help:
- CySA+ vs Security+: which CompTIA cert should you take next
- How hard is CompTIA CySA+ CS0-004, and what to expect on exam day
- How to pass the CompTIA CySA+ CS0-004 exam: an 8-week study plan
For most people, the ideal sequence is Security+ first for the foundations, then CySA+ to prove you can actually work in a SOC. From there, PenTest+ or SecurityX are natural next steps depending on whether you lean offensive or advanced-defensive.
The Bottom Line
CySA+ CS0-004 is an evolution of CS0-003, not a reinvention. The exam role, format and scoring are identical, and the four domains keep their names. What changed is the balance (more incident response, slightly less vulnerability management) and the content (a genuine block of new AI, cloud and automation material).
If you are early in your study, sit CS0-004. It is the current version, it retires nothing before you finish, and it carries the AI-aware SOC content that employers are actively hiring for. Only stick with CS0-003 if you are nearly ready and can book before it retires in English on 22 December 2026.
Ready to Start Practising?
The fastest way to know which version you are ready for is to test yourself against realistic questions. CertCrush has CySA+ CS0-004 practice questions and full mock exams that mirror the current domain weightings, including the new AI and cloud content, plus performance-based scenarios that train you for the PBQs.
Create your free CertCrush account and start practising CySA+ CS0-004 today, or browse all our certification courses to map out your full cybersecurity path. Do not aim at a retiring exam, practise against the version that will still be standing in 2027.
