Getting a Cisco firewall wrong usually shows up the hard way: blocked business apps, open management ports, noisy logs, or a policy that looks clean on paper but fails in production. A solid firewall setup is not just about letting traffic in and out. It is about enforcing security policies, reducing the attack surface, and building network security that still works when users, servers, VPNs, and cloud links all depend on it.
CompTIA Cybersecurity Analyst CySA+ (CS0-004)
Learn to analyze security threats, interpret alerts, and respond effectively to protect systems and data with practical skills in cybersecurity analysis.
Get this course on Udemy at the lowest price →Quick Answer
Setting up a Cisco firewall for network security means defining your traffic requirements, choosing the right Cisco security appliances, planning interface and routing design, building least-privilege access control policies, enabling inspection and VPN features, and validating logging and monitoring before production. For most environments, Cisco Secure Firewall provides the policy enforcement layer that protects edge, DMZ, and internal segmentation points.
Quick Procedure
- Map the network and define what the firewall must protect.
- Select the Cisco firewall platform that fits throughput, features, and licensing needs.
- Place the firewall in the correct path and document interfaces, routes, and rollback steps.
- Harden management access, accounts, and backups before allowing traffic.
- Create zones, NAT, VPN, and least-privilege access control policies.
- Enable logging, inspection, and alerting to support security operations.
- Test all traffic flows, then maintain the firewall with regular updates and reviews.
| Primary Goal | Deploy a Cisco firewall for network security and policy enforcement |
|---|---|
| Typical Platforms | Cisco Secure Firewall, virtual firewall, and centralized management components |
| Core Functions | Traffic filtering, intrusion prevention, VPN, URL filtering, and logging |
| Best Fit | Internet edge, DMZ, internal segmentation, remote access, and cloud connectivity |
| Key Risk | Poor planning that breaks applications or exposes management access |
| Maintenance Focus | Rule review, firmware updates, log monitoring, and backup validation |
| Related Skill Area | Alert analysis and response workflows taught in CompTIA Cybersecurity Analyst CySA+ (CS0-004) |
This guide walks through the job in the same order a working network team would handle it: requirements, platform choice, deployment design, configuration, testing, and maintenance. It also connects the setup process to practical operations, which matters if you are studying incident handling, log analysis, or policy tuning in the context of the CompTIA Cybersecurity Analyst CySA+ (CS0-004) course. The same concepts apply whether you are protecting a small branch, a data center, or a hybrid environment with remote access and cloud workloads.
Understand Your Network Security Requirements
Network security requirements are the business and technical rules that decide what the firewall must allow, block, inspect, and log. Start by identifying the real purpose of the deployment: internet edge protection, internal segmentation, remote access control, DMZ isolation, or all of the above. A firewall that protects user browsing traffic has a very different design from one that sits between databases and application servers.
Map the network before touching the configuration. That means documenting the Network Architecture, VLANs, WAN circuits, cloud links, remote access endpoints, and any critical trust boundaries. In practical terms, you want to know where traffic originates, where it should go, and which paths should never exist. Cisco security appliances are easiest to manage when they fit a design that is already drawn on paper and reviewed by the people who own the applications.
Identify critical assets and policy constraints
High-value systems deserve stricter rules. That usually includes identity systems, finance apps, electronic health record platforms, backup servers, and administrative interfaces. If your environment must meet retention, access logging, or segmentation requirements from PCI DSS, HIPAA, or internal governance standards, those needs should be written into the firewall design before the first rule is created. NIST Cybersecurity Framework and CIS Controls are useful references for translating business risk into technical enforcement.
Expected traffic patterns matter just as much as security requirements. If accounting uses a cloud ERP system, the firewall should allow only the required applications and destinations, not a broad “any-any” exception. If your remote workforce uses VPN or browser-based access, factor in authentication, split tunneling, and access limits before rollout. That is where a lot of Cisco firewall deployments fail: the policy is technically correct but operationally unusable.
- Protect users by controlling outbound browsing and blocking malicious destinations.
- Protect servers by allowing only approved ports and application paths.
- Protect segmentation boundaries by limiting east-west movement.
- Protect remote access by enforcing authentication and least privilege.
- Protect cloud links by treating them as monitored trust zones, not exceptions.
A firewall policy is only as good as the business map behind it. If the map is wrong, the rules will be wrong too.
Choose The Right Cisco Firewall Platform
Cisco Secure Firewall is Cisco’s current firewall family for policy enforcement, intrusion prevention, VPN, and application-aware security. The right choice depends on scale, throughput, feature depth, and where the firewall will run. For a branch site, a compact physical appliance may be enough. For a virtualized data center or cloud workload, a virtual firewall often makes more sense because it follows the workload rather than the rack.
When comparing Cisco firewall options, do not focus only on raw throughput. Security services such as intrusion prevention, SSL inspection, URL filtering, and malware controls can reduce real-world capacity long before you hit the marketed packet rate. The Cisco firewall product documentation is the right place to compare supported features, and Cisco’s licensing guidance matters because subscription services often determine whether you get advanced inspection, threat intelligence, or centralized orchestration.
Match the platform to the environment
Physical appliances work well at the internet edge and in places where dedicated hardware is preferred for performance or operational control. Virtual firewalls are better when you need flexible deployment in VMware, cloud, or private infrastructure. Cloud-delivered security components can be useful for distributed users or cloud access scenarios, but they do not replace a proper network firewall when you need strict segmentation between internal systems.
Feature set matters. If you need remote access VPN, site-to-site VPN, intrusion prevention, application control, and URL filtering, make sure the selected model and license support all of them without awkward tradeoffs. If you are also studying patch management software, symmetric vs asymmetric encryption, or MDM mobile device management, this is the point where those topics connect: the firewall becomes one piece of a broader control set that includes endpoint posture, identity, and update hygiene.
| Physical appliance | Best for dedicated edge protection, predictable hardware, and high-throughput deployments. |
|---|---|
| Virtual firewall | Best for cloud, virtualized data centers, and elastic deployments tied to workloads. |
Also think about growth. If your WAN bandwidth may double in 18 months, buy for that future, not just current usage. A firewall that runs at 40 percent load today can become a bottleneck once SSL inspection, remote access, and logging are turned on. That planning discipline is part of good network security, not just capacity management.
For formal validation of security operations and incident analysis skills, the CompTIA Cybersecurity Analyst CySA+ (CS0-004) course aligns well with log review, alert handling, and policy tuning. That is especially relevant when a firewall starts generating more events after it is placed in production.
Plan The Deployment Architecture
Deployment architecture is the placement and traffic design that determines how the firewall sits in the path of real traffic. The most common choices are internet edge, DMZ, and internal segmentation. If you do not decide this up front, you will end up redesigning routes and zones after the firewall is already connected, which is how outages happen.
Place the firewall where it can actually enforce the policy. If the goal is to protect public services, the firewall should sit between the internet and the DMZ. If the goal is to contain lateral movement, it should sit between internal VLANs or business units. For high-availability environments, design the pair or cluster before rollout so you are not improvising failover under pressure. High Availability matters when the firewall is a single choke point for revenue-generating systems.
Document interfaces, IPs, and rollback steps
Assign clear roles to each interface: outside, inside, DMZ, management, and any special transit links. Document IP addressing, VLAN tags, gateway relationships, and routing dependencies in advance. If you are using a hardware firewall, or what some teams call an hw firewall, note the exact ports, transceivers, and power redundancy requirements. If you are using a virtual deployment, document the virtual switch or cloud subnet connections with equal care.
Prepare a rollback plan that includes console access, saved configuration backups, and a known-good path back to the previous routing state. This is where a lot of teams get caught: they focus on the firewall policy but forget the path the traffic takes to reach the firewall. A Cisco firewall should be placed into a path you understand, not one you hope will work.
- Map the path from source to destination for each major traffic flow.
- Assign interfaces to the correct zones and VLANs.
- Document routes and next hops before the cutover.
- Plan redundancy if uptime is required.
- Write rollback steps that can be executed by a second admin.
If you support cloud or branch environments, also confirm how the firewall interacts with VPN termination, upstream routing, and any load balancers. The goal is to avoid hidden dependencies. A clean architecture makes it far easier to enforce security policies later without creating strange exceptions.
How Do You Perform the Initial Hardware or Virtual Setup?
You perform the initial setup by bringing up the firewall safely, confirming management access, and verifying that the platform image and base settings are correct before any production traffic is allowed. This stage is about control, not speed. It is better to spend 30 extra minutes on first access than to debug a bad hostname, wrong image, or unsecured management interface later.
For a physical device, rack, cable, and power the appliance, then use console access for the first login. For a virtual deployment, provision the firewall in the target hypervisor or cloud environment and attach the management interface first so you can reach it without exposing services. The official Cisco Secure Firewall documentation and release notes should be checked for supported versions before you start.
Establish the base system correctly
Set the hostname, domain, time zone, and administrator credentials immediately. Confirm the firmware or image version matches your intended feature set and policy model. If the firewall is going to use centralized management, verify compatibility before day one instead of discovering a version mismatch after deployment. A bad initial image choice can create later problems with URL filtering, VPN, or threat inspection.
Secure management access early. Use SSH and HTTPS only, disable anything not needed, and avoid leaving default credentials in place. This is the right time to connect the firewall to your change control process and configuration backup routine. If your organization uses MECM or patch management software for servers, use the same discipline here: controlled updates, tested changes, and rollback readiness.
Note
Do not connect a freshly built firewall to production traffic until you can log in securely, confirm the software version, and recover the config if needed. That one rule prevents a lot of avoidable outages.
Configure Management Access And Administrative Security
Administrative security is the control layer that protects the firewall itself from misuse. If attackers or careless admins can reach management from anywhere, the firewall becomes a liability instead of a defense. This is why management access should always be restricted to approved IP ranges or a dedicated management network.
Create named admin accounts, remove or disable default credentials, and assign roles carefully. A network engineer who handles interface changes does not always need full policy deletion rights. If your environment supports multi-factor authentication, enable it for all privileged access. The concept is simple: a stolen password should not be enough to change the firewall policy.
Centralized logging is essential. Record administrative logins, failed attempts, policy changes, object edits, and backups. If you are tracking this through a SIEM, make sure administrative actions are searchable by user and timestamp. This is also where your Multi-factor Authentication controls should be part of the design rather than a nice-to-have feature.
Build recoverability into administration
Back up the configuration after each major change and verify that the backup is usable. A backup that exists but cannot be restored is not a backup. Document where the backups live, who can access them, and how often restore tests are performed. Firewall recovery should be part of the same process you use for key servers and identity systems.
For governance-heavy environments, align admin controls with GRC cyber security expectations so policy, logging, and audit evidence are all tied together. That makes it easier to prove who changed what and why. It also helps during investigations, when analysts need to reconstruct the sequence of events quickly.
- Restrict access to management IPs or a management VLAN.
- Enable MFA for privileged users where supported.
- Log all changes with username, timestamp, and action.
- Back up often and test restores periodically.
- Remove defaults before connecting to production.
How Do You Define Interfaces, Zones, And Routing?
You define interfaces, zones, and routing by deciding exactly which networks each interface belongs to and how traffic should move between them. This is where the firewall becomes an enforcement device rather than just a box with cables attached. If the interface and zone design is messy, the policy will be messy too.
Assign every interface a clear function. Outside interfaces face the internet or upstream provider, inside interfaces face trusted user networks, DMZ interfaces support public services, and management interfaces carry administrative traffic only. Add VLAN tagging only when the design needs it, and verify speed, duplex, and link status before moving on. A simple interface mistake can make policy troubleshooting much harder than it needs to be.
Set routing deliberately
Routing must match the way the firewall is placed in the network. You may use static routes in smaller or simpler deployments, while larger environments may rely on dynamic routing protocols. The important part is to make sure return traffic follows the same policy path, because asymmetrical routing can produce strange drops and confusing logs. That is especially true when the firewall sits between multiple internal segments or supports VPN users.
Test interface connectivity before building complex policies. Ping the next hop, validate ARP or neighbor discovery where relevant, and confirm that the firewall sees the correct gateway. If you are segmenting traffic for internal security, a clean zone model will help later when you create rules for application servers, databases, or shared services.
- Assign interfaces to their intended zones.
- Configure addressing and VLAN tags.
- Build routes that match the design.
- Verify neighbors, gateways, and link state.
- Confirm path symmetry for return traffic.
Many Cisco firewall deployments also become the point where teams clean up old assumptions about internal trust. That is a good thing. Internal segmentation is one of the most effective ways to limit blast radius when a host is compromised.
How Do You Build Access Control Policies?
Access control policies are the rules that decide which traffic is allowed, denied, or inspected. The best policy follows the principle of least privilege: allow only what is needed, from the right source, to the right destination, using the right application. Anything else should be denied by default or at least logged for review.
Start with the business applications that must work. Then write rules that permit only those flows, preferably using object groups or address groups to reduce repetitive rule entries. A rule that allows all traffic from a user subnet to a server subnet is usually too broad. A better rule permits a specific application, specific port, and specific destination set. That makes audits easier and reduces the chance of accidental exposure.
Explicit deny rules are useful when they document intent, especially for high-risk segments. For example, you might deny user VLANs from reaching server administration ports, or deny guest networks from touching internal resources. If you are studying Firewall Configuration as a concept, this is the heart of it: clear policy objects, clean ordering, and consistent review.
Keep the policy readable
Good policy structure matters more than raw rule count. Group related rules together by application, business unit, or zone pair, and keep comments on every non-obvious exception. If the firewall is supporting users and servers, split those use cases. A policy that is easy to read today will be much easier to maintain during an incident six months from now.
One practical caution: do not solve every problem with “any-to-any” rules during testing and promise to tighten them later. That almost never happens cleanly. A Cisco firewall earns its keep when it becomes a consistent enforcement point, not a temporary bypass.
- Permit only required ports and applications.
- Use object groups to simplify repeated references.
- Document exceptions with a clear business reason.
- Place denies strategically for risky or sensitive paths.
- Review rules regularly for unused or overly broad entries.
Enable Security Inspection And Threat Protection
Security inspection is the layer that checks traffic beyond simple source, destination, and port matching. Stateful inspection, intrusion prevention, application awareness, URL filtering, and malware controls give the firewall context about what traffic is actually doing. That context matters because many modern attacks hide inside allowed protocols.
Turn on the features your license and model support, but do it with performance in mind. Deep inspection improves visibility, yet it can also add latency or reduce throughput. Tune inspection levels so you get useful protection without breaking business applications. The right balance depends on your traffic mix, not on an idealized best-practice chart.
Use Cisco’s official documentation for feature behavior and supported inspection profiles, and pair that with threat intelligence sources such as MITRE ATT&CK to understand attacker techniques. A firewall that sees an outbound connection to a suspicious domain may not stop every attack, but it gives analysts the evidence they need to investigate and respond.
A firewall with threat inspection is not just filtering packets. It is collecting context that security teams can use to detect abuse, lateral movement, and command-and-control traffic.
After deployment, watch for false positives and legitimate traffic that gets flagged. This is a normal part of tuning. If you are used to studying low orbit ion cannon traffic patterns, morris worm history, or the basics of what a VPN is used for, you already know why visibility matters: attackers and legitimate users both traverse the same network paths, and the firewall has to tell the difference.
If you also need to think about symmetric vs asymmetric encryption, remember that VPN and inspection settings often depend on those cryptographic choices. The specific encryption key algorithm settings you choose for tunnels and authentication must match the platform’s support matrix and your organization’s policy.
Set Up NAT And Internet Access Rules
Network Address Translation is the function that rewrites IP addresses so internal systems can reach the internet or public users can reach approved services. On Cisco firewalls, source NAT or PAT is typically used for outbound access, while destination NAT or port forwarding is used for inbound publishing of services. This is one of the most common places where a simple rule can accidentally create a large exposure.
For outbound traffic, define which inside networks should translate to the outside address and whether all users share one public IP or a pool of addresses. For inbound traffic, expose only the services that are truly needed, such as a public web server or mail gateway. Every exposed service should have a business owner, a purpose, and a review date.
Check for policy and routing conflicts
NAT should work with routing, not against it. If the firewall translates traffic but the return path bypasses it, sessions fail or become hard to trace. Validate that NAT rules do not overlap, conflict, or undermine access control policies. The firewall should still enforce the correct permit or deny behavior after translation.
Once you change NAT, test internet access and inbound reachability immediately. A working ping is not enough. Check DNS resolution, web browsing, application logins, and any published service that relies on ports 80, 443, or another explicit rule. If your environment uses web-facing systems, remember that a tightly controlled firewall setup is often safer than relying on application owners to self-manage exposure.
- Create outbound PAT for user and server subnets.
- Build inbound NAT only for approved services.
- Confirm return routing stays on the firewall path.
- Test application reachability after every change.
- Review exposed services for unnecessary risk.
Configure VPN For Remote Or Site-To-Site Connectivity
VPN is a secure tunnel that lets users or sites communicate over untrusted networks. On a Cisco firewall, remote-access VPN is common for users who need protected entry to internal resources, while site-to-site VPN is used to connect branches, partners, or cloud networks. The first decision is whether you need one type or both, because each has different authentication and policy requirements.
Choose authentication methods carefully. Remote users often need stronger identity controls than a simple shared secret, and site-to-site tunnels should use approved crypto settings that match both endpoints. The safest design limits access through the tunnel to only the subnets, ports, or applications that are actually needed. A VPN that drops users into the whole internal network is convenient, but it is rarely a good security choice.
When you configure the tunnel, document the peer IPs, encryption parameters, split-tunnel rules, and any failover behavior. If you are thinking about what is VPNs used for in practical terms, this is it: secure remote connectivity, controlled partner access, and encrypted inter-site transport. The firewall is the policy gate that decides what each tunnel can touch.
Warning
Do not assume a VPN is secure just because the tunnel comes up. If the post-login policy is too broad, the tunnel becomes a fast path into systems that should never be reachable.
Test tunnel stability under normal use and failover conditions. Check whether DNS, authentication, and access permissions behave correctly when the primary path is unavailable. If you manage both remote-access and site-to-site VPNs, keep the policies distinct so troubleshooting does not become a guessing game.
Implement Logging, Monitoring, And Alerting
Logging is the record of what the firewall allowed, blocked, inspected, or changed. Without logging, you are flying blind. Without usable logs, you are only slightly better off. Send firewall logs to a centralized syslog server, SIEM, or monitoring platform so they can be correlated with endpoint, identity, and server events.
Track denied connections, VPN events, administrative actions, intrusion alerts, and configuration changes. Set alert thresholds carefully so routine noise does not drown out the important events. A firewall that generates hundreds of low-value alerts a day will be ignored, which defeats the purpose. Good alerts are specific, actionable, and tied to a response owner.
For broader context, Verizon Data Breach Investigations Report and IBM Cost of a Data Breach both reinforce the value of early detection and fast containment. In practical terms, that means logs should help you answer who, what, when, and where without forcing you to dig through raw packet data for every incident.
Use logs to tune the policy
Review recurring denies to find misconfigured applications, legacy dependencies, or risky user behavior. If you see repeated blocks from a business application, the answer may be a missing rule or a bad object definition. If you see repeated outbound connections to suspicious infrastructure, the answer may be an infection or an endpoint control gap. This is where the firewall becomes part of incident detection, not just perimeter filtering.
- Alert on admin changes immediately.
- Track denied outbound traffic for suspicious patterns.
- Monitor VPN logins for unusual geography or time patterns.
- Correlate IDS events with endpoint and identity logs.
- Review trends weekly to tune rules and reduce noise.
How Do You Test the Firewall Before Full Production Use?
You test the firewall by proving that the intended traffic works and the unintended traffic does not. This means checking inbound, outbound, and inter-zone flows, plus application logins, DNS resolution, VPN behavior, and any public-facing services. A firewall that has not been tested is not ready, even if the configuration looks clean.
Start with positive tests. Confirm that business applications open, users can browse, mail flows, and remote access works as designed. Then run negative tests to verify that unauthorized access is blocked. For example, a user VLAN should not reach a database port directly, and a guest network should not touch internal file shares. If an application needs a temporary exception, document it and set a review date immediately.
Measure latency and throughput so the firewall does not become a bottleneck. If the device is dropping sessions or slowing SSL-heavy traffic, you may need to adjust inspection features, add capacity, or redesign the deployment. Use the results as evidence, not assumptions.
- Validate permitted flows for core applications.
- Confirm blocked traffic stays blocked.
- Test authentication paths for users and VPN clients.
- Measure performance under realistic load.
- Fix and retest before calling the deployment complete.
Document every failure and every exception. That record becomes the baseline for future changes and incident response. It also helps with audit questions because you can show exactly what was tested, when it was tested, and what the result was.
How Do You Maintain, Update, And Optimize The Firewall?
You maintain a Cisco firewall by treating it like a living control, not a set-and-forget device. Firmware, signatures, rules, VPN entries, and logs all age over time. Regular maintenance keeps the firewall aligned with threat changes, business changes, and performance realities.
Schedule firmware and signature updates based on vendor guidance and your change calendar. Review unused rules, stale objects, old NAT entries, and abandoned VPN configurations. If the firewall has not been cleaned up in months, it will eventually contain rules that nobody remembers owning. That is a security and operational problem at the same time.
Audit configuration changes against internal standards, and compare them with frameworks such as ISO 27001 or NIST guidance when your organization needs formal evidence. The NIST publications library is useful when you need a structured reference point for control reviews and security baselines. A good maintenance process also includes configuration backup testing and periodic restore validation so you know recovery actually works.
Use traffic trends to guide optimization
Firewall tuning should be driven by data. If one application generates most of the denied traffic, the rulebase may need a clean exception or a redesign. If a branch link is consistently near capacity, the firewall may need additional throughput headroom or a new traffic path. This is where patch management software, endpoint controls, and the firewall support each other instead of overlapping badly.
Teams that only react to outages spend more time fixing than improving. Teams that review firewall trends on a schedule reduce noise, sharpen policy, and catch problems before users complain. That is the difference between maintenance and firefighting.
- Update firmware on a controlled schedule.
- Prune stale rules and unused objects.
- Verify backups and restore procedures.
- Review logs and trends for recurring issues.
- Adjust policies as the business changes.
Key Takeaway
- A Cisco firewall is most effective when it is placed into a documented network design with clear traffic boundaries.
- Least-privilege access control is stronger than broad allow rules that are “temporary” in name only.
- Logging, alerting, and admin controls are part of the firewall itself, not optional extras.
- VPN, NAT, and inspection features must be tested together because they interact in production.
- Firewall maintenance is ongoing work that includes updates, rule review, backups, and validation.
How to Verify It Worked
Verification means proving the firewall is enforcing the intended policy without breaking business traffic. The clearest sign of success is that approved applications work, blocked traffic stays blocked, and logs show exactly what happened. If users report random outages, unexpected prompts, or timeouts, the deployment is not finished.
Start with the firewall status. Confirm the interfaces are up, the routes are correct, and the zones are mapped as planned. Then check policy hits, NAT translations, VPN status, and log forwarding. If you are using centralized monitoring, confirm the firewall is visible in the dashboard and that alerts are arriving where they should.
Common success indicators and failure symptoms
Successful verification usually looks boring. Users reach approved apps, remote-access VPN users land on the right subnet, inbound services respond only from approved sources, and denied traffic appears in the logs. Common failure symptoms include asymmetric routing, NAT conflicts, stale DNS records, overly broad denies, or a management lockout caused by bad access control on the admin interface.
| Success indicator | Approved traffic works and logs show correct permits, denies, and translations. |
|---|---|
| Failure symptom | Users cannot reach key apps, VPN sessions fail, or the firewall logs show unexpected drops. |
If you need a practical checkpoint, use this rule: a firewall is verified only when it is secure, reachable, monitored, and recoverable. Anything less is an incomplete deployment.
CompTIA Cybersecurity Analyst CySA+ (CS0-004)
Learn to analyze security threats, interpret alerts, and respond effectively to protect systems and data with practical skills in cybersecurity analysis.
Get this course on Udemy at the lowest price →Conclusion
Setting up a Cisco firewall for network security is a process, not a single configuration screen. You start by defining what the firewall must protect, choose the right Cisco security appliances for the environment, place the firewall correctly in the architecture, and then build rules, VPN, NAT, and inspection policies that match the business. After that, logging, testing, and maintenance keep the control effective.
The biggest mistakes are predictable: weak planning, overly broad access rules, poor management security, and no verification. The best deployments avoid those mistakes by documenting traffic requirements, using least privilege, and reviewing changes carefully. That approach also fits the workflow taught in CompTIA Cybersecurity Analyst CySA+ (CS0-004), where alert review and policy tuning are part of everyday defense work.
If you are implementing a Cisco firewall now, treat the first deployment as the baseline for the next review cycle. Test thoroughly, document every change, keep the policy readable, and schedule maintenance before problems force your hand. That is how firewall setup turns into durable network security instead of a one-time project.
Cisco® and Cisco Secure Firewall are trademarks of Cisco Systems, Inc. CompTIA® and CySA+™ are trademarks of CompTIA, Inc.