CompTIA CySA+ (CS0-003) · Domain 3 · 20% of exam

Incident Response and Management

Drill 20 practice questions focused entirely on Incident Response and Management for the CompTIA CS0-003 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A CySA+ analyst is asked to build a repeatable methodology for classifying observed adversary behaviors during an active intrusion. The goal is to map each discrete action an attacker takes on a compromised host—such as dumping credentials, creating scheduled tasks, and disabling logging—to a standardized catalog of techniques and sub-techniques, so detection engineers can later measure coverage gaps. Which attack methodology framework is the MOST appropriate choice for this specific purpose?

Reviewed for accuracy · Report an issue
Question 2 of 20

During an active ransomware incident, an analyst confirms that a file server in the finance VLAN is encrypting shares and attempting SMB connections to hosts in other VLANs. Management insists the finance department must retain read-only access to already-encrypted backups on a separate storage appliance while the response team works. The team wants to stop lateral spread without fully powering down the affected server (to preserve volatile evidence). Which containment action BEST meets these constraints?

Reviewed for accuracy · Report an issue
Question 3 of 20

During the analysis phase of an incident, a SOC analyst confirms a workstation is infected with credential-harvesting malware. Before recommending containment actions, the incident lead insists the team first determine which other systems the compromised account accessed, what data was reachable, and whether the malware spread laterally. Which incident response activity is the lead prioritizing?

Reviewed for accuracy · Report an issue
Question 4 of 20

During a ransomware incident, the IR team has isolated three infected workstations and confirmed the malware achieved kernel-level persistence and dropped multiple unknown binaries. Anti-malware scans now report the machines as 'clean.' Business leadership is pressing to return the machines to production quickly. As the analyst leading the eradication phase, what is the MOST appropriate course of action?

Reviewed for accuracy · Report an issue
Question 5 of 20

A security team has finished eradicating a ransomware infection across the affected file servers. Systems have been rebuilt from known-good images, patched, and reconnected to the production network. The incident commander now wants to formally complete the recovery phase before transitioning to lessons learned. Which action is MOST important to perform during this recovery phase?

Reviewed for accuracy · Report an issue
Question 6 of 20

A SOC analyst receives three simultaneous alerts during a busy shift: (1) a single failed login from a marketing user's workstation, (2) unusual outbound traffic from a database server holding customer PII that is also communicating with a known malicious IP, and (3) an antivirus quarantine event on an isolated test VM that has no network connectivity. The organization's incident classification matrix rates impact by data sensitivity, system criticality, and scope. Which alert should the analyst escalate and prioritize first according to sound incident triage practice?

Reviewed for accuracy · Report an issue
Question 7 of 20

During a ransomware investigation, an analyst images an infected workstation's hard drive and stores the image on an evidence server. Legal has indicated the case may result in prosecution of an insider. Which action is MOST important to ensure the disk image will be admissible in court?

Reviewed for accuracy · Report an issue
Question 8 of 20

During an active ransomware incident, the SOC lead confirms that customer payment data may have been accessed. The incident response team is executing containment, but individual analysts have begun emailing partners and posting status updates in a public Slack channel. The CISO is concerned about inconsistent messaging and potential legal exposure. Which element of incident response preparation should have been established to govern who communicates what, to whom, and when during this incident?

Reviewed for accuracy · Report an issue
Question 9 of 20

A ransomware incident has been contained: affected hosts are isolated on a quarantine VLAN, and the C2 domains are blocked at the perimeter. The IR lead wants to move from containment to eradication. Before the team begins eradication activities, which action is MOST important to complete first?

Reviewed for accuracy · Report an issue
Question 10 of 20

During an active ransomware incident, the IR team has isolated three infected file servers from the network to stop encryption from spreading. Business leadership demands that critical shared drives be restored within hours to continue operations, but the team has not yet determined how the malware entered the environment. Which containment approach should the IR team implement next to balance operational needs with the ongoing investigation?

Reviewed for accuracy · Report an issue
Question 11 of 20

During a security team meeting, an analyst reviews recent activity. A threat intelligence feed reports that a hacktivist group has publicly announced plans to target the company's industry over the next month due to a controversial policy decision. Separately, the SIEM has flagged repeated failed authentication attempts against the VPN gateway from foreign IP ranges within the last hour. According to the incident response lifecycle, how should the analyst classify these two pieces of information?

Reviewed for accuracy · Report an issue
Question 12 of 20

A SOC analyst receives an automated alert indicating a workstation contacted a known malicious IP. Before escalating to the incident response team, the analyst wants to reduce the chance of escalating a benign event and provide responders with enough context to act quickly. Which action during the detection and analysis phase BEST accomplishes this?

Reviewed for accuracy · Report an issue
Question 13 of 20

An analyst has fully contained a ransomware incident affecting several file servers. Malware artifacts and attacker persistence mechanisms have been identified and documented, and forensic images have been collected. The incident commander now asks what the team should do NEXT before allowing users to reconnect to the restored file servers. Which action best represents the correct next step in the incident response lifecycle?

Reviewed for accuracy · Report an issue
Question 14 of 20

During the analysis phase of an incident, a CySA+ analyst must acquire a forensic copy of a compromised server's hard drive that may later be used as evidence in litigation. The analyst connects the source drive through a hardware device and creates a bit-for-bit copy. To later prove in court that the acquired image is identical to the original disk and has not been altered, which action must the analyst take during acquisition?

Reviewed for accuracy · Report an issue
Question 15 of 20

After containing and recovering from a ransomware incident, the CSIRT holds a post-incident review meeting attended by the SOC, IT operations, legal, and management. During the session, the team documents that the initial infection occurred because an unpatched VPN appliance was exploited, that detection took nine days because no alerting existed for that appliance's logs, and that restoration was delayed because backups had never been tested. As the analyst facilitating the meeting, which of the following BEST represents the primary intended outcome of this phase?

Reviewed for accuracy · Report an issue
Question 16 of 20

Following a successful containment and recovery from a ransomware incident, the IR team completes a post-incident review. The final report documents the root cause, timeline, response effectiveness, and several recommended process improvements. The IR lead is deciding how the completed report should be handled going forward. Which action provides the MOST long-term value from this deliverable?

Reviewed for accuracy · Report an issue
Question 17 of 20

After closing a breach investigation, a CySA+ analyst is preparing a metrics report for leadership. The intrusion first occurred on March 3, the SIEM generated the first correlated alert on March 18, the SOC began active investigation on March 19, and the threat actor was fully evicted on March 22. Leadership wants a single metric that best expresses how long the adversary went undetected inside the environment, so future preparation investments can target that specific gap. Which metric should the analyst report to answer that question?

Reviewed for accuracy · Report an issue
Question 18 of 20

During the analysis phase of an active malware incident, an analyst plans to collect forensic evidence from a compromised Windows workstation that is still powered on and connected to the network. The analyst wants to preserve the most fragile evidence first to avoid data loss. Which source should the analyst collect FIRST according to the order of volatility?

Reviewed for accuracy · Report an issue
Question 19 of 20

A mid-sized company recently suffered a ransomware incident. During the response, analysts wasted several hours debating who had authority to disconnect affected systems and how to escalate to legal and executive leadership. The CISO wants to ensure future incidents proceed with predefined, repeatable steps that assign roles and decision authority before an event occurs. Which preparation-phase activity most directly addresses this need?

Reviewed for accuracy · Report an issue
Question 20 of 20

Following the recovery from a ransomware incident, the incident response lead is preparing for the post-incident review. Before the lessons-learned meeting, the lead wants to produce a single artifact that chronologically documents every detected event, analyst action, and containment decision with precise timestamps sourced from correlated logs. Which artifact should the lead create to best support the review?

Reviewed for accuracy · Report an issue

More CS0-003 practice

Keep going with the other CompTIA CySA+ (CS0-003) domains, or take a full timed mock exam.

← Back to CS0-003 overview