Incident Response — CompTIA CySA+ (CS0-003) Practice Questions
Incident response is the structured methodology an organization follows when a security event is detected, progressing through preparation, identification, containment, eradication, recovery, and lessons-learned phases. The CySA+ exam tests candidates on how to triage alerts, distinguish true positives from false positives, escalate appropriately, and apply the correct procedures at each phase of the response lifecycle. Candidates must also understand the role of playbooks and runbooks in standardizing response actions and reducing mean time to respond. Sound incident response limits damage, preserves forensic evidence for potential legal action, and produces the data needed to prevent recurrence.
Free questions on incident response
During incident response, a security analyst discovers that ransomware has encrypted critical files across multiple departments. The attacker is demanding payment within 24 hours. What is the FIRST action the analyst should take?
A CISO must explain a data breach to the board of directors. Which information should be emphasized to demonstrate proper incident response?
During a post-incident review, the security team identifies that early warning signs of the breach were visible in logs for 3 days before detection. What should be improved?
An analyst reviewing network traffic captures detects a large outbound transfer of data to an external IP address that matches no approved egress policy. What is the NEXT step?
An incident response team discovers that malware has been present on a compromised system for 6 months before detection. What is the BEST recommendation to prevent similar incidents?
A company discovers that developers have been committing API keys and database credentials to a public GitHub repository. What should the analyst recommend as an IMMEDIATE mitigation?
A SIEM system detects that a database administrator account has been used to run unusual queries outside normal business hours, accessing sensitive customer data. What should the analyst investigate FIRST?
A security team is creating an incident response plan. Which scenario should trigger activation of the full incident response team?
A security analyst needs to report a data breach affecting 50,000 customers to executives and regulatory bodies. Which information should be prioritized in the initial notification?
During a security incident, the analyst needs to preserve evidence from a compromised server. Which action should be performed FIRST?
More incident response questions in the full bank
- In the detection phase of incident response, what is being identified?
- How should a security analyst respond to a high number of failed authentication attempts from a single internal IP address?
- In a complex incident involving multiple compromised domains, what approach would BEST identify the initial attack vector?