Containment — CompTIA Security+ (SY0-701) Practice Questions
Containment is the incident response phase in which a confirmed threat is isolated to prevent it from spreading to additional systems or causing further damage. On SY0-701, candidates must distinguish between short-term containment actions, such as isolating a compromised host from the network, and long-term containment strategies that allow operations to continue while a full remediation is prepared. The exam tests understanding of when to contain versus when to monitor for intelligence gathering, and the forensic considerations, such as preserving volatile memory, that must be addressed before taking containment actions.
Free questions on containment
A security team discovers that attackers have compromised a web server and are using it to distribute malware to customers. What is the FIRST action that should be taken?
More containment questions in the full bank
- What should you do immediately after discovering a security breach?
- During incident response, the first priority after discovering a breach is to contain the incident. Which action should be taken FIRST?
- During a threat intelligence-driven security incident, a SOAR playbook correlates indicators of compromise (IOCs) from a feed with CASB logs, CWPP alerts, and network telemetry. The same source IP is observed attempting lateral movement across cloud and on-premises infrastructure. What is the most critical action?