Incident response questions on the Security+ exam typically ask you to order the phases, identify what comes first in a specific scenario, or choose the correct action at a given stage. These questions have a definitive right answer — the NIST and CompTIA IR frameworks define the correct order.
The Six Phases of Incident Response
CompTIA Security+ uses this sequence:
- Preparation — Establishing IR policies, creating playbooks, training staff, setting up tools before an incident occurs
- Identification — Detecting and confirming that an incident has occurred; determining its scope
- Containment — Limiting the spread and impact of the incident (short-term: isolate; long-term: rebuild)
- Eradication — Removing the root cause: malware, compromised accounts, vulnerabilities
- Recovery — Restoring systems to normal operation and monitoring for recurrence
- Lessons Learned — Post-incident review to improve future response
Acronym: PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned)
What Comes First?
Preparation always comes first — but only in questions about building an IR program. If the question says "an incident has just been detected," the answer shifts to Identification.
Identification before containment — You must confirm and scope the incident before containing it. Acting too fast without understanding scope can cause you to miss parts of the attack or alert the attacker.
Containment before eradication — You must stop the spread before removing the threat. Trying to remove malware while the infected system is still connected to the network can cause re-infection from other compromised systems.
Eradication before recovery — You must remove the root cause before restoring systems. Restoring a system while the cause still exists means the system will be compromised again.
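As an added illustration (not code from the study guide, CompTIA or NIST), the following Python script checks a proposed runbook against the six-phase order and reports the sequencing errors these questions describe: a phase skipped (eradicating with no containment step before it), a phase revisited after a later one began, and a phase never reached. The step descriptions, the choice to file evidence imaging under Containment, and the treatment of Preparation as already complete are assumptions made for the example.

```python
"""Runbook step-order check against the six-phase (PICERL) IR sequence.

Added illustration for this study guide; not code from CompTIA or NIST.
Each step is a (description, phase) pair.  Preparation is treated as
already complete, because an active-incident runbook starts at
Identification.
"""
from typing import List, Optional, Sequence, Tuple

PHASES = ("Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons Learned")
RANK = {name: i for i, name in enumerate(PHASES)}

# (kind, step number or None, phases involved)
Finding = Tuple[str, Optional[int], Tuple[str, ...]]


def check_order(steps: Sequence[Tuple[str, str]]) -> List[Finding]:
    """Return sequencing findings for a runbook; [] means PICERL order holds.

    kind is one of:
      "skipped"   - the step jumped past the listed phases (e.g. Eradication
                    with no Containment step before it)
      "backwards" - the step returned to an earlier phase after a later one
                    had begun; flagged for review rather than forbidden
      "missing"   - the runbook ended without reaching the listed phases
    """
    findings: List[Finding] = []
    highest = RANK["Preparation"]            # assumed done before the incident
    for number, (_description, phase) in enumerate(steps, start=1):
        if phase not in RANK:
            raise ValueError(f"step {number}: unknown phase {phase!r}")
        rank = RANK[phase]
        if rank > highest + 1:
            findings.append(("skipped", number, PHASES[highest + 1:rank]))
        elif rank < highest:
            findings.append(("backwards", number, (phase,)))
        highest = max(highest, rank)
    if highest < RANK["Lessons Learned"]:
        findings.append(("missing", None, PHASES[highest + 1:]))
    return findings


# Constructed runbooks mirroring the guide's ransomware scenarios.
# Evidence imaging is filed under Containment here (an assumption):
# it happens after isolation and before eradication.
CORRECT = [
    ("confirm the ransomware alert and scope affected hosts", "Identification"),
    ("isolate the workstation from the network", "Containment"),
    ("acquire memory and disk images; open chain-of-custody log", "Containment"),
    ("remove the ransomware and reset compromised accounts", "Eradication"),
    ("rebuild from a clean image and monitor for recurrence", "Recovery"),
    ("hold the post-incident review and update the IR plan", "Lessons Learned"),
]
WIPED_FIRST = [          # "discovered ransomware ... and immediately wiped it"
    ("confirm the ransomware alert", "Identification"),
    ("wipe the workstation", "Eradication"),
]
NO_REVIEW = [            # "immediately returned to normal operations"
    ("confirm the alert", "Identification"),
    ("isolate the host", "Containment"),
    ("remove the malware", "Eradication"),
    ("restore service", "Recovery"),
]

if __name__ == "__main__":
    for name, runbook in [("CORRECT", CORRECT), ("WIPED_FIRST", WIPED_FIRST),
                          ("NO_REVIEW", NO_REVIEW)]:
        print(name, check_order(runbook) or "follows PICERL order")
```

Run as a script it prints one line per runbook: the correct sequence produces no findings, the "wiped it immediately" runbook is reported as skipping Containment (and never reaching Recovery or Lessons Learned), and the runbook that stops at Recovery is reported as missing Lessons Learned. A "backwards" finding is deliberately informational, since re-scoping during containment is legitimate when it is explicit.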
The Evidence Preservation Trap
One of the most common wrong-answer scenarios:
A security analyst discovers ransomware on a workstation. What should they do first?
Options often include: isolate the system, notify law enforcement, document the system's state, remove the malware.
Many candidates pick "remove the malware" — that is Eradication, which is phase 4. Before anything else, you need to contain the system (isolate it from the network) to prevent spread. Evidence preservation (documenting, imaging) also happens before removal.
The correct sequence in this scenario: isolate first, then document/preserve evidence, then eradicate.
Legal Hold and Chain of Custody
During Identification and Containment, evidence must be handled carefully:
- Legal hold — When an incident may lead to litigation, notify relevant parties to preserve all related data and stop its routine destruction
- Chain of custody — Document every person who handles evidence and every action taken; required for evidence to be admissible in legal proceedings
- Order of volatility — Collect the most volatile evidence first: CPU registers and cache (lost on shutdown), RAM (lost on power off), swap files, hard disk, logs, archived data
Exam trap: a question asks about the order in which to collect evidence. The answer is order of volatility — most volatile first. Candidates who think about priority (logs seem important) get this wrong.
Containment Strategies
Short-term containment — Immediately isolating the affected system (disconnecting from network) to stop spread while preserving its state for analysis.
Long-term containment — Applying patches, removing compromised accounts, and hardening configurations while a clean replacement system is being prepared.
The exam distinguishes between these: a question asking "what is the immediate first step after confirming ransomware" wants short-term containment (isolation), not long-term containment.
Lessons Learned
The final phase often gets overlooked but is tested. After recovery, the IR team documents:
- What happened and why
- How it was detected
- What the response involved
- What could be done better
- Changes to make to policies, playbooks, or controls
A question asking "which IR phase involves updating the incident response plan based on findings" — the answer is Lessons Learned.
Practice Security+ incident response questions to drill the phase sequence until it is automatic under exam time pressure.
NIST vs SANS IR Framework Comparison
Both frameworks appear in SY0-701 objectives. The exam tests whether you can recognise each and map their phases.
| Phase | NIST SP 800-61 | SANS |
|---|---|---|
| 1 | Preparation | Preparation |
| 2 | Detection and Analysis | Identification |
| 3 | Containment, Eradication, and Recovery | Containment |
| 4 | Post-Incident Activity | Eradication |
| 5 | — | Recovery |
| 6 | — | Lessons Learned |
The practical difference: NIST groups Containment, Eradication, and Recovery into a single phase. SANS treats them as three distinct phases. CompTIA tends to favour the SANS six-step model in question wording because it gives more distinct steps to sequence.
What the exam actually tests: If a question asks you to "put these phases in order" and gives you six options, expect the SANS model. If a question references a government framework or "NIST guidelines," map to the four NIST phases. The underlying logic is identical — the grouping is the only difference.
Exam trap: NIST's second phase is "Detection and Analysis," not just "Detection." This means identifying the incident AND understanding its scope, impact, and cause are both part of this phase. Candidates who learn only the phase names miss that analysis is explicitly included before containment begins.
Chain of Custody — What the Exam Actually Tests
Chain of custody is about documenting the handling of evidence from the moment it is collected until it is used in legal proceedings. The goal is to demonstrate that evidence was not tampered with or altered.
What documentation is required:
- Who collected the evidence (name, role, time)
- How it was collected (tool used, method)
- Where it was stored (physical location, access controls)
- Every person who accessed or transferred it, and when
- What analysis was performed on it
The exam scenarios that come up:
"A security analyst collected a hard drive from a compromised workstation. The drive later showed signs of modification. What was likely missing?" Chain of custody documentation — without it, you cannot prove the evidence was unaltered.
"Who takes custody of evidence when law enforcement is involved?" The initial response team documents custody and then formally transfers it to law enforcement with written documentation of the transfer.
"What makes digital evidence admissible in court?" Proper chain of custody, combined with forensic integrity verification (hash values taken at time of collection and verified to match later).
Practical tip for questions: Any question mentioning legal proceedings, court admissibility, or evidence integrity is testing chain of custody concepts.
Forensic Evidence Order of Volatility
When collecting evidence from a live system, you must collect the most volatile evidence first — because it will be lost when the system is powered off or rebooted.
The order, from most to least volatile:
- CPU registers, cache — Completely lost when power is cut. Contents of the processor's working memory at the moment of collection.
- RAM (physical memory) — Lost on power off. Contains running processes, decrypted data, network connections, encryption keys in use, and malware that may only exist in memory (fileless malware).
- Swap file / virtual memory — Less volatile than RAM but still more volatile than disk. Data paged out of RAM lives here temporarily.
- Hard disk / SSD contents — Persistent storage. Files, logs, installed software.
- Remote logs — Logs on a remote syslog server or SIEM. More reliable than local logs because a sophisticated attacker may have wiped local logs.
- Archived / backup data — Least volatile. Offsite, tape, cloud backups.
Why order matters on the exam: A question asking "what should be collected first from a running system that is suspected of being compromised?" wants RAM (or the full list starting from CPU registers). Candidates who think "logs are important" and answer logs are wrong — logs are far less volatile than RAM and will still be there after memory has been captured.
The practical implication: forensic practitioners use memory acquisition tools (such as Magnet RAM Capture or WinPmem) before doing anything else on a live system. Only after acquiring RAM do they proceed to disk imaging.
Common IR Mistakes in Exam Scenarios
The exam gives you a scenario and asks what was done wrong, or what should have been done first.
Type 1 — Acting before scoping: "An analyst discovered ransomware on one workstation and immediately wiped it to remove the malware." What was wrong? Eradication before containment and evidence preservation. The correct sequence: contain (isolate), preserve evidence, then eradicate. Wiping before imaging destroys forensic evidence.
Type 2 — Wrong containment approach: "An analyst disconnected the infected server from the network and powered it off immediately." The problem: powering off destroys volatile memory evidence (RAM). For most malware investigations, the correct containment is network isolation while the system remains powered on for memory acquisition.
Type 3 — Skipping lessons learned: "After resolving the incident, the team immediately returned to normal operations." What was missing? The lessons learned review — documentation of what happened, how it was detected, what worked, what didn't, and what policy changes are needed.
Type 4 — Evidence handling failure: "The analyst copied files from the compromised system to a USB drive without hashing them first." The problem: without hash verification, you cannot prove the copies are exact. Forensic copies require hash verification (MD5 or SHA-256 of the original and the copy must match).
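As an added example serving both the chain-of-custody section above and the Type 4 scenario here (it is not code from the study guide or from any forensic product), this Python script keeps a custody ledger for one evidence item, records the SHA-256 hash at collection, re-verifies copies against it, and flags any handler who touched the item without a logged transfer. The evidence bytes, handler names, timestamps and form numbers are constructed for the example.

```python
"""Chain-of-custody ledger with hash verification for a forensic copy.

Added illustration for this study guide, not a real forensic tool.
The evidence bytes, handler names, timestamps and form numbers are
constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Integrity hash taken at collection and re-checked on every copy."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    handler: str                    # who handled it (name and role)
    action: str                     # collected / transferred / analysed / verified
    detail: str                     # tool, method, storage location, form number
    recipient: Optional[str] = None  # set only for "transferred"


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    collection_hash: str            # SHA-256 recorded at the moment of collection
    log: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, detail: str,
               recipient: Optional[str] = None,
               when: Optional[datetime] = None) -> None:
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        self.log.append(CustodyEntry(stamp, handler, action, detail, recipient))

    def verify(self, copy: bytes, handler: str,
               when: Optional[datetime] = None) -> bool:
        """Re-hash a copy, log the outcome, and return True only on a match."""
        matches = sha256_hex(copy) == self.collection_hash
        self.record(handler, "verified",
                    "sha256 matches collection hash" if matches
                    else "sha256 MISMATCH: copy is not an exact duplicate",
                    when=when)
        return matches


def collect(item_id: str, description: str, original: bytes,
            handler: str, tool: str,
            when: Optional[datetime] = None) -> EvidenceItem:
    """Open the ledger for an item at the time it is seized."""
    item = EvidenceItem(item_id, description, sha256_hex(original))
    item.record(handler, "collected", f"{tool}; sha256={item.collection_hash}",
                when=when)
    return item


def custody_gaps(item: EvidenceItem) -> List[str]:
    """Report entries made by someone who was not the documented holder.

    Custody starts with the collector and changes only on a logged
    'transferred' entry; any other handler touching the item is a gap.
    """
    holder: Optional[str] = None
    gaps: List[str] = []
    for entry in item.log:
        if entry.action == "collected":
            holder = entry.handler
            continue
        if entry.handler != holder:
            gaps.append(f"{entry.timestamp}: {entry.handler} {entry.action} "
                        f"while custody was with {holder}")
        if entry.action == "transferred":
            holder = entry.recipient
    return gaps


# Constructed evidence: a pretend disk-image fragment and a tampered copy.
ORIGINAL = b"MZ\x90\x00constructed image fragment for the example\x00" * 4
TAMPERED = ORIGINAL[:20] + b"X" + ORIGINAL[21:]
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp


def run_scenario() -> dict:
    """Walk one item from seizure to law-enforcement handover."""
    analyst = "A. Chen (SOC analyst)"
    detective = "Det. M. Ruiz (law enforcement)"
    item = collect("EV-001", "workstation disk (constructed sample)",
                   ORIGINAL, analyst, "imaged via write blocker", when=T0)
    exact_copy = item.verify(ORIGINAL, analyst, when=T0)
    item.record(analyst, "transferred", "handover form CoC-EV-001-1",
                recipient=detective, when=T0)
    clean_gaps = custody_gaps(item)
    # An undocumented handler opening the image breaks the chain.
    item.record("J. Doe (contractor)", "analysed", "opened image in a viewer",
                when=T0)
    return {
        "exact_copy_verified": exact_copy,
        "tampered_copy_verified": item.verify(TAMPERED, detective, when=T0),
        "gaps_before_unlogged_access": clean_gaps,
        "gaps_after_unlogged_access": custody_gaps(item),
        "ledger": item.log,
    }


if __name__ == "__main__":
    result = run_scenario()
    print({k: v for k, v in result.items() if k != "ledger"})
    for entry in result["ledger"]:
        print(entry)
```

The exact copy verifies, the copy with one altered byte does not, and the contractor's undocumented access shows up as a custody gap even though every entry before it was clean. SHA-256 is used for the integrity check; MD5 would satisfy the exam's wording but is not the choice to make in new tooling.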
Tabletop Exercise vs Penetration Test — When to Use Each
Tabletop exercise: A discussion-based scenario walkthrough. Key stakeholders (IR team, legal, communications, executives) sit around a table and talk through how they would respond to a hypothetical incident. No systems are tested. No actual attacks are launched. The goal is to test the IR plan, identify gaps in roles and communication, and ensure everyone knows what to do.
Use a tabletop when: the organisation has not tested its IR plan recently, you want to train new IR team members, you need to validate communication procedures, or executive buy-in is needed for IR investment.
Penetration test: An authorised simulated attack against actual systems. Testers use real attack techniques to find real vulnerabilities. Systems may be affected. The goal is to find technical vulnerabilities before attackers do.
Use a penetration test when: you need to validate technical defences, you want to test detection capabilities, a compliance requirement mandates it (PCI DSS requires annual penetration tests), or a major system change has been made.
The exam distinction: Tabletop = plan validation, discussion-based, no technical testing. Penetration test = technical validation, real attack simulation against live systems.
Legal Considerations — When to Involve Law Enforcement
The exam touches on this in IR scenarios. Key points:
Involve law enforcement when: the incident involves criminal activity (theft, espionage, ransomware demanding payment), when law enforcement has investigative capabilities you need, or when a regulatory framework requires notification (FBI notification for certain ransomware incidents).
Do NOT involve law enforcement without organisational legal counsel involved. Publicly reporting an incident carries legal and PR implications for many organisations, and legal counsel advises on notification requirements.
Law enforcement involvement changes evidence handling requirements significantly — you must maintain strict chain of custody from the moment you decide legal action may follow.