Practice CS0-003 Incident Response and Management questions with full explanations on every answer.
1. During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, an analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which step should the analyst perform next to validate the alert?
2. An organization's security team receives an alert about a potential ransomware infection on a critical server. The severity classification is 'high' because the server supports a production database. According to the incident response plan, which containment action should be taken first to minimize data loss?
3. A forensic analyst is investigating a suspected data breach involving a compromised workstation. The analyst wants to collect volatile data in accordance with the order of volatility. Which sequence of data collection is correct?
4. After containing a malware outbreak, the incident response team performs static malware analysis on a suspicious executable. Which of the following artifacts would be most helpful in creating a YARA rule to detect variants of the malware?
5. During dynamic malware analysis in a sandbox, an analyst observes that the malware attempts to connect to a remote IP address on port 443, modifies the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and drops a DLL in the system32 folder. Which type of IOC is most indicative of persistence?
6. An organization uses MISP as its threat intelligence platform. After a security incident, the team wants to share IOCs with other trusted organizations. Which standard should they use to package and exchange the threat intelligence?
7. During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for a recent breach was 14 days, while the mean time to respond (MTTR) was 6 hours. Which metric should the team prioritize to improve in future incidents?
8. A security analyst is performing memory acquisition on a compromised Linux server using LiME. The analyst needs to capture the memory image with minimal impact on the system. Which of the following parameters should the analyst use to ensure the output is forensically sound?
9. An analyst receives an alert about a user account that has been locked out multiple times within an hour. The account belongs to a system administrator. Which incident category does this scenario most likely fall under?
10. During a forensic investigation, an analyst creates a disk image using dd with a SHA256 hash. Later, the analyst needs to verify the integrity of the image before analysis. Which command should the analyst use to compare the original hash with a newly computed hash?
11. An organization has been experiencing repeated phishing attacks that bypass email filters. The incident response team wants to enhance detection by creating rules based on characteristics of the phishing emails. Which of the following IOCs would be most effective for detecting similar phishing campaigns?
12. During a post-incident activity, the CSIRT performs a root cause analysis for a data breach. They discover that the breach originated from a misconfigured S3 bucket that allowed public read access. Which of the following actions should be included in the lessons learned to prevent recurrence?
13. A security analyst is responding to a potential data exfiltration incident. As part of the containment strategy, the analyst must preserve evidence. Which TWO actions should the analyst take before containment? (Select two.)
14. A CSIRT is investigating a ransomware incident that encrypted files on multiple servers. The team needs to determine the initial infection vector. Which THREE pieces of evidence should the team prioritize collecting? (Select three.)
15. A security analyst is reviewing IOCs from a threat intelligence feed. The analyst wants to enrich the IOCs using open-source tools. Which THREE tools are commonly used for IOC enrichment? (Select three.)
16. During which phase of the NIST SP 800-61 incident response lifecycle would an organization conduct a lessons learned meeting?
17. A security analyst detects ransomware on a critical server. Which containment strategy should be implemented FIRST to minimize damage?
18. During a forensic investigation, an analyst needs to acquire memory from a Linux server. Which tool is specifically designed for this purpose?
19. Which of the following is the MOST volatile data according to the order of volatility?
20. An analyst is reviewing a suspicious executable using static analysis. Which of the following would provide information about the functions the executable imports from system libraries?
21. A SOC analyst receives an alert from a threat intelligence platform (TIP) about a new phishing campaign. The indicator is a URL. Which enrichment source is BEST for determining the URL's current hosting infrastructure?
22. During a post-incident review, the CSIRT identifies that the mean time to detect (MTTD) is significantly higher than the industry benchmark. Which initiative would MOST likely reduce MTTD?
23. An organization has identified indicators of compromise (IOCs) from a recent incident. Which data format is specifically designed for sharing threat intelligence in a standardized, machine-readable way?
24. A security analyst is investigating a potential data breach. The analyst needs to preserve evidence before containment. Which of the following actions is MOST appropriate at this stage?
25. An analyst runs a YARA rule against a set of files and gets a hit. The rule was written to detect a specific malware family. What is the PRIMARY purpose of using YARA rules in this context?
26. After a DDoS attack, the CSIRT wants to share IOCs with other organizations. Which protocol is specifically designed for automated, real-time threat intelligence sharing?
27. Which of the following is an example of a behavioral indicator of compromise (IOC) observed during dynamic malware analysis?
28. A security analyst is investigating a phishing incident that resulted in credential theft. Which TWO actions should the analyst take as part of short-term containment? (Choose two.)
29. During a forensic investigation, an analyst must acquire digital evidence while maintaining forensic soundness. Which THREE practices should the analyst follow? (Choose three.)
30. A company has experienced a ransomware attack that encrypted critical servers. The incident response team is in the containment, eradication, and recovery phase. Which THREE actions are part of long-term containment? (Choose three.)
31. During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a workstation to an external IP address known for command and control (C2) activity. Which classification should the analyst assign to this incident?
32. A security analyst receives an alert about a possible ransomware outbreak. Which short-term containment action should be performed FIRST to prevent further spread?
33. During forensic analysis of a compromised server, an analyst needs to preserve evidence in order of volatility. Which of the following actions should the analyst perform FIRST?
34. A security analyst is conducting static analysis of a suspicious executable. Which of the following tools or techniques is BEST suited for extracting strings and viewing the import table?
35. After containing a security incident, the incident response team conducts a root cause analysis. Which of the following is the PRIMARY purpose of this activity?
36. An analyst receives a threat intelligence feed containing IOCs in STIX format. Which of the following BEST describes the purpose of STIX?
37. During post-incident activities, the security team reviews metrics. Which metric measures the average time taken to detect an incident?
38. A security analyst is performing dynamic analysis of a suspicious file in a sandbox. Which of the following observations is most indicative of ransomware behavior?
39. Which of the following is the correct order of volatility for digital evidence?
40. An incident responder needs to collect memory from a Linux system during an incident. Which tool should the responder use?
41. During a post-incident review, the team identifies that detection was delayed because alerts from multiple sources were not correlated. Which improvement would BEST address this issue?
42. An analyst is investigating a suspected data breach and needs to preserve network logs. Which of the following actions is MOST appropriate?
43. A security analyst is performing incident response for a suspected malware outbreak. Which TWO actions are examples of long-term containment? (Select TWO.)
44. During a forensic investigation, an analyst must preserve evidence in accordance with forensically sound procedures. Which THREE of the following practices should the analyst follow? (Select THREE.)
45. An incident response team is analyzing indicators of compromise (IOCs) from a phishing campaign. Which THREE of the following are commonly used IOC types? (Select THREE.)
46. During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a finance workstation to a known malicious IP address at 2:00 AM. The analyst checks the firewall logs and sees a single connection. Which action should the analyst take FIRST according to NIST SP 800-61?
47. An organization's incident response team is handling a ransomware incident where critical servers have been encrypted. The team has identified the ransomware variant and determined that decryption is not possible. Which of the following is the BEST post-incident activity to prevent recurrence?
48. An analyst needs to capture the contents of volatile memory from a Windows system suspected of being compromised. Which tool should the analyst use to acquire a memory image?
49. During a phishing incident, an analyst extracts a URL from the email body and searches VirusTotal. The URL is associated with a credential harvesting page. Which type of indicator is this URL?
50. An incident responder needs to collect forensic evidence from a server that was attacked. The evidence includes network connections, running processes, memory contents, and disk data. According to the order of volatility, which piece of evidence should the responder collect FIRST?
51. After containing a data breach, the incident response team discovers that an attacker exfiltrated sensitive data over DNS tunneling. Which of the following detection rules would BEST identify similar activity in the future?
52. An organization's security team receives a report of a potential insider threat. An employee is suspected of accessing sensitive files without authorization. Which incident category BEST describes this scenario?
53. An incident responder is called to a server room where a critical database server is exhibiting signs of compromise. The responder must preserve evidence while preventing further damage. Which of the following is a short-term containment strategy that also preserves evidence?
54. A security analyst is performing static analysis on a suspicious PE file. Which initial step should the analyst take to understand the file's imports and potential capabilities?
55. An organization is implementing an incident response plan. Which phase of the NIST SP 800-61 lifecycle includes activities such as creating policies, establishing IR teams, and acquiring necessary tools?
56. During a DDoS attack, the incident response team notices that the attack traffic originates from multiple IP addresses across different countries. The team decides to implement a long-term containment strategy. Which action is MOST appropriate for long-term containment?
57. An analyst is examining a disk image acquired from a compromised Linux server. The analyst needs to verify that the image is an exact bit-for-bit copy of the original drive. Which forensically sound procedure should the analyst perform?
58. An incident response team is conducting post-incident activities after a ransomware attack. The team wants to improve detection and response for future incidents. Which TWO actions are most appropriate for updating detection rules? (Select TWO.)
59. A security analyst is investigating a potential data exfiltration incident. The analyst captures memory from a Windows system and finds a process that is injecting code into other processes. Which THREE indicators from the memory analysis would MOST strongly suggest malicious activity? (Select THREE.)
60. An organization's incident response team is classifying an incident based on severity and priority. Which TWO factors should the team consider when determining the priority of an incident? (Select TWO.)
61. During the preparation phase of the NIST SP 800-61 incident response lifecycle, a security analyst is tasked with ensuring the team has the necessary tools and resources. Which of the following is the MOST important activity to perform during this phase?
62. A security operations center (SOC) analyst receives an alert about a potential ransomware infection on a critical server. The incident response team needs to contain the threat quickly. Which of the following should be performed FIRST as a short-term containment measure?
63. During a forensic investigation, an analyst needs to acquire volatile memory from a compromised Linux server running a critical application. The server cannot be powered off. Which tool should the analyst use to capture memory with the least impact on the system?
64. An organization has experienced a data breach involving personally identifiable information (PII). The incident response team has contained the breach and eradicated the threat. During the post-incident activity phase, which activity is MOST critical to prevent future similar incidents?
65. A security analyst is reviewing indicators of compromise (IOCs) from a recent phishing campaign. Which of the following is an example of an email-related IOC?
66. During a dynamic malware analysis session, a security analyst uses a sandbox to detonate a suspicious file. Which of the following observations would be considered a behavioral indicator of compromise (IOC)?
67. A security analyst is investigating a suspected insider threat incident. The analyst needs to preserve evidence before containment. Which of the following actions should the analyst prioritize to maintain the integrity of digital evidence?
68. An organization uses MISP (Malware Information Sharing Platform) to share threat intelligence with trusted partners. Which of the following standards is commonly used by MISP to structure and exchange threat intelligence data?
69. An incident responder is classifying an incident. The incident involves ransomware encrypting files on multiple workstations, causing significant business disruption. Which severity level should be assigned to this incident?
70. During a forensic analysis, an analyst needs to collect data in order of volatility. Which of the following represents the correct order from most volatile to least volatile?
71. An analyst is performing static analysis on a suspicious executable. The analyst discovers that the PE file has a suspicious section name and a high entropy value. Which tool or technique would be MOST useful for further analyzing the packed nature of the file?
72. After a DDoS attack, the incident response team wants to improve detection and prevention. Which of the following metrics would be MOST useful for evaluating the effectiveness of the response?
73. A security analyst is investigating a potential malware infection on a Windows workstation. The analyst needs to collect evidence while preserving the order of volatility. Which TWO pieces of data should the analyst collect FIRST? (Select TWO.)
74. An incident responder is performing containment of a ransomware incident that has encrypted files on several file servers. Which THREE actions are appropriate for long-term containment and recovery? (Select THREE.)
75. During a forensic investigation, an analyst needs to acquire disk images from multiple suspect drives. Which THREE practices ensure forensic soundness? (Select THREE.)
76. During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, a security analyst identifies an alert indicating a high volume of outbound traffic from a critical server to an unknown IP address. Which of the following actions should the analyst perform FIRST?
77. A security analyst is classifying an incident where an employee's workstation is infected with ransomware that encrypts files and displays a ransom note. Which incident category and severity level best describe this scenario?
78. During forensic analysis of a compromised Linux server, an analyst needs to acquire memory evidence. The server is running and the analyst has root access. Which of the following tools should the analyst use to capture the contents of RAM with the least impact on the system?
79. A security team is responding to a phishing incident that led to credential compromise. Which of the following is the BEST short-term containment action to prevent further damage?
80. An analyst is performing static analysis on a suspicious executable file. Which of the following would be MOST useful to identify potential malicious behavior without executing the file?
81. During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for incidents is significantly higher than industry benchmarks. Which of the following improvements would most directly reduce MTTD?
82. Which of the following is the FIRST step in the NIST SP 800-61 incident response lifecycle?
83. An analyst is using YARA to create rules for detecting a specific malware strain. Which of the following pieces of information is MOST useful for writing a YARA rule?
84. When performing digital forensics, which of the following represents the correct order of volatility from most volatile to least volatile?
85. A security analyst needs to share threat intelligence with other organizations in a standardized format. Which of the following standards should the analyst use?
86. During a ransomware incident, the incident response team needs to preserve evidence before containment. Which of the following actions should be performed BEFORE isolating the infected system from the network?
87. An organization is experiencing a DDoS attack targeting its web servers. Which of the following is the BEST short-term containment strategy?
88. A security analyst is investigating a potential data breach. The analyst needs to collect digital evidence while preserving its integrity. Which TWO actions should the analyst take? (Choose TWO.)
89. During dynamic analysis of a suspicious file in a sandbox environment, which THREE behaviors are considered indicators of compromise (IOCs) that suggest malicious activity? (Choose THREE.)
90. An incident response team is conducting post-incident activities after containing a malware outbreak. Which TWO activities should be included in the lessons learned phase? (Choose TWO.)
91. During the preparation phase of the NIST SP 800-61 incident response lifecycle, which of the following is the MOST important activity to ensure effective incident response?
92. A security analyst is triaging an alert indicating that a user's workstation has been infected with ransomware. The file server shows signs of encryption. The analyst needs to contain the incident. Which action should the analyst take FIRST to minimize damage?
93. During a forensic investigation of a compromised Linux server, the analyst needs to acquire memory for analysis. The system is running and the analyst cannot power it off. Which tool is MOST appropriate for acquiring memory in this scenario?
94. An analyst is investigating a suspected data breach. The analyst needs to identify which files were exfiltrated and preserve evidence. According to the order of volatility, which of the following should the analyst capture FIRST?
95. A security analyst is analyzing a suspicious file using static analysis. The analyst wants to identify imported functions to determine the file's capabilities. Which tool or technique is BEST suited for this task?
96. During dynamic analysis of a malware sample in a sandbox, the analyst observes that the malware attempts to connect to an IP address 198.51.100.23 and modifies the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Which IOC type is the IP address an example of?
97. After containing a ransomware incident, the incident response team is conducting post-incident activities. Which action is MOST important to prevent a similar attack in the future?
98. An analyst is investigating a possible data exfiltration incident. The analyst has acquired a memory dump from the compromised system. Which of the following would be the BEST approach to extract evidence of exfiltration?
99. An organization wants to automate the sharing of threat intelligence with other trusted entities using a standardized protocol. Which protocol is specifically designed for this purpose?
100. During the detection and analysis phase of an incident, an analyst identifies a file with a hash that matches a known malware signature. The analyst wants to enrich this IOC with additional context. Which resource is BEST suited for this enrichment?
101. A security analyst is performing forensic analysis of a compromised system. The analyst needs to acquire disk evidence in a forensically sound manner. Which TWO actions should the analyst take to ensure the integrity of the evidence? (Choose TWO.)
102. During a malware outbreak, an incident responder uses YARA rules to detect similar malware across the environment. The responder created a custom YARA rule based on static analysis of the malware sample. Which THREE elements are MOST useful for creating an effective YARA rule for this malware? (Choose THREE.)
103. An organization is experiencing a distributed denial-of-service (DDoS) attack targeting its web servers. The incident response team is implementing containment strategies. Which TWO actions are appropriate for short-term containment of a DDoS attack? (Choose TWO.)
104. After a phishing incident, the security team wants to improve detection of similar attacks in the future. Which THREE actions should the team take as part of post-incident activity? (Choose THREE.)
105. A security analyst is investigating a potential insider threat where a user is suspected of exfiltrating sensitive data via USB drives. The analyst needs to gather evidence while preserving the chain of custody. Which THREE actions should the analyst perform? (Choose THREE.)
106. During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, a security analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which of the following is the most appropriate next step?
107. A security analyst is performing dynamic malware analysis using a sandbox. The analyst observes that the malware creates a scheduled task that executes a PowerShell command to download a payload from a remote server. Which of the following behavioral IOCs should be prioritized for detection?
108. A security team is responding to a suspected data breach involving exfiltration of customer data via email. During the containment phase, which TWO actions should the team perform to preserve evidence while preventing further data loss?
109. During a post-incident review, a security analyst identifies that the mean time to detect (MTTD) for incidents is significantly higher than the industry benchmark. Which THREE actions should the analyst recommend to improve detection capabilities?
The Incident Response and Management domain covers the key concepts tested in this area of the CS0-003 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CS0-003 domains — no account required.
The Courseiva CS0-003 question bank contains 109 questions in the Incident Response and Management domain, each with a full explanation and answer breakdown.
Start with a 10-question focused session to establish your baseline accuracy in this domain. Read every explanation, including those for questions you answered correctly, to understand the reasoning. Once you score consistently above 80%, move to a 20- to 30-question session to confirm depth before moving on to the next domain.
Focused sessions draw questions exclusively from the Incident Response and Management domain. Choose 10, 20, 30, or 50 questions for a session, or review individual questions one at a time.