Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Incident Response and Management

Practice CS0-003 Incident Response and Management questions with full explanations on every answer.

109 questions


All CS0-003 Incident Response and Management questions (109)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, an analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which step should the analyst perform next to validate the alert?

2

An organization's security team receives an alert about a potential ransomware infection on a critical server. The severity classification is 'high' because the server supports a production database. According to the incident response plan, which containment action should be taken first to minimize data loss?

3

A forensic analyst is investigating a suspected data breach involving a compromised workstation. The analyst wants to collect volatile data in accordance with the order of volatility. Which sequence of data collection is correct?

4

After containing a malware outbreak, the incident response team performs static malware analysis on a suspicious executable. Which of the following artifacts would be most helpful in creating a YARA rule to detect variants of the malware?

5

During dynamic malware analysis in a sandbox, an analyst observes that the malware attempts to connect to a remote IP address on port 443, modifies the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and drops a DLL in the system32 folder. Which type of IOC is most indicative of persistence?

6

An organization uses MISP as its threat intelligence platform. After a security incident, the team wants to share IOCs with other trusted organizations. Which standard should they use to package and exchange the threat intelligence?

7

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for a recent breach was 14 days, while the mean time to respond (MTTR) was 6 hours. Which metric should the team prioritize to improve in future incidents?

8

A security analyst is performing memory acquisition on a compromised Linux server using LiME. The analyst needs to capture the memory image with minimal impact on the system. Which of the following parameters should the analyst use to ensure the output is forensically sound?

9

An analyst receives an alert about a user account that has been locked out multiple times within an hour. The account belongs to a system administrator. Which incident category does this scenario most likely fall under?

10

During a forensic investigation, an analyst creates a disk image using dd with a SHA256 hash. Later, the analyst needs to verify the integrity of the image before analysis. Which command should the analyst use to compare the original hash with a newly computed hash?

11

An organization has been experiencing repeated phishing attacks that bypass email filters. The incident response team wants to enhance detection by creating rules based on characteristics of the phishing emails. Which of the following IOCs would be most effective for detecting similar phishing campaigns?

12

During a post-incident activity, the CSIRT performs a root cause analysis for a data breach. They discover that the breach originated from a misconfigured S3 bucket that allowed public read access. Which of the following actions should be included in the lessons learned to prevent recurrence?

13

A security analyst is responding to a potential data exfiltration incident. As part of the containment strategy, the analyst must preserve evidence. Which TWO actions should the analyst take before containment? (Select two.)

14

A CSIRT is investigating a ransomware incident that encrypted files on multiple servers. The team needs to determine the initial infection vector. Which THREE pieces of evidence should the team prioritize collecting? (Select three.)

15

A security analyst is reviewing IOCs from a threat intelligence feed. The analyst wants to enrich the IOCs using open-source tools. Which THREE tools are commonly used for IOC enrichment? (Select three.)

16

During which phase of the NIST SP 800-61 incident response lifecycle would an organization conduct a lessons learned meeting?

17

A security analyst detects ransomware on a critical server. Which containment strategy should be implemented FIRST to minimize damage?

18

During a forensic investigation, an analyst needs to acquire memory from a Linux server. Which tool is specifically designed for this purpose?

19

Which of the following is the MOST volatile data according to the order of volatility?

20

An analyst is reviewing a suspicious executable using static analysis. Which of the following would provide information about the functions the executable imports from system libraries?

21

A SOC analyst receives an alert from a threat intelligence platform (TIP) about a new phishing campaign. The indicator is a URL. Which enrichment source is BEST for determining the URL's current hosting infrastructure?

22

During a post-incident review, the CSIRT identifies that the mean time to detect (MTTD) is significantly higher than the industry benchmark. Which initiative would MOST likely reduce MTTD?

23

An organization has identified indicators of compromise (IOCs) from a recent incident. Which data format is specifically designed for sharing threat intelligence in a standardized, machine-readable way?

24

A security analyst is investigating a potential data breach. The analyst needs to preserve evidence before containment. Which of the following actions is MOST appropriate at this stage?

25

An analyst runs a YARA rule against a set of files and gets a hit. The rule was written to detect a specific malware family. What is the PRIMARY purpose of using YARA rules in this context?

26

After a DDoS attack, the CSIRT wants to share IOCs with other organizations. Which protocol is specifically designed for automated, real-time threat intelligence sharing?

27

Which of the following is an example of a behavioral indicator of compromise (IOC) observed during dynamic malware analysis?

28

A security analyst is investigating a phishing incident that resulted in credential theft. Which TWO actions should the analyst take as part of short-term containment? (Choose two.)

29

During a forensic investigation, an analyst must acquire digital evidence while maintaining forensic soundness. Which THREE practices should the analyst follow? (Choose three.)

30

A company has experienced a ransomware attack that encrypted critical servers. The incident response team is in the containment, eradication, and recovery phase. Which THREE actions are part of long-term containment? (Choose three.)

31

During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a workstation to an external IP address known for command and control (C2) activity. Which classification should the analyst assign to this incident?

32

A security analyst receives an alert about a possible ransomware outbreak. Which short-term containment action should be performed FIRST to prevent further spread?

33

During forensic analysis of a compromised server, an analyst needs to preserve evidence in order of volatility. Which of the following actions should the analyst perform FIRST?

34

A security analyst is conducting static analysis of a suspicious executable. Which of the following tools or techniques is BEST suited for extracting strings and viewing the import table?

35

After containing a security incident, the incident response team conducts a root cause analysis. Which of the following is the PRIMARY purpose of this activity?

36

An analyst receives a threat intelligence feed containing IOCs in STIX format. Which of the following BEST describes the purpose of STIX?

37

During post-incident activities, the security team reviews metrics. Which metric measures the average time taken to detect an incident?

38

A security analyst is performing dynamic analysis of a suspicious file in a sandbox. Which of the following observations is most indicative of ransomware behavior?

39

Which of the following is the correct order of volatility for digital evidence?

40

An incident responder needs to collect memory from a Linux system during an incident. Which tool should the responder use?

41

During a post-incident review, the team identifies that detection was delayed because alerts from multiple sources were not correlated. Which improvement would BEST address this issue?

42

An analyst is investigating a suspected data breach and needs to preserve network logs. Which of the following actions is MOST appropriate?

43

A security analyst is performing incident response for a suspected malware outbreak. Which TWO actions are examples of long-term containment? (Select TWO.)

44

During a forensic investigation, an analyst must preserve evidence in accordance with forensically sound procedures. Which THREE of the following practices should the analyst follow? (Select THREE.)

45

An incident response team is analyzing indicators of compromise (IOCs) from a phishing campaign. Which THREE of the following are commonly used IOC types? (Select THREE.)

46

During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a finance workstation to a known malicious IP address at 2:00 AM. The analyst checks the firewall logs and sees a single connection. Which action should the analyst take FIRST according to NIST SP 800-61?

47

An organization's incident response team is handling a ransomware incident where critical servers have been encrypted. The team has identified the ransomware variant and determined that decryption is not possible. Which of the following is the BEST post-incident activity to prevent recurrence?

48

An analyst needs to capture the contents of volatile memory from a Windows system suspected of being compromised. Which tool should the analyst use to acquire a memory image?

49

During a phishing incident, an analyst extracts a URL from the email body and searches VirusTotal. The URL is associated with a credential harvesting page. Which type of indicator is this URL?

50

An incident responder needs to collect forensic evidence from a server that was attacked. The evidence includes network connections, running processes, memory contents, and disk data. According to the order of volatility, which piece of evidence should the responder collect FIRST?

51

After containing a data breach, the incident response team discovers that an attacker exfiltrated sensitive data over DNS tunneling. Which of the following detection rules would BEST identify similar activity in the future?

52

An organization's security team receives a report of a potential insider threat. An employee is suspected of accessing sensitive files without authorization. Which incident category BEST describes this scenario?

53

An incident responder is called to a server room where a critical database server is exhibiting signs of compromise. The responder must preserve evidence while preventing further damage. Which of the following is a short-term containment strategy that also preserves evidence?

54

A security analyst is performing static analysis on a suspicious PE file. Which initial step should the analyst take to understand the file's imports and potential capabilities?

55

An organization is implementing an incident response plan. Which phase of the NIST SP 800-61 lifecycle includes activities such as creating policies, establishing IR teams, and acquiring necessary tools?

56

During a DDoS attack, the incident response team notices that the attack traffic originates from multiple IP addresses across different countries. The team decides to implement a long-term containment strategy. Which action is MOST appropriate for long-term containment?

57

An analyst is examining a disk image acquired from a compromised Linux server. The analyst needs to verify that the image is an exact bit-for-bit copy of the original drive. Which forensically sound procedure should the analyst perform?

58

An incident response team is conducting post-incident activities after a ransomware attack. The team wants to improve detection and response for future incidents. Which TWO actions are most appropriate for updating detection rules? (Select TWO.)

59

A security analyst is investigating a potential data exfiltration incident. The analyst captures memory from a Windows system and finds a process that is injecting code into other processes. Which THREE indicators from the memory analysis would MOST strongly suggest malicious activity? (Select THREE.)

60

An organization's incident response team is classifying an incident based on severity and priority. Which TWO factors should the team consider when determining the priority of an incident? (Select TWO.)

61

During the preparation phase of the NIST SP 800-61 incident response lifecycle, a security analyst is tasked with ensuring the team has the necessary tools and resources. Which of the following is the MOST important activity to perform during this phase?

62

A security operations center (SOC) analyst receives an alert about a potential ransomware infection on a critical server. The incident response team needs to contain the threat quickly. Which of the following should be performed FIRST as a short-term containment measure?

63

During a forensic investigation, an analyst needs to acquire volatile memory from a compromised Linux server running a critical application. The server cannot be powered off. Which tool should the analyst use to capture memory with the least impact on the system?

64

An organization has experienced a data breach involving personally identifiable information (PII). The incident response team has contained the breach and eradicated the threat. During the post-incident activity phase, which activity is MOST critical to prevent future similar incidents?

65

A security analyst is reviewing indicators of compromise (IOCs) from a recent phishing campaign. Which of the following is an example of an email-related IOC?

66

During a dynamic malware analysis session, a security analyst uses a sandbox to detonate a suspicious file. Which of the following observations would be considered a behavioral indicator of compromise (IOC)?

67

A security analyst is investigating a suspected insider threat incident. The analyst needs to preserve evidence before containment. Which of the following actions should the analyst prioritize to maintain the integrity of digital evidence?

68

An organization uses MISP (Malware Information Sharing Platform) to share threat intelligence with trusted partners. Which of the following standards is commonly used by MISP to structure and exchange threat intelligence data?

69

An incident responder is classifying an incident. The incident involves ransomware encrypting files on multiple workstations, causing significant business disruption. Which severity level should be assigned to this incident?

70

During a forensic analysis, an analyst needs to collect data in order of volatility. Which of the following represents the correct order from most volatile to least volatile?

71

An analyst is performing static analysis on a suspicious executable. The analyst discovers that the PE file has a suspicious section name and a high entropy value. Which tool or technique would be MOST useful for further analyzing the packed nature of the file?

72

After a DDoS attack, the incident response team wants to improve detection and prevention. Which of the following metrics would be MOST useful for evaluating the effectiveness of the response?

73

A security analyst is investigating a potential malware infection on a Windows workstation. The analyst needs to collect evidence while preserving the order of volatility. Which TWO pieces of data should the analyst collect FIRST? (Select TWO)

74

An incident responder is performing containment of a ransomware incident that has encrypted files on several file servers. Which THREE actions are appropriate for long-term containment and recovery? (Select THREE)

75

During a forensic investigation, an analyst needs to acquire disk images from multiple suspect drives. Which THREE practices ensure forensic soundness? (Select THREE)

76

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, a security analyst identifies an alert indicating a high volume of outbound traffic from a critical server to an unknown IP address. Which of the following actions should the analyst perform FIRST?

77

A security analyst is classifying an incident where an employee's workstation is infected with ransomware that encrypts files and displays a ransom note. Which incident category and severity level best describe this scenario?

78

During forensic analysis of a compromised Linux server, an analyst needs to acquire memory evidence. The server is running and the analyst has root access. Which of the following tools should the analyst use to capture the contents of RAM with the least impact on the system?

79

A security team is responding to a phishing incident that led to credential compromise. Which of the following is the BEST short-term containment action to prevent further damage?

80

An analyst is performing static analysis on a suspicious executable file. Which of the following would be MOST useful to identify potential malicious behavior without executing the file?

81

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for incidents is significantly higher than industry benchmarks. Which of the following improvements would most directly reduce MTTD?

82

Which of the following is the FIRST step in the NIST SP 800-61 incident response lifecycle?

83

An analyst is using YARA to create rules for detecting a specific malware strain. Which of the following pieces of information is MOST useful for writing a YARA rule?

84

When performing digital forensics, which of the following represents the correct order of volatility from most volatile to least volatile?

85

A security analyst needs to share threat intelligence with other organizations in a standardized format. Which of the following standards should the analyst use?

86

During a ransomware incident, the incident response team needs to preserve evidence before containment. Which of the following actions should be performed BEFORE isolating the infected system from the network?

87

An organization is experiencing a DDoS attack targeting its web servers. Which of the following is the BEST short-term containment strategy?

88

A security analyst is investigating a potential data breach. The analyst needs to collect digital evidence while preserving its integrity. Which TWO actions should the analyst take? (Choose TWO.)

89

During dynamic analysis of a suspicious file in a sandbox environment, which THREE behaviors are considered indicators of compromise (IOCs) that suggest malicious activity? (Choose THREE.)

90

An incident response team is conducting post-incident activities after containing a malware outbreak. Which TWO activities should be included in the lessons learned phase? (Choose TWO.)

91

During the preparation phase of the NIST SP 800-61 incident response lifecycle, which of the following is the MOST important activity to ensure effective incident response?

92

A security analyst is triaging an alert indicating that a user's workstation has been infected with ransomware. The file server shows signs of encryption. The analyst needs to contain the incident. Which action should the analyst take FIRST to minimize damage?

93

During a forensic investigation of a compromised Linux server, the analyst needs to acquire memory for analysis. The system is running and the analyst cannot power it off. Which tool is MOST appropriate for acquiring memory in this scenario?

94

An analyst is investigating a suspected data breach. The analyst needs to identify which files were exfiltrated and preserve evidence. According to the order of volatility, which of the following should the analyst capture FIRST?

95

A security analyst is analyzing a suspicious file using static analysis. The analyst wants to identify imported functions to determine the file's capabilities. Which tool or technique is BEST suited for this task?

96

During dynamic analysis of a malware sample in a sandbox, the analyst observes that the malware attempts to connect to an IP address 198.51.100.23 and modifies the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Which IOC type is the IP address an example of?

97

After containing a ransomware incident, the incident response team is conducting post-incident activities. Which action is MOST important to prevent a similar attack in the future?

98

An analyst is investigating a possible data exfiltration incident. The analyst has acquired a memory dump from the compromised system. Which of the following would be the BEST approach to extract evidence of exfiltration?

99

An organization wants to automate the sharing of threat intelligence with other trusted entities using a standardized protocol. Which protocol is specifically designed for this purpose?

100

During the detection and analysis phase of an incident, an analyst identifies a file with a hash that matches a known malware signature. The analyst wants to enrich this IOC with additional context. Which resource is BEST suited for this enrichment?

101

A security analyst is performing forensic analysis of a compromised system. The analyst needs to acquire disk evidence in a forensically sound manner. Which TWO actions should the analyst take to ensure the integrity of the evidence? (Choose TWO.)

102

During a malware outbreak, an incident responder uses YARA rules to detect similar malware across the environment. The responder created a custom YARA rule based on static analysis of the malware sample. Which THREE elements are MOST useful for creating an effective YARA rule for this malware? (Choose THREE.)

103

An organization is experiencing a distributed denial-of-service (DDoS) attack targeting its web servers. The incident response team is implementing containment strategies. Which TWO actions are appropriate for short-term containment of a DDoS attack? (Choose TWO.)

104

After a phishing incident, the security team wants to improve detection of similar attacks in the future. Which THREE actions should the team take as part of post-incident activity? (Choose THREE.)

105

A security analyst is investigating a potential insider threat where a user is suspected of exfiltrating sensitive data via USB drives. The analyst needs to gather evidence while preserving the chain of custody. Which THREE actions should the analyst perform? (Choose THREE.)

106

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, a security analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which of the following is the most appropriate next step?

107

A security analyst is performing dynamic malware analysis using a sandbox. The analyst observes that the malware creates a scheduled task that executes a PowerShell command to download a payload from a remote server. Which of the following behavioral IOCs should be prioritized for detection?

108

A security team is responding to a suspected data breach involving exfiltration of customer data via email. During the containment phase, which TWO actions should the team perform to preserve evidence while preventing further data loss?

109

During a post-incident review, a security analyst identifies that the mean time to detect (MTTD) for incidents is significantly higher than the industry benchmark. Which THREE actions should the analyst recommend to improve detection capabilities?


Frequently asked questions

What does the Incident Response and Management domain cover on the CS0-003 exam?

The Incident Response and Management domain covers the key concepts tested in this area of the CS0-003 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CS0-003 domains — no account required.

How many Incident Response and Management questions are in the CS0-003 question bank?

The Courseiva CS0-003 question bank contains 109 questions in the Incident Response and Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Incident Response and Management for CS0-003?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Incident Response and Management questions for CS0-003?

Yes — the session launcher on this page draws questions exclusively from the Incident Response and Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
