Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 3.0

Incident Response and Management

CS0-003 Practice Questions

Incident Response questions always test the order of phases and the containment decision. Memorise the six phases in order and understand why containment comes before eradication — it is the most common sequence trap.


What this objective tests

CS0-003 Incident Response and Management — Key Topics

Incident Response questions test the IR lifecycle phases, evidence handling, containment strategies, and regulatory notification timelines.

  • IR phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
  • Evidence preservation: chain of custody, write-blockers, and forensic imaging before analysis.
  • Containment strategies: isolate vs shut down — choosing based on business continuity vs evidence preservation.
  • Notification timelines: regulatory requirements (GDPR 72 hours, US state laws) and internal escalation paths.

Common exam traps

Where candidates lose marks on Incident Response and Management

  • ⚠ Jumping to Eradication before Containment: the threat is still active if you skip containment.
  • ⚠ Destroying evidence by powering off a machine whose volatile memory (RAM) holds malware artefacts.
  • ⚠ Forgetting that Lessons Learned is a mandatory phase, not an optional debrief.
  • ⚠ Confusing the IR team's role with law enforcement's role: IR teams preserve evidence for law enforcement; they do not investigate crimes.

CS0-003 Incident Response and Management — Practice Questions

30 questions from this objective

Question 2 (hard, multi select)

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

Question 3 (medium, multi select)

A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)

Question 4 (hard, multi select)

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

Question 5 (medium, multi select)

What should be included in incident scoping for ransomware? (Choose three.)

Question 6 (hard, multi select)

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

Question 7 (medium, multi select)

A tabletop exercise reveals that no one knows who can approve public statements. What should be updated? (Choose two.)

Question 8 (hard, multi select)

A responder is acquiring evidence from a potentially compromised server. Which actions support forensic integrity? (Choose two.)

Question 9 (hard, multi select)

An attacker used a stolen cloud token. Which evidence helps determine blast radius? (Choose two.)

Question 10 (medium, multi select)

Which actions are appropriate before restoring systems after malware eradication? (Choose two.)

Question 11 (hard, multi select)

A root-cause analysis finds that an alert fired but was never triaged. Which corrective actions are useful? (Choose two.)

Question 12 (medium, multiple choice)

A user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible?

Question 13 (hard, multiple choice)

File shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible?

Question 14 (easy, multiple choice)

A developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible?

Question 15 (medium, multiple choice)

A web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible?

Question 16 (hard, multiple choice)

A laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible?

Question 17 (easy, multiple choice)

A server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible?

Question 18 (medium, multiple choice)

After containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible?

Question 19 (hard, multiple choice)

An incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible?

Question 20 (easy, multiple choice)

A malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible?

Question 21 (medium, multiple choice)

A company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible?

Question 22 (hard, multiple choice)

In a regulated payment environment, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 23 (medium, multi select)

During containment of a compromised cloud access key, which actions are appropriate? (Choose two.)

Question 24 (medium, multiple choice)

In a regulated payment environment, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 25 (hard, multiple choice)

In a regulated payment environment, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 26 (easy, multiple choice)

In a regulated payment environment, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 27 (medium, multiple choice)

In a regulated payment environment, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 28 (hard, multiple choice)

In a regulated payment environment, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 29 (easy, multiple choice)

In a regulated payment environment, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 30 (medium, multiple choice)

In a regulated payment environment, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

Question 31 (hard, multiple choice)

In a regulated payment environment, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

More Incident Response and Management questions available in the full practice test.

All CS0-003 Objectives

  • 1. Security Operations
  • 2. Vulnerability Management
  • 3. Incident Response and Management
  • 4. Reporting and Communication