20+ practice questions focused on Incident Response and Management — one of the most tested topics on the CompTIA CySA+ CS0-003 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)
Explanation: Fileless malware operates in memory without writing to disk, so capturing a memory image or live response data preserves the malicious code, injected DLLs, and process hollowing artifacts that would vanish on reboot. Active network connections and running processes reveal the malware's C2 communications and its in-memory execution context, which are critical for identifying the infection vector and scope.
A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)
Explanation: Option A is correct because immediately resetting compromised credentials and revoking active sessions (e.g., via Azure AD 'Revoke-AzureADUserAllRefreshToken' or Active Directory 'Reset-ADAccountPassword' combined with 'Revoke-AuthenticationTokens') invalidates the attacker's access tokens and session cookies, preventing further lateral movement or data exfiltration. This aligns with the NIST SP 800-61 containment phase, which prioritizes cutting off attacker access while preserving forensic evidence.
Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)
Explanation: Option A is correct because removing the web shell eliminates the attacker's foothold, and closing the exploited vulnerability (e.g., patching the application, disabling vulnerable functions like `eval()` or `system()`, or updating a CMS plugin) prevents re-exploitation. This aligns with the eradication phase of incident response, which aims to remove all artifacts of the compromise and harden the system against the same attack vector.
What should be included in incident scoping for ransomware? (Choose three.)
Explanation: Option A is correct because identifying the initial infected host and user context is critical for understanding the attack vector, containing the threat, and preventing further spread. In ransomware incidents, the first compromised system often reveals the entry point (e.g., phishing email, RDP brute force) and the user account used, which helps scope the blast radius and prioritize remediation.
A legal hold is issued during an investigation. Which actions support it? (Choose two.)
Explanation: A legal hold (litigation hold) requires preservation of all potentially relevant electronically stored information (ESI). Preserving logs, mailboxes, images, and tickets ensures that data is not altered or deleted, maintaining its integrity for forensic analysis and legal proceedings. This action directly supports the hold by preventing spoliation and ensuring compliance with discovery obligations.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Incident Response and Management. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Incident Response and Management questions on the CS0-003 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Incident Response and Management is tested as part of the CompTIA CySA+ CS0-003 blueprint. Practicing with targeted Incident Response and Management questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CS0-003 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Incident Response and Management is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.