
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Incident Response and Recovery

Practice SSCP Incident Response and Recovery questions with full explanations on every answer.

67 questions

All SSCP Incident Response and Recovery questions (67)


1. A security analyst detects unusual outbound traffic from a server that normally communicates only with internal systems. The firewall logs show connections to an external IP address on port 443/tcp. Which incident response step should the analyst perform FIRST?

2. During a security incident, the IR team collects memory dumps from an infected workstation. The analysis reveals a process injecting code into 'svchost.exe'. Which technique is most likely being used?

3. A company's incident response plan includes a step to preserve evidence. Which action BEST ensures the integrity of forensic evidence?

4. After a ransomware attack, the recovery team must restore encrypted files from backups. The backups are stored on a separate network segment and were last verified three days ago. What should the team do FIRST?

5. During a security incident, the IR team discovers that an attacker used a valid user account to access sensitive data. The account had multifactor authentication (MFA) enabled. Which attack technique most likely bypassed the MFA?

6. A security analyst is reviewing logs and finds multiple failed login attempts from an external IP address followed by a successful login. Which type of attack is most likely occurring?

7. An organization's incident response plan is tested annually. After a real incident, the team finds that the plan did not address cloud-based assets. What is the BEST action?

8. Which TWO actions are appropriate during the containment phase of incident response?

9. Which THREE types of evidence are MOST important to collect from a compromised Linux server during forensic acquisition?

10. Which TWO components are essential for an effective disaster recovery plan (DRP)?

11. A security analyst reviews the firewall log exhibit. Which type of activity is indicated?

12. A security analyst sees the event log exhibit. What does this indicate?

13. You are the incident response lead for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers (Active Directory, file shares, and a SQL database) and cloud services (Office 365, Azure VMs). At 2:00 PM on a Tuesday, the helpdesk receives multiple calls that users cannot access the file shares. Simultaneously, the SOC alerts on unusual outbound traffic from the domain controller (DC) to an external IP on port 443. The DC is also running a scheduled antivirus scan. The file server (FS) shows no signs of compromise but is responding slowly. The backup system reports that last night's backup of the DC failed due to a 'volume shadow copy error'. The backup of the FS succeeded. You need to take immediate action. What should you do FIRST?

14. Drag and drop the steps for performing a risk assessment according to NIST SP 800-30 into the correct order.

15. Match each incident response phase to its activity.

16. An alert shows a successful login from an unusual geographic location. Which of the following is the BEST initial response?

17. Which backup strategy is MOST suitable for a server with an RTO of 4 hours and an RPO of 15 minutes?

18. During an incident response, a forensic analyst captures a memory dump from a compromised server. Which of the following is the MOST important step to ensure the integrity of the evidence?

19. A company detects ransomware on a file server. The ransomware is currently encrypting files. Which containment strategy should be implemented FIRST?

20. A company is developing an incident response plan. Which of the following stakeholders should be included in the initial planning phase?

21. To determine how malware initially infected a workstation, which artifact would be MOST useful?

22. A company's disaster recovery plan includes offsite tape backups. During a test, it is discovered that the tapes are stored at a location that shares the same power grid as the primary site. Which risk does this pose?

23. A user reports that their computer is displaying a fake antivirus warning that demands payment. This is an example of which type of attack?

24. After an incident, the team identifies that the incident was caused by a missing security patch. Which of the following is the MOST effective way to prevent recurrence?

25. Which TWO of the following are key components of an incident response plan (IRP) according to NIST SP 800-61?

26. Which TWO of the following are appropriate actions when preserving digital evidence at a crime/incident scene?

27. Which THREE of the following are standard phases of the incident response lifecycle?

28. Based on the exhibit, which security threat is likely being attempted?

29. What is the analyst's BEST next step?

30. If the web server is compromised, which of the following is a likely immediate risk?

31. An organization experiences a ransomware attack that encrypts critical data. The incident response team isolates affected systems. What is the NEXT step?

32. A security analyst detects unusual outbound traffic from a server to a known malicious IP. The server is running a critical business application. What should the analyst do FIRST?

33. During incident analysis, a forensic examiner finds that the system logs were cleared using a command that writes null bytes. Which artifact is most likely preserved?

34. A company's backup strategy includes weekly full backups and daily differential backups. A ransomware attack occurred on Wednesday, corrupting data. The last full backup was Sunday. Which backup set should be restored first?

35. During incident response, a team member uses a tool to capture memory from a compromised Windows system. Which of the following best describes the order of volatility?

36. A security analyst reviews a firewall log showing an internal IP attempting outbound connections to multiple external IPs on port 443. The analyst suspects command and control. Which additional data source would be MOST useful for confirmation?

37. After containing a malware outbreak, the incident response team needs to ensure the malware is completely removed from all systems. Which phase of the incident response process is this?

38. In a forensic investigation, a hash of a suspect file is computed. Which of the following is the primary purpose of hashing in this context?

39. A company's incident response plan includes a requirement to notify law enforcement within 24 hours of certain security incidents. Which regulation most likely mandates this requirement?

40. Which TWO roles are typically part of an incident response team?

41. Which THREE activities are part of the post-incident phase?

42. During forensic analysis, which THREE pieces of evidence should be preserved in original form?

43. Refer to the exhibit. The security analyst sees this event from a user workstation. What is the most likely conclusion?

44. Refer to the exhibit. A network administrator implements this ACL on a border router. What is the effect?

45. Refer to the exhibit. An organization's incident response policy defines these actions. In what sequence should these phases be applied?

46. An organization suspects a security incident. Which initial step should the incident response team take?

47. A company uses a SIEM to detect anomalies. An alert indicates a user logged in from two geographically distant locations within 5 minutes. What is the most likely indication?

48. After a ransomware attack, the recovery team restored systems from backups. However, some files remain encrypted. What is the most probable cause?

49. During an incident, the IR team needs to collect volatile data. Which order should they follow?

50. A security analyst receives an alert indicating a large number of failed login attempts from a single IP. The analyst blocks the IP. What should be done next?

51. A company's IDS generated an alert for a suspicious outbound connection to a known C2 server. The incident team discovers the host has been communicating for 2 weeks. Which containment strategy is most appropriate?

52. After an incident, what is the primary purpose of a lessons learned meeting?

53. A company uses a SOAR platform for incident response. Which factor is most critical for effective automation?

54. During a forensic investigation, you find that the attacker used a legitimate Windows tool to exfiltrate data. Which tool is commonly abused for this purpose?

55. Which TWO actions are part of the containment phase of incident response?

56. Which THREE steps are essential during the identification phase of incident response?

57. Which TWO of the following are considered key components of a disaster recovery plan?

58. Based on the exhibit, what is the most likely cause of the web application outage?

59. Your organization has a mixed environment of Windows and Linux servers. You receive an alert from the EDR that a Linux server is beaconing to a suspicious IP. The server runs a critical application that cannot be taken offline. The security team needs to investigate while maintaining availability. You have access to a jump box with network monitoring tools. Which course of action is most appropriate?

60. A small business experienced a ransomware attack that encrypted all files on the file server. They have no backups. The attacker demands a ransom. The CEO asks for advice. Which recommendation should the incident responder give?

61. An organization has detected a ransomware infection on a critical file server. The incident response team has been activated. Which TWO actions should be performed FIRST during the initial response phase?

62. A medium-sized company recently experienced a phishing attack where an employee downloaded a malicious attachment, leading to a data breach. The incident response team has identified the affected user and the malware. However, the team is unsure whether the attacker has established persistence. The security analyst must recommend the next step. The company has a standard incident response plan that includes detection, containment, eradication, recovery, and lessons learned. The malware sample has been isolated for analysis. The user's account has been disabled temporarily. The network team has quarantined the user's workstation. The analyst needs to ensure the attacker cannot regain access after the initial cleanup. What should the analyst recommend next?

63. A company uses AWS for critical workloads. An analyst notices unauthorized API calls from an IP address outside the company. The logs show that the attacker used stolen access keys belonging to an IAM user with administrative privileges. The incident response team must contain the breach as quickly as possible. The analyst has access to the AWS Management Console and can use the CLI. The team is following the incident response plan. Which action should be taken FIRST to prevent further unauthorized actions?

64. An organization has suffered a sophisticated attack where the attacker compromised a domain controller and used it to move laterally to several file servers. The incident response team has isolated the domain controller and some file servers, but they suspect that the attacker may have created hidden accounts and modified permissions to maintain access. The team needs to ensure that the attacker's access is entirely removed before restoring operations. The organization has a large number of users and a complex Active Directory structure. The incident response plan outlines containment, eradication, recovery, and post-incident analysis. The team has forensic imaging of the domain controller and file servers. What is the MOST comprehensive approach to eradicate the attacker's presence?

65. A security analyst notices unusual outbound traffic from a server. Which TWO actions should be taken immediately as part of the incident response process?

66. Refer to the exhibit. A security incident responder sees this alert in the SIEM. What should the responder do first?

67. A medium-sized e-commerce company uses a SIEM with correlation rules. During peak sales hours, the SIEM generates an alert: multiple failed login attempts from internal IP 172.16.10.50 followed by a successful login to a critical database server. The account used is 'dbadmin', which normally only authenticates from the IT department subnet. The user 'dbadmin' reports that they had to try several passwords because they forgot theirs earlier. The incident responder is under pressure to quickly restore normal operations. Which course of action should the responder take?


Frequently asked questions

What does the Incident Response and Recovery domain cover on the SSCP exam?

The Incident Response and Recovery domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.

How many Incident Response and Recovery questions are in the SSCP question bank?

The Courseiva SSCP question bank contains 67 questions in the Incident Response and Recovery domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Incident Response and Recovery for SSCP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Incident Response and Recovery questions for SSCP?

Yes — the session launcher on this page draws questions exclusively from the Incident Response and Recovery domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
