Practice SSCP Incident Response and Recovery questions with full explanations on every answer.
1. During which phase of the NIST SP 800-61 incident response lifecycle are incident response plan updates and lessons learned typically documented?
2. An organization's security team detects a potential data breach. After confirming the incident, they classify it as P2 (high severity) and begin containment. Which action should be performed FIRST to preserve evidence for forensic analysis?
3. A security analyst receives a chain of custody form for a hard drive that was seized from a suspected insider threat. The form shows that the drive was handled by three individuals over two days. Which of the following is the PRIMARY reason for maintaining a chain of custody?
4. During incident response, a team needs to isolate an infected workstation that is part of a critical manufacturing network. Which containment method is MOST appropriate to minimize disruption while preventing the spread of malware?
5. After a ransomware incident, an organization decides to restore data from backups. The RPO (Recovery Point Objective) is 4 hours. What does this RPO indicate?
6. Which DR testing type involves running recovery systems in parallel with production systems to verify functionality without impacting live operations?
7. During the eradication phase of a malware incident, a security analyst removes malicious files and cleans registry persistence. What is the MOST critical additional step to prevent reinfection through the same vector?
8. A security team is collecting evidence from a compromised server. They need to create a forensic image. Which of the following is the CORRECT procedure to ensure data integrity?
9. What is the PRIMARY purpose of a lessons learned meeting after an incident?
10. An analyst detects suspicious outbound traffic from a workstation to a known command-and-control IP. Which IoC blocking method is MOST appropriate as an immediate containment measure?
11. During a forensic investigation, an examiner needs to preserve volatile evidence. Which of the following lists the correct order of collection for volatile data?
12. A company is developing a DR plan for a critical database. The maximum acceptable downtime is 2 hours, and the maximum data loss is 1 hour. What are the RTO and RPO?
13. A security analyst is investigating a phishing incident that led to credential theft. Which TWO actions are appropriate during the containment phase? (Select TWO)
14. During a ransomware incident, the incident response team needs to recover encrypted servers. Which THREE steps are essential for successful recovery? (Select THREE)
15. Which TWO metrics are commonly tracked to measure the effectiveness of the incident response process? (Select TWO)
16. During which phase of the NIST SP 800-61 incident response lifecycle are lessons learned meetings conducted and metrics such as MTTD and MTTR tracked?
17. Which of the following is the FIRST step in the volatile evidence collection order when responding to an incident on a live system?
18. A security analyst receives an alert from the EDR system indicating that a workstation has been communicating with a known malicious IP address. The analyst confirms the alert and notes that the user is still logged in. Which immediate containment action should the analyst take FIRST?
19. During the eradication phase of incident response, which of the following actions is MOST critical to ensure the threat is completely removed from a compromised system?
20. An organization's disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. Which of the following DR site configurations BEST meets these requirements?
21. Which of the following is the PRIMARY purpose of establishing a chain of custody when handling digital evidence?
22. An incident responder is tasked with collecting forensic evidence from a compromised Linux server. Which command would the responder use to capture the contents of volatile memory (RAM) for analysis?
23. After containing a ransomware incident, the incident response team identifies that the attacker gained initial access through a phishing email that installed a backdoor. Which of the following eradication steps is MOST critical to prevent re-infection?
24. During the detection and analysis phase, an analyst classifies an incident as P1 (critical) because it involves a breach of sensitive customer data. What is the IMMEDIATE next step the analyst should take?
25. Which type of disaster recovery test involves running the DR systems alongside the production systems to validate functionality without impacting live operations?
26. An incident responder needs to create a forensic image of a suspect hard drive. Which of the following steps is ESSENTIAL to ensure the integrity of the evidence?
27. During a malware containment operation, the incident response team decides to isolate an infected endpoint using network access controls. However, the malware is spreading via removable media. Which additional containment measure should the team implement?
28. An organization has suffered a ransomware attack that encrypted files on several file servers. The incident response team is planning recovery. Which TWO actions should be performed to verify that the restored systems are clean before returning them to production? (Select TWO)
29. A forensic investigator is collecting evidence from a compromised Windows server. According to the order of volatility, which THREE pieces of evidence should be collected FIRST? (Select THREE)
30. During the preparation phase of incident response, which TWO components are essential for an effective incident response plan? (Select TWO)
31. An organization is developing its incident response plan. According to NIST SP 800-61, which phase should include establishing a communication plan, acquiring necessary tools, and conducting exercises?
32. A security analyst detects a workstation communicating with a known command-and-control server. The workstation is running critical applications. What should be the analyst's first step according to the NIST incident response lifecycle?
33. During a forensic investigation, a responder must collect evidence from a live Windows system. Which of the following represents the correct order for collecting volatile data?
34. An organization has experienced a ransomware attack. After containing the incident, the response team plans to restore systems from backups. Which step is most critical before restoring production systems?
35. Which of the following is the primary purpose of a chain of custody form in digital forensics?
36. An incident responder needs to create a forensic image of a suspect hard drive. What is the correct procedure to ensure evidence integrity?
37. A security team detects lateral movement within the network. Which containment strategy should be applied first to limit the spread of the threat?
38. During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) was 14 days. Which improvement would most directly reduce MTTD?
39. Which type of disaster recovery test involves running the DR systems alongside production systems to verify functionality without impacting operations?
40. An organization's disaster recovery plan specifies an RPO of 4 hours and an RTO of 24 hours for a critical database. Which of the following best describes these metrics?
41. An incident responder is handling a malware outbreak. The malware has been identified as a fileless threat that persists via registry run keys. Which eradication step is most appropriate?
42. During the detection and analysis phase, an analyst receives a user report of unusual system behavior. The analyst reviews logs and finds several failed login attempts followed by a successful login from an unusual IP address. What is the next step?
43. An incident responder is collecting volatile evidence from a compromised Linux server. Which TWO of the following should be collected first? (Select two.)
44. A company is selecting a disaster recovery site for its critical applications. Which THREE characteristics differentiate a warm site from a cold site? (Select three.)
45. After a security incident, the response team holds a lessons learned meeting. Which TWO are primary objectives of this meeting? (Select two.)
46. During the preparation phase of the incident response lifecycle, which of the following is the MOST important component to establish?
47. An analyst detects suspicious outbound traffic from a server to a known command-and-control IP address. According to NIST SP 800-61, which phase of the incident response lifecycle does this activity fall under?
48. A security analyst receives a user report about a workstation exhibiting unusual behavior, such as unexpected pop-ups and slow performance. The analyst first checks the antivirus logs and finds no alerts. What is the NEXT step in the detection and analysis phase?
49. During a malware outbreak, a security analyst needs to contain the spread. The affected systems are on the same VLAN as critical servers. Which of the following containment actions should be performed FIRST to minimize impact?
50. An incident responder is collecting evidence from a compromised server. Which of the following is the correct order for collecting volatile data?
51. What is the primary purpose of establishing a chain of custody for digital evidence?
52. During a forensic investigation, an examiner creates a bit-for-bit copy of a hard drive using a write blocker. What is the purpose of using a write blocker?
53. An organization is restoring a critical database from a backup after a ransomware attack. Which of the following steps should be performed BEFORE restoring the data to ensure the restoration is successful and secure?
54. Which metric is used to measure the average time it takes to detect an incident?
55. After a security incident, the incident response team holds a lessons learned meeting. What is the PRIMARY outcome of this meeting?
56. A company's disaster recovery plan specifies an RTO of 4 hours for its customer relationship management (CRM) system. Which of the following DR site types is MOST appropriate to meet this RTO?
57. During a full interruption test of the disaster recovery plan, which of the following is the PRIMARY risk?
58. A security analyst is responding to a malware incident on a Windows server. Which TWO actions should be taken to properly collect volatile evidence?
59. During a post-incident review, the incident response team identifies several areas for improvement. According to NIST SP 800-61, which THREE activities are typically part of the post-incident activity phase?
60. A company is conducting a disaster recovery test. Which TWO types of tests involve minimal risk to production operations?
61. During the containment phase of incident response, a security analyst identifies malware on a critical server. Which TWO actions should be taken FIRST to contain the threat and preserve evidence? (Choose two.)
62. After a ransomware incident, the incident response team is conducting recovery. Which THREE steps are essential to ensure a secure restoration and prevent reinfection? (Choose three.)
63. An organization uses a hot disaster recovery (DR) site and has a Recovery Time Objective (RTO) of 4 hours. During a DR test, the team discovers that data replication from the primary site fails. Which TWO actions should the team take to meet the RTO while ensuring data integrity? (Choose two.)
64. During a post-incident review of a data breach, the incident response team is evaluating the chain of custody for forensic evidence. Which THREE practices demonstrate proper evidence handling? (Choose three.)
The Incident Response and Recovery domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.
The Courseiva SSCP question bank contains 64 questions in the Incident Response and Recovery domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Incident Response and Recovery domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.