Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SSCP Incident Response and Recovery • Complete Question Bank

SSCP Incident Response and Recovery — All Questions With Answers

Complete SSCP Incident Response and Recovery question bank — all 0 questions with answers and detailed explanations.

67 questions · Free · No signup
Question 1 (medium, multiple choice)

A security analyst detects unusual outbound traffic from a server that normally communicates only with internal systems. The firewall logs show connections to an external IP address on port 443/tcp. Which incident response step should the analyst perform FIRST?

Question 2 (hard, multiple choice)

During a security incident, the IR team collects memory dumps from an infected workstation. The analysis reveals a process injecting code into 'svchost.exe'. Which technique is most likely being used?

Question 3 (easy, multiple choice)

A company's incident response plan includes a step to preserve evidence. Which action BEST ensures the integrity of forensic evidence?

Question 4 (medium, multiple choice)

After a ransomware attack, the recovery team must restore encrypted files from backups. The backups are stored on a separate network segment and were last verified three days ago. What should the team do FIRST?

Question 5 (hard, multiple choice)

During a security incident, the IR team discovers that an attacker used a valid user account to access sensitive data. The account had multifactor authentication (MFA) enabled. Which attack technique most likely bypassed the MFA?

Question 6 (easy, multiple choice)

A security analyst is reviewing logs and finds multiple failed login attempts from an external IP address followed by a successful login. Which type of attack is most likely occurring?

Question 7 (medium, multiple choice)

An organization's incident response plan is tested annually. After a real incident, the team finds that the plan did not address cloud-based assets. What is the BEST action?

Question 8 (medium, multi select)

Which TWO actions are appropriate during the containment phase of incident response?

Question 9 (hard, multi select)

Which THREE types of evidence are MOST important to collect from a compromised Linux server during forensic acquisition?

Question 10 (easy, multi select)

Which TWO components are essential for an effective disaster recovery plan (DRP)?

Question 11 (hard, multiple choice)

A security analyst reviews the firewall log exhibit. Which type of activity is indicated?

Exhibit

Refer to the exhibit.

Exhibit: Firewall log snippet
```
2024-03-15 10:23:45 ALLOW TCP 192.168.1.100:34567 -> 10.0.0.50:3389
2024-03-15 10:23:46 ALLOW TCP 192.168.1.100:34568 -> 10.0.0.50:3389
2024-03-15 10:23:47 ALLOW TCP 192.168.1.100:34569 -> 10.0.0.50:3389
2024-03-15 10:23:48 ALLOW TCP 192.168.1.100:34570 -> 10.0.0.50:3389
2024-03-15 10:23:49 ALLOW TCP 192.168.1.100:34571 -> 10.0.0.50:3389
```

Question 12 (medium, multiple choice)

A security analyst sees the event log exhibit. What does this indicate?

Exhibit

Refer to the exhibit.

Exhibit: Windows Event Log
```
Event ID 4625: An account failed to log on.
Subject: Security ID: S-1-5-18, Account Name: SYSTEM
Logon Type: 3
Account For Which Logon Failed: Security ID: NULL SID, Account Name: Administrator
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Workstation Name: WORKSTATION1
Source Network Address: 10.0.0.200
```

Question 13 (hard, multiple choice)

You are the incident response lead for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers (Active Directory, file shares, and a SQL database) and cloud services (Office 365, Azure VMs). At 2:00 PM on a Tuesday, the helpdesk receives multiple calls that users cannot access the file shares. Simultaneously, the SOC alerts on unusual outbound traffic from the domain controller (DC) to an external IP on port 443. The DC is also running a scheduled antivirus scan. The file server (FS) shows no signs of compromise but is responding slowly. The backup system reports that last night's backup of the DC failed due to a 'volume shadow copy error'. The backup of the FS succeeded. You need to take immediate action. What should you do FIRST?

Question 14 (medium, drag order)

Drag and drop the steps for performing a risk assessment according to NIST SP 800-30 into the correct order.

Question 15 (medium, matching)

Match each incident response phase to its activity.

Descriptions to match:

- Train staff and establish policies
- Identify potential incidents
- Isolate affected systems
- Restore normal operations

Question 16 (medium, multiple choice)

An alert shows a successful login from an unusual geographic location. Which of the following is the BEST initial response?

Question 17 (easy, multiple choice)

Which backup strategy is MOST suitable for a server with an RTO of 4 hours and an RPO of 15 minutes?

Question 18 (hard, multiple choice)

During an incident response, a forensic analyst captures a memory dump from a compromised server. Which of the following is the MOST important step to ensure the integrity of the evidence?

Question 19 (medium, multiple choice)

A company detects ransomware on a file server. The ransomware is currently encrypting files. Which containment strategy should be implemented FIRST?

Question 20 (easy, multiple choice)

A company is developing an incident response plan. Which of the following stakeholders should be included in the initial planning phase?

Question 21 (hard, multiple choice)

To determine how malware initially infected a workstation, which artifact would be MOST useful?

Question 22 (medium, multiple choice)

A company's disaster recovery plan includes offsite tape backups. During a test, it is discovered that the tapes are stored at a location that shares the same power grid as the primary site. Which risk does this pose?

Question 23 (easy, multiple choice)

A user reports that their computer is displaying a fake antivirus warning that demands payment. This is an example of which type of attack?

Question 24 (medium, multiple choice)

After an incident, the team identifies that the incident was caused by a missing security patch. Which of the following is the MOST effective way to prevent recurrence?

Question 25 (medium, multi select)

Which TWO of the following are key components of an incident response plan (IRP) according to NIST SP 800-61?

Question 26 (hard, multi select)

Which TWO of the following are appropriate actions when preserving digital evidence at a crime/incident scene?

Question 27 (easy, multi select)

Which THREE of the following are standard phases of the incident response lifecycle?

Question 28 (medium, multiple choice)

Based on the exhibit, which security threat is likely being attempted?

Exhibit

Refer to the exhibit.

```
May 15 10:23:45 server1 sshd[12345]: Failed password for root from 192.168.1.100 port 22 ssh2
May 15 10:23:46 server1 sshd[12345]: Failed password for root from 192.168.1.100 port 22 ssh2
May 15 10:23:47 server1 sshd[12345]: Failed password for root from 192.168.1.100 port 22 ssh2
... (multiple entries within seconds)
```

Question 29 (hard, multiple choice)

What is the analyst's BEST next step?

Exhibit

Refer to the exhibit.

```
Event ID: 4688
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell -EncodedCommand SQBmACgAJABlAG4AdgA6AHUAcwBlAHIAcwBRAHUAYQBsAGkAZgB5ACAALQBjACAAMQApAHsA... (truncated)
```

Question 30 (easy, multiple choice)

If the web server is compromised, which of the following is a likely immediate risk?

Exhibit

Refer to the exhibit.

Network diagram description:
- Web server (192.168.1.10) connected to internal network.
- Database server (192.168.1.20) connected to internal network.
- Firewall allows HTTP (port 80) from external to Web server only.
- No internal firewall between Web and database servers.

Question 31 (easy, multiple choice)

An organization experiences a ransomware attack that encrypts critical data. The incident response team isolates affected systems. What is the NEXT step?

Question 32 (medium, multiple choice)

A security analyst detects unusual outbound traffic from a server to a known malicious IP. The server is running a critical business application. What should the analyst do FIRST?

Question 33 (hard, multiple choice)

During incident analysis, a forensic examiner finds that the system logs were cleared using a command that writes null bytes. Which artifact is most likely preserved?

Question 34 (easy, multiple choice)

A company's backup strategy includes weekly full backups and daily differential backups. A ransomware attack occurred on Wednesday, corrupting data. The last full backup was Sunday. Which backup set should be restored first?

Question 35 (medium, multiple choice)

During incident response, a team member uses a tool to capture memory from a compromised Windows system. Which of the following best describes the order of volatility?

Question 36 (hard, multiple choice)

A security analyst reviews a firewall log showing an internal IP attempting outbound connections to multiple external IPs on port 443. The analyst suspects command and control. Which additional data source would be MOST useful for confirmation?

Question 37 (easy, multiple choice)

After containing a malware outbreak, the incident response team needs to ensure the malware is completely removed from all systems. Which phase of the incident response process is this?

Question 38 (medium, multiple choice)

In a forensic investigation, a hash of a suspect file is computed. Which of the following is the primary purpose of hashing in this context?

Question 39 (hard, multiple choice)

A company's incident response plan includes a requirement to notify law enforcement within 24 hours of certain security incidents. Which regulation most likely mandates this requirement?

Question 40 (easy, multi select)

Which TWO roles are typically part of an incident response team?

Question 41 (medium, multi select)

Which THREE activities are part of the post-incident phase?

Question 42 (hard, multi select)

During forensic analysis, which THREE pieces of evidence should be preserved in original form?

Question 43 (medium, multiple choice)

Refer to the exhibit. The security analyst sees this event from a user workstation. What is the most likely conclusion?

Exhibit

```
Event Log: Event ID 4688 - Process Creation
Command Line: cmd.exe /c net localgroup administrators user1 /add
```

Question 44 (easy, multiple choice)

Refer to the exhibit. A network administrator implements this ACL on a border router. What is the effect?

Exhibit

```
access-list 101 permit tcp any host 192.168.1.100 eq 22
access-list 101 deny tcp any any eq 22
```

Question 45 (hard, multiple choice)

Refer to the exhibit. An organization's incident response policy defines these actions. In what sequence should these phases be applied?

Exhibit

```
{"policy": {"name": "IncidentResponse", "containment": "isolate", "eradication": "reimage", "recovery": "backup"}}
```

Question 46 (easy, multiple choice)

An organization suspects a security incident. Which initial step should the incident response team take?

Question 47 (medium, multiple choice)

A company uses a SIEM to detect anomalies. An alert indicates a user logged in from two geographically distant locations within 5 minutes. What is the most likely indication?

Question 48 (hard, multiple choice)

After a ransomware attack, the recovery team restored systems from backups. However, some files remain encrypted. What is the most probable cause?

Question 49 (easy, multiple choice)

During an incident, the IR team needs to collect volatile data. Which order should they follow?

Question 50 (easy, multiple choice)

A security analyst receives an alert indicating a large number of failed login attempts from a single IP. The analyst blocks the IP. What should be done next?

Question 51 (hard, multiple choice)

A company's IDS generated an alert for a suspicious outbound connection to a known C2 server. The incident team discovers the host has been communicating for 2 weeks. Which containment strategy is most appropriate?

Question 52 (easy, multiple choice)

After an incident, what is the primary purpose of a lessons learned meeting?

Question 53 (medium, multiple choice)

A company uses a SOAR platform for incident response. Which factor is most critical for effective automation?

Question 54 (hard, multiple choice)

During a forensic investigation, you find that the attacker used a legitimate Windows tool to exfiltrate data. Which tool is commonly abused for this purpose?

Question 55 (medium, multi select)

Which TWO actions are part of the containment phase of incident response?

Question 56 (hard, multi select)

Which THREE steps are essential during the identification phase of incident response?

Question 57 (easy, multi select)

Which TWO of the following are considered key components of a disaster recovery plan?

Question 58 (medium, multiple choice)

Based on the exhibit, what is the most likely cause of the web application outage?

Exhibit

Refer to the exhibit.
```
[2024-01-15 14:32:05] [ERROR] [host=web01] Failed to connect to SQL server at 10.0.1.50:1433: Connection refused
[2024-01-15 14:32:10] [WARNING] [host=web01] Application pool "AppPool1" has been recycled due to memory limit
[2024-01-15 14:32:15] [ERROR] [host=db01] Disk I/O write latency exceeded threshold: 2000ms
```

Question 59 (hard, multiple choice)

Your organization has a mixed environment of Windows and Linux servers. You receive an alert from the EDR that a Linux server is beaconing to a suspicious IP. The server runs a critical application that cannot be taken offline. The security team needs to investigate while maintaining availability. You have access to a jump box with network monitoring tools. Which course of action is most appropriate?

Question 60 (medium, multiple choice)

A small business experienced a ransomware attack that encrypted all files on the file server. They have no backups. The attacker demands a ransom. The CEO asks for advice. Which recommendation should the incident responder give?

Question 61 (medium, multi select)

An organization has detected a ransomware infection on a critical file server. The incident response team has been activated. Which TWO actions should be performed FIRST during the initial response phase?

Question 62 (easy, multiple choice)

A medium-sized company recently experienced a phishing attack where an employee downloaded a malicious attachment, leading to a data breach. The incident response team has identified the affected user and the malware. However, the team is unsure whether the attacker has established persistence. The security analyst must recommend the next step. The company has a standard incident response plan that includes detection, containment, eradication, recovery, and lessons learned. The malware sample has been isolated for analysis. The user's account has been disabled temporarily. The network team has quarantined the user's workstation. The analyst needs to ensure the attacker cannot regain access after the initial cleanup. What should the analyst recommend next?

Question 63 (medium, multiple choice)

A company uses AWS for critical workloads. An analyst notices unauthorized API calls from an IP address outside the company. The logs show that the attacker used stolen access keys belonging to an IAM user with administrative privileges. The incident response team must contain the breach as quickly as possible. The analyst has access to the AWS Management Console and can use the CLI. The team is following the incident response plan. Which action should be taken FIRST to prevent further unauthorized actions?

Question 64 (hard, multiple choice)

An organization has suffered a sophisticated attack where the attacker compromised a domain controller and used it to move laterally to several file servers. The incident response team has isolated the domain controller and some file servers, but they suspect that the attacker may have created hidden accounts and modified permissions to maintain access. The team needs to ensure that the attacker's access is entirely removed before restoring operations. The organization has a large number of users and complex Active Directory structure. The incident response plan outlines containment, eradication, recovery, and post-incident analysis. The team has forensic imaging of the domain controller and file servers. What is the MOST comprehensive approach to eradicate the attacker's presence?

Question 65 (easy, multi select)

A security analyst notices unusual outbound traffic from a server. Which TWO actions should be taken immediately as part of the incident response process?

Question 66 (medium, multiple choice)

Refer to the exhibit. A security incident responder sees this alert in the SIEM. What should the responder do first?

Exhibit

```
ALERT: Port scan detected from IP 10.0.0.5 to multiple ports on internal host 192.168.1.10. Signature ID: 201. Action: Log only.
```

Question 67 (hard, multiple choice)

A medium-sized e-commerce company uses a SIEM with correlation rules. During peak sales hours, the SIEM generates an alert: multiple failed login attempts from internal IP 172.16.10.50 followed by a successful login to a critical database server. The account used is 'dbadmin', which normally only authenticates from the IT department subnet. The user 'dbadmin' reports that they had to try several passwords because they forgot theirs earlier. The incident responder is under pressure to quickly restore normal operations. Which course of action should the responder take?
