Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SSCP Incident Response and Recovery • Complete Question Bank

SSCP Incident Response and Recovery — All Questions With Answers

Complete SSCP Incident Response and Recovery question bank — all 0 questions with answers and detailed explanations.

64 questions · Free · No signup
Question 1 (easy, multiple choice)

During which phase of the NIST SP 800-61 incident response lifecycle are incident response plan updates and lessons learned typically documented?

Question 2 (medium, multiple choice)

An organization's security team detects a potential data breach. After confirming the incident, they classify it as P2 (high severity) and begin containment. Which action should be performed FIRST to preserve evidence for forensic analysis?

Question 3 (hard, multiple choice)

A security analyst receives a chain of custody form for a hard drive that was seized from a suspected insider threat. The form shows that the drive was handled by three individuals over two days. Which of the following is the PRIMARY reason for maintaining a chain of custody?

Question 4 (medium, multiple choice)

During incident response, a team needs to isolate an infected workstation that is part of a critical manufacturing network. Which containment method is MOST appropriate to minimize disruption while preventing the spread of malware?

Question 5 (medium, multiple choice)

After a ransomware incident, an organization decides to restore data from backups. The RPO (Recovery Point Objective) is 4 hours. What does this RPO indicate?

Question 6 (easy, multiple choice)

Which DR testing type involves running recovery systems in parallel with production systems to verify functionality without impacting live operations?

Question 7 (hard, multiple choice)

During the eradication phase of a malware incident, a security analyst removes malicious files and cleans registry persistence. What is the MOST critical additional step to prevent reinfection through the same vector?

Question 8 (medium, multiple choice)

A security team is collecting evidence from a compromised server. They need to create a forensic image. Which of the following is the CORRECT procedure to ensure data integrity?

Question 9 (easy, multiple choice)

What is the PRIMARY purpose of a lessons learned meeting after an incident?

Question 10 (medium, multiple choice)

An analyst detects suspicious outbound traffic from a workstation to a known command-and-control IP. Which IoC blocking method is MOST appropriate as an immediate containment measure?

Question 11 (hard, multiple choice)

During a forensic investigation, an examiner needs to preserve volatile evidence. Which of the following lists the correct order of collection for volatile data?

Question 12 (medium, multiple choice)

A company is developing a DR plan for a critical database. The maximum acceptable downtime is 2 hours, and the maximum data loss is 1 hour. What are the RTO and RPO?

Question 13 (medium, multi-select)

A security analyst is investigating a phishing incident that led to credential theft. Which TWO actions are appropriate during the containment phase? (Select TWO)

Question 14 (hard, multi-select)

During a ransomware incident, the incident response team needs to recover encrypted servers. Which THREE steps are essential for successful recovery? (Select THREE)

Question 15 (easy, multi-select)

Which TWO metrics are commonly tracked to measure the effectiveness of the incident response process? (Select TWO)

Question 16 (easy, multiple choice)

During which phase of the NIST SP 800-61 incident response lifecycle are lessons learned meetings conducted and metrics such as MTTD and MTTR tracked?

Question 17 (easy, multiple choice)

Which of the following is the FIRST step in the volatile evidence collection order when responding to an incident on a live system?

Question 18 (medium, multiple choice)

A security analyst receives an alert from the EDR system indicating that a workstation has been communicating with a known malicious IP address. The analyst confirms the alert and notes that the user is still logged in. Which immediate containment action should the analyst take FIRST?

Question 19 (medium, multiple choice)

During the eradication phase of incident response, which of the following actions is MOST critical to ensure the threat is completely removed from a compromised system?

Question 20 (medium, multiple choice)

An organization's disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. Which of the following DR site configurations BEST meets these requirements?

Question 21 (medium, multiple choice)

Which of the following is the PRIMARY purpose of establishing a chain of custody when handling digital evidence?

Question 22 (hard, multiple choice)

An incident responder is tasked with collecting forensic evidence from a compromised Linux server. Which command would the responder use to capture the contents of volatile memory (RAM) for analysis?

Question 23 (hard, multiple choice)

After containing a ransomware incident, the incident response team identifies that the attacker gained initial access through a phishing email that installed a backdoor. Which of the following eradication steps is MOST critical to prevent re-infection?

Question 24 (easy, multiple choice)

During the detection and analysis phase, an analyst classifies an incident as P1 (critical) because it involves a breach of sensitive customer data. What is the IMMEDIATE next step the analyst should take?

Question 25 (medium, multiple choice)

Which type of disaster recovery test involves running the DR systems alongside the production systems to validate functionality without impacting live operations?

Question 26 (medium, multiple choice)

An incident responder needs to create a forensic image of a suspect hard drive. Which of the following steps is ESSENTIAL to ensure the integrity of the evidence?

Question 27 (hard, multiple choice)

During a malware containment operation, the incident response team decides to isolate an infected endpoint using network access controls. However, the malware is spreading via removable media. Which additional containment measure should the team implement?

Question 28 (medium, multi-select)

An organization has suffered a ransomware attack that encrypted files on several file servers. The incident response team is planning recovery. Which TWO actions should be performed to verify that the restored systems are clean before returning them to production? (Select TWO)

Question 29 (hard, multi-select)

A forensic investigator is collecting evidence from a compromised Windows server. According to the order of volatility, which THREE pieces of evidence should be collected FIRST? (Select THREE)

Question 30 (medium, multi-select)

During the preparation phase of incident response, which TWO components are essential for an effective incident response plan? (Select TWO)

Question 31 (easy, multiple choice)

An organization is developing its incident response plan. According to NIST SP 800-61, which phase should include establishing a communication plan, acquiring necessary tools, and conducting exercises?

Question 32 (medium, multiple choice)

A security analyst detects a workstation communicating with a known command-and-control server. The workstation is running critical applications. What should be the analyst's first step according to the NIST incident response lifecycle?

Question 33 (hard, multiple choice)

During a forensic investigation, a responder must collect evidence from a live Windows system. Which of the following represents the correct order for collecting volatile data?

Question 34 (medium, multiple choice)

An organization has experienced a ransomware attack. After containing the incident, the response team plans to restore systems from backups. Which step is most critical before restoring production systems?

Question 35 (easy, multiple choice)

Which of the following is the primary purpose of a chain of custody form in digital forensics?

Question 36 (medium, multiple choice)

An incident responder needs to create a forensic image of a suspect hard drive. What is the correct procedure to ensure evidence integrity?

Question 37 (medium, multiple choice)

A security team detects lateral movement within the network. Which containment strategy should be applied first to limit the spread of the threat?

Question 38 (hard, multiple choice)

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) was 14 days. Which improvement would most directly reduce MTTD?

Question 39 (easy, multiple choice)

Which type of disaster recovery test involves running the DR systems alongside production systems to verify functionality without impacting operations?

Question 40 (medium, multiple choice)

An organization's disaster recovery plan specifies an RPO of 4 hours and an RTO of 24 hours for a critical database. Which of the following best describes these metrics?

Question 41 (hard, multiple choice)

An incident responder is handling a malware outbreak. The malware has been identified as a fileless threat that persists via registry run keys. Which eradication step is most appropriate?

Question 42 (medium, multiple choice)

During the detection and analysis phase, an analyst receives a user report of unusual system behavior. The analyst reviews logs and finds several failed login attempts followed by a successful login from an unusual IP address. What is the next step?

Question 43 (medium, multi-select)

An incident responder is collecting volatile evidence from a compromised Linux server. Which TWO of the following should be collected first? (Select two.)

Question 44 (hard, multi-select)

A company is selecting a disaster recovery site for its critical applications. Which THREE characteristics differentiate a warm site from a cold site? (Select three.)

Question 45 (medium, multi-select)

After a security incident, the response team holds a lessons learned meeting. Which TWO are primary objectives of this meeting? (Select two.)

Question 46 (easy, multiple choice)

During the preparation phase of the incident response lifecycle, which of the following is the MOST important component to establish?

Question 47 (medium, multiple choice)

An analyst detects suspicious outbound traffic from a server to a known command-and-control IP address. According to NIST SP 800-61, which phase of the incident response lifecycle does this activity fall under?

Question 48 (medium, multiple choice)

A security analyst receives a user report about a workstation exhibiting unusual behavior, such as unexpected pop-ups and slow performance. The analyst first checks the antivirus logs and finds no alerts. What is the NEXT step in the detection and analysis phase?

Question 49 (hard, multiple choice)

During a malware outbreak, a security analyst needs to contain the spread. The affected systems are on the same VLAN as critical servers. Which of the following containment actions should be performed FIRST to minimize impact?

Question 50 (medium, multiple choice)

An incident responder is collecting evidence from a compromised server. Which of the following is the correct order for collecting volatile data?

Question 51 (easy, multiple choice)

What is the primary purpose of establishing a chain of custody for digital evidence?

Question 52 (medium, multiple choice)

During a forensic investigation, an examiner creates a bit-for-bit copy of a hard drive using a write blocker. What is the purpose of using a write blocker?

Question 53 (hard, multiple choice)

An organization is restoring a critical database from a backup after a ransomware attack. Which of the following steps should be performed BEFORE restoring the data to ensure the restoration is successful and secure?

Question 54 (easy, multiple choice)

Which metric is used to measure the average time it takes to detect an incident?

Question 55 (medium, multiple choice)

After a security incident, the incident response team holds a lessons learned meeting. What is the PRIMARY outcome of this meeting?

Question 56 (hard, multiple choice)

A company's disaster recovery plan specifies an RTO of 4 hours for its customer relationship management (CRM) system. Which of the following DR site types is MOST appropriate to meet this RTO?

Question 57 (medium, multiple choice)

During a full interruption test of the disaster recovery plan, which of the following is the PRIMARY risk?

Question 58 (medium, multi-select)

A security analyst is responding to a malware incident on a Windows server. Which TWO actions should be taken to properly collect volatile evidence?

Question 59 (hard, multi-select)

During a post-incident review, the incident response team identifies several areas for improvement. According to NIST SP 800-61, which THREE activities are typically part of the post-incident activity phase?

Question 60 (medium, multi-select)

A company is conducting a disaster recovery test. Which TWO types of tests involve minimal risk to production operations?

Question 61 (easy, multi-select)

During the containment phase of incident response, a security analyst identifies malware on a critical server. Which TWO actions should be taken FIRST to contain the threat and preserve evidence? (Choose two.)

Question 62 (medium, multi-select)

After a ransomware incident, the incident response team is conducting recovery. Which THREE steps are essential to ensure a secure restoration and prevent reinfection? (Choose three.)

Question 63 (medium, multi-select)

An organization uses a hot disaster recovery (DR) site and has a Recovery Time Objective (RTO) of 4 hours. During a DR test, the team discovers that data replication from the primary site fails. Which TWO actions should the team take to meet the RTO while ensuring data integrity? (Choose two.)

Question 64 (hard, multi-select)

During a post-incident review of a data breach, the incident response team is evaluating the chain of custody for forensic evidence. Which THREE practices demonstrate proper evidence handling? (Choose three.)
