CS0-003 domain

Incident Response and Management

Use this page to practise CS0-003 Incident Response and Management questions. The goal is not to memorise dumps, but to understand each concept, review the explanation and improve your exam readiness.

60 questions

Focused practice

Start an Incident Response and Management session

All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.

What the exam tests

What to know about Incident Response and Management

Incident Response and Management questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Question index

All Incident Response and Management questions (60)

Click any question to see the full explanation, or start a practice session above.

1

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

2

A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)

3

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

4

What should be included in incident scoping for ransomware? (Choose three.)

5

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

6

A tabletop exercise reveals that no one knows who can approve public statements. What should be updated? (Choose two.)

7

A responder is acquiring evidence from a potentially compromised server. Which actions support forensic integrity? (Choose two.)

8

An attacker used a stolen cloud token. Which evidence helps determine blast radius? (Choose two.)

9

Which actions are appropriate before restoring systems after malware eradication? (Choose two.)

10

A root-cause analysis finds that an alert fired but was never triaged. Which corrective actions are useful? (Choose two.)

11

A user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible?

12

File shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible?

13

A developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible?

14

A web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible?

15

A laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible?

16

A server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible?

17

After containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible?

18

An incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible?

19

A malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible?

20

A company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible?

21

In a regulated payment environment, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

22

During containment of a compromised cloud access key, which actions are appropriate? (Choose two.)

23

In a regulated payment environment, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

24

In a regulated payment environment, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

25

In a regulated payment environment, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

26

In a regulated payment environment, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

27

In a regulated payment environment, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

28

In a regulated payment environment, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

29

In a regulated payment environment, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

30

In a regulated payment environment, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

31

While supporting a hybrid workforce, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which evidence should guide the decision?

32

In a regulated payment environment, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

33

While supporting a hybrid workforce, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which evidence should guide the decision?

34

While supporting a hybrid workforce, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which evidence should guide the decision?

35

While supporting a hybrid workforce, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which evidence should guide the decision?

36

While supporting a hybrid workforce, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which evidence should guide the decision?

37

While supporting a hybrid workforce, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which evidence should guide the decision?

38

While supporting a hybrid workforce, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which evidence should guide the decision?

39

While supporting a hybrid workforce, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which evidence should guide the decision?

40

While supporting a hybrid workforce, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which evidence should guide the decision?

41

After a high-priority SOC escalation, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which response best matches incident-response practice?

42

While supporting a hybrid workforce, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which evidence should guide the decision?

43

After a high-priority SOC escalation, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which response best matches incident-response practice?

44

After a high-priority SOC escalation, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which response best matches incident-response practice?

45

After a high-priority SOC escalation, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which response best matches incident-response practice?

46

After a high-priority SOC escalation, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which response best matches incident-response practice?

47

After a high-priority SOC escalation and containment of a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which response best matches incident-response practice?

48

After a high-priority SOC escalation, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which response best matches incident-response practice?

49

After a high-priority SOC escalation, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which response best matches incident-response practice?

50

After a high-priority SOC escalation, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which response best matches incident-response practice?

51

During a post-compromise review, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action should be prioritised before closure?

52

After a high-priority SOC escalation, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which response best matches incident-response practice?

53

During a post-compromise review, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action should be prioritised before closure?

54

During a post-compromise review, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action should be prioritised before closure?

55

During a post-compromise review, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action should be prioritised before closure?

56

During a post-compromise review, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which action should be prioritised before closure?

57

During a post-compromise review, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action should be prioritised before closure?

58

During a post-compromise review, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action should be prioritised before closure?

59

During a post-compromise review, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which action should be prioritised before closure?

60

During a post-compromise review, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action should be prioritised before closure?
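Worked example for the web-shell scenarios above (questions 14, 24, 34, 44 and 54): the evidence that confirms a web shell is the pairing of access-log requests carrying a command parameter to the new file with the web-server process spawning a shell at the same moment. This is an added example written for this page, not code from the question bank or any vendor tool. All log lines and process events are constructed; the file name /uploads/img.php, the IP addresses and the two-second correlation window are assumptions.

```python
"""Correlate web-server access-log entries with process-creation events to
confirm web-shell activity. Added example; all data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed combined-format access log. /uploads/img.php is a hypothetical
# file that appeared after the last known deployment.
ACCESS_LOG = """\
203.0.113.5 - - [12/Mar/2024:09:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:09:15:22 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 31 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:09:15:40 +0000] "GET /uploads/img.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1823 "-" "python-requests/2.31"
203.0.113.9 - - [12/Mar/2024:09:16:03 +0000] "GET /uploads/img.php?cmd=id HTTP/1.1" 200 39 "-" "curl/8.4.0"
203.0.113.5 - - [12/Mar/2024:09:17:10 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed process-creation events (EDR/auditd style):
# (timestamp, user, parent image, child command line).
PROCESS_EVENTS = [
    ("2024-03-12T09:15:22Z", "www-data", "/usr/sbin/apache2", "/bin/sh -c whoami"),
    ("2024-03-12T09:15:40Z", "www-data", "/usr/sbin/apache2", "/bin/sh -c cat /etc/passwd"),
    ("2024-03-12T09:16:03Z", "www-data", "/usr/sbin/apache2", "/bin/sh -c id"),
    ("2024-03-12T09:20:00Z", "root", "/usr/sbin/cron", "/usr/bin/logrotate /etc/logrotate.conf"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Parameter names commonly used by command-execution shells. A starting list,
# not a signature; the request hitting a file that should not exist is the
# stronger indicator.
CMD_PARAMS = {"cmd", "c", "exec", "command", "q"}


def parse_access_log(text):
    """Yield one dict per combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield d


def suspicious_requests(text, suspect_path):
    """Requests to the suspect file whose query string carries a command
    parameter: the access-log half of the evidence."""
    hits = []
    for req in parse_access_log(text):
        path, _, query = req["path"].partition("?")
        if path != suspect_path or not query:
            continue
        params = dict(p.split("=", 1) if "=" in p else (p, "") for p in query.split("&"))
        if CMD_PARAMS & set(params):
            hits.append(req)
    return hits


def correlate(requests, events, web_user="www-data", window_s=2):
    """Pair each suspicious request with a shell spawned by the web-server
    process within window_s seconds. A matched pair confirms execution, not
    just an odd-looking URL."""
    spawned = [
        (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), user, parent, cmd)
        for ts, user, parent, cmd in events
        if user == web_user and "/sh" in cmd.split()[0]
    ]
    confirmed = []
    for req in requests:
        for ts, _user, parent, cmd in spawned:
            if abs((ts - req["time"]).total_seconds()) <= window_s:
                confirmed.append({"ip": req["ip"], "request": req["path"], "parent": parent, "spawned": cmd})
                break
    return confirmed


def attacker_sources(confirmed):
    """Distinct client IPs behind confirmed commands, as input to scoping."""
    counts = defaultdict(int)
    for c in confirmed:
        counts[c["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    reqs = suspicious_requests(ACCESS_LOG, "/uploads/img.php")
    for c in correlate(reqs, PROCESS_EVENTS):
        print(f'{c["ip"]} -> {c["request"]} ; {c["parent"]} spawned {c["spawned"]!r}')
    print("sources:", attacker_sources(correlate(reqs, PROCESS_EVENTS)))
```

Preserve the original access log, the web-shell file itself and the process telemetry before any eradication step; the correlation above is only as good as the evidence that survives.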
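Worked example for the compromised-cloud-key scenarios above (questions 8, 13, 22, 23, 33, 43 and 53): determining blast radius means pulling every API event for the exposed key, separating calls from unfamiliar sources, and recording which services, actions and data they reached, including the calls that were denied. This is an added example written for this page, not code from the question bank or from any cloud provider. The events are constructed in a CloudTrail-like shape; the key IDs, IP addresses and bucket names are hypothetical.

```python
"""Scope a compromised cloud access key from API audit events.
Added example; all events and identifiers below are constructed."""
from collections import Counter

COMPROMISED_KEY = "AKIAEXAMPLE0000HYPO"    # hypothetical key ID
KNOWN_GOOD_IPS = {"203.0.113.10"}          # constructed CI runner address

# Constructed audit events. Fields follow a CloudTrail-like layout.
EVENTS = [
    {"eventTime": "2024-05-02T07:58:10Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": COMPROMISED_KEY},
     "requestParameters": {"bucketName": "build-artifacts"}},
    {"eventTime": "2024-05-02T11:02:44Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": COMPROMISED_KEY}},
    {"eventTime": "2024-05-02T11:03:01Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": COMPROMISED_KEY}},
    {"eventTime": "2024-05-02T11:03:15Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": COMPROMISED_KEY},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-02T11:04:30Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": COMPROMISED_KEY}},
    {"eventTime": "2024-05-02T11:05:02Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": COMPROMISED_KEY},
     "requestParameters": {"bucketName": "customer-exports", "key": "2024-04.csv"}},
    {"eventTime": "2024-05-02T11:09:47Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": COMPROMISED_KEY}},
    # A different key from the CI address: must not be attributed to the incident.
    {"eventTime": "2024-05-02T11:10:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAOTHERKEY00000HYPO"},
     "requestParameters": {"bucketName": "build-artifacts"}},
]

READ_PREFIXES = ("Get", "List", "Describe", "Head")


def events_for_key(events, key_id):
    """All events issued with the given access key, oldest first."""
    return sorted((e for e in events if e.get("userIdentity", {}).get("accessKeyId") == key_id),
                  key=lambda e: e["eventTime"])


def action(e):
    """Short service:Action label, e.g. iam:CreateAccessKey."""
    return f'{e["eventSource"].split(".")[0]}:{e["eventName"]}'


def blast_radius(events, key_id, known_ips):
    """Summarise what the key did from unfamiliar sources. Denied calls are
    kept: they show intent and which permissions the attacker probed."""
    unfamiliar = [e for e in events_for_key(events, key_id) if e["sourceIPAddress"] not in known_ips]
    succeeded = [e for e in unfamiliar if "errorCode" not in e]
    denied = [e for e in unfamiliar if "errorCode" in e]
    buckets = {e.get("requestParameters", {}).get("bucketName")
               for e in succeeded if e["eventSource"].startswith("s3.")}
    return {
        "first_unfamiliar": unfamiliar[0]["eventTime"] if unfamiliar else None,
        "last_unfamiliar": unfamiliar[-1]["eventTime"] if unfamiliar else None,
        "unfamiliar_ips": sorted({e["sourceIPAddress"] for e in unfamiliar}),
        "services": sorted({e["eventSource"].split(".")[0] for e in unfamiliar}),
        "succeeded": [action(e) for e in succeeded],
        "denied": [action(e) for e in denied],
        # Writes from an unfamiliar source are where eradication work starts:
        # resources the attacker created or changed must be found and removed.
        "writes_succeeded": [action(e) for e in succeeded
                             if not e["eventName"].startswith(READ_PREFIXES)],
        "buckets_read": sorted(b for b in buckets if b),
    }


def top_actions(events, key_id, known_ips, n=3):
    """Most frequent actions from unfamiliar sources, for the incident timeline."""
    unfamiliar = [e for e in events_for_key(events, key_id) if e["sourceIPAddress"] not in known_ips]
    return Counter(action(e) for e in unfamiliar).most_common(n)


if __name__ == "__main__":
    summary = blast_radius(EVENTS, COMPROMISED_KEY, KNOWN_GOOD_IPS)
    for k, v in summary.items():
        print(f"{k}: {v}")
    print("top actions:", top_actions(EVENTS, COMPROMISED_KEY, KNOWN_GOOD_IPS))
```

Run this against the full retention window of the audit log, not just the hours around the alert, and keep the raw events: the summary tells you where the attacker went, the events are the evidence.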
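Worked example for the evidence-acquisition scenarios above (questions 5, 7, 15, 25, 35, 45 and 55): what a responder documents at acquisition is who acquired what, when, from which source, with which tool, and a cryptographic hash taken immediately after imaging, followed by an append-only custody trail and a re-hash before any analysis. This is an added example written for this page, not code from the question bank or from any forensic product. The evidence image is a constructed byte string standing in for a disk or memory image; the case, item and examiner names are hypothetical.

```python
"""Acquisition record, chain of custody and integrity verification.
Added example; the evidence bytes and identifiers are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired image. In practice this is the file
# written by the imaging tool from a write-blocked or read-only source.
EVIDENCE_IMAGE = b"CONSTRUCTED-IMAGE-" + bytes(range(256)) * 64


def now_utc():
    """Timestamps are recorded in UTC so entries from different teams and
    time zones order correctly in the custody trail."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def hash_image(data, chunk_size=1 << 20):
    """SHA-256 of the image, hashed in chunks so large files need not be
    loaded into memory at once."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def acquisition_record(data, *, case_id, item_id, examiner, source, tool):
    """The fields documented at acquisition time. The hash is taken right
    after imaging so every later comparison has a fixed reference."""
    return {
        "case_id": case_id,
        "item_id": item_id,
        "source": source,
        "tool": tool,
        "acquired_utc": now_utc(),
        "sha256": hash_image(data),
        "size_bytes": len(data),
        "custody": [{"action": "acquired", "by": examiner, "at_utc": now_utc()}],
    }


def transfer(record, *, from_person, to_person, reason):
    """Append a hand-off. Custody entries are only ever appended, never
    edited, so the trail itself stays defensible."""
    record["custody"].append({
        "action": "transferred", "from": from_person, "to": to_person,
        "reason": reason, "at_utc": now_utc(),
    })
    return record


def verify(record, data):
    """Re-hash a working copy before analysis. Any change to the bytes,
    however small, breaks the match against the acquisition hash."""
    return hash_image(data) == record["sha256"]


if __name__ == "__main__":
    rec = acquisition_record(
        EVIDENCE_IMAGE, case_id="IR-0001", item_id="LAPTOP-01-DISK",
        examiner="responder A", source="laptop SSD via hardware write blocker",
        tool="imaging tool (hypothetical)")
    transfer(rec, from_person="responder A", to_person="forensic lab", reason="analysis")
    print(json.dumps(rec, indent=2))
    print("working copy intact:", verify(rec, EVIDENCE_IMAGE))
    print("altered copy intact:", verify(rec, EVIDENCE_IMAGE + b"\x00"))
```

Work only on the verified copy and keep the original sealed; a legal hold is supported by exactly this kind of record, because it shows the evidence has not changed since it was collected.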

Watch out for

Common Incident Response and Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Frequently asked questions

What does the Incident Response and Management domain cover on the CS0-003 exam?
Incident Response and Management questions test whether you can apply the concept in context, not just recognise a definition.
How many questions are in this domain?
This page lists all 60 Incident Response and Management questions in the CS0-003 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
Can I practise only Incident Response and Management questions?
Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.