CS0-003 · topic practice

Incident Response and Management practice questions

Practise CompTIA CySA+ CS0-003 Incident Response and Management practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Incident Response and Management

What the exam tests

What to know about Incident Response and Management

Incident Response and Management questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Incident Response and Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Incident Response and Management questions

20 questions · select your answer, then reveal the explanation

During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, an analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which step should the analyst perform next to validate the alert?

An organization's security team receives an alert about a potential ransomware infection on a critical server. The severity classification is 'high' because the server supports a production database. According to the incident response plan, which containment action should be taken first to minimize data loss?

A forensic analyst is investigating a suspected data breach involving a compromised workstation. The analyst wants to collect volatile data in accordance with the order of volatility. Which sequence of data collection is correct?

After containing a malware outbreak, the incident response team performs static malware analysis on a suspicious executable. Which of the following artifacts would be most helpful in creating a YARA rule to detect variants of the malware?

During dynamic malware analysis in a sandbox, an analyst observes that the malware attempts to connect to a remote IP address on port 443, modifies the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and drops a DLL in the system32 folder. Which type of IOC is most indicative of persistence?

An organization uses MISP as its threat intelligence platform. After a security incident, the team wants to share IOCs with other trusted organizations. Which standard should they use to package and exchange the threat intelligence?

During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) for a recent breach was 14 days, while the mean time to respond (MTTR) was 6 hours. Which metric should the team prioritize to improve in future incidents?

A security analyst is performing memory acquisition on a compromised Linux server using LiME. The analyst needs to capture the memory image with minimal impact on the system. Which of the following parameters should the analyst use to ensure the output is forensically sound?

An analyst receives an alert about a user account that has been locked out multiple times within an hour. The account belongs to a system administrator. Which incident category does this scenario most likely fall under?

During a forensic investigation, an analyst creates a disk image using dd with a SHA256 hash. Later, the analyst needs to verify the integrity of the image before analysis. Which command should the analyst use to compare the original hash with a newly computed hash?

An organization has been experiencing repeated phishing attacks that bypass email filters. The incident response team wants to enhance detection by creating rules based on characteristics of the phishing emails. Which of the following IOCs would be most effective for detecting similar phishing campaigns?

During a post-incident activity, the CSIRT performs a root cause analysis for a data breach. They discover that the breach originated from a misconfigured S3 bucket that allowed public read access. Which of the following actions should be included in the lessons learned to prevent recurrence?

A security analyst is responding to a potential data exfiltration incident. As part of the containment strategy, the analyst must preserve evidence. Which TWO actions should the analyst take before containment? (Select two.)

A CSIRT is investigating a ransomware incident that encrypted files on multiple servers. The team needs to determine the initial infection vector. Which THREE pieces of evidence should the team prioritize collecting? (Select three.)

A security analyst is reviewing IOCs from a threat intelligence feed. The analyst wants to enrich the IOCs using open-source tools. Which THREE tools are commonly used for IOC enrichment? (Select three.)

During which phase of the NIST SP 800-61 incident response lifecycle would an organization conduct a lessons learned meeting?

A security analyst detects ransomware on a critical server. Which containment strategy should be implemented FIRST to minimize damage?

During a forensic investigation, an analyst needs to acquire memory from a Linux server. Which tool is specifically designed for this purpose?

Which of the following is the MOST volatile data according to the order of volatility?

An analyst is reviewing a suspicious executable using static analysis. Which of the following would provide information about the functions the executable imports from system libraries?


Focused Incident Response and Management sessions

Start an Incident Response and Management only practice session

Every question in these sessions is drawn from the Incident Response and Management domain — nothing else.


Frequently asked questions

What does the CS0-003 exam test about Incident Response and Management?
Incident Response and Management questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Incident Response and Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Incident Response and Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CS0-003 topics?
Use the topic links above to move to related areas, or go back to the CS0-003 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CS0-003 exam covers. They are not copied from any real exam or dump site.