CS0-003 · topic practice

Incident Response and Management practice questions

Incident Response questions always test the order of phases and the containment decision. Memorise the six phases in order and understand why containment comes before eradication — it is the most common sequence trap.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Incident Response and Management

What the exam tests

What to know about Incident Response and Management

Incident Response questions test the IR lifecycle phases, evidence handling, containment strategies, and regulatory notification timelines.

IR phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.

Evidence preservation: chain of custody, write-blockers, and forensic imaging before analysis.

Containment strategies: isolate vs shut down — choosing based on business continuity vs evidence preservation.

Notification timelines: regulatory requirements (GDPR 72 hours, US state laws) and internal escalation paths.

Watch out for

Common Incident Response and Management exam traps

  • Jumping to Eradication before Containment — the threat is still active if you skip containment.
  • Destroying evidence by powering off a machine that stores volatile memory (RAM) containing malware artefacts.
  • Forgetting that Lessons Learned is a mandatory phase, not an optional debrief.
  • Confusing the IR team's role with law enforcement's role — IR teams preserve evidence for law enforcement; they do not investigate crimes.

Practice set

Incident Response and Management questions

20 questions · select your answer, then reveal the explanation

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

What should be included in incident scoping for ransomware? (Choose three.)

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

A tabletop exercise reveals that no one knows who can approve public statements. What should be updated? (Choose two.)

A responder is acquiring evidence from a potentially compromised server. Which actions support forensic integrity? (Choose two.)

An attacker used a stolen cloud token. Which evidence helps determine blast radius? (Choose two.)

Which actions are appropriate before restoring systems after malware eradication? (Choose two.)

A root-cause analysis finds that an alert fired but was never triaged. Which corrective actions are useful? (Choose two.)

A user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible?

File shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible?

A developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible?

A web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible?

A laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible?

A server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible?

After containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible?

An incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible?

A malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible?

A company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible?

Focused Incident Response and Management sessions

Start an Incident Response and Management-only practice session

Every question in these sessions is drawn from the Incident Response and Management domain — nothing else.

Frequently asked questions

What does the CS0-003 exam test about Incident Response and Management?
Incident Response questions test the IR lifecycle phases, evidence handling, containment strategies, and regulatory notification timelines.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Incident Response and Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Incident Response and Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CS0-003 topics?
Use the topic links above to move to related areas, or go back to the CS0-003 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CS0-003 exam covers. They are not copied from any real exam or dump site.