Question 1mediummultiple choice
Full question →CS0-003 · topic practice
Incident Response And Management practice questions
Use this page to practise CS0-003 Incident Response And Management practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about Incident Response And Management
Incident Response And Management questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Practice set
Incident Response And Management questions
20 questions · select your answer, then reveal the explanation
Question 2mediummultiple choice
Full question →A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the containment trade-off phase, Which response balances containment with evidence preservation?
Question 3hardmultiple choice
Full question →A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the containment trade-off phase, Which response balances containment with evidence preservation?
Question 4mediummultiple choice
Full question →A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For stakeholder management, Which documentation or approval is required to keep the programme defensible?
Question 5mediummultiple choice
Full question →A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For stakeholder management, Which documentation or approval is required to keep the programme defensible?
Question 6mediummultiple choice
Full question →A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For stakeholder management, Which documentation or approval is required to keep the programme defensible?
Question 7hardmultiple choice
Full question →A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For stakeholder management, Which documentation or approval is required to keep the programme defensible?
Question 8hardmultiple choice
Full question →A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the containment trade-off phase, Which response balances containment with evidence preservation?
Question 9easymultiple choice
Full question →A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For business prioritization, Which recommendation gives the best risk-based order of work?
Question 10hardmultiple choice
Full question →A laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible?
Question 11hardmultiple choice
Full question →A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For stakeholder management, Which documentation or approval is required to keep the programme defensible?
Question 12mediummultiple choice
Full question →After a high-priority SOC escalation, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? which response best matches incident-response practice?
Question 13mediummulti select
Full question →A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)
Question 14easymultiple choice
Full question →A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For stakeholder management, Which documentation or approval is required to keep the programme defensible?
Question 15easymultiple choice
Full question →After a high-priority SOC escalation, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? which response best matches incident-response practice?
Question 16mediummultiple choice
Full question →A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the evidence source phase, Which evidence source best supports or refutes the detection?
Question 17mediummultiple choice
Full question →A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the root-cause analysis phase, Which finding would most directly explain the activity?
Question 18mediummultiple choice
Full question →A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For stakeholder management, Which documentation or approval is required to keep the programme defensible?
Question 19mediummultiple choice
Full question →A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the containment trade-off phase, Which response balances containment with evidence preservation?
Question 20mediummultiple choice
Full question →An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the containment trade-off phase, Which response balances containment with evidence preservation?
Watch out for
Common Incident Response And Management exam traps
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused Incident Response And Management sessions
Start a Incident Response And Management only practice session
Every question in these sessions is drawn from the Incident Response And Management domain — nothing else.
Related practice questions
Related CS0-003 topic practice pages
Move into related areas when this topic feels solid.
CompTIA A+ hardware practice questions
Practise CS0-003 questions linked to CompTIA A+ hardware.
CompTIA A+ mobile devices practice questions
Practise CS0-003 questions linked to CompTIA A+ mobile devices.
CompTIA A+ networking practice questions
Practise CS0-003 questions linked to CompTIA A+ networking.
CompTIA A+ operating systems practice questions
Practise CS0-003 questions linked to CompTIA A+ operating systems.
CompTIA A+ security practice questions
Practise CS0-003 questions linked to CompTIA A+ security.
CompTIA A+ software troubleshooting questions
Practise CS0-003 questions linked to CompTIA A+ software troubleshooting questions.
CompTIA A+ operational procedures questions
Practise CS0-003 questions linked to CompTIA A+ operational procedures questions.
Frequently asked questions
- What does the CS0-003 exam test about Incident Response And Management?
- Incident Response And Management questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just Incident Response And Management questions in a focused session?
- Yes — the session launcher on this page draws every question from the Incident Response And Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other CS0-003 topics?
- Use the topic links above to move to related areas, or go back to the CS0-003 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the CS0-003 exam covers. They are not copied from any real exam or dump site.
Incident Response And Management only
Mixed CS0-003 sessionTrack your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeStudy resources
Exam traps to avoid
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.