The correct next step is to isolate FIN-LT-22 from the network to contain the suspected malware activity. This action immediately stops the compromised host from communicating with command-and-control servers or spreading laterally to other systems, directly addressing the need to contain a suspected compromise with network isolation. On the Security+ SY0-701 exam, this scenario tests your understanding of the containment phase in the NIST incident response framework, where limiting damage takes priority over eradication or recovery. A common trap is choosing to run antivirus or capture memory first, but those steps risk alerting the malware or losing volatile evidence; isolation preserves forensic data while cutting off the threat. Remember the memory tip: “Isolate first, investigate second” — when you see a suspected compromise, your first move is always to cut the network cord.
SY0-701 Security Operations Practice Question
This SY0-701 practice question tests your understanding of security operations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, read the full explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
EDR Alert Summary
Host: FIN-LT-22
Severity: High
Detection: Suspicious PowerShell with encoded command
Parent Process: winword.exe
Network Activity: outbound connection to 203.0.113.77:4444
User Note: 'The laptop is running very slowly and pop-ups started after opening an attachment.'
Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?
A. Run a full antivirus scan first and wait for the results before taking any other action.
B. Isolate FIN-LT-22 from the network to contain the suspected malware activity.
C. Reboot the laptop to clear the malicious process from memory.
D. Reset the user's password and close the ticket after confirming they can log in again.
Correct answer & explanation
✓ B. Isolate FIN-LT-22 from the network to contain the suspected malware activity.
Option B is correct because isolating FIN-LT-22 from the network immediately stops the suspected malware from communicating with command-and-control servers or spreading laterally to other hosts. This containment step aligns with the NIST incident response framework's containment phase, which prioritizes limiting damage before eradication or recovery. In a suspected compromise, network isolation (e.g., disabling the switch port or using a host-based firewall rule) is the fastest way to cut off malicious traffic without destroying volatile evidence in memory.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗ A. Run a full antivirus scan first and wait for the results before taking any other action.
Why it's wrong here: A scan is useful later, but it does not immediately stop possible spread or attacker activity.
✓ B. Isolate FIN-LT-22 from the network to contain the suspected malware activity.
Why this is correct: Network isolation is the best immediate containment step when an endpoint shows signs of active malicious behavior. It limits further command-and-control traffic, prevents lateral movement, and buys time for investigation. In incident response, containment comes before eradication and recovery when the threat is still active.
✗ C. Reboot the laptop to clear the malicious process from memory.
Why it's wrong here: Rebooting can destroy volatile evidence and may not stop persistence mechanisms from reloading afterward.
✗ D. Reset the user's password and close the ticket after confirming they can log in again.
Why it's wrong here: Changing a password may help if credentials were stolen, but it does not stop the endpoint infection.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often choose to run an antivirus scan first (Option A) because they assume detection must precede containment, but the SY0-701 exam emphasizes that containment is the immediate priority to limit impact, even before identifying the specific malware.
Detailed technical explanation
How to think about this question
Network isolation can be achieved by disabling the switch port via SNMP or SSH, forcing an 802.1X authentication failure on the port, or using a host-based firewall rule to block all outbound traffic except to a management VLAN. In a real-world scenario, an analyst might use a tool like Wireshark to confirm suspicious DNS queries or beaconing to an external IP, then immediately issue a `shutdown` command on the switch interface or use a NAC solution to quarantine the endpoint. This preserves the system state for memory forensics (e.g., using Volatility to dump the malicious process) while preventing data exfiltration.
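As an added illustration of the host-based firewall option above (example code, not from the page or from Courseiva), the PowerShell below isolates a Windows endpoint such as FIN-LT-22 so that only an assumed management subnet, 10.10.50.0/24, can still reach it, and records what it changed so the isolation can be reversed after eradication. It assumes administrator rights on the host; EDR-native isolation or a switch port shutdown remains preferable, since malware running as admin can undo local firewall rules.

```powershell
# Added example (not from the page or Courseiva): emergency host-level isolation of a
# Windows endpoint such as FIN-LT-22 using the built-in firewall, plus its reversal.
# Assumptions (placeholders): run as administrator, e.g. through the EDR remote shell,
# and the management/forensics subnet is 10.10.50.0/24. Prefer EDR-native isolation
# or a switch port shutdown when available: malware running as admin can undo this.

$IsolationGroup = 'IR-Isolation'
$MgmtSubnet     = '10.10.50.0/24'                     # assumption
$StateFile      = "$env:ProgramData\IR-Isolation-state.json"

function Invoke-HostIsolation {
    # Keep the EDR agent, log forwarder and remote forensics tooling reachable:
    # allow only the management subnet, in both directions. DNS is blocked as well,
    # so management tooling must address the host by IP while it is isolated.
    New-NetFirewallRule -DisplayName 'IR-Isolation-Allow-Mgmt-Out' -Group $IsolationGroup `
        -Direction Outbound -Action Allow -RemoteAddress $MgmtSubnet -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'IR-Isolation-Allow-Mgmt-In' -Group $IsolationGroup `
        -Direction Inbound -Action Allow -RemoteAddress $MgmtSubnet -Profile Any | Out-Null

    # A Block default only applies when no rule matches, so the existing Allow rules
    # (browser, Office, Core Networking) would still let the beacon out. Disable them
    # and record their names so the release step re-enables exactly those rules.
    $toDisable = @(Get-NetFirewallRule -Enabled True -Action Allow |
        Where-Object { $_.Group -ne $IsolationGroup })
    ConvertTo-Json -InputObject @($toDisable.Name) | Set-Content -Path $StateFile
    $toDisable | Disable-NetFirewallRule

    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # Return a one-line record for the incident timeline.
    "$(Get-Date -Format o) $env:COMPUTERNAME isolated; only $MgmtSubnet reachable"
}

function Undo-HostIsolation {
    # Run only after eradication is confirmed. Reverses the steps above in reverse order.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultInboundAction NotConfigured -DefaultOutboundAction NotConfigured
    if (Test-Path -Path $StateFile) {
        $names = @(Get-Content -Path $StateFile -Raw | ConvertFrom-Json)
        if ($names.Count -gt 0) { Enable-NetFirewallRule -Name $names }
        Remove-Item -Path $StateFile
    }
    Remove-NetFirewallRule -Group $IsolationGroup
}
```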
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
Watch for words such as best, first, most likely and least administrative effort.
Review why wrong options are wrong, not only why the correct option is correct.
Real-world example
How this comes up in practice
A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this SY0-701 question in full detail.
Security Operations — This question tests Security Operations. Read the scenario before looking for a memorised answer.
What should I do if I get this SY0-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A security analyst at a manufacturing company notices multiple workstations generating high volumes of encrypted outbound traffic and displaying ransom notes. The analyst suspects a ransomware outbreak. According to the incident response process, which of the following should the analyst perform FIRST?
Difficulty: medium
A. Immediately wipe the hard drives of all affected workstations and reinstall the operating system.
✓ B. Isolate the affected workstations from the network by disconnecting their network cables and disabling Wi-Fi.
C. Contact local law enforcement to report the ransomware incident and request a forensic investigation.
D. Conduct a full forensic analysis of one affected workstation to determine the ransomware variant and entry vector.
Why B: The first priority in a suspected ransomware outbreak is containment to prevent lateral spread and further encryption. Disconnecting network cables and disabling Wi-Fi immediately isolates the affected workstations from the network, stopping the ransomware from communicating with its command-and-control (C2) server or encrypting additional systems. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.
Variation 2. A SOC analyst confirms that a critical Linux virtual machine is making outbound connections to a known malicious IP address. The application owner says the VM hosts a revenue system that cannot be powered off without causing a major outage. What is the best containment action?
Difficulty: medium
A. Shut down the VM immediately to stop all malicious activity.
✓ B. Isolate the VM at the network layer while keeping it powered on.
C. Wait for the next maintenance window before taking action.
D. Reimage the VM from a known-good template immediately.
Why B: Option B is correct because network isolation (e.g., applying a firewall ACL or moving the VM to a quarantine VLAN) stops outbound malicious traffic while keeping the revenue-critical system powered on and available for forensic analysis. This balances security containment with business continuity, as shutting down the VM (Option A) would cause a major outage, and waiting (Option C) would allow continued data exfiltration or lateral movement.
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.