During an incident, the IR team identifies that the root cause is a zero-day vulnerability. Which of the following is the best immediate action?
Compensating controls reduce risk by blocking or detecting exploitation of the vulnerability.
Why this answer
When a zero-day vulnerability is the root cause, no vendor patch exists yet (option C is impossible). Rebuilding systems (option B) without addressing the vulnerability leaves them re-exposed. The best immediate action is to implement compensating controls, such as firewall rules, IDS/IPS signatures, or application-layer filtering, to mitigate the risk until a permanent fix is available.
This aligns with incident response containment strategies that prioritize reducing impact while preserving forensic evidence.
Exam trap
ISC2 often tests the misconception that 'rebuilding systems' or 'applying a patch' are immediate actions for a zero-day, when in reality the absence of a patch and the need for containment make compensating controls the only viable first step.
How to eliminate wrong answers
Option A is wrong because reporting to CERT/CC is a post-incident coordination step, not an immediate containment action; it does not stop the ongoing attack. Option B is wrong because rebuilding affected systems without first containing the vulnerability will result in immediate re-infection, as the zero-day exploit vector remains active. Option C is wrong because a zero-day vulnerability, by definition, has no vendor patch available at the time of discovery; applying a non-existent patch is impossible.