Q1. What is the FIRST step in the incident response process? (Q-924430)
- A.Containment
- B.Identification
- C.Preparation✓ Correct
- D.Recovery
Explanation: Preparation ensures policies, tools, and teams are ready before an incident occurs. Learn more.
CompTIA CySA+ Practice Questions: Incident Response
44 free, exam-style CompTIA CySA+ (CS0-003) practice questions covering Incident Response. Each question shows the correct answer and a clear explanation. Ready for the real thing? Take the full timed quiz below.
Q2. What is the purpose of a playbook in incident response? (Q-924432)
- A.To automate malware analysis
- B.To provide step-by-step response procedures✓ Correct
- C.To replace human analysts
- D.To document compliance violations
Explanation: Playbooks standardize responses to specific incidents. Learn more.
Q3. Which metric measures the time to detect a security incident? (Q-627fe9)
- A.MTTR
- B.MTTD✓ Correct
- C.MTBF
- D.RTO
Explanation: MTTD = Mean Time to Detect. Learn more.
Q4. Which framework provides guidelines for incident response? (Q-924443)
- A.NIST SP 800-53
- B.NIST SP 800-61✓ Correct
- C.ISO 27001
- D.PCI DSS
Explanation: NIST SP 800-61 is the Computer Security Incident Handling Guide. Learn more.
Q5. What is the purpose of chain of custody documentation? (Q-627fee)
- A.To track evidence handling✓ Correct
- B.To monitor network traffic
- C.To document password changes
- D.To record software licenses
Explanation: Chain of custody maintains evidence integrity for legal proceedings. Learn more.
Q6. What does the 'C' in 'CSIRT' stand for? (Q-627ff7)
- A.Critical
- B.Computer
- C.Cyber✓ Correct
- D.Central
Explanation: CSIRT = Computer Security Incident Response Team. Learn more.
Q7. What is the MAIN purpose of a disaster recovery plan (DRP)? (Q-627ffd)
- A.To prevent all cyberattacks
- B.To restore operations after an incident✓ Correct
- C.To train employees on security
- D.To document compliance
Explanation: DRPs outline procedures to recover systems after disruptions. Learn more.
Q8. What does the 'D' in 'IDEAL' incident response framework stand for? (Q-628005)
- A.Detect
- B.Defend
- C.Document✓ Correct
- D.Destroy
Explanation: IDEAL = Identify, Detect, Evaluate, Act, Learn (with Documentation throughout). Learn more.
Q9. What is the PRIMARY purpose of a disaster recovery plan (DRP)? (Q-628013)
- A.To prevent cyberattacks
- B.To restore operations after disruptions✓ Correct
- C.To train employees
- D.To document compliance
Explanation: DRPs outline recovery procedures for systems/data after incidents. Learn more.
Q10. When analyzing a suspected malware sample, which technique would BEST determine its capabilities without executing it?
- A.Dynamic analysis
- B.Static analysis✓ Correct
- C.Behavioral analysis
- D.Network analysis
Explanation: Static analysis examines the code without execution, reducing risk while revealing functionality. Learn more.
Q11. A security alert indicates unusual data transfers to an external cloud storage provider. What type of data analysis would BEST identify what was exfiltrated?
- A.NetFlow analysis
- B.Data loss prevention logs
- C.Endpoint forensic analysis✓ Correct
- D.SIEM correlation rules
Explanation: Endpoint forensics can reconstruct files and data accessed around the time of exfiltration. Learn more.
Q12. During an investigation, you find a user account with administrative privileges that was last used at 3 AM. What should you do NEXT?
- A.Immediately disable the account
- B.Check if this matches the user's work schedule
- C.Review authentication logs for the account
- D.Compare with baseline activity for this account✓ Correct
Explanation: Authentication logs would show if this was legitimate access or potentially compromised credentials. Learn more.
Q13. Which tool would be MOST effective for analyzing a memory dump from a compromised system?
- A.Wireshark
- B.Volatility✓ Correct
- C.Nmap
- D.Metasploit
Explanation: Volatility is specifically designed for memory forensics analysis. Learn more.
Q14. What is the PRIMARY purpose of a playbook in incident response?
- A.To replace analyst decision-making
- B.To document forensic tools
- C.To provide standardized response procedures✓ Correct
- D.To automate all remediation
Explanation: Playbooks ensure consistent, efficient response to common incident types. Learn more.
Q15. During a forensic investigation, which artifact would MOST likely reveal recently executed commands?
- A.Windows Prefetch files✓ Correct
- B.Browser history
- C.DNS cache
- D.ARP table
Explanation: Prefetch files track application execution history on Windows systems. Learn more.
Q16. What is the PRIMARY purpose of reverse engineering malware?
- A.To delete infected files
- B.To understand its functionality and indicators✓ Correct
- C.To improve system performance
- D.To automatically patch vulnerabilities
Explanation: Reverse engineering reveals how malware operates and how to detect it. Learn more.
Q17. When investigating a phishing incident, which artifact would MOST likely reveal the initial entry point?
- A.Firewall logs
- B.Email headers✓ Correct
- C.DNS cache
- D.Process list
Explanation: Email headers contain routing information that can trace a message's origin. Learn more.
Q18. When analyzing a memory dump, what would the presence of Mimikatz MOST likely indicate?
- A.Normal system process
- B.Credential dumping activity✓ Correct
- C.Memory optimization
- D.Antivirus scanning
Explanation: Mimikatz is a credential theft tool commonly used in attacks. Learn more.
Q19. Which Windows registry key would MOST likely contain persistence mechanisms?
- A.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run✓ Correct
- B.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- C.HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- D.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Explanation: The Run registry key specifies programs that start automatically at login. Learn more.
Q20. Which artifact would MOST likely reveal browser-based credential theft?
- A.Windows event logs
- B.Browser history and saved passwords✓ Correct
- C.DNS cache
- D.ARP table
Explanation: Browser artifacts may show credential access or form submission to malicious sites. Learn more.
Q21. What is the PRIMARY purpose of maintaining a chain of custody during an investigation?
- A.To encrypt evidence
- B.To ensure evidence admissibility in court✓ Correct
- C.To speed up analysis
- D.To reduce storage requirements
Explanation: Proper documentation of evidence handling is critical for legal proceedings. Learn more.
Q22. Which Windows artifact would MOST likely reveal recently accessed files?
- A.Prefetch files
- B.LNK files✓ Correct
- C.DNS cache
- D.ARP table
Explanation: LNK (shortcut) files in Recent folders track accessed files and locations. Learn more.
Q23. What is the PRIMARY purpose of a memory dump during incident response?
- A.To free up system resources
- B.To capture volatile evidence✓ Correct
- C.To improve performance
- D.To create backups
Explanation: Memory captures preserve running processes, network connections, and other volatile data. Learn more.
Q24. Which artifact would MOST likely reveal USB device usage times?
- A.Windows Setup logs
- B.Security event logs✓ Correct
- C.Application logs
- D.System Registry
Explanation: Security logs record USB device connection events with timestamps. Learn more.
Q25. Which artifact would be MOST useful for determining data exfiltration via cloud storage?
- A.Firewall logs
- B.Cloud access security broker logs✓ Correct
- C.DNS cache
- D.ARP table
Explanation: CASB logs track user activities and data transfers to cloud services. Learn more.
Q26. What does the presence of unexpected registry Run keys indicate?
- A.Normal system operation
- B.Persistence mechanism✓ Correct
- C.Software update
- D.Hardware change
Explanation: Attackers often use registry Run keys to maintain persistence across reboots. Learn more.
Q27. What is the PRIMARY purpose of a memory dump during forensic analysis?
- A.To free up disk space
- B.To capture evidence of running processes✓ Correct
- C.To improve system performance
- D.To create system backups
Explanation: Memory captures preserve volatile evidence like running processes and network connections. Learn more.
Q28. Which artifact would MOST likely reveal browser-based attacks?
- A.Windows event logs
- B.Browser cache and history✓ Correct
- C.DNS cache
- D.ARP table
Explanation: Browser artifacts may show malicious scripts, downloads, or form submissions. Learn more.
Q29. What is the PRIMARY purpose of maintaining a chain of custody document?
- A.To encrypt evidence
- B.To ensure evidence admissibility✓ Correct
- C.To speed up analysis
- D.To reduce storage needs
Explanation: Chain of custody documents proper evidence handling for legal proceedings. Learn more.
Q30. Which Windows artifact would reveal recently executed programs?
- A.Prefetch files✓ Correct
- B.Browser history
- C.DNS cache
- D.ARP table
Explanation: Prefetch files track application execution history on Windows systems. Learn more.
Q31. Which artifact would reveal USB device usage times?
- A.Setup logs
- B.Security logs✓ Correct
- C.App logs
- D.Registry
Explanation: Security logs record USB connection events with timestamps. Learn more.
Q32. Which tool would be MOST effective for memory analysis?
- A.Wireshark
- B.Volatility✓ Correct
- C.Nmap
- D.Metasploit
Explanation: Volatility is specifically designed for memory forensics. Learn more.
Q33. When investigating phishing, which artifact reveals entry point?
- A.Firewall logs
- B.Email headers✓ Correct
- C.DNS cache
- D.Process list
Explanation: Email headers contain routing information to trace message origin. Learn more.
Q34. What does the presence of Mimikatz in memory indicate?
- A.Normal process
- B.Credential dumping✓ Correct
- C.Memory optimization
- D.AV scanning
Explanation: Mimikatz is a credential theft tool used in attacks. Learn more.
Q35. Which registry key contains persistence mechanisms?
- A.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run✓ Correct
- B.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- C.HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- D.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Explanation: The Run registry key specifies auto-start programs. Learn more.
Q36. What is the PRIMARY purpose of reverse engineering malware?
- A.Delete files
- B.Understand functionality✓ Correct
- C.Improve performance
- D.Automate patching
Explanation: Reverse engineering reveals how malware operates and how to detect it. Learn more.
Q37. What is the PRIMARY purpose of a playbook?
- A.Replace analysts
- B.Document tools
- C.Standardize response✓ Correct
- D.Automate remediation
Explanation: Playbooks ensure consistent, efficient response to incidents. Learn more.
Q38. What is the primary purpose of a root cause analysis (RCA) after a security incident?
- A.To assign blame to individuals
- B.To prevent recurrence of the incident✓ Correct
- C.To restore system backups
- D.To calculate financial loss
Explanation: RCA identifies the underlying cause of an incident to implement corrective actions and prevent future occurrences. Learn more.
Q39. An endpoint is confirmed to be running ransomware. What is the best immediate containment action?
- A.Isolate the host from the network✓ Correct
- B.Run a marketing report
- C.Increase mailbox quota
- D.Disable all backups
Explanation: Network isolation limits spread and command-and-control communication while preserving the system for investigation. Learn more.
Q40. Why should evidence hashes be calculated during acquisition?
- A.To prove the data has not changed during analysis✓ Correct
- B.To compress the evidence automatically
- C.To identify the device owner by name
- D.To remove malware
Explanation: Cryptographic hashes allow investigators to verify evidence integrity after collection and transfer. Learn more.
Q41. Which incident response phase captures what worked, what failed, and what should change?
- A.Lessons learned✓ Correct
- B.Initial compromise
- C.Lateral movement
- D.Credential harvesting
Explanation: Lessons learned identifies process, control, and communication improvements after an incident. Learn more.
Q42. Which response action removes attacker-created persistence after containment?
- A.Eradication✓ Correct
- B.Preparation
- C.Lessons learned only
- D.Scoping only
Explanation: Eradication removes malware, persistence mechanisms, unauthorized accounts, and exploited weaknesses. Learn more.
Q43. A phishing investigation needs to determine whether users clicked a link. Which data source helps most?
- A.Web proxy or secure web gateway logs✓ Correct
- B.Keyboard firmware version
- C.Patch panel map
- D.Printer toner alerts
Explanation: Proxy or web gateway logs can show whether users visited malicious URLs. Learn more.
Q44. An analyst creates a timeline from endpoint, firewall, and identity logs. What is the main purpose?
- A.Reconstruct attacker activity and sequence of events✓ Correct
- B.Improve monitor color
- C.Calculate disk warranty
- D.Replace change control
Explanation: Timelines help determine scope, initial access, lateral movement, and response priorities. Learn more.
More CompTIA CySA+ practice topics
- Security Operations (64)
- Threat Management (53)
- Cloud Security (45)
- Security Operations and Monitoring (32)
- Access Control (21)
- Network Security (18)
- Risk Management (17)
- Software Security (16)
- Data Security (14)
- Vulnerability Management (11)
- Cryptography (10)
- Compliance (9)
- Threat Intelligence (9)
- Threat Detection (7)
- Threat and Vulnerability Management (5)
- More Practice Questions (15)
- All CompTIA CySA+ topics →