CompTIA Security+ Practice Questions: Operations & Incident Response

32 free, exam-style CompTIA Security+ (SY0-701) practice questions covering Operations & Incident Response. Each question shows the correct answer and a clear explanation. Ready for the real thing? Take the full timed quiz below.


Q1. What is the PRIMARY purpose of a honeypot?

Explanation: Honeypots are decoy systems designed to attract and study attackers' methods without exposing real systems.

Q2. Which control would BEST protect against ransomware?

Explanation: Regular, isolated backups allow recovery without paying ransom if systems are encrypted by ransomware.

Q3. What does SIEM stand for?

Explanation: SIEM systems provide real-time analysis of security alerts from network devices and applications.

Q4. Which backup type only copies changed data since the last full backup?

Explanation: Differential backups capture all changes made since the last full backup.

Q5. What is the PRIMARY purpose of a disaster recovery plan?

Explanation: DR plans outline procedures for restoring systems and data after catastrophic events.

Q6. What is the PRIMARY purpose of an IRP (Incident Response Plan)?

Explanation: An IRP defines procedures for detecting, responding to, and recovering from security incidents.

Q7. Which type of assessment identifies security weaknesses without exploiting them?

Explanation: Vulnerability scans identify potential weaknesses without attempting actual exploitation.

Q8. Which control would BEST protect against phishing?

Explanation: Educating users to recognize phishing attempts is the most effective defense.

Q9. What is the PRIMARY purpose of a warm site for disaster recovery?

Explanation: Warm sites have infrastructure prepared but require data restoration and configuration.

Q10. Which control would BEST protect against insider threats?

Explanation: Monitoring for anomalous user behavior helps detect potential insider threats.

Q11. What is the PRIMARY purpose of a data loss prevention (DLP) system?

Explanation: DLP systems monitor and control data transfers to prevent sensitive information leaks.

Q12. What is the PRIMARY purpose of a sandbox?

Explanation: Sandboxes provide isolated environments for safely executing suspicious programs.

Q13. What is the PRIMARY purpose of a CSIRT (Computer Security Incident Response Team)?

Explanation: CSIRTs are specialized groups that handle security incident investigation and response.

Q14. What is the PRIMARY purpose of a hot site for disaster recovery?

Explanation: Hot sites maintain real-time data synchronization for near-instantaneous failover.

Q15. What is the PRIMARY purpose of a tabletop exercise?

Explanation: Tabletop exercises validate plans through discussion-based scenario testing.

Q16. What is the PRIMARY purpose of a chain of custody?

Explanation: Chain of custody maintains evidentiary integrity for legal proceedings.

Q17. What is the PRIMARY purpose of a security operations center (SOC)?

Explanation: SOCs provide continuous security monitoring and incident response capabilities.

Q18. What is the PRIMARY purpose of a security assessment?

Explanation: Assessments systematically evaluate how well security controls meet requirements.

Q19. What is the PRIMARY purpose of a penetration test?

Explanation: Penetration tests simulate attacks to find security weaknesses.

Q20. What is the main purpose of performing a Business Impact Analysis (BIA) as part of a business continuity plan?

Explanation: A BIA identifies an organization's critical processes and resources and quantifies the potential impact (financial, operational, reputational) if those functions are disrupted. This helps prioritize recovery efforts.

Q21. Which of the following is a common indicator of a compromised system?

Explanation: Unusual outbound network connections, especially to known malicious IPs or unusual ports, can indicate that a system has been compromised and is communicating with a command-and-control server or exfiltrating data.

Q22. Which stage of the incident response lifecycle involves determining the extent of the compromise and identifying affected systems?

Explanation: During the Containment phase (which often overlaps with Identification and Analysis), responders work to limit the scope and magnitude of the incident, prevent further damage, and identify all affected systems.

Q23. What is the primary goal of a Red Team exercise in cybersecurity?

Explanation: Red Team exercises involve a dedicated team emulating the tactics, techniques, and procedures (TTPs) of real-world attackers to rigorously test an organization's detection and response capabilities, as well as overall security posture.

Q24. Which type of security assessment involves attempting to actively exploit vulnerabilities to gain unauthorized access, similar to what a real attacker would do?

Explanation: A penetration test (pen test) simulates an attack on a computer system, network, or web application to find security weaknesses that an attacker could exploit. It goes beyond just identifying vulnerabilities by attempting to exploit them.

Q25. Which standard is used to represent threat intelligence information in a structured format for automated sharing?

Explanation: STIX (Structured Threat Information Expression) is the language/format used to describe threats, while TAXII is the protocol used to transmit that data.

Q26. A security team wants to automate the response to common phishing alerts to reduce analyst fatigue. Which tool is BEST suited for this purpose?

Explanation: SOAR (Security Orchestration, Automation, and Response) platforms allow organizations to define incident analysis and response procedures (playbooks) in a digital workflow format.

Q27. In the context of digital forensics, which of the following data sources has the highest order of volatility and should be collected first?

Explanation: The order of volatility dictates that the most fleeting data must be captured first. CPU registers and cache are the most volatile, followed by RAM.

Q28. Which threat hunting model uses four core features (Adversary, Capability, Infrastructure, and Victim) to analyze security incidents?

Explanation: The Diamond Model of Intrusion Analysis emphasizes the relationships between the Adversary, Capability, Infrastructure, and Victim to understand malicious activity.

Q29. Which monitoring tool aggregates logs and correlates security events?

Explanation: Security information and event management systems collect, normalize, and correlate logs for alerting and investigation.

Q30. What is the primary purpose of a playbook in incident response?

Explanation: Playbooks document repeatable response actions, roles, escalation paths, and decision points.

Q31. Which control helps ensure logs from different systems can be accurately correlated?

Explanation: Synchronized clocks allow analysts to build accurate event timelines across systems.

Q32. Which incident response action should occur before wiping an infected system when evidence is needed?

Explanation: Evidence should be preserved before destructive remediation if investigation or legal requirements apply.
