Practice Incident Response Questions Now

Start a timed practice session focusing on Incident Response & Management topics from the CYSA question bank.

CYSA Incident Response Question Bank (4 Questions)

Browse all 4 practice questions covering Incident Response & Management for the CYSA certification exam. Each question includes the full answer and a detailed explanation to help you understand the concepts.

Question 1Incident Response & Management
A server has been compromised by ransomware. The IR team has confirmed the malware variant and identified the initial access vector. What is the correct order of the remaining response steps?
ARecovery → Eradication → Containment
BContainment → Eradication → Recovery✓
CEradication → Recovery → Containment
DRecovery → Containment → Eradication
Show Answer & Explanation
Correct Answer: B
Explanation:
The correct order is: Containment (isolate affected systems to prevent spread), Eradication (remove the malware and close the attack vector), Recovery (restore systems from clean backups and return to normal operations).
Question 2Incident Response & Management
During containment of a compromised workstation, which of the following actions should be taken FIRST?
AReformat the hard drive
BIsolate the system from the network while preserving its running state for forensic analysis✓
CImmediately power off the system
DDelete all suspicious files from the system
Show Answer & Explanation
Correct Answer: B
Explanation:
Network isolation prevents lateral movement while preserving the system's state for forensic analysis. Powering off loses volatile memory evidence, reformatting destroys all evidence, and deleting files hampers the investigation.
Question 3Incident Response & Management
During the eradication phase of a malware incident, the IR team finds that the attacker installed a rootkit. What is the recommended approach for eradication?
ARun a standard antivirus scan and consider the system clean
BWipe and reimage the system from a known-good baseline because rootkits can survive standard cleaning✓
CSimply delete the rootkit files from the file system
DRename the rootkit files so they cannot execute
Show Answer & Explanation
Correct Answer: B
Explanation:
Rootkits embed deeply into the operating system and may survive standard removal attempts. The only reliable eradication method is to wipe the system completely and rebuild from a known-good image, then apply all current patches.
Question 4Incident Response & Management
After recovering from a security incident, which validation step should be performed before returning systems to production?
ARun a vulnerability scan and verify all identified vulnerabilities from the attack vector are remediated✓
BAsk the attacker if they left any backdoors
CSimply restart the system and monitor for one hour
DRestore the system from the compromised backup
Show Answer & Explanation
Correct Answer: A
Explanation:
Before returning systems to production, vulnerability scanning verifies the attack vector is closed and no new vulnerabilities were introduced during recovery. Systems should also be monitored closely for signs of reinfection after restoration.

Key Incident Response Concepts for CYSA

incident responseforensicscontainmenteradicationrecoverychain of custody

CYSA Incident Response Exam Tips

Incident Response & Management questions in CYSA are typically scenario-based. Focus on service-level decision making aligned to official exam objectives. Priority concepts: incident response, forensics, containment, eradication, recovery, chain of custody.

What CYSA Expects

Anchor your answer in select the most practical, secure, and scalable answer for the stated scenario.
Incident Response scenarios for CYSA are frequently mapped to Domain 3 (20%), so read the objective carefully before picking controls or architecture.
Expect multi-service scenarios where Incident Response interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated service question.
When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and managed-service best practices.

High-Value Incident Response Concepts

Know the core Incident Response building blocks cold: incident response, forensics, containment, eradication.
Review the edge-case features and limits for recovery, chain of custody; these details are commonly used to differentiate answer choices.
Practice service-integration reasoning: how Incident Response pairs with Security Operations, Reporting in real deployment patterns.
For CYSA, explain why the chosen Incident Response design meets reliability, security, and cost expectations better than the alternatives.

Common CYSA Traps

Watch for answers that partially solve the requirement but miss operational constraints.
Questions in Incident Response and Management often include distractors that look correct for Incident Response but violate least-privilege, durability, or availability requirements.
Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

Can you compare at least two Incident Response implementation paths and justify which one best fits the scenario?
Can you map the chosen answer back to Incident Response and Management (20%) outcomes for CYSA?
Can you explain security and access boundaries for Incident Response without relying on default-open assumptions?
Can you describe how Incident Response integrates with Security Operations and Reporting during failure, scaling, and monitoring events?

Exam Domains Covering Incident Response

Domain 3Incident Response and Management20%

Related Resources

🎯 Free CYSA Mock Exam 📝 Security Operations Questions 📝 Reporting Questions

More CYSA Study Resources

← CYSA Study Hub 30-Day Study Plan Full Practice Exam

🚨 Incident Response & Management - CYSA Practice Questions