CompTIA Security+ · SY0-701
Objective 4.8: Explain appropriate incident response activities
Practice questions for Security+ objective 4.8, “Explain appropriate incident response activities.” Every question is original, written to the SY0-701 exam objectives, and comes with a full explanation — answer them below to see instant grading.
This objective sits in Domain 4.0: Security Operations, which is about 28% of the exam — so mastering it moves your readiness score meaningfully.
1.A security analyst confirms that ransomware has encrypted files on a single workstation and that the malware process is still active. The workstation is connected to both the corporate LAN and a shared network drive that several other users access. Applying the standard incident response lifecycle, which action should the analyst take first?
2.A SOC analyst detects that a server is actively exfiltrating data to an external IP. The analyst's FIRST priority under the NIST IR framework should be to:
3.During a simulated IR exercise, team members execute the exact tools and procedures they would use in a real incident, but against a dedicated test environment. Which type of exercise is described?
4.After a phishing campaign compromised 12 employee accounts, the security team rebuilds the affected systems from clean images and resets all compromised credentials. Which IR phase does this represent?
5.An analyst needs to produce log exports, email archives, and database records in response to a civil lawsuit. Which legal process governs this activity?
Practice every objective, adaptively
CertBench tracks your score on 4.8 and every other objective, then builds a daily plan that targets your weakest spots. Start with the free diagnostic.
Take the free diagnostic