Try 10 focused CompTIA CySA+ CS0-004 questions on Incident Response and Management, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA CySA+ CS0-004 |
| Topic area | Incident Response and Management |
| Blueprint weight | 24% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Incident Response and Management for CompTIA CySA+ CS0-004. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 24% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Incident Response and Management
A SOC analyst must provide evidence to an approved external incident response firm for malware and exfiltration analysis. The analyst needs to protect sensitive employee data without reducing the evidentiary value.
Exhibit: Evidence handover note
Case: IR-2471
Evidence: laptop disk image, memory capture, proxy logs
Sensitive data: HR records and session tokens present
Legal hold: active
Need: vendor analysis within 24 hours
Approved channel: encrypted evidence portal
Which evidence-handling decision best supports the investigation while protecting confidentiality?
Options:
A. Remove all user identifiers before calculating evidence hashes
B. Send an encrypted evidence package with hashes and chain-of-custody documentation
C. Upload the full evidence set to a temporary public share
D. Email screenshots of the files most relevant to the case
Best answer: B
Explanation: Evidence handling must preserve integrity, provenance, and confidentiality at the same time. In this scenario, the evidence contains HR records and session tokens, so uncontrolled sharing would create avoidable exposure. Because legal hold is active and vendor analysis is required, the analyst should use the approved encrypted evidence portal and include hash values plus chain-of-custody documentation. Hashes computed at collection prove that the evidence the vendor reviews matches what was collected, and the chain-of-custody record shows who handled it and when. Option A fails because altering artifacts before hashing means the hashes no longer attest to the original collection; if a redacted copy is genuinely needed, it should be produced as a separate derived artifact with its own hash and a custody note linking it to the original. Option C exposes regulated data on a public share, and option D (screenshots) discards both integrity and provenance. The key takeaway is to minimize disclosure through approved secure transfer without altering or weakening the evidence needed for analysis.
Topic: Incident Response and Management
A Tier 2 analyst is reviewing an incident handover. The Tier 1 recommendation is to isolate WS-043 and reimage it immediately. Based on the exhibit, which next action is most appropriate before making isolation or eradication decisions?
Exhibit: Incident handover
09:12 EDR: credential-access alert on WS-043 for user jsmith
09:19 VPN: jsmith login from new country, MFA push approved
09:27 AD: jsmith Kerberos requests to 6 servers not normally accessed
09:34 Proxy: SRV-FIN-02 outbound connection to known C2 IP
Coverage note: EDR not installed on SRV-FIN-02 or two legacy servers
Current scope: only WS-043 has been investigated
Options:
A. Disable all VPN access for the organization
B. Isolate only WS-043 and close the incident
C. Reimage WS-043 to remove the confirmed malware
D. Expand scoping across jsmith, target servers, and C2 indicators
Best answer: D
Explanation: Additional scoping is needed when the available evidence suggests the incident extends beyond the initially alerted host. Here, WS-043 triggered a credential-access alert, but the same account then authenticated through VPN from a new country (an approved MFA push does not by itself clear the account, because a user can approve a push they did not initiate), requested Kerberos tickets for six servers it does not normally access, and a finance server with no EDR agent connected to a known C2 IP. Reimaging WS-043 now would destroy volatile and disk evidence on the only host that has been examined, and isolating WS-043 alone would leave the compromised account and the C2-connected finance server active; the EDR coverage gap also means those servers cannot be cleared from endpoint telemetry alone. The next step is to identify affected identities, systems, and indicators (jsmith, the six target servers, the C2 IP) before selecting targeted containment and eradication actions. The key takeaway is to avoid narrowing the response to the first alert when the timeline indicates a broader compromise path.
Topic: Incident Response and Management
A SOC confirms that a production database server is communicating with a known command-and-control IP. The server supports an order-processing application, may contain regulated customer data, and business leadership reports that downtime above 30 minutes will disrupt shipping. Which coordination step best aligns the required response across SOC, IT operations, legal, compliance, and business stakeholders?
Options:
A. Ask IT operations to rebuild the server after business hours
B. Have the SOC isolate the server immediately without additional stakeholder input
C. Open a cross-functional incident bridge with an incident lead and stakeholder owners
D. Notify regulators and customers before completing impact analysis
Best answer: C
Explanation: Escalation and response coordination should bring the right stakeholders into a controlled decision process when an incident has technical, legal, compliance, and business-impact dimensions. In this scenario, containment may affect shipping operations, the system may contain regulated data, and evidence must be handled appropriately. A cross-functional incident bridge or similar coordination mechanism lets the SOC present evidence, IT operations evaluate safe containment or failover options, legal and compliance advise on preservation and notification obligations, and business owners decide acceptable operational risk. The key is not to delay response, but to coordinate response actions through defined roles and an incident lead.
Topic: Incident Response and Management
A SOC is handling an incident on a finance application server that processes sensitive customer records. EDR confirmed a malicious persistence mechanism, the server has been isolated from the network, and firewall blocks are in place for the known command-and-control destinations. The incident lead confirms that required memory and disk evidence have been preserved under chain of custody, and the business owner is requesting service restoration. What is the BEST professional decision for eradication timing?
Options:
A. Keep the server isolated until the after-action report is finalized
B. Begin approved eradication and recovery coordination now
C. Restore network access and monitor for recurrence first
D. Reimage the server before any forensic review is completed
Best answer: B
Explanation: Eradication should occur after the team has contained the threat and preserved evidence needed for investigation, legal, or regulatory purposes. In this scenario, the malicious mechanism is confirmed, the affected server is isolated, outbound C2 is blocked, and memory and disk evidence have been collected with chain of custody. Waiting longer would unnecessarily extend business impact, while acting earlier could destroy evidence or weaken the investigation. The right timing is to begin the approved eradication plan, such as removing persistence, rebuilding or cleaning the host, rotating affected credentials, and coordinating recovery validation. The key takeaway is that eradication should not outrun containment or evidence preservation, but it should not be delayed once those needs are satisfied.
Topic: Incident Response and Management
A SOC analyst is updating the incident impact assessment before recommending containment. Evidence collected so far shows:
Compromised account: HR analyst
Access: HR file share from unusual geography
Proxy/DLP: 1.8 GB uploaded to unsanctioned cloud storage
DLP match: high confidence for employee PII
File integrity monitoring: no changes detected
Service health: HR app and payroll systems normal
Business note: payroll processing deadline is today
Which impact assessment is the BEST professional decision?
Options:
A. Confirmed integrity impact requiring immediate file restoration
B. Critical availability impact because payroll has a same-day deadline
C. Low impact because no malware or file changes were detected
D. High confidentiality impact; no confirmed integrity, availability, or operational outage
Best answer: D
Explanation: Impact assessment should map visible evidence to confidentiality, integrity, availability, and business operations without overstating unsupported effects. The DLP and proxy evidence shows a likely confidentiality impact because employee PII was uploaded to unsanctioned cloud storage with high confidence. File integrity monitoring shows no detected changes, so integrity impact is not confirmed. Service health is normal, so availability impact is not confirmed. The payroll deadline increases business sensitivity, but the evidence does not show an actual payroll outage or interruption. The assessment should preserve that distinction while supporting escalation and scoping.
Topic: Incident Response and Management
An analyst confirms that a user laptop is actively connecting to an unauthorized file-sharing site after a data-loss alert. Legal requires preservation for a possible HR investigation, but the SOC must stop additional data transfer. Which preservation decision best meets both requirements?
Options:
A. Keep the laptop online until a full disk image is completed.
B. Log in as the user and copy suspicious files to a shared folder.
C. Reimage the laptop immediately and retain the SIEM alert as evidence.
D. EDR-isolate the laptop, document custody, and acquire hashed images before remediation.
Best answer: D
Explanation: Evidence preservation should maintain integrity, provenance, and usefulness while still supporting urgent containment. In this scenario, ongoing transfer creates a need to stop communications, but legal also needs defensible evidence. EDR network isolation is a minimally disruptive containment action: it cuts the laptop's ordinary network paths, which stops further exfiltration, while typically keeping the EDR management channel open so memory and disk can still be acquired remotely. Documenting who handled the system, when actions occurred, and how evidence was collected supports chain of custody. Acquiring forensic images and calculating hashes before remediation shows that collected evidence was not altered during analysis. Option A leaves the loss path open for as long as imaging takes, option B alters the evidence and the user's session, and option C destroys the disk evidence legal asked for. The key is to avoid destructive remediation until evidence is preserved, while not leaving an active loss path open.
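Both the vendor handover in the first question (case IR-2471) and the preservation decision above rest on the same mechanics: hash at collection, record every custody transfer, and verify whatever copy leaves your hands. The following is an added example, not code from the IT Mastery page or any forensic tool; artifact names and contents, the analyst and vendor labels, and the redaction rule are constructed. It also shows the right way to satisfy the confidentiality concern behind option A of the first question: derive a redacted copy as a new artifact with its own hash instead of altering the original before hashing.

```python
"""Added example (not from the IT Mastery page): hash evidence at collection, log
custody transfers, derive a redacted copy without touching the original digest, and
verify what a vendor receives. Artifact names/contents and actor labels are made up;
the case number is the one from the first question's exhibit."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts; real ones are disk/memory images and log files.
EVIDENCE = {
    "ws043.mem": b"MEMORY CAPTURE user=jsmith session_token=abc123\n",
    "proxy.log": b"09:34 SRV-FIN-02 -> 203.0.113.7 CONNECT\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(case_id: str, files: dict, collector: str) -> dict:
    """Hash every artifact at collection time. These digests are what a vendor's copy
    is later checked against, so they are computed before anything is altered."""
    return {
        "case": case_id,
        "artifacts": {name: sha256_hex(data) for name, data in files.items()},
        "custody": [{"who": collector, "action": "collected", "when": _now()}],
    }


def log_custody(manifest: dict, who: str, action: str) -> dict:
    """Append a who/what/when entry; the manifest travels with the evidence."""
    manifest["custody"].append({"who": who, "action": action, "when": _now()})
    return manifest


def add_redacted_copy(manifest: dict, files: dict, name: str, redactor) -> bytes:
    """Confidentiality without losing integrity: the redacted bytes become a NEW
    artifact with its own digest and a custody note naming the original's digest.
    The original entry is never rehashed over altered bytes."""
    redacted = redactor(files[name])
    derived = f"{name}.redacted"
    manifest["artifacts"][derived] = sha256_hex(redacted)
    log_custody(manifest, "soc-analyst",
                f"derived {derived} from {name} sha256={manifest['artifacts'][name]}")
    return redacted


def verify(manifest: dict, received: dict) -> dict:
    """Map each manifest artifact to True only if the received bytes match its digest;
    a missing or altered file maps to False."""
    return {name: name in received and sha256_hex(received[name]) == digest
            for name, digest in manifest["artifacts"].items()}


def package_for_vendor(manifest: dict) -> str:
    """The JSON that goes through the encrypted portal alongside the artifacts."""
    return json.dumps(manifest, indent=2, sort_keys=True)


if __name__ == "__main__":
    m = build_manifest("IR-2471", EVIDENCE, "soc-analyst")
    red = add_redacted_copy(m, EVIDENCE, "ws043.mem",
                            lambda b: b.replace(b"abc123", b"[REDACTED]"))
    log_custody(m, "vendor-ir", "received via encrypted portal")
    print(package_for_vendor(m))
    print(verify(m, {**EVIDENCE, "ws043.mem.redacted": red}))
```

If the original bytes are redacted in place and then compared against the manifest, `verify` reports the memory capture as failed, which is the evidentiary damage option A would cause; the derived `.redacted` artifact verifies cleanly because it was hashed as its own object and its custody note records which original it came from.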
Topic: Incident Response and Management
A SOC team is deciding whether to return an isolated application server to production after a ransomware-related incident. Review the handover note and choose the best next action.
Exhibit: Incident handover
Asset: APP-07
Status: isolated from user VLAN
Backup: clean restore point identified
Containment: EDR network isolation active
Eradication evidence:
- Malicious service removed from APP-07
- Two scheduled tasks with same hash still present on DB-03
- EDR shows last beacon from DB-03 18 minutes ago
Recovery request: business owner asks to reconnect APP-07 now
Options:
A. Move directly to the post-incident lessons-learned meeting
B. Reconnect APP-07 and monitor for reinfection
C. Keep recovery on hold and continue containment/eradication validation
D. Restore APP-07 from the clean backup immediately
Best answer: C
Explanation: Recovery should begin only after containment is stable and eradication evidence is sufficient for the affected scope. The exhibit shows APP-07 may be ready locally, but DB-03 still has matching scheduled tasks and recent beaconing. That means the incident may not be fully contained or eradicated across related systems. Reconnecting APP-07 could reintroduce exposure or allow reinfection from a still-compromised host. The appropriate action is to hold recovery, continue containment and eradication, and validate that persistence, command-and-control activity, and affected assets are cleared before restoring normal operations.
Topic: Incident Response and Management
A SOC analyst has high-confidence evidence that an attacker used a compromised service account to access an HR application that stores employee PII. IT operations can disable the account and isolate the application segment, but doing so may interrupt payroll processing scheduled in 3 hours. Legal has requested evidence preservation, and compliance needs to determine whether notification obligations apply. What is the best coordination step?
Options:
A. Notify affected employees before containment decisions are made
B. Have IT operations immediately take the HR application offline
C. Wait for full forensic analysis before notifying stakeholders
D. Start a cross-functional incident bridge with defined owners
Best answer: D
Explanation: Escalation and response coordination should bring the right stakeholders together when an incident affects sensitive data and business operations. Here, the SOC has credible evidence, IT has a containment option, payroll creates business impact, and legal/compliance requirements affect how actions are taken and documented. A cross-functional incident bridge or incident command process lets SOC, IT operations, legal, compliance, and the business owner agree on immediate containment, evidence handling, communication, and notification analysis. The key is coordinated action, not delaying response or acting unilaterally.
Topic: Incident Response and Management
An IR lead asks for a framework mapping that will improve incident analysis while avoiding unsupported claims about attribution or attacker intent.
Exhibit: Incident handover
Host: FIN-WS-044
10:14 User opened invoice.zip from an external sender
10:16 outlook.exe spawned powershell.exe
10:17 HTTPS connections every 60 seconds to update-check.example
10:22 EDR blocked a credential-dumping attempt
Threat-intel note: domain seen in similar campaigns; attribution to Group A is low confidence
No confirmed data exfiltration or ransom note
Which mapping is best supported by the exhibit?
Options:
A. Cyber Kill Chain: actions on objectives with confirmed data exfiltration
B. MITRE ATT&CK: ransomware impact objective confirmed
C. Diamond Model: adversary unknown; capability phishing and PowerShell; infrastructure domain; victim host
D. Attribution report: assign the incident to Group A
Best answer: C
Explanation: The Diamond Model is well suited for structuring incident analysis around adversary, capability, infrastructure, and victim while allowing unknowns and confidence levels. The exhibit supports a victim host, phishing delivery, PowerShell execution, periodic outbound infrastructure, and a blocked credential-dumping attempt. It does not support confirmed exfiltration, ransomware impact, or confident attribution to Group A. A useful mapping improves analytic clarity without turning weak threat-intelligence correlation into a firm attacker identity or intent claim. The key takeaway is to map what the evidence supports and explicitly preserve uncertainty where confidence is low.
Topic: Incident Response and Management
A file-transfer server incident has been contained and systems are back online. The incident lead is updating the post-incident action plan. Which improvement most directly addresses the root cause shown in the exhibit?
Exhibit: After-action summary
| Finding | Evidence |
|---|---|
| Initial access | Known file-transfer CVE exploited |
| Patch status | Vendor patch released 21 days earlier |
| Asset coverage | Server missing from authenticated scans after ownership transfer |
| Recovery completed | Server rebuilt and files restored from clean backup |
Options:
A. Extend endpoint log retention on the server
B. Restore the server from backup after each incident
C. Add ownership checks to asset inventory and scan scope
D. Rotate all file-transfer user passwords quarterly
Best answer: C
Explanation: Post-incident improvement should target the condition that allowed the incident to occur or persist, not just the steps that returned service to normal. The exhibit shows a known CVE with an available patch, but the server was missed by authenticated vulnerability scans after an ownership transfer. The most useful improvement is to strengthen asset ownership and scan-scope governance so transferred systems remain inventoried, scanned, assigned to an owner, and tracked through remediation validation. Restoring from backup is recovery, not root-cause correction. Better logging and password rotation may be useful controls, but they do not address the missed vulnerability management process that enabled exploitation.
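The improvement in option C is a governance control, but it only holds if something actually checks it. The following is an added example, not code from the IT Mastery page or any scanner or CMDB product: it reconciles a constructed inventory against authenticated-scan scope and ownership, and gates ownership transfers so a server cannot change hands unless it stays in scan scope. Asset names, dates, owner groups and the seven-day scan-age threshold are assumptions.

```python
"""Added example (not from the IT Mastery page): inventory/scan-scope reconciliation
and an ownership-transfer gate. Assets, owners, dates and thresholds are constructed."""
from datetime import date

# Constructed inventory; "last_auth_scan" is the most recent authenticated scan date.
# FT-SRV-01 models the exhibit: it lost its owner on transfer and dropped out of scope.
INVENTORY = {
    "FT-SRV-01": {"owner": None,       "last_auth_scan": date(2024, 4, 10)},
    "WEB-01":    {"owner": "web-team", "last_auth_scan": date(2024, 5, 28)},
    "DB-02":     {"owner": "dba-team", "last_auth_scan": date(2024, 5, 27)},
}
SCAN_SCOPE = {"WEB-01", "DB-02"}                     # targets the authenticated scanner is configured with
VALID_OWNERS = {"web-team", "dba-team", "infra-team"}  # owner groups that can receive findings


def reconcile(inventory, scan_scope, valid_owners, today, max_scan_age_days=7):
    """Return {asset: [issues]} for every asset the vulnerability-management process
    would miss: no accountable owner, not in scan scope, or last authenticated scan
    older than the threshold. Assets with no issues are omitted."""
    findings = {}
    for asset, rec in inventory.items():
        issues = []
        if rec["owner"] not in valid_owners:
            issues.append("no-valid-owner")
        if asset not in scan_scope:
            issues.append("not-in-auth-scan-scope")
        if (today - rec["last_auth_scan"]).days > max_scan_age_days:
            issues.append("auth-scan-stale")
        if issues:
            findings[asset] = issues
    return findings


def transfer_ownership(inventory, scan_scope, valid_owners, asset, new_owner):
    """Refuse a transfer unless the new owner is an approved group AND the asset is
    already in authenticated-scan scope, so a hand-over can never silently drop a
    host out of scanning. Returns (ok, message)."""
    if asset not in inventory:
        return False, f"{asset} is not in the inventory"
    if new_owner not in valid_owners:
        return False, f"{new_owner!r} is not an approved owner group"
    if asset not in scan_scope:
        return False, f"{asset} is not in authenticated scan scope; add it before transfer"
    inventory[asset]["owner"] = new_owner
    return True, f"{asset} transferred to {new_owner}"


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(reconcile(INVENTORY, SCAN_SCOPE, VALID_OWNERS, today))
    print(transfer_ownership(INVENTORY, SCAN_SCOPE, VALID_OWNERS, "FT-SRV-01", "infra-team"))
    SCAN_SCOPE.add("FT-SRV-01")                      # the remediation step the gate demands
    print(transfer_ownership(INVENTORY, SCAN_SCOPE, VALID_OWNERS, "FT-SRV-01", "infra-team"))
    print(reconcile(INVENTORY, SCAN_SCOPE, VALID_OWNERS, today))
```

Run daily, `reconcile` is the detective control (the server in the exhibit would have shown up with all three issues on the day it was transferred); `transfer_ownership` is the preventive one. The stale-scan finding remains after the transfer is accepted, which is the cue to run the authenticated scan rather than to treat the ownership fix as complete remediation.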
Use the CompTIA CySA+ CS0-004 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.