Domain 3
CompTIA CySA+ Incident Response & Management | Free Practice + Anki Decks

Ref:📕CompTIA CySA+ Study Guide: Exam CS0-003 (Sybex Study Guide) 3rd Edition

CySA+ (CS0-003) – Domain 3 – Incident Response and Management

1 / 68

Which roles are typically represented on a Cybersecurity Incident Response Team (CSIRT)?

A. Database administrators only

B. Cybersecurity professionals, legal counsel, and public relations staff

C. Human resources and system engineers only

D. Desktop experts only

2 / 68

Which of the following accurately describes the process that should be followed regarding evidence after an incident is concluded?

A. All evidence should be immediately destroyed to prevent further cyber incidents

B. Evidence should be placed in a secure repository, with the decision to retain or destroy it depending on factors such as potential for criminal action and impact on the organization

C. Evidence should be handed over to law enforcement regardless of the organization’s policy

D. The evidence should be exposed to the public to increase awareness of cyber incidents

3 / 68

What is the importance of testing the Incident Response Plan (IRP)?

A. To reassure the organization that the plan will function properly in an actual incident

B. To save up on firm’s cybersecurity budget

C. To avoid routine monitoring of security events

D. To prove the IRP’s irrelevance in real world scenarios

4 / 68

What is the primary responsibility of IT managers and senior leadership in incident response efforts?

A. To shutdown critical servers during an incident

B. To provide the authority, resources, and time required to respond appropriately to a security incident

C. To communicate with law enforcement or the general public during an incident

D. To assess the impact of an incident on key stakeholders

5 / 68

Which of the following is NOT typically within the scope of the CSIRT as defined by the organization’s incident response policy?

A. What triggers the activation of the CSIRT

B. Whether the CSIRT is responsible for certain business units

C. If the CSIRT is authorized to communicate with law enforcement

D. The procedures for annual company-wide training

6 / 68

In the incident recovery effort, what is the recommended approach for patching systems and applications?

A. Patch all systems simultaneously

B. Patch the systems that were not involved first

C. Patch systems in a phased approach starting with those directly involved in the compromise

D. Prioritize patching new systems and applications

7 / 68

What are the two testing resources that you must know for the CySA+ exam?

A. NIST 800-30 and ISO 27001

B. OSSTMM and OWASP Web Security Testing Guide

C. ISO 27002 and COBIT 5

D. ISO 31000 and COSO

8 / 68

What is the purpose of isolating attackers in a sandbox environment?

A. To provide attackers with valuable information

B. To distract the attackers with useless information

C. To allow continued observation in a safe, contained environment

D. To stop the attackers’ activities immediately

9 / 68

What is the purpose of validating data integrity during preservation activities?

A. To ensure that the data captured and retained matches the original data

B. To make sure data investigators draw correct conclusions

C. To calculate a hash based on the original file, volume, or drive

D. All of the above

10 / 68

What do Indicators of Compromise (IoCs) consist of?

A. Information about activity, events, and behaviors related to potentially malicious behavior

B. Data about actual attacks or compromises

C. Detailed information about threat actors and their goals

D. List of potential vulnerabilities in a system

11 / 68

What are the three options for the secure disposition of media containing sensitive information according to NIST?

A. Analyze, Erase, Stub

B. Clean, Shred, Burn

C. Clear, Purge, Destroy

D. Wipe, Overwrite, Expunge

12 / 68

Which of the following is NOT one of the common examples of behavior-based Indicators of Compromise (IoC)?

A. Unusual privileged account behaviors

B. Addition of users to groups with lesser rights

C. Bot-like behaviors

D. Understanding of user and account behavior-based identification

13 / 68

What is the objective of isolating affected systems in a network?

A. To restrict access to the affected systems.

B. To allow the attacker to access other systems in the network.

C. To continue to allow the attacker to access the isolated systems but restrict their ability to access other systems.

D. To enable communication between the affected systems and all systems in the network.

14 / 68

What is a common technique used by attackers to conceal their activities and evade detection?

A. Use encrypted protocols like TLS to protect web traffic

B. Send the traffic through popular sites

C. Cause a DDOS attack to distract security

D. Create spoofed traffic to confuse security system

15 / 68

What should a CSIRT team do if they believe the evidence they’ve gathered may be used in court?

A. Discard the evidence immediately after reviewing

B. Consult attorneys before discarding any evidence

C. Store the evidence for two years only

D. Send the evidence to U.S. federal government agencies

16 / 68

What should not be included in the incident response policy?

A. Definition of cybersecurity incidents and related terms

B. Procedure documents specifying response procedures and evidence-gathering techniques

C. Organizational structure including roles, responsibilities, and level of authority

D. Performance measures for CSIRT

17 / 68

Which of the following is NOT a recommended action for improving the effectiveness of incident analysis according to NIST 800-61?

A. Profile networks and systems to measure the characteristics of expected activity

B. Create a logging policy that specifies the information that must be logged by systems, applications, and network devices

C. Synchronize clocks across servers, workstations, and network devices

D. Rely solely on automated tools and systems without seeking assistance from external resources

18 / 68

What is the primary purpose of the eradication phase while responding to a cybersecurity incident?

A. Identifying the attacker

B. Removing any remaining artifacts of the incident from the network

C. Rebuilding the organization’s network

D. Updating malware signatures

19 / 68

What is the functional impact of a security incident?

A. The degree of impairment that it causes to the organization

B. The economic impact of a security incident on the organization

C. The number of security incidents investigated by CSIRT members

D. The financial thresholds included in the economic impact categories

20 / 68

How should a CSIRT classify each incident that occurs?

A. A CSIRT should classify an incident by the type of threat only

B. A CSIRT should classify an incident according to a standardized incident severity rating system only

C. A CSIRT should classify an incident by both the type of threat and the severity according to an original incident severity rating system

D. A CSIRT should classify an incident by both the type of threat and the severity according to a standardized incident severity rating system

21 / 68

What is one purpose of maintaining a chain-of-custody of evidence during incident response activities?

A. To ensure that data is properly encrypted

B. To track evidence through its lifecycle including collection, preservation, and analysis

C. To avoid unnecessary data duplication

D. To accelerate the data acquisition process

22 / 68

What are the four activities that should always be included in the incident recovery validation effort?

A. Verify user accounts, proper restoration of permissions, system and data integrity, and logging capabilities.

B. Conduct vulnerability scans, data backup, checking antivirus updates, and verifying user accounts.

C. Verifying user accounts, system and data integrity, network monitoring, and incident reporting.

D. Data encryption, system and data integrity, proper restoration of permissions, and verifying user accounts.

23 / 68

What is an important aspect while gathering and handling evidence during the incident response containment phase?

A. Only limiting damage to the organization

B. Keeping a detailed evidence log

C. Speeding up the containment process

D. Focusing solely on internal purposes

24 / 68

Why is it not sufficient to merely correct the identified security issue in a compromised system?

A. The potential vulnerability may be reintroduced in the system.

B. The corrective actions can degrade the system performance.

C. The rest of the system will continue to function normally.

D. The attacker might not be able to compromise the system again.

25 / 68

Which of the following is a typical indicator of compromise (IoC) that involves networking?

A. Unusual network traffic

B. Abnormal system processor usage

C. Data leakage to a social media platform

D. Unusually high data storage

26 / 68

What are some considerations when deciding to retain an incident response provider?

A. The types of incidents that can be handled internally

B. The provider’s guaranteed response time

C. The organization’s plan to respond to an incident before the provider gets involved

D. All of the above

27 / 68

According to the NIST Computer Security Incident Handling Guide, what does it suggest about identifying an attacking host?

A. It is a top priority during a cybersecurity incident.

B. It is a time-consuming and futile process that may prevent a team from minimizing the business impact.

C. It is easily achievable with the right tools and resources.

D. It should be avoided at all costs.

28 / 68

Why are attack frameworks useful according to the CompTIA CySA+ study guide?

A. They provide a structured way to understand, categorize and respond to attacks

B. They provide a way to create completely original attack models

C. They are required by all cybersecurity organizations

D. They are helpful for communicating with attackers

29 / 68

What can make distributed DoS attacks difficult to identify and stop?

A. They come from a single system

B. They often originate from systems inside your network

C. They can come from many machines

D. They typically exploit service vulnerabilities

30 / 68

What is the main objective of post-incident activity in cybersecurity?

A. To improve the company’s public image

B. To determine what actually occurred during an incident

C. To punish the perpetrator

D. To develop new software

31 / 68

What is ’impossible travel’ IoC?

A. When an employee is using VPN resulting in a false location

B. When a single user logs in from multiple different geographic locations within a short period

C. An irregular schedule of user logins and rights usage

D. When an employee logs in from a location hundreds of miles away minutes or just a couple of hours after logging in from their normal location

32 / 68

What technique does NIST’s hypothetical attacker use to identify when their compromised system has been removed from the network?

A. The attacker monitors HTTP requests sent to an external server.

B. The attacker monitors incoming traffic from the network administrator.

C. The attacker sets up a periodic ping request to an external host and monitors the results.

D. The attacker sets up a botnet to overload the network with traffic.

33 / 68

What are the three key measures used in the incident severity assessment according to the NIST guidelines?

A. Scope of Impact, Functional Impact, and Recoverability Effort

B. Functional Impact, Economic Impact, and Recoverability Effort

C. Scope of Impact, Economic Impact, and Time of Service Unavailability

D. Functional Impact, Economic Impact, and Time of Service Unavailability

34 / 68

What is the purpose of a ’Legal Hold’?

A. To preserve data and produce it as part of a legal process when a legal counsel issues a legal hold notice

B. To track evidence through its life cycle, including the collection, preservation, and analysis of the evidence.

C. To ensure that captured and retained data matches the original data.

D. To prevent law enforcement involvement in evidence acquisition.

35 / 68

What is involved in the preparation phase of setting up a CSIRT?

A. Creating a policy document and assigning staff

B. Training, testing, documentation of procedures, assembling the necessary tools, and building strong cybersecurity defenses

C. Building the Foundation for Incident Response and Creating an Incident Response Team

D. All of the above

36 / 68

Which of the following measures are used to determine the severity of a security incident?

A. The amount of users affected

B. The degree of impairment and the types of data affected.

C. The economic impact only

D. The functional and economic impact only

37 / 68

Which of the following best describes the importance of combining IoCs in identifying a compromise?

A. To detect single IoCs that occur in isolation

B. To update existing IoCs feed

C. To ensure that multiple IoCs add up to a likely compromise

D. To avoid the usage of log and log analysis tools

38 / 68

What are the stages included in ATT&CK matrices to represent the complete threat lifecycle?

A. Access, Execution, Persistence, Escalation, and Exfiltration

B. Detection, Mitigation, Reporting, Review, and Upgrade

C. Installation, Compilation, Testing, Deployment, and Monitoring

D. Identification, Validation, Sanitization, Protection, and Verification

39 / 68

Why do incident response processes have loops that allow responders to return to prior phases during response to a cybersecurity incident?

A. To allow responders to take breaks during an intensive response

B. To reanalyze and verify if an incident has been successfully resolved

C. To enable responders to perform other security tasks that don’t involve the current incident

D. To keep track of the duration and cost of the response effort

40 / 68

According to the National Institute for Standards and Technology (NIST), which of the following is NOT classified as a security incident?

A. A user accessing a file stored on a server

B. A keylogger on an executive’s system to steal passwords

C. Accidental loss of sensitive information

D. A denial-of-service attack against a website

41 / 68

What are some of the important elements that should be covered in a post-incident report written by the CSIRT?

A. Chronology of events and root cause of the incident

B. Location of witnesses during the incident

C. Specific jokes made during the incident

D. Favorite foods of the incident responders

42 / 68

What are some key functions and objectives of a lessons learned session following a cybersecurity incident?

A. To criticize and blame individuals responsible for the security breach

B. To uncover critical information about the response and highlight potential deficiencies in the incident response plan

C. To exclusively focus on indicators of compromise (IOCs)

D. To ignore the proposed changes to the incident response plan

43 / 68

Why is it important for a cybersecurity analyst to perform root cause analysis in the aftermath of a security incident?

A. It helps in securing total recovery.

B. It helps to design more stringent security controls.

C. It allows for an understanding of how the breach occurred to prevent future similar incidents.

D. It serves to assign blame and take necessary disciplinary action.

44 / 68

Why should responders refer back to the change control and configuration management processes after an incident?

A. To understand the cause of the incident.

B. To document any emergency changes made during the incident response.

C. To bypass the organization’s processes in future emergency situations.

D. To prove compliance with legal and regulatory requirements.

45 / 68

What is the strongest containment technique in the cybersecurity analyst’s incident response toolkit?

A. Segmentation

B. Isolation

C. Encryption

D. Removal

46 / 68

What specific role does an independent facilitator serve during a Lessons Learned Review?

A. They handle management of the incident response.

B. They guide the discussion without advancing a hidden agenda.

C. They document the procedures that were followed.

D. They take actions that inhibited the recovery.

47 / 68

What is the focus of defense against the Exploitation stage in Lockheed Martin’s Cyber Kill Chain?

A. Gathering data about reconnaissance activities and prioritizing defenses based on that information

B. Conducting full malware analysis, building detections for weaponizers, and collecting files and metadata

C. Observing how the attack was delivered and what was targeted then inferring what the adversary was intending to accomplish

D. User awareness, secure coding, vulnerability scanning, penetration testing, endpoint hardening, and similar activities

48 / 68

What criticism has Lockheed Martin’s Cyber Kill Chain model received?

A. It only focuses on external threats

B. It mainly focuses on perimeter and antimalware-based defensive techniques and lacks focus on insider threats

C. It includes actions that occur outside of the defended network

D. All of the above

49 / 68

Which of the following correctly describes the term ’Scope of Impact’ in relation to incident response?

A. It is the amount of data lost as a result of the incident

B. It is the degree of impairment that a security incident causes the organization and the effort required to recover

C. It is a policy outlining how to communicate incident details to stakeholders

D. It is the potential revenue lost due to the incident

50 / 68

Which of the following attack vectors is associated with using brute-force methods to compromise, degrade, or destroy systems, networks, or services as described by NIST?

A. Web

B. Email

C. Attrition

D. External/Removable Media

51 / 68

The Diamond Model of Intrusion Analysis includes several specific terms. Which one of the following is not a term used in this analysis model?

A. Core Features

B. Meta-Features

C. Confidence Value

D. Threat Matrix

52 / 68

What are the two primary isolation techniques used during a cybersecurity incident response effort?

A. Isolating affected systems and isolating the firewall

B. Isolating affected systems and isolating the attacker

C. Isolating the attacker and isolating the network

D. Isolating the data and isolating the attacker

53 / 68

How can increases in resource usage indicate potential compromise?

A. Attackers may consume CPU or memory due to their use of tools or utilities

B. Network usage may increase as data is transferred

C. Unusual spikes in database read volume may indicate data gathering

D. All of the above

54 / 68

What activities are undertaken during the post-incident activity phase of incident response?

A. Relaxing and taking a break

B. Undertaking forensic procedures, performing a root cause analysis, conduct a lessons learned review, and ensuring that internal and external evidence retention requirements are met

C. Immediately starting the next task

D. Focusing only on fixing the damage caused

55 / 68

According to the NIST, what four data impact categories should cybersecurity analysts consider?

A. Privacy breach, proprietary breach, confidentiality breach, regulated information breach

B. Privacy breach, proprietary breach, integrity loss, none

C. Intellectual property breach, regulated information breach, confidentiality breach, none

D. Integrity loss, privacy breach, intellectual property breach, regulated information breach

56 / 68

What key elements should an incident response policy contain according to NIST recommendations?

A. Rating scheme for incidents, definition of cybersecurity incidents, performance measures for the CSIRT

B. Description of specific technologies, response procedures, and evidence-gathering techniques

C. Description of the CSIRT payroll structures, individual performance reviews, and disciplinary actions

D. List of clients and vendors, information about the organization’s CEO, transition procedures for policy change

57 / 68

What are the objectives of the containment, eradication, and recovery phase in incident response?

A. Select an arbitrary containment strategy and implement it

B. Select a containment strategy appropriate to the incident circumstances and implement it to limit the damage cause by the incident

C. Identify the attackers and attacking systems and eradicate their access without any further investigations

D. Recover normal operations without taking steps to limit the damage of the incident

58 / 68

What are the post-incident activities a CSIRT team should perform after immediate, urgent actions of containment, eradication, and recovery are complete?

A. Resting for an extended period

B. Implementing immediate new protocols

C. Managing change control processes, conducting a lessons learned session, and creating a formal written incident report

D. Conducting daily briefings about the incident

59 / 68

What is the purpose of playbooks developed by CSIRT teams?

A. To serve as an operational plan in response to a specific type of cybersecurity incident

B. To log and track all cybersecurity incidents within an organization

C. To protect the personal financial information of customers

D. To provide a list of incidents that the team is not supposed to deal with

60 / 68

What are commonly used intrusion detection systems for monitoring file system modifications?

A. Kaspersky and Norton

B. OSSEC and Tripwire

C. McAfee and Avast

D. BitDefender and Panda

61 / 68

What is the primary purpose of network segmentation in cybersecurity?

A. To create separate networks for different types of users

B. To allow compromised systems to continue operating while under observation

C. To prevent the spread of security incidents by isolating potential threats

D. To create a separate network for the transfer of sensitive information

62 / 68

What criteria does NIST recommend to develop an appropriate containment strategy during an incident response?

A. Only the potential damage to and theft of resources

B. Just the need for evidence preservation

C. The time and resources needed to implement the strategy

D. Potential damage to and theft of resources, need for evidence preservation, service availability, time and resources needed to implement the strategy, effectiveness of the strategy, duration of the solution

63 / 68

What is the function of a Chain-of-Custody in evidence acquisition and preservation during incident response activities?

A. It results in higher costs and administrative overhead for the organization

B. It is used to track evidence through its life cycle, including collection, preservation, and analysis

C. It is a tool used to perform data integrity validation

D. It is part of the eDiscovery process where legal counsel issues a hold notice

64 / 68

What should be given focus when documenting the incident response plan?

A. Improvisation during the incident occurrence

B. Creating tools that can be quickly interpreted during crisis

C. Avoiding the use of guidebooks to allow for innovative solutions

D. Making the document long and comprehensive

65 / 68

What is a characteristic of unusual DNS traffic that an organization may monitor?

A. Reduced number of DNS queries

B. Queries to normal, familiar domain names

C. Unusually low number of DNS query failures

D. Abnormal levels of DNS queries, particularly to unusual domain names

66 / 68

What is the Unified Kill Chain?

A. It is a combination of several cyber security models including Lockheed Martin’s Cyber Kill Chain and MITRE’s ATT&CK framework

B. It is the same as MITRE’s ATT&CK framework

C. It is the official cyber attack model used by CompTIA CySA+

D. It is a cyber attack model designed by Lockheed Martin

67 / 68

What is the purpose of Chain of Custody in incident response activities?

A. Track the use of threat intelligence tools during incident response

B. Document the usage of virtual machines during incident response

C. Monitor the network traffic during the incident

D. Document and track evidence through its life cycle

68 / 68

What is the first step in the Containment, Eradication, and Recovery phase of incident response?

A. Detection and Analysis

B. Eradication

C. Recovery

D. Containment

Your score is

Share the Post:

Download Your FREE CompTIA CySA+(CS0-003) Anki Deck!

Email issues? [ [email protected] ]

CompTIA CySA+ Domain 3: Incident Response and Management

For those looking to enhance their career in security or transition into IT, we offer a free practice test for CompTIA CySA+ Domain 3: Incident Response and Management. This test is designed to mirror the actual exam format, boosting your confidence and readiness.

Explore Other CompTIA CySA+ Domains

Key Features

Realistic Exam Simulation: Familiarize yourself with the actual exam environment.
Detailed Explanations: Learn from comprehensive explanations for each question.
Identify Weak Areas: Focus your study on areas that need improvement.
Completely Free: Access our high-quality practice test at no cost.

Why Choose Our Practice Test?

Expertly Crafted: Developed by experienced cybersecurity professionals.
Career Advancement: Passing the CompTIA CySA+ can open new job opportunities.
Convenient and Accessible: No registration required, available online anytime. Also, download the Free Offline Deck for Anki app use.

Master Incident Response and Management for the CompTIA CySA+ (CS0-003) exam with our free practice test. Start enhancing your cybersecurity skills today! For more information on CompTIA CySA+ certification, visit the Official Site.

WGU Master’s Degree Rankings 2026 | I Asked 3 AIs 300 Times to Find the Best One
Table of Contents Which WGU Master’s Degree Is Actually Worth It? If you’re considering a master’s degree from WGU and can’t figure out which program to choose — cybersecurity, software engineering, AI/ML, data analytics — you’re not alone. The options are overwhelming, and most comparisons online are either outdated or purely opinion-based. So here’s a […]
How I Made $1.3 Million in Cybersecurity (With Exact Revenue Numbers)
Table of Contents If you’re stuck at $50K–$100K and wondering, “How the hell do people make seven figures?” this is for you.I’m Josh Madakor. In 2025, I made $1.3 million in cybersecurity. Not from a corporate job. Not from VC funding. And definitely not from selling a bullshit course.In this article, I’ll break down everything: […]
The Best Laptops for Cyber Security in 2026: Stop Over-Analyzing, Start Building
Table of Contents Let’s be real: most people think that to get into cyber security, you need to be a “super elite hacker” running 10 different virtual machines on a glowing, heavy-duty gaming laptop. Spoiler alert: That’s just not how the industry works. I’ve spent years in roles ranging from Senior Analyst to Security Engineer, […]

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.

Join Now!

Domain 3 CompTIA CySA+ Incident Response & Management | Free Practice + Anki Decks

Download Your FREE CompTIA CySA+(CS0-003) Anki Deck!

CompTIA CySA+ Domain 3: Incident Response and Management

Explore Other CompTIA CySA+ Domains

Key Features

Why Choose Our Practice Test?

Related Posts

Hands-onCybersecurity Training in a LIVE SOCwith Enterprise Security ToolsInternships Available.

Domain 3
CompTIA CySA+ Incident Response & Management | Free Practice + Anki Decks

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.