CompTIA CySA+

Incident Response & Management

50 free practice questions with explanations

PassNova has 50 free CompTIA CySA+ practice questions on Incident Response & Management, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Incident Response & Management: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 50 free questions in the browser.

  1. The four phases of the NIST SP 800-61 incident response lifecycle are, in order:

    • A Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity
    • B Containment; Preparation; Recovery; Reporting
    • C Detection; Recovery; Preparation; Eradication
    • D Reporting; Containment; Preparation; Lessons Learned

    Answer: NIST SP 800-61 defines the lifecycle as Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

  2. During an active intrusion, the immediate priority after confirming a compromise is to limit the spread and prevent further damage. Which incident response phase is this?

    • A Lessons learned
    • B Preparation
    • C Recovery
    • D Containment

    Answer: Containment focuses on isolating affected systems to stop the attacker from spreading or causing further harm before eradication and recovery.

  3. When collecting digital evidence, an analyst documents every person who handled it and when, to ensure it is admissible. This documentation is called the:

    • A Service level agreement
    • B Acceptable use policy
    • C Business impact analysis
    • D Chain of custody

    Answer: Chain of custody records the seizure, transfer, and handling of evidence over time to preserve its integrity and legal admissibility.

  4. During forensic acquisition of a running system, which data should be collected first according to the order of volatility?

    • A Files on a powered-off external drive
    • B Printed documentation in storage
    • C CPU registers, cache, and RAM contents
    • D Data archived on offline backup tapes

    Answer: The order of volatility dictates capturing the most ephemeral data first, such as CPU cache and RAM, because it is lost when power or state changes.

  5. After eradicating malware and restoring systems, the team holds a meeting to identify what went well, what failed, and how to improve. This activity is the:

    • A Evidence acquisition phase
    • B Post-incident (lessons learned) review
    • C Initial detection phase
    • D Containment phase

    Answer: The post-incident or lessons-learned review evaluates the response after recovery to improve future preparedness and update playbooks.

  6. To preserve the integrity of a disk image so it can be proven unaltered later, an analyst should:

    • A Compress the image with a password
    • B Store the image on the same compromised host
    • C Generate a cryptographic hash of the image and verify it matches
    • D Rename the image file to evidence.bak

    Answer: Computing a cryptographic hash such as SHA-256 at acquisition and re-verifying it later proves the evidence has not been modified.
