CompTIA Security+ Practice Test of the Day 260219

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on subdomain 4.8 (Explain appropriate incident response activities.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260219

10 questions • Single best answer

Question 1

Before taking any remedial action on a compromised server, a forensic analyst creates a bit-for-bit disk image using a write blocker and logs every person who handles the evidence, the time, and the actions taken. What forensic principle does this logging protect?

A. Legal hold B. E-discovery C. Preservation of evidence D. Chain of custody

Question 2

An IR team confirms malware is active on four servers. They immediately disconnect the affected servers from the network and place them on an isolated VLAN to prevent lateral movement to other systems. Which incident response phase does this action represent?

A. Eradication B. Recovery C. Analysis D. Containment

Question 3

After containing a ransomware outbreak, the IR team removes all malware artifacts from affected systems, patches the exploited vulnerability, and closes the phishing email gateway gap that served as the initial access vector. Which IR phase does this represent?

A. Containment B. Recovery C. Lessons learned D. Eradication

Question 4

Legal counsel informs the security team that litigation is anticipated involving company email records from the past two years. The team immediately ensures those records cannot be deleted, modified, or overwritten — overriding normal retention policies until the matter is resolved. What process is being initiated?

A. Chain of custody documentation B. E-discovery collection C. Legal hold D. Forensic acquisition

Question 5

An IR team spends half a day in a conference room walking through a simulated ransomware scenario — verbally reviewing each team member's responsibilities, escalation paths, and decision points without touching any production systems. What type of IR test is this?

A. Simulation B. Failover test C. Tabletop exercise D. Parallel processing test

Question 6

After a data breach, the IR team determines that the attack began with an unpatched Apache vulnerability, the attacker then moved laterally using stolen credentials, and exfiltrated data via encrypted HTTPS to an external server. What post-incident activity produced these findings?

A. Threat hunting B. Lessons learned review C. Root cause analysis D. E-discovery

Question 7

A security analyst proactively searches through endpoint telemetry, DNS query logs, and network traffic records looking for subtle indicators of compromise that have not triggered any automated alerts. No specific incident has been reported. What security activity is this?

A. Incident detection and analysis B. Root cause analysis C. Threat hunting D. Vulnerability scanning

Question 8

A forensic analyst images a suspect hard drive using a write blocker device connected between the drive and the imaging workstation. The write blocker ensures no data is written to the original drive during the imaging process. What forensic principle does the write blocker specifically protect?

A. Chain of custody B. Legal hold compliance C. Preservation of evidence integrity D. E-discovery production

Question 9

After a phishing-driven compromise is fully resolved, the IR team holds a structured meeting to review the timeline of events, evaluate whether the IR plan was followed correctly, identify gaps in detection, and document recommended improvements. What IR phase is this?

A. Recovery B. Preparation C. Eradication D. Lessons learned

Question 10

A legal team requests all emails, instant messages, and documents related to a specific project from the past three years for use in a civil lawsuit. The security team uses specialized tools to search, collect, and export the relevant records for legal review. What process is this?

A. Legal hold B. Chain of custody documentation C. Forensic acquisition D. E-discovery

Take more CompTIA Security+ practice tests

CompTIA Security+ Practice Test of the Day 260219

Related Posts