CompTIA Security+ Practice Test of the Day 260523

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.8 (Explain appropriate incident response activities) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260523

10 questions • Single best answer

Question 1

An analyst in a SOC receives an alert at 2 AM that a critical server is communicating with a known C2 IP. The analyst confirms the connection is active and malicious. Which incident response phase comes immediately after this detection step?

A. Eradication B. Containment C. Recovery D. Lessons learned

Question 2

A security team conducts a tabletop exercise where key stakeholders walk through a simulated ransomware scenario. No systems are actually affected. What is the PRIMARY purpose of this exercise?

A. To test the organization's backup and recovery tools under load B. To validate that endpoint detection software identifies ransomware signatures C. To evaluate the team's decision-making and communication processes during an incident D. To identify unpatched vulnerabilities in the environment

Question 3

During incident response, the team discovers that a compromised workstation must be preserved for legal proceedings. The hard drive image must be collected in a way that ensures it is admissible in court. Which practice is MOST critical?

A. Encrypting the drive image using AES-256 before storage B. Maintaining a documented chain of custody throughout the acquisition process C. Storing the image on an air-gapped system to prevent tampering D. Using write blockers and hashing the image to verify integrity

Question 4

After containing a breach, the incident response team removes the malware, closes exploited vulnerabilities, and resets compromised credentials. Which phase of the IR lifecycle are they performing?

A. Preparation B. Containment C. Eradication D. Recovery

Question 5

A company's IR plan requires that whenever sensitive data is potentially exfiltrated, legal counsel must be notified and certain records must be preserved before any system changes are made. This requirement reflects which digital forensics concept?

A. E-discovery B. Legal hold C. Chain of custody D. Acquisition

Question 6

A threat hunter suspects an attacker established persistence on a host months ago. Before any tools are run, the analyst wants to understand what the attacker may have done. Which activity BEST describes this pre-investigation approach?

A. Threat hunting B. Root cause analysis C. Simulation testing D. Lessons learned

Question 7

After resolving a data breach, the CISO schedules a meeting with all IR stakeholders to review the timeline, evaluate the team's response, and identify process improvements. Which IR phase does this represent?

A. Analysis B. Recovery C. Lessons learned D. Preparation

Question 8

A penetration tester hired to evaluate a hospital's defenses is asked to perform a realistic attack simulation that includes both red team offensive actions and blue team defensive responses occurring simultaneously. What type of exercise is this?

A. Tabletop exercise B. Simulation C. Red team assessment D. Purple team exercise

Question 9

During an IR investigation, the team needs to collect RAM contents from a live server without shutting it down. Which principle guides the ORDER in which data should be collected?

A. Data should be collected from most persistent to least persistent sources B. Data should be collected from least volatile to most volatile sources C. Data should be collected starting with the most volatile sources first D. Data collection order does not matter as long as hashes are recorded

Question 10

A security team's playbook requires that upon detection of a credential stuffing attack, all affected accounts are locked and the authentication service is rate-limited within 15 minutes. This playbook represents which component of the IR preparation phase?