Free CompTIA CySA+ Incident Response and Management Practice Test 2026 — CS0-004 Questions
This free CompTIA CySA+ Incident Response and Management practice test covers the incident response lifecycle, detection and analysis, containment, eradication, recovery, playbooks, and digital forensics fundamentals. Each question includes a detailed explanation with cybersecurity analysis context — perfect for CS0-004 exam prep.
Key Topics in CompTIA CySA+ Incident Response and Management
- IR Lifecycle
- Detection & Analysis
- Containment & Eradication
- Digital Forensics
- Playbooks
- Recovery
Free CompTIA CySA+ Incident Response and Management Practice Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius CompTIA CySA+ CS0-004 question bank for the Incident Response and Management domain (24% of the exam).
Sample Question 1 — Incident Response and Management
Artifact:
08:14 EDR alert: Suspicious rundll32.exe execution loading C:\Users\jnorris\AppData\Local\Temp\a.dll
08:14 Action: Host FIN-WS22 automatically isolated from the network
08:15 User session: jnorris still logged in
08:16 IR lead note: "Primary goal right now is preserve evidence for root cause analysis before any rebuild."
What should the analyst do next?
- A. Capture memory and active process or network connection data from FIN-WS22 (Correct answer)
- B. Reimage FIN-WS22 immediately and return it to service after the rebuild
- C. Delete the suspicious DLL and remove the alert from the queue
- D. Reboot FIN-WS22 to stop any remaining malicious activity
Correct answer: A
Explanation: Correct answer (A): Because the endpoint is already isolated, the best next step is to preserve volatile evidence before the system state changes. Memory contents, running processes, the still-active jnorris session, and network connections are lost on reboot or reimage, so they are collected first, following the order of volatility, and disk images come afterward. In CySA+ incident handling, containment generally comes before eradication, and evidence preservation comes before destructive actions when root cause analysis is a stated goal.
Why the other options are wrong:
- Option B: Reimaging may be appropriate later for eradication and recovery, but it is not the best next step when the explicit goal is to preserve evidence first.
- Option C: Deleting artifacts changes the system state and can destroy evidence needed to determine scope, cause, and attacker actions.
- Option D: Rebooting may interrupt activity, but it also risks losing memory-resident evidence and is unnecessary because the EDR has already isolated the host.
Sample Question 2 — Incident Response and Management
Artifact:
Organization severity rubric:
- P1: regulated data on a business-critical system or outage affecting more than 50 users
- P2: limited operational impact or sensitive data with narrow scope
- P3: isolated endpoint issue with no sensitive data exposure
08:40 SIEM alert: rapid file rename and encryption behavior on HR-FS01
08:43 Analyst note: payroll share unavailable to 230 users
08:44 Data owner note: share contains employee SSNs and tax records
08:45 No domain controller impact observed at this time
Based on the stated rubric, how should this incident be classified?
- A. P1, because the event affects a critical service and regulated employee data (Correct answer)
- B. P2, because the activity is limited to one file server and not the entire domain
- C. P3, because encryption was detected before domain controllers were affected
- D. False positive, because no evidence shows the attacker reached other servers yet
Correct answer: A
Explanation: Correct answer (A): The rubric drives the answer. This incident qualifies as P1 on two independent criteria: 230 users cannot reach the payroll share, which exceeds the 50-user outage threshold, and the share holds SSNs and tax records, which is regulated data on a business-critical system. CySA+ severity decisions should be based on stated impact, scope, and data sensitivity, not just on whether the issue has spread to other systems.
Why the other options are wrong:
- Option B: One affected server can still be P1 when it supports a critical business function and stores regulated data.
- Option C: Lack of domain controller impact does not reduce severity when the stated P1 criteria are already met.
- Option D: Observed encryption behavior and confirmed service unavailability indicate a real incident, not a false positive.
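The rubric-driven decision in the explanation above, written out as code. This is an added example, not part of the original page: the rules are checked in severity order, and a few constructed edge cases show that regulated data alone is not P1 unless the system is business-critical, and that 51 blocked users is P1 on its own. The TriageFacts fields and the extra hostnames are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TriageFacts:
    """What the analyst has established at triage time (constructed for this example)."""
    system: str
    users_affected: int       # users who currently cannot use the service
    regulated_data: bool      # SSNs, tax records, PHI, card data, etc.
    business_critical: bool   # system supports a business-critical function
    sensitive_data: bool      # sensitive but not necessarily regulated
    operational_impact: bool  # any operational impact at all, however small


def classify(f: TriageFacts):
    """Apply the rubric from most to least severe and return (priority, reasons).

    Rules are checked P1 first so that one qualifying criterion cannot be talked
    down by other facts ("only one server", "the DCs are fine"). Nothing here asks
    how far the attacker has spread, because the rubric does not either.
    """
    reasons = []
    if f.regulated_data and f.business_critical:
        reasons.append("regulated data on a business-critical system")
    if f.users_affected > 50:
        reasons.append(f"outage affecting {f.users_affected} users (more than 50)")
    if reasons:
        return "P1", reasons

    if f.regulated_data or f.sensitive_data:
        reasons.append("sensitive data with narrow scope")
    if f.operational_impact:
        reasons.append("limited operational impact")
    if reasons:
        return "P2", reasons

    return "P3", ["isolated endpoint issue with no sensitive data exposure"]


# Constructed scenarios: the question's HR-FS01 case plus three edge cases that
# show where the rubric's AND/OR boundaries fall.
SCENARIOS = {
    # Ransomware on the payroll share: meets both P1 criteria independently.
    "HR-FS01": TriageFacts("HR-FS01", 230, True, True, True, True),
    # One HR laptop holding SSNs: regulated data, but not a business-critical system.
    "HR-LT-17": TriageFacts("HR-LT-17", 1, True, False, True, True),
    # Build server down for a small team: operational impact, no sensitive data.
    "DEV-BUILD-07": TriageFacts("DEV-BUILD-07", 12, False, False, False, True),
    # Adware on a lobby kiosk: nothing sensitive, nobody blocked.
    "KIOSK-03": TriageFacts("KIOSK-03", 0, False, False, False, False),
}


def triage_all(scenarios=SCENARIOS):
    """Return {system: priority} for a batch of triage facts."""
    return {name: classify(facts)[0] for name, facts in scenarios.items()}


if __name__ == "__main__":
    for name, facts in SCENARIOS.items():
        priority, reasons = classify(facts)
        print(f"{name}: {priority} because " + "; ".join(reasons))
```

The reasons list is what belongs in the ticket: a P1 that records "230 users, regulated data" is defensible at review time, whereas a bare priority value invites the "it is only one server" argument that options B and C make.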
Sample Question 3 — Incident Response and Management
Artifact:
09:02 WAF alert: suspicious POST requests to WEB-PROD-03
09:05 EDR alert: webshell-like file written to /var/www/tmp
09:06 Network telemetry: outbound connection from WEB-PROD-03 to 198.51.100.44:443
09:07 Operations note: public customer portal must remain available; standby server WEB-DR-01 is ready for failover
09:08 IR objective: stop attacker activity quickly while preserving evidence from the compromised host
What is the best next action?
- A. Isolate WEB-PROD-03, fail traffic to WEB-DR-01, and preserve forensic evidence from the compromised server (Correct answer)
- B. Patch WEB-PROD-03 in place and leave it serving traffic while monitoring for new alerts
- C. Reboot WEB-PROD-03 to clear the webshell and then place it back into production
- D. Delete the suspicious files from WEB-PROD-03 and continue investigating on the live server
Correct answer: A
Explanation: Correct answer (A): This scenario explicitly requires three things: stop attacker activity, preserve evidence, and keep the customer portal available. Isolating the compromised server provides containment, failing over to the standby preserves business continuity, and preserving evidence supports investigation before eradication. The other options either alter evidence or leave the compromised system serving production traffic.
Why the other options are wrong:
- Option B: Patching in place leaves a known-compromised system active and changes evidence before investigation is complete.
- Option C: Rebooting can destroy volatile evidence and is not a controlled containment strategy for a compromised production server.
- Option D: Deleting suspicious files alters evidence, may miss persistence, and does not reliably stop attacker access.
Sample Question 4 — Incident Response and Management
Artifact:
Evidence item: USB copy of DC01 security logs
Collector: A. Patel
Collection time: 10:12
Transfer record: blank
Hash value: blank
Storage location: blank
Counsel asks whether evidence handling is adequate. Which addition is most important to meet chain-of-custody expectations?
- A. Document each handler, transfer time, integrity hash, and evidence storage location (Correct answer)
- B. Add the suspected malware family name and the incident ticket priority
- C. Convert the logs to CSV and remove entries that do not seem relevant
- D. Wait to complete the form until the incident is fully confirmed as malicious
Correct answer: A
Explanation: Correct answer (A): Chain of custody is about accountability and evidence integrity. A defensible record should show who handled the evidence, when it changed hands, how integrity was verified, and where it was stored. The integrity hash is computed at collection and re-checked at every handoff, so any later mismatch is detectable and attributable to a specific custody interval. Those details should start at collection time, not after the incident is confirmed, and the evidence should not be altered before preservation.
Why the other options are wrong:
- Option B: Malware family guesses and ticket priority may help case management, but they do not document custody or integrity.
- Option C: Editing the log set before preservation changes evidence and weakens reliability rather than improving it.
- Option D: Chain-of-custody documentation should begin when evidence is collected, not later in the investigation.
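A minimal custody record that fills the blank fields on the form in the question, as an added example rather than anything from the original page: the SHA-256 is computed at collection, each transfer re-hashes the item and is logged whether or not it verifies, and a tampered copy is rejected at the next handoff. The evidence item ID, the second handler, the storage locations and the sample log bytes are constructed for the example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


class IntegrityError(Exception):
    """Raised when evidence no longer matches the hash recorded at collection."""


def sha256_file(path):
    """Hash the evidence file in chunks so large images and log sets stay cheap to verify."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustodyRecord:
    """Chain-of-custody record: who collected it, when, where it lives, and a verifiable hash."""

    def __init__(self, item_id, description, source, collector, evidence_path,
                 storage_location, collected_at=None):
        self.evidence_path = Path(evidence_path)
        self.record = {
            "item_id": item_id,
            "description": description,
            "source": source,
            "collector": collector,
            "collected_at": collected_at or utc_now(),
            "sha256": sha256_file(self.evidence_path),  # taken at collection, before any analysis
            "storage_location": storage_location,
            "transfers": [],
        }

    def transfer(self, from_handler, to_handler, new_location, at=None):
        """Record a handoff. The receiver re-hashes; a mismatch is logged and the handoff is rejected."""
        current = sha256_file(self.evidence_path)
        entry = {
            "from": from_handler,
            "to": to_handler,
            "at": at or utc_now(),
            "to_location": new_location,
            "sha256_on_receipt": current,
            "verified": current == self.record["sha256"],
        }
        self.record["transfers"].append(entry)  # a failed verification is itself evidence
        if not entry["verified"]:
            raise IntegrityError(f"{self.record['item_id']}: hash mismatch on transfer to {to_handler}")
        self.record["storage_location"] = new_location
        return entry

    def missing_fields(self):
        """The gaps counsel would flag on the form: blank handler, time, hash or location."""
        required = ("collector", "collected_at", "sha256", "storage_location")
        return [k for k in required if not self.record.get(k)]

    def to_json(self):
        return json.dumps(self.record, indent=2)


def demo():
    """Walk the DC01 log copy through a clean handoff and then a tampered one (constructed data)."""
    workdir = Path(tempfile.mkdtemp())
    logs = workdir / "DC01_security_log_copy.bin"
    logs.write_bytes(b"constructed sample of an exported DC01 Security log\n")

    rec = CustodyRecord(
        item_id="EV-0012",                       # assumed evidence ID
        description="USB copy of DC01 security logs",
        source="DC01",
        collector="A. Patel",
        evidence_path=logs,
        storage_location="Evidence locker 2, sealed bag 0451",  # assumed
        collected_at="2026-03-10T10:12:00+00:00",                # date assumed; 10:12 from the form
    )
    first = rec.transfer("A. Patel", "Forensics lab (J. Chen)", "Forensics lab safe, shelf 3")

    logs.write_bytes(logs.read_bytes() + b"tampered\n")  # simulate alteration between handoffs
    try:
        rec.transfer("J. Chen", "External counsel", "Counsel evidence vault")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    return rec, first, tamper_detected


if __name__ == "__main__":
    record, _, detected = demo()
    print(record.to_json())
    print("tamper detected:", detected)
```

The record is append-only by convention: the second transfer entry stays in the log with verified=false, and the storage location is not updated, so the interval in which the copy changed is pinned to the handler who held it.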
Sample Question 5 — Incident Response and Management
Artifact:
11:21 Cloud IAM log: admin role assumed from 198.51.100.10
11:24 Audit log: access key report downloaded
11:26 IAM log: new API token created for acct-admin
11:29 Provider note: customer tenant audit logs are available for export for 7 days
11:31 Identity team action: acct-admin disabled
What should the analyst do next to best support the investigation?
- A. Export the tenant audit, sign-in, and related workload logs for the affected account and preserve them (Correct answer)
- B. Wait for the cloud provider to complete its backend investigation before collecting any tenant data
- C. Re-enable the account briefly to reproduce the suspicious actions and confirm intent
- D. Rotate only the account password and close the case because the user is already disabled
Correct answer: A
Explanation: Correct answer (A): In a cloud incident, the customer still has investigation and preservation responsibilities for tenant-side evidence. The scenario explicitly states the logs are available for export for only seven days, so prompt collection matters. Disabling the account is containment, but it does not replace preserving audit trails needed to determine scope and attacker actions. Note also what the log already shows: an access key report was downloaded at 11:24 and a new API token was created for acct-admin at 11:26, so the attacker may hold credentials that survive the account being disabled. Revoking that token and rotating any exposed keys are follow-on containment steps, and the exported logs are what will show which keys were exposed.
Why the other options are wrong:
- Option B: Waiting risks losing tenant logs and delays analysis of activity already visible to the customer.
- Option C: Re-enabling a compromised admin account creates unnecessary risk and is not needed when the suspicious actions are already logged.
- Option D: Credential changes help containment, but they do not preserve evidence or complete the investigation.
Sample Question 6 — Incident Response and Management
Artifact:
08:01 User opens a spoofed invoice attachment
08:03 powershell.exe downloads a payload
08:05 Host begins beaconing to 203.0.113.50
08:12 A new service is created on FILE-02 from the same workstation
08:14 Detection engineering asks for a framework-based summary that labels observed attacker tactics and techniques, not just broad attack stages
Which approach is best?
- A. Map the behaviors to MITRE ATT&CK tactics and techniques for scripting, command-and-control, and lateral movement (Correct answer)
- B. Place the behaviors only into Cyber Kill Chain phases such as delivery, installation, and actions on objectives
- C. Use the Diamond Model as a substitute for the host, user, and network evidence already collected
- D. Avoid framework mapping because the timeline already shows enough technical detail for responders
Correct answer: A
Explanation: Correct answer (A): The request is specifically for a framework that labels observed tactics and techniques. MITRE ATT&CK is designed for that purpose and is useful for detection engineering because it maps behavior into reusable analytic categories. Cyber Kill Chain is better for describing attack progression stages, not for the more granular tactics-and-techniques view requested here.
Why the other options are wrong:
- Option B: Cyber Kill Chain can describe attack stages, but the prompt explicitly asks for tactics and techniques.
- Option C: The Diamond Model can support analysis, but it does not replace the requested ATT&CK-style behavior labeling.
- Option D: Ignoring framework mapping fails to meet the stated need from detection engineering.
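The mapping the detection engineering team asked for, as an added example that is not part of the original page: each timeline line is matched against a small rule set that emits ATT&CK tactic and technique labels and pulls out the indicator in the line (the C2 address, the lateral-movement target). The technique IDs are from the public ATT&CK Enterprise matrix; the regex patterns, the timeline format and the rule set are assumptions for the example, and the beaconing line is mapped to the parent technique T1071 because the artifact does not say which protocol was used.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tactic: str
    technique_id: str
    name: str


# Pattern -> ATT&CK labels. Map only as deep as the evidence supports: a sub-technique
# needs a fact in the log (here: PowerShell, a service on a remote host), otherwise
# stay at the parent technique. Patterns are assumptions for this example.
RULES = [
    (re.compile(r"\bopens\b.*\battachment\b", re.I),
     [Technique("Initial Access", "T1566.001", "Phishing: Spearphishing Attachment"),
      Technique("Execution", "T1204.002", "User Execution: Malicious File")]),
    (re.compile(r"powershell\.exe\b.*\bdownloads\b", re.I),
     [Technique("Execution", "T1059.001", "Command and Scripting Interpreter: PowerShell"),
      Technique("Command and Control", "T1105", "Ingress Tool Transfer")]),
    (re.compile(r"\bbeaconing to (\d{1,3}(?:\.\d{1,3}){3})", re.I),
     [Technique("Command and Control", "T1071", "Application Layer Protocol")]),
    # Service created on a remote host from the victim workstation: PsExec-style
    # execution over admin shares. Add T1543.003 (Persistence) only if the service persists.
    (re.compile(r"new service is created on (\S+) from the same workstation", re.I),
     [Technique("Lateral Movement", "T1021.002", "Remote Services: SMB/Windows Admin Shares"),
      Technique("Execution", "T1569.002", "System Services: Service Execution")]),
]

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2})\s+(?P<event>.+?)\s*$")

# The question's timeline, reproduced as constructed input; the last line is not
# attacker behavior and should come out unmapped rather than be silently dropped.
TIMELINE = """\
08:01 User opens a spoofed invoice attachment
08:03 powershell.exe downloads a payload
08:05 Host begins beaconing to 203.0.113.50
08:12 A new service is created on FILE-02 from the same workstation
08:14 Detection engineering asks for a framework-based summary
"""


def map_timeline(text):
    """One entry per timeline line with its ATT&CK labels and any extracted indicator."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        event = m["event"]
        labels, indicators = [], []
        for pattern, techniques in RULES:
            hit = pattern.search(event)
            if hit:
                labels.extend(techniques)
                indicators.extend(g for g in hit.groups() if g)
        entries.append({"time": m["time"], "event": event,
                        "techniques": labels, "indicators": indicators})
    return entries


def tactic_summary(entries):
    """Collapse to tactic -> sorted technique IDs: the view detection engineering asked for."""
    summary = {}
    for e in entries:
        for t in e["techniques"]:
            summary.setdefault(t.tactic, set()).add(t.technique_id)
    return {tactic: sorted(ids) for tactic, ids in summary.items()}


def unmapped(entries):
    """Lines no rule covered; these need an analyst, not a default label."""
    return [e["event"] for e in entries if not e["techniques"]]


if __name__ == "__main__":
    mapped = map_timeline(TIMELINE)
    for e in mapped:
        ids = ", ".join(f"{t.technique_id} ({t.tactic})" for t in e["techniques"]) or "UNMAPPED"
        print(f"{e['time']}  {ids}  {e['indicators']}")
    print(tactic_summary(mapped))
```

The tactic summary is the reusable part for detection engineering: each technique ID becomes a coverage question (is there an analytic for T1569.002 remote service creation?), which is exactly what a Kill Chain phase label such as "installation" does not give you.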
How to Study CompTIA CySA+ Incident Response and Management
Combine these CompTIA CySA+ Incident Response and Management practice questions with hands-on work in SIEM platforms, EDR consoles, and forensic analysis tools. The CS0-004 exam emphasizes applied analyst skills, so practice interpreting real telemetry and alerts to build the judgment that separates passing from failing scores.
About the CompTIA CySA+ CS0-004 Exam
- Questions: 85 max (multiple-choice + performance-based)
- Time: 165 minutes
- Passing score: 750 / 900
- Cost: ~$404 USD
- Domains: 4 (this is 24% of the exam)
- Validity: 3 years (renewable via CompTIA CE)