TiltedLunar123

How to answer Security+ incident response questions when every option looks correct

If you have taken a Security+ practice test, you know the incident response questions have a particular kind of cruelty to them. You read the scenario, you look at the four options, and all four are things a security team would actually do. Isolate the host. Reimage the machine. Notify management. Update the firewall rules. Every one of them is reasonable. So how is one of them the answer and the other three wrong?

The trick is that these questions are almost never asking "what is a good idea here." They are asking "what comes next, right now, given where we are in the process." Once you read them that way, a whole category of questions stops being a guessing game.

The phases, in the order CompTIA cares about

SY0-701 lists the incident response process as preparation, detection, analysis, containment, eradication, recovery, and lessons learned. Memorizing the list is the easy part. The exam tests whether you understand that the order is not negotiable.

Preparation happens before anything goes wrong: the policies, the tooling, the runbook, the contact list. Detection is when something trips an alert. Analysis is confirming it is real and scoping how far it reached. Containment is stopping the spread. Eradication is removing the cause. Recovery is getting back to normal operations. Lessons learned is the retro after the dust settles.

Here is the part that catches people. Containment comes before eradication. You stop the bleeding before you treat the wound. A scenario where a workstation is actively beaconing out to a command and control server is not asking you to wipe the disk. It is asking you to pull that machine off the network first. Reimaging is eradication, and if you reimage before you have contained and analyzed, you have destroyed your evidence and possibly left the rest of the environment exposed.

So when every option looks correct, ask one question: which phase are we in? The scenario almost always tells you. "An analyst notices unusual outbound traffic" puts you at detection or analysis. "The malware has been confirmed on three hosts" means you are ready to contain. The right answer is the next step from where the scenario drops you, not the most thorough step on the list.

The forensics version of the same trap

There is a sibling concept that runs on the exact same logic: order of volatility. When you collect evidence, you collect the most fragile data first, because it vanishes the fastest. That means CPU registers and cache, then RAM and running processes, then network connections and the ARP cache, then temporary files, then the disk, and finally archived logs and backups.

The classic wrong answer is to image the hard drive first, because the disk feels like the big important artifact. But memory is gone the moment the machine powers off, while a disk image will still be sitting there an hour from now. The exam rewards you for grabbing the volatile data first. It is the same skill as the incident response question: not "what matters most," but "what has to happen before the window closes."

How to practice this so it sticks

You cannot cram sequencing the way you cram a port number. What works is repetition against questions that force you to place yourself in the timeline. When you miss one, do not just read the correct answer and move on. Write down which phase the scenario was in and which phase your wrong answer belonged to. Most of the time you will find you picked a step that was correct but premature.

If you want a quick read on where you stand, the free diagnostic at secplusmastery.com/diagnostic will tell you whether security operations is a weak area before you pour hours into it. From there I have been grinding the incident response and forensics questions on secplusmastery.com, and the pattern above held across almost all of them: the scenario tells you where you are, and the answer is the next move.

One habit that makes it automatic

Before you read the options on any incident response question, cover them and answer in your head first: what phase is this, and what is the single next action. Then uncover the choices and find the one that matches. It feels slow the first few times you do it. By exam day it turns four plausible answers into one obvious choice and three traps, and it hands you back the time you need for the questions that are genuinely hard.

The vocabulary is the entry fee. The order is the exam.
