Incident Response
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing CompTIA Security+ premium course — no separate purchase.
Included in this chapter:
- The incident response process: seven phases on a NIST spine
- Preparation, training, and testing: tabletop vs. simulation
- Root cause analysis, threat hunting, and lessons learned
- Digital forensics: chain of custody, order of volatility, e-discovery
The seven IR phases: goal and key activity
| IR phase | Goal | Key activity | NIST 800-61 mapping |
|---|---|---|---|
| Preparation | Be ready before an incident | IR plan, team, tools, training, testing | Preparation |
| Detection | Notice something is wrong | Alerts, IoCs, reports trigger triage | Detection and Analysis |
| Analysis | Confirm and scope the incident | Validate true positive, determine impact | Detection and Analysis |
| Containment | Stop the spread | Isolate hosts, segment, disable accounts | Containment, Eradication, Recovery |
| Eradication | Remove the root cause | Delete malware, patch flaw, rebuild clean | Containment, Eradication, Recovery |
| Recovery | Return to normal operations | Restore systems, monitor for recurrence | Containment, Eradication, Recovery |
| Lessons learned | Improve future response | Post-incident review, RCA, update plan | Post-Incident Activity |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
- CISSP Certified Information Systems Security Professional
- CISSP Certified Information Systems Security Professional
- SC-200 Microsoft Certified: Security Operations Analyst Associate
- SC-200 Microsoft Certified: Security Operations Analyst Associate
- SC-200 Microsoft Certified: Security Operations Analyst Associate