If you are studying for Security+, incident response questions are really process questions. The exam wants to know whether you can stay calm, preserve evidence, communicate clearly, and avoid making the incident worse in an effort to look useful.
The short version: identify the incident, contain the damage, preserve what matters, escalate through the right channel, then recover and document. Do not jump straight to wiping a laptop, deleting logs, or emailing the whole company because you saw one scary alert.
Use these practice questions to connect the Security+ vocabulary to real support work. Pair them with our Security+ phishing practice questions, Security+ access control practice questions, and Security+ study plan template if you are building a focused review block.
Quick incident response order for Security+
Security+ wording changes by scenario, but the safer answer usually follows this pattern:
| Step | What it means in plain English | Common exam trap |
|---|---|---|
| Preparation | Policies, playbooks, tools, backups, contacts | Making up the plan during the outage |
| Identification | Confirm what is happening and scope it | Treating every alert as a breach |
| Containment | Stop spread or limit impact | Destroying evidence while rushing |
| Eradication | Remove the cause | Declaring victory after one reboot |
| Recovery | Restore normal service safely | Bringing a dirty system back too fast |
| Lessons learned | Document and improve | Skipping notes because everyone is tired |
For help desk and junior security roles, the most realistic expectation is not “solo the breach.” It is: notice the signal, gather the right facts, avoid cowboy fixes, and escalate cleanly.
Question 1: Suspicious attachment reported
A user forwards a ticket saying they opened an invoice attachment, then realized the email address was misspelled. Their laptop is still online and they say, “Everything seems fine.” What should the help desk technician do first?
A. Delete the email from the user’s mailbox and close the ticket
B. Reimage the laptop immediately
C. Follow the phishing/incident procedure, preserve details, and escalate according to policy
D. Reply-all warning everyone in the company not to open invoices
Answer: C. Follow the phishing/incident procedure, preserve details, and escalate according to policy.
The key phrase is “according to policy.” Security+ likes disciplined process. You need the sender, subject, headers if available, attachment name, time opened, user actions, and current device status. If your environment has an email security team or SOC, they may need to pull copies from other mailboxes or detonate the attachment safely.
Deleting the email might remove evidence. Reimaging might be needed later, but it is not the first move without triage. A reply-all panic blast is how small incidents become bigger workplace incidents with more screenshots.
Question 2: Possible malware on one workstation
An endpoint alert says a workstation attempted to run known malware. The user reports pop-ups and slow performance. What is the best initial containment action?
A. Disconnect the workstation from the network while preserving power state if policy requires it
B. Run every cleanup tool you can find from the internet
C. Clear browser history and reboot
D. Ask the user to keep working until the next maintenance window
Answer: A. Disconnect the workstation from the network while preserving power state if policy requires it.
Containment means limiting spread. For a normal help desk scenario, that usually means isolating the device from wired, wireless, and VPN connectivity. In some environments, you should leave the system powered on because volatile evidence may matter. In others, the playbook may say to shut it down. Follow the procedure.
The wrong answers are tempting because they feel active. Random cleanup tools can make things worse, erase evidence, or introduce more junk. A reboot may destroy useful volatile data. Letting the user keep working is obviously not great unless your incident plan has a very specific reason.
Question 3: Logs are requested
A security analyst asks for logs from a server after a suspected compromise. What should the sysadmin do?
A. Edit out unrelated errors before sending the logs
B. Copy logs using the approved process and document who received them
C. Delete old logs so the analyst only sees recent events
D. Screenshot a few lines and call it good
Answer: B. Copy logs using the approved process and document who received them.
This is a chain-of-custody and evidence integrity question in normal clothes. You do not “clean up” logs before review. You do not delete context. You preserve the original source as much as possible and record what was collected, when, by whom, and where it went.
Even when the incident is not a legal case, sloppy evidence handling causes real problems. The team cannot build a timeline if everyone helpfully edits the timeline first.
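The approved process in Question 3 usually boils down to a few mechanics: copy the log without editing it, hash the original and the copy, and record who collected it, when, and who received it. The following is an added example (not from the exam objectives or any vendor tool) showing those mechanics in Python; the case id, user names and sample log lines are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample log lines standing in for a real server log.
SAMPLE_LOG = ("2024-05-01T10:02:11Z sshd[812]: Failed password for admin from 10.0.0.5\n"
              "2024-05-01T10:02:19Z sshd[812]: Accepted password for admin from 10.0.0.5\n")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_log(src, dest_dir, case_id, collector, recipient):
    # Copy byte-for-byte (copy2 keeps timestamps); never filter or edit the source.
    dest = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy2(src, dest)
    record = {
        "case_id": case_id, "source": src, "copy": dest,
        "sha256": sha256_file(src),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector, "released_to": recipient,
    }
    # Refuse to hand over a copy whose hash differs from the original.
    if sha256_file(dest) != record["sha256"]:
        raise RuntimeError("copy does not match source; do not release it")
    return record

def verify_copy(record):
    # Recipient-side check: the copy still hashes to the value in the record.
    return sha256_file(record["copy"]) == record["sha256"]

def demo():
    # Collect a constructed log, then show that editing the copy is detectable.
    work = tempfile.mkdtemp()
    src = os.path.join(work, "auth.log")
    with open(src, "w") as f:
        f.write(SAMPLE_LOG)
    rec = collect_log(src, tempfile.mkdtemp(), "INC-0001", "helpdesk.tech", "soc.analyst")
    before = verify_copy(rec)
    with open(rec["copy"], "a") as f:  # someone "tidies up" the copy
        f.write("edited\n")
    after = verify_copy(rec)
    shutil.rmtree(work)
    shutil.rmtree(os.path.dirname(rec["copy"]))
    return {"record": rec, "intact_before_edit": before, "intact_after_edit": after}
```

The custody record is what goes in the ticket alongside the copy; anyone who later edits the copy, even with good intentions, breaks the hash and the timeline stays trustworthy.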
Question 4: Ransomware note appears
A user calls and says their files have strange extensions and a ransom note is open on the desktop. Which action is most appropriate?
A. Tell the user to pay quickly before the timer expires
B. Isolate the device, escalate as a security incident, and avoid touching shared drives until scoped
C. Delete the ransom note and restore the user’s desktop wallpaper
D. Start copying files from the mapped drive to a USB stick
Answer: B. Isolate the device, escalate as a security incident, and avoid touching shared drives until scoped.
Ransomware is a containment problem first. One infected endpoint may be the visible symptom of a larger issue. Shared drives, sync clients, and mapped network paths can spread damage or reveal that damage already happened.
Do not copy potentially encrypted or infected files around. Do not pay from the help desk chair. Do not “tidy up” the ransom note. Preserve details, isolate, escalate, and help the incident lead scope the blast radius.
Question 5: False positive or real incident?
A vulnerability scanner flags an outdated service on an internal server. No suspicious activity has been detected. What is the best classification?
A. Confirmed security breach
B. Potential vulnerability that should enter normal risk/remediation workflow
C. Disaster recovery event
D. Physical security incident
Answer: B. Potential vulnerability that should enter normal risk/remediation workflow.
A vulnerability is not automatically an incident. Security+ expects you to separate exposure from exploitation. An outdated service may be risky and important, but without evidence of unauthorized activity, it is usually handled through patching, change management, risk acceptance, or compensating controls.
That does not mean ignore it. It means do not label every scan finding as a breach. Good security work depends on accurate severity, not dramatic ticket titles.
If you need more practice with this distinction, the Security+ risk management practice questions are a good follow-up.
Question 6: Executive asks for details
A manager asks the help desk technician to send them the names of users affected by a suspected credential theft incident. The technician is not assigned to incident communications. What should they do?
A. Send the list because managers outrank technicians
B. Post the list in the team chat so everyone is informed
C. Direct the request to the incident lead or approved communications channel
D. Refuse to talk to anyone until the incident is closed
Answer: C. Direct the request to the incident lead or approved communications channel.
Incident communication needs control, not because people are trying to hide things, but because partial information spreads fast and can create legal, HR, privacy, or customer-impact problems. The incident lead should decide what is shared, with whom, and when.
This is also a good real-world habit. If you are junior, you can still be helpful without becoming the unofficial breach press office.
Question 7: User wants the laptop back now
A user’s laptop was isolated for suspected malware. The user says they have a customer meeting and demands the device back immediately. What is the best response?
A. Reconnect it because business urgency beats security
B. Explain that the device must stay isolated until cleared, offer a loaner or alternate access path, and update the ticket
C. Give them the local admin password so they can fix it themselves
D. Delete the ticket so there is no audit trail
Answer: B. Explain that the device must stay isolated until cleared, offer a loaner or alternate access path, and update the ticket.
Security+ loves “business need plus control.” You do not ignore the business problem, but you also do not break containment because someone is loud. A loaner laptop, webmail from a clean device, or temporary access through approved channels may solve the meeting problem without putting the environment at risk.
This is where support techs earn trust. You are not just saying no. You are giving a safer path forward.
Question 8: After-action review
After an incident is resolved, the team skips the debrief because everyone is busy. What is the biggest risk?
A. The ticketing system will automatically reopen the incident
B. The organization misses the chance to fix process gaps and prevent repeats
C. The firewall will stop logging traffic
D. Users will no longer be able to reset passwords
Answer: B. The organization misses the chance to fix process gaps and prevent repeats.
Lessons learned is not a ceremonial meeting where everyone says “communication could have been better” and leaves. Done well, it turns a bad day into better alerts, clearer escalation paths, better backups, cleaner documentation, or stronger training.
A simple after-action note should capture:
- What happened
- When it was detected
- Who was affected
- What containment worked
- What slowed the team down
- What needs to change before next time
If your tickets are messy after incidents, borrow structure from the help desk ticket notes examples. Incident notes need the same boring clarity, just with higher stakes.
Mini checklist for Security+ incident scenarios
Before choosing an answer, ask yourself:
- Does this preserve evidence or destroy it?
- Does this contain the issue or spread it?
- Is the person following policy or freelancing?
- Is this a vulnerability, an event, or a confirmed incident?
- Is communication going through the incident lead?
- Is the answer trying to recover before containment is complete?
- Does the final step include documentation and lessons learned?
If two answers both sound technical, pick the one that protects the process. Security+ is rarely asking you to be the smartest person in the room. It is asking whether you can be trusted when the room is on fire.
FAQ
Is incident response heavily tested on Security+?
Yes, but usually through scenarios rather than pure definitions. Expect questions about containment, evidence handling, escalation, communication, and the basic incident response lifecycle.
Should I memorize the exact order of incident response steps?
Know the order, but do not study it like a chant. Practice mapping scenarios to the phase: identifying an alert, containing a workstation, eradicating malware, recovering systems, and documenting lessons learned.
What is the difference between an event and an incident?
An event is something that happened, like a login failure or scanner alert. An incident is an event with actual or suspected negative security impact. The exam may test whether you escalate appropriately without overreacting.
What should help desk techs do during security incidents?
Follow the playbook, collect accurate details, isolate when instructed, preserve evidence, communicate through approved channels, and document cleanly. Do not improvise hero moves.
Next step
If you got most of these right, keep building the Security+ lane with cryptography and PKI practice questions. If you missed the process questions, spend one study session drawing the incident lifecycle and writing one example ticket for each phase. That is less glamorous than another cram video, but it sticks.