Security+ is broad, vendor-neutral, and tied to real exam constraints. The current CompTIA exam is SY0-701. It costs $425, allows a maximum of 90 questions in 90 minutes, and requires a score of 750 on a scale of 100-900 to pass.
The incident response phases
Security+ tests incident response as part of Security Operations, which accounts for 28% of SY0-701. The six phases are: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The exam tests whether you know the correct sequence and can identify the next step in a given scenario.
After Identification (confirming a compromise), the next step is always Containment — isolating affected systems to prevent further spread. Eradication (removing malware, closing the attack path) comes after Containment, not before. Recovery returns systems to production. Lessons Learned captures root cause and control improvements.