Incident response process — SY0-701
Master the incident response process for CompTIA Security+ SY0-701 — phases, key terms, and common exam traps explained with NIST-grounded definitions.
WHAT IT IS
Incident response is "the mitigation of violations of security policies and recommended practices" (NIST CSRC Glossary, citing CNSSI 4009-2015). An alternative phrasing from the same glossary adds "remediation or mitigation," signaling that the process encompasses both stopping the harm and reducing its effects.
The triggering event — an incident — is "an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies" (NIST CSRC Glossary, citing FIPS 200).
Organizations formalize their response through an incident response plan: "the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization's information system(s)" (NIST CSRC Glossary, citing NIST SP 800-34 Rev. 1).
Mental model
Think of incident response as a cycle, not a checklist. The process loops: each completed cycle feeds lessons back into the preparation for the next one. The value of the final phase is precisely that it improves the first.
The phases most commonly associated with incident response in practice flow in this order:
- Preparation
- Detection and analysis
- Containment
- Eradication
- Recovery
- Post-incident activity (including lessons learned)
This cycle captures the intuition that post-incident activity feeds back into preparation — the loop is intentional, not decorative.
When to use it
A common point of confusion is distinguishing the incident response process from adjacent disciplines that are activated during or after it.
| Concept | Primary purpose | When it runs |
|---|---|---|
| Incident response | Mitigate the active violation of security policy | During and immediately after an incident |
| Digital forensics | Preserve and analyze evidence using validated scientific methods | During or after an incident; evidence must survive legal scrutiny |
| Root cause analysis | Identify underlying causes associated with a set of risks | After an incident, typically within post-incident activity |
| Threat hunting | Proactively search for threats not yet detected by automated tools | Continuous or pre-incident; not triggered by a known event |
The key boundary: incident response is reactive and operational; threat hunting is proactive and analytical. Digital forensics is a supporting discipline that may run in parallel with incident response but carries additional requirements — chain of custody, validated tools, and repeatability — because its output may be used in judicial proceedings.
COMMON MISCONCEPTION
The exam frequently exploits the assumption that "containment" and "eradication" are the same step, or that "recovery" means the process is finished.
They are not the same, and recovery does not end the process.
- Containment limits the scope and spread of the incident while investigation continues. The threat may still be present.
- Eradication removes the cause of the incident — for example, deleting malicious code or closing the vulnerability exploited.
- Recovery restores affected systems to operational status. But without the post-incident activity phase, the organization learns nothing and the same incident type recurs.
A second trap: candidates sometimes treat an indicator of compromise as synonymous with the incident itself. The NIST CSRC Glossary (citing NIST SP 800-61r3) defines an indicator of compromise as "technical artifacts or observables that suggest that an attack is imminent or is currently underway or that a compromise may have already occurred." An indicator triggers detection and analysis — it is evidence that an incident may exist, not the incident itself, and not the response.
A third trap: assuming that incident response and incident handling are different processes. The NIST CSRC Glossary treats them as synonyms, both defined as "the mitigation of violations of security policies and recommended practices."
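The two boundaries above, an indicator being evidence rather than an incident, and the phases running in a fixed order that loops back to preparation, can be made concrete in code. The following is an added illustration, not part of the page or of any NIST or CompTIA material: the indicators, log lines, and the "two corroborating indicators" triage rule are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed indicators (assumed, not real threat data); a match is evidence only.
IOCS = {"203.0.113.45", "evil.example", "dropper.exe"}  # 203.0.113.0/24 is TEST-NET-3

# Constructed log lines: ws-17 shows three corroborating hits, ws-02 only one.
LOGS = [
    "2024-05-01T10:00:01 host=ws-17 dns query=evil.example",
    "2024-05-01T10:00:04 host=ws-17 net dst=203.0.113.45:443",
    "2024-05-01T10:01:10 host=ws-17 proc name=dropper.exe",
    "2024-05-01T10:02:00 host=ws-02 dns query=evil.example",
]

PHASES = ["preparation", "detection and analysis", "containment",
          "eradication", "recovery", "post-incident activity"]

def detect(logs):
    """Detection: list (host, indicator) hits found in the logs."""
    hits = []
    for line in logs:
        host = re.search(r"host=(\S+)", line).group(1)
        hits += [(host, ioc) for ioc in IOCS if ioc in line]
    return hits

def analyze(hits, min_indicators=2):
    """Analysis (assumed triage rule): a host is an incident only when at
    least min_indicators distinct indicators corroborate each other."""
    per_host = {}
    for host, ioc in hits:
        per_host.setdefault(host, set()).add(ioc)
    return {h: s for h, s in per_host.items() if len(s) >= min_indicators}

@dataclass
class Incident:
    host: str
    phase: str = "detection and analysis"

    def advance(self, to):
        """Enforce the cycle order; skipping or reordering phases is rejected."""
        if PHASES.index(to) != PHASES.index(self.phase) + 1:
            raise ValueError(f"cannot move from {self.phase!r} to {to!r}")
        self.phase = to
        return self.phase

    def close(self, lesson, playbook):
        """Post-incident activity feeds preparation: the lesson updates the playbook."""
        if self.phase != "post-incident activity":
            raise ValueError("lessons learned come after recovery, not before")
        playbook.append(lesson)
        self.phase = "preparation"
        return playbook
```

Note that ws-02 produces an indicator hit but never becomes an incident: detection surfaces evidence, analysis decides.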
How it shows up on the exam
Exam questions on this topic test sequence knowledge and phase boundary recognition. Candidates are asked to identify which phase of the process a described action belongs to, or to order a set of activities correctly. Common cognitive targets include:
- Distinguishing containment actions (limiting spread) from eradication actions (removing the cause)
- Recognizing that post-incident activity — including lessons learned — is a defined phase, not an optional add-on
- Understanding that an incident response plan provides "a predetermined set of instructions or procedures to detect, respond to, and limit consequences" — scope questions will test whether candidates know it covers detection, not just response
- Avoiding the conflation of threat intelligence with incident indicators: threat intelligence is "threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes" (NIST CSRC Glossary), which informs the response but is not itself the response
Questions may also present scenarios where digital forensics requirements (chain of custody, validated tools) constrain how incident responders may handle evidence. Candidates who treat forensics as simply "collecting logs" may choose answers that describe improper evidence handling.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: