
100+ Free OSIR Practice Questions

Pass your OffSec Incident Responder (OSIR, IR-200) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

Pass Rate: Not published by OffSec
100+ Questions
100% Free
2026 Statistics

Key Facts: OSIR Exam

  • Practical Duration: 8 hrs (source: OffSec OSIR Exam Guide)
  • Passing Score: 50/70 (source: OffSec, Phase 1 + Phase 2)
  • Learn One Bundle: $1,749 (source: OffSec IR-200 starting price)
  • Course Modules: 13 (source: IR-200 syllabus)
  • Certification Validity: 3 yrs (source: OffSec policy, since 2023)
  • Difficulty: 200-level (foundational defensive cert)

OSIR is OffSec's foundational defensive certification, earned by passing the IR-200 8-hour proctored hands-on incident response exam (Phase 1: 4 x 10 pts; Phase 2: 2 x 15 pts; pass at 50 of 70) plus a 24-hour report. The Learn One bundle starts at $1,749 and includes 13 modules, the Challenge Lab, and 2 exam attempts. Our 100 free OSIR practice questions are conceptual knowledge checks across NIST 800-61, MITRE ATT&CK, Volatility, Splunk, and Windows/Linux forensic artifacts; they do not replicate the practical exam. The credential is valid for 3 years.

Sample OSIR Practice Questions

Try these sample questions to test your OSIR exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which definition of a 'cybersecurity incident' best aligns with NIST SP 800-61r2?
A. Any single failed login attempt against a corporate system
B. A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
C. Only confirmed malware infections on production servers
D. An external vulnerability disclosed by a researcher in a CVE advisory
Explanation: NIST SP 800-61r2 defines a computer security incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. The word 'imminent' is important because it scopes incident response to cover events that have not yet succeeded but are highly likely to.

2. What are the four phases of the NIST SP 800-61r2 incident response lifecycle, in order?
A. Identify, Protect, Detect, Respond
B. Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity
C. Plan, Do, Check, Act
D. Reconnaissance, Weaponization, Delivery, Exploitation
Explanation: NIST 800-61r2 defines four phases: (1) Preparation, (2) Detection and Analysis, (3) Containment, Eradication, and Recovery, and (4) Post-Incident Activity. The lifecycle is iterative: lessons from phase 4 feed back into phase 1.

3. Which activity belongs primarily to the Preparation phase of the NIST 800-61r2 lifecycle?
A. Isolating a compromised host from the network
B. Building and training the CSIRT, drafting playbooks, and provisioning forensic tooling
C. Wiping and reimaging a malware-infected workstation
D. Documenting lessons learned in an after-action report
Explanation: Preparation covers everything that is done before an incident: hiring and training the CSIRT, building runbooks, deploying logging and EDR, hardening systems, and stocking the jump kit. NIST treats preparation as the foundation of every other phase.

4. An analyst observes a port scan from an external IP against the public-facing web server but no exploitation has occurred. NIST 800-61r2 calls this kind of signal a:
A. Precursor
B. Indicator
C. Compromise event
D. Eradication step
Explanation: NIST 800-61r2 distinguishes precursors (signs that an incident may occur in the future, like reconnaissance or threat-intel warnings) from indicators (signs that an incident may have occurred or is occurring). A port scan with no exploitation is a precursor.

5. In ITIL incident management, how does an 'incident' differ from a 'problem'?
A. Incidents are always security-related; problems are operational
B. An incident is an unplanned interruption or quality reduction; a problem is the underlying root cause that may produce one or more incidents
C. A problem must be reported within 24 hours; an incident has no SLA
D. Incidents are tracked in change management; problems are tracked in incident management
Explanation: ITIL defines an incident as an unplanned interruption or reduction in the quality of an IT service. A problem is the underlying cause — known or unknown — of one or more incidents. IR-200 maps cyber incident management onto this ITIL vocabulary so that security teams can integrate with broader IT operations.

6. Which CSIRT role is typically responsible for declaring an incident, setting priorities, and authorizing major containment actions?
A. Forensic Analyst
B. Incident Commander
C. SOC Tier 1 Analyst
D. Threat Intelligence Researcher
Explanation: The Incident Commander owns the incident: they declare it, set priorities, coordinate technical and non-technical streams, and authorize disruptive actions like isolating a production segment. Other roles execute under their direction.

7. Which document captures the high-level strategy, authority, and scope for an organization's incident response capability and is normally signed by senior leadership?
A. Incident response runbook
B. Incident response policy
C. After-action report
D. Standard operating procedure (SOP)
Explanation: An incident response policy is the senior-leadership-signed document that establishes scope, authority, and high-level requirements for IR. Plans elaborate on the policy. Procedures and runbooks are the day-to-day technical documents.

8. Which scenario best matches the definition of an 'opportunistic' attack rather than a 'targeted' attack?
A. An APT group spends six months mapping a defense contractor's vendor chain to deliver a custom implant
B. A commodity ransomware operator sprays Emotet phishing emails to thousands of inboxes, hoping a fraction click
C. Nation-state actors compromise a software update server to plant a backdoor in a specific vendor's product
D. A red team executes a pre-agreed scenario against a single target organization
Explanation: Opportunistic attacks scale broadly with low per-victim effort: commodity malware, mass phishing, internet-wide vulnerability scanning. Targeted attacks invest heavily in a specific organization or sector and use bespoke tooling and reconnaissance.

9. Why do many organizations document an incident severity matrix (e.g., SEV1/SEV2/SEV3) before incidents occur?
A. Because cyber insurance carriers require it before paying claims
B. To pre-decide escalation paths, communication cadence, and resource commitment, removing ambiguity during a live incident
C. Because NIST 800-61r2 forbids responding without a severity classification
D. Because attackers must be informed of the severity tier under GDPR
Explanation: A pre-built severity matrix tells responders, executives, and external parties what happens at each tier — paging on-call, notifying legal, briefing the CEO, contacting law enforcement — without re-debating the rules under stress. It is one of the most important Preparation deliverables.

10. Which 2021 incident is the canonical case study of ransomware impact on critical infrastructure that triggered a U.S. fuel supply disruption?
A. NotPetya outbreak at Maersk
B. Colonial Pipeline ransomware attack by DarkSide
C. MOVEit Transfer mass exploitation by Cl0p
D. MGM Resorts social-engineering breach
Explanation: In May 2021 the DarkSide ransomware affiliate disrupted Colonial Pipeline's billing systems, causing the company to shut down the largest U.S. refined-fuel pipeline. Colonial paid ~75 BTC; the FBI later recovered most of it. The case is studied for OT/IT segmentation gaps, leaked-credential VPN access, and ransom-payment policy.

About the OSIR Exam

The OffSec Incident Responder (OSIR), tied to the IR-200 course, validates foundational hands-on incident response skills: applying the NIST 800-61r2 lifecycle, mapping observed adversary behavior to MITRE ATT&CK, performing disk and memory forensics, triaging malware, investigating with Splunk SIEM, and executing containment, eradication, and recovery alongside professional communications and evidence handling.

Assessment

8-hour proctored hands-on IR practical with 2 phases (Phase 1: 4 x 10-pt exercises = 40 pts; Phase 2: 2 x 15-pt exercises = 30 pts), plus a 24-hour reporting window. Pass at 50 of 70.

Time Limit

8 hours practical + 24 hours reporting

Passing Score

50 of 70 points

Exam Fee

$1,749 (Learn One bundle includes course + 2 exam attempts) (OffSec online proctored)

OSIR Exam Content Outline

IR Overview & Lifecycle (15%)

Cyber-incident definitions, NIST 800-61r2 phases (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity), ITIL incident vs problem mapping, CSIRT roles (incident commander, technical lead, comms lead, legal liaison), severity matrices, opportunistic vs targeted attacks, case studies (Colonial Pipeline, SolarWinds, NotPetya, MOVEit, MGM 2023)

Attack Techniques & Frameworks (15%)

MITRE ATT&CK tactics and techniques (T1566 Phishing, T1059 Command & Scripting, T1003 OS Credential Dumping, T1078 Valid Accounts, T1550.002 Pass the Hash), Cyber Kill Chain, Diamond Model, common incident types: ransomware, BEC, insider threat, supply chain, DDoS, APT vs commodity malware

Detection & Identification (15%)

Passive alerting (SIEM, EDR, email security), active discovery and hypothesis-driven threat hunting, IOC sweeps, false-positive triage of legitimate admin tools, attack-chain reconstruction (initial access > execution > persistence > C2 > exfiltration), impact assessment across confidentiality/integrity/availability

Digital Forensics for IR (15%)

Disk imaging (FTK Imager, dd, hardware write blockers, MD5/SHA-256 hashing, chain of custody), memory acquisition (FTK Memory, Magnet RAM Capture), Volatility 3 (pslist, psscan, netscan, malfind, dlllist, cmdline), Windows artifacts (Registry HKLM/HKCU, $MFT/$LogFile/$UsnJrnl, Prefetch, Event Logs, Sysmon, Amcache, ShimCache, ShellBags, Jump Lists), Linux artifacts (auth.log, journalctl, .bash_history, /var/log, audit.log, last/lastb, /etc/shadow), Plaso/log2timeline super timelines

Malware Triage (10%)

PE-header analysis, strings, entropy, Detect-It-Easy, PEview, CFF Explorer, hash lookups via VirusTotal, dynamic sandboxing (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis), YARA rule structure (meta, strings, condition, hex strings, anchors)

SIEM Investigation (Splunk) (10%)

SPL search of Windows Event Logs (4624, 4625, 4688, 7045, 1102), transaction by host with maxspan, eval and stats count by ProcessName, dc() distinct counts, Common Information Model (CIM), ESCU correlation searches, Splunk SOAR/Phantom playbook automation, beaconing detection and blast-radius scoping

Containment, Eradication & Recovery (10%)

Network isolation and EDR host quarantine, account disable and ticket revocation, firewall blocks, DNS sinkholes, malware and rootkit removal, image rebuilds, password and key rotation, recovery validation tests, heightened-monitoring window, post-incident hardening (patching, phishing-resistant MFA, network segmentation, Credential Guard, admin tiering)

Communication & Evidence (10%)

Executive summaries and stakeholder updates, regulatory notifications (GDPR 72-hour, HIPAA 60-day, U.S. state breach laws), OFAC sanctions screening for ransomware payments, chain-of-custody documentation (who/what/when/where/how, hashes, signatures), original vs working copy handling, RFC 3227 order of volatility, post-incident lessons-learned and after-action reports

How to Pass the OSIR Exam

What You Need to Know

  • Passing score: 50 of 70 points
  • Assessment: 8-hour proctored hands-on IR practical with 2 phases (Phase 1: 4 x 10-pt exercises = 40 pts; Phase 2: 2 x 15-pt exercises = 30 pts), plus a 24-hour reporting window
  • Time limit: 8 hours practical + 24 hours reporting
  • Exam fee: $1,749 (Learn One bundle includes course + 2 exam attempts)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

OSIR Study Tips from Top Performers

1. Memorize the NIST 800-61r2 four phases in order — Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity — and which activities live in each
2. Drill core Windows Event IDs (4624, 4625, 4672, 4688, 4697/7045, 1102) and Sysmon IDs (1, 3, 7, 11, 13, 22) cold; OSIR exercises lean heavily on log analysis
3. Practice Volatility 3 plugins on a sample memory image: pslist vs psscan, netscan, malfind, cmdline, dlllist; know what each surfaces and what its limits are
4. Get fluent in SPL: index=, EventCode=, transaction host maxspan=, stats dc(), eval if(), and CIM datamodels — speed in Splunk is the difference between 40 and 50 points
5. Read real DFIR case-study reports (Mandiant, CrowdStrike, Red Canary, Microsoft DART) to see how seasoned responders structure findings, evidence, and recommendations
6. Build a personal incident-report template — executive summary, timeline, root cause, impact, indicators, remediation, lessons learned — so you do not have to invent structure during the 24-hour reporting window

Frequently Asked Questions

Is the OSIR exam multiple choice?

No. OSIR is an 8-hour proctored hands-on incident response practical conducted via private VPN, followed by a 24-hour reporting window. Our 100 free practice questions are conceptual knowledge checks (NIST 800-61, MITRE ATT&CK, Volatility, Splunk, Windows/Linux artifacts) and do not replicate the exam scenario.

What is the OSIR passing score and structure?

You need 50 of 70 points. The exam has two phases: Phase 1 contains four exercise questions worth 10 points each (40 points total) and Phase 2 contains two exercise questions worth 15 points each (30 points total). Each exercise tests an end-to-end IR skill against the provided lab environment.

How long is the OSIR exam?

The practical portion is 8 hours, immediately followed by a 24-hour window to submit a professional incident report. Time management within the 8 hours is the candidate's responsibility — there are no scheduled breaks.

How much does OSIR cost?

The IR-200 Learn One bundle starts at $1,749 and includes the 13-module course, the Challenge Lab, and 2 exam attempts. Pricing is set by OffSec and may vary by region.

Which tools should I focus on for OSIR?

Focus on Splunk (SPL, transaction, stats, eval, CIM, SOAR/Phantom playbooks), Volatility 3 (pslist, psscan, netscan, malfind, cmdline, dlllist), Windows artifact parsers (Prefetch, Amcache, ShimCache, ShellBags, $MFT, Event Logs, Sysmon), Plaso/log2timeline, FTK Imager, and YARA. Hands-on practice in the IR-200 lab environment is essential.

How does OSIR compare to OSDA?

OSDA (SOC-200) focuses on detection in an Elastic SIEM with a 23h45m simulation. OSIR (IR-200) focuses on full-lifecycle incident response with Splunk and an 8-hour practical plus 24-hour report. OSDA leans toward SOC analyst skills; OSIR leans toward incident handler / DFIR analyst skills. Many candidates take both for a complete blue-team profile.

Does OSIR expire?

Yes. Since 2023 OffSec certifications are valid for 3 years. Maintain by retaking the exam or earning OffSec continuing-education credits per current policy.