4.1 Incident Response Management Overview

Key Takeaways

  • Incident Response and Management is Domain 3 of CS0-003 and is 20% of the exam.
  • Memorize the NIST SP 800-61 four-phase lifecycle in exact order: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity.
  • Know the three principal attack frameworks: MITRE ATT&CK, the Lockheed Martin Cyber Kill Chain, and the Diamond Model of Intrusion Analysis.
  • Exam stems test which action comes NEXT in the lifecycle, so sequence matters more than definitions.
Last updated: June 2026


Incident Response and Management is Domain 3 of the CompTIA CySA+ CS0-003 exam and counts for 20% of your score. The exam delivers a maximum of 85 questions in 165 minutes, mixing multiple-choice with performance-based questions (PBQs), and you pass with a scaled score of 750 on a 100-900 scale. PBQs in this domain often ask you to order lifecycle steps, classify an alert, or build a containment sequence, so rote definitions are not enough.

The NIST SP 800-61 lifecycle (memorize the order)

The single highest-yield fact in this domain is the four-phase NIST SP 800-61 Rev. 2 incident response lifecycle. Many questions ask which phase a described activity belongs to, or what comes next.

#   Phase                                     Core activities
1   Preparation                               Build the CSIRT, write the IR plan, deploy tooling, train staff, run tabletop exercises
2   Detection and Analysis                    Validate alerts, triage, scope, classify, declare an incident
3   Containment, Eradication, and Recovery    Isolate, collect evidence, remove artifacts, restore to known-good
4   Post-Incident Activity                    Lessons learned, evidence retention, metric/process updates

A frequent trap: candidates pick Detection and Analysis as the first phase. It is second. Preparation is always first because you cannot respond well to what you did not plan for.

Attack frameworks you must distinguish

Domain 3 explicitly lists "Apply the appropriate incident response procedures" alongside attack frameworks. Three appear repeatedly:

  • MITRE ATT&CK -- a knowledge base of adversary tactics, techniques, and procedures (TTPs) mapped to real-world behavior; tactics are the why (e.g., Persistence, Lateral Movement) and techniques are the how (e.g., T1059 Command and Scripting Interpreter). Used to map observed behavior and find detection gaps.
  • Cyber Kill Chain (Lockheed Martin) -- a linear 7-stage model: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. Best for understanding intrusion progression.
  • Diamond Model -- four vertices (adversary, capability, infrastructure, victim) used for analytic pivoting during attribution.

Exam-ready mental model

For every Domain 3 stem, identify four things: the lifecycle phase the scenario sits in, the trigger (alert, IOC, user report), the next defensible action, and the evidence you must preserve. If an answer skips evidence preservation or chain of custody when forensics is implied, it is usually a distractor. When two answers both "work," choose the one that keeps the system in scope without destroying volatile data or tipping off the attacker.

The IR plan, runbooks, and playbooks

Preparation produces written artifacts the exam expects you to name. The incident response plan (IRP) is the strategic, organization-wide document defining authority, severity tiers, escalation paths, and the communication plan (who is told, when, and through which out-of-band channel). A runbook is the operational, step-by-step procedure an analyst follows for a defined task. A playbook chains runbooks into a response for a specific incident type (e.g., a phishing playbook, a ransomware playbook). When automation drives those playbooks, you have SOAR (Security Orchestration, Automation, and Response).

A stem asking "which document tells the analyst the exact steps to image a drive" wants the runbook, not the IRP.

Detection inputs and indicator concepts

Detection and Analysis consumes data from a SIEM (Security Information and Event Management) platform, endpoint detection and response (EDR), IDS/IPS, and threat-intelligence feeds. You correlate events into an incident by joining timestamps, hosts, and accounts. Two NIST terms recur: a precursor is a sign an incident may occur (a recon scan), while an indicator is a sign an incident is occurring or has occurred (antivirus alert, log entry of a deleted file). Expect a question that hands you a behavior and asks whether it is a precursor or an indicator.
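The correlation step described above, as an added example that is not part of the study guide: a small Python correlator joins constructed IDS, EDR and SIEM events on host and time window, labels each event as a NIST precursor or indicator, and only declares a candidate incident once an indicator is present. The event-type sets used for the precursor/indicator split and the 30-minute window are assumptions chosen for illustration; a real SIEM rule would tune both.

```python
"""
Added example (not from the study guide): a minimal event correlator of the
kind a SIEM runs during Detection and Analysis.  Events from different
sources are joined on host and time, and each is labelled as a NIST SP 800-61
precursor (an incident may occur) or indicator (an incident is occurring or
has occurred).  All log rows below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry: (source, ISO timestamp, host, account, event type, detail)
SAMPLE_EVENTS = [
    ("ids",  "2024-05-01T09:58:10", "ws-17",  "-",       "port_scan",     "SYN scan from 203.0.113.5"),
    ("edr",  "2024-05-01T10:02:31", "ws-17",  "jdoe",    "av_alert",      "Trojan detected in Downloads\\invoice.exe"),
    ("siem", "2024-05-01T10:03:02", "ws-17",  "jdoe",    "file_deleted",  "Security.evtx deleted"),
    ("siem", "2024-05-01T11:40:00", "fs-02",  "svc_bkp", "login_success", "scheduled backup"),
    ("ids",  "2024-05-01T12:15:44", "web-01", "-",       "port_scan",     "Nmap probe from 198.51.100.9"),
]

# Assumed mapping from event type to the NIST precursor/indicator distinction.
PRECURSOR_TYPES = {"port_scan", "vuln_scan", "threat_report"}
INDICATOR_TYPES = {"av_alert", "file_deleted", "beacon", "privilege_escalation"}


def classify(kind: str) -> str:
    """Precursor = sign an incident may occur; indicator = sign one is occurring or occurred."""
    if kind in PRECURSOR_TYPES:
        return "precursor"
    if kind in INDICATOR_TYPES:
        return "indicator"
    return "benign"


@dataclass
class Event:
    source: str
    ts: datetime
    host: str
    account: str
    kind: str
    detail: str


@dataclass
class Incident:
    host: str
    start: datetime
    end: datetime
    events: list = field(default_factory=list)

    @property
    def accounts(self) -> list:
        return sorted({e.account for e in self.events if e.account != "-"})

    @property
    def precursors(self) -> list:
        return [e for e in self.events if classify(e.kind) == "precursor"]

    @property
    def indicators(self) -> list:
        return [e for e in self.events if classify(e.kind) == "indicator"]

    @property
    def declared(self) -> bool:
        # Precursors alone warrant monitoring; an indicator is what justifies declaring an incident.
        return bool(self.indicators)


def load(rows) -> list:
    """Parse raw rows into Event objects, ordered by timestamp (the join key for correlation)."""
    events = [Event(s, datetime.fromisoformat(t), h, a, k, d) for s, t, h, a, k, d in rows]
    return sorted(events, key=lambda e: e.ts)


def correlate(rows, window: timedelta = timedelta(minutes=30)) -> list:
    """Group events by host; events on one host within `window` of the previous
    one form a single candidate incident.  Clusters with neither a precursor
    nor an indicator are dropped as routine activity."""
    open_by_host: dict = {}
    incidents: list = []
    for ev in load(rows):
        cur = open_by_host.get(ev.host)
        if cur is not None and ev.ts - cur.end <= window:
            cur.events.append(ev)
            cur.end = ev.ts
        else:
            cur = Incident(ev.host, ev.ts, ev.ts, [ev])
            open_by_host[ev.host] = cur
            incidents.append(cur)
    return [i for i in incidents if i.precursors or i.indicators]


def summarize(inc: Incident) -> str:
    status = "DECLARE INCIDENT" if inc.declared else "monitor (precursor only)"
    return (f"{inc.host}: {inc.start:%H:%M:%S}-{inc.end:%H:%M:%S}, "
            f"accounts={inc.accounts}, precursors={len(inc.precursors)}, "
            f"indicators={len(inc.indicators)} -> {status}")


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(summarize(inc))
```

Running the block yields two clusters: ws-17 (one precursor followed by two indicators under the jdoe account, so an incident is declared) and web-01 (a lone scan, so it stays a precursor to monitor); the fs-02 backup login is discarded as benign.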

How CS0-003 phrases these questions

Expect stems like "An analyst observes beaconing to an unknown IP -- which Kill Chain stage is this?" (answer: Command and Control) or "Which phase does a tabletop exercise belong to?" (answer: Preparation). Read for the verb: "establish channels" -> C2; "deliver a weaponized PDF" -> Delivery; "exploit a vulnerability to run code" -> Exploitation; "install a backdoor for persistence" -> Installation. Map the verb to the framework stage, then answer.

A second pattern asks you to choose the framework itself: if the stem emphasizes behavioral TTP mapping and detection gaps choose MITRE ATT&CK; if it emphasizes linear intrusion progression choose the Cyber Kill Chain; if it emphasizes analytic pivoting for attribution choose the Diamond Model. Do not overthink -- one cue word usually decides it.

Why this domain earns easy points

Unlike Vulnerability Management, which leans on CVSS math and scanner output, or Security Operations, which spans logs and malware behavior, Domain 3 rests on a small, stable set of named frameworks and one ordered lifecycle. CompTIA rarely changes these definitions between exam revisions, so memorizing them pays off. The roughly 17 scored questions implied by a 20% weight on an 85-question form are dominated by phase placement, framework identification, indicator classification, and containment ordering -- all answerable from the tables in this chapter.

Treat Domain 3 as a reliable point bank: over-prepare the lifecycle order, because a single reversed-sequence answer (recover before eradicate) can flip a borderline result into a fail near the 750 cut score.

Test Your Knowledge

Which is the correct first phase of the NIST SP 800-61 incident response lifecycle?

Test Your Knowledge

An analyst sees a compromised host repeatedly beaconing to an external server to receive instructions. Which Cyber Kill Chain stage does this represent?
