IR Phases and Roles
Key Takeaways
- Security+ SY0-701 tests the NIST SP 800-61 lifecycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity.
- Preparation builds playbooks, contact trees, logging, tooling, access, training, and chain-of-custody procedures before any incident.
- Triage separates an event (any observable) from an alert (a notification) from an incident (a confirmed or strongly suspected violation needing coordinated response).
- Roles must be assigned before an incident: incident commander, analysts, forensic lead, system owner, comms, legal, HR, and executive sponsor.
- On the exam, the phase implied by the scenario drives the correct answer: active attacker means contain first; clean systems being returned means recover and validate.
Why Incident Response Is on the Exam
Incident response (IR) is the organized process for handling events that may affect the confidentiality, integrity, or availability of data and systems. On the CompTIA Security+ (SY0-701) exam, IR sits in Domain 4.0 (Security Operations), which is the single largest objective area at 28% of the exam. SY0-701 is up to 90 questions in 90 minutes with a passing score of 750 on a 100-900 scale, and it mixes multiple-choice items with performance-based questions (PBQs) that often ask you to order IR phases or pick the next action. The goal of IR is never just to delete malware.
It is to limit harm, preserve evidence, restore trusted operations, communicate correctly, and improve the environment afterward.
The NIST SP 800-61 Lifecycle
Security+ aligns its IR coverage to NIST Special Publication 800-61 (Computer Security Incident Handling Guide). NIST defines four phases; CompTIA frequently expands the middle phase into separate steps you can be asked to sequence.
| NIST phase | Expanded steps you may see | Core work |
|---|---|---|
| Preparation | Preparation | Build playbooks, train staff, verify contacts, deploy logging, define severity tiers |
| Detection and Analysis | Detection, Analysis | Validate indicators, scope affected assets, open an incident record |
| Containment, Eradication, and Recovery | Containment, Eradication, Recovery | Isolate, remove the cause, restore from trusted sources |
| Post-Incident Activity | Lessons Learned | Review the timeline, assign corrective actions, update controls |
Note the lifecycle is a loop, not a line: lessons learned feed straight back into preparation. The exam rewards answers that treat IR as continuous improvement rather than a one-time cleanup.
Preparation Is the Most Tested Phase
Preparation is where most real-world IR success or failure is decided, and Security+ leans on it heavily because everything else depends on it. A scenario that asks what the organization should have done before the incident is almost always pointing at a preparation gap.
Concrete preparation deliverables include a written incident response plan (IRP) approved by management; playbooks (or runbooks) that give step-by-step procedures for common scenarios such as phishing, ransomware, and account compromise; a verified contact and escalation tree with after-hours numbers; defined severity tiers so responders know when to escalate; centralized logging in a SIEM with sufficient retention; pre-staged tooling such as EDR, forensic imaging kits, and write blockers; and prearranged chain-of-custody forms and evidence storage.
Preparation also means training: tabletop exercises and simulations build the muscle memory that lets a team move fast under pressure. A common exam distractor is buying a tool after the incident starts; the right preparation answer is that the capability should already exist and be tested.
Event vs. Alert vs. Incident
These three terms are tested precisely. An event is any observable occurrence in a system or network: a login, a file write, a firewall connection. An alert is a notification that an event may need attention, raised by tools such as EDR or SIEM. An incident is a confirmed or strongly suspected violation of security policy that requires a coordinated response.
- Millions of events occur daily; most are benign.
- A subset trigger alerts; many are false positives.
- Only validated, harmful activity becomes a declared incident.
The declaration is the pivot. Once activity is treated as an incident, the team opens an incident record, assigns roles, preserves evidence, and tracks every decision with a timestamp.
Worked Triage Example
08:12 alert EDR reports base64-encoded PowerShell on LAP-118
08:18 analysis Word (winword.exe) spawned PowerShell after invoice.docm opened
08:26 evidence DNS query to a domain registered 2 days ago
08:33 declare Incident opened: suspected phishing payload with C2 traffic
Notice the team did not declare an incident at 08:12 on a single alert. It correlated parent-child process behavior and a suspicious newly registered domain first. That validation step is what separates an alert from a confirmed incident.
Common IR Roles
| Role | Responsibility |
|---|---|
| Incident commander (IC) | Owns priorities, coordinates teams, tracks decisions; the single point of authority |
| Security analyst | Reviews alerts, gathers evidence, builds the timeline |
| Forensic analyst | Preserves and analyzes evidence with chain of custody when investigation depth is needed |
| System/data owner | Explains business function and approves operational changes |
| Network/endpoint engineer | Implements containment and recovery actions |
| Communications lead | Coordinates internal and external messaging with approval |
| Legal/privacy counsel | Advises on privilege, evidence handling, notification, and regulatory duties |
| Executive sponsor | Makes high-impact business risk decisions |
Scenario Timeline
A school district receives reports that staff cannot open shared lesson files; the help desk sees an unfamiliar file extension. Security opens an incident record.
| Time | Action | Owner |
|---|---|---|
| 09:05 | Help desk reports widespread file-access failures | Help desk lead |
| 09:11 | EDR alert on FS-04: a process is renaming files | Security analyst |
| 09:16 | Incident declared, severity High (shared file server) | Incident commander |
| 09:22 | SMB access limited to the affected share | Network engineer |
| 09:34 | Suspect service account disabled | IAM engineer |
| 10:20 | Snapshot and volatile data captured | Forensic analyst |
Common Traps
- Beginning eradication before preserving the evidence needed to scope the incident.
- Having no incident commander, so multiple teams take conflicting actions.
- Treating every alert as an incident with no triage.
- Waiting for perfect certainty while active damage continues.
- Letting business owners make technical evidence decisions, or letting security isolate critical systems without consulting operational owners.
Exam Focus
Watch for keywords: playbook, runbook, escalation, containment, eradication, recovery, lessons learned, incident commander. The best answer almost always matches the phase the scenario implies. If the attacker is still active, containment is the priority. If systems are verified clean and service is being returned, recovery and validation lead.
PBQ style: Place these incident response phases in the most appropriate order.
Arrange the items in the correct order
During a high-severity incident, who should coordinate priorities, decisions, and cross-team response actions?
Which preparation items make incident response more effective? Select three.
Select all that apply