🔐 CompTIA Security+ Operations & Incident Response MCQs (151–200)
Security operations and incident response form the backbone of CompTIA Security+. Professionals must understand logging, monitoring, disaster recovery, forensic procedures, intrusion detection systems, and response plans to protect organizations from evolving cyber threats.
In this section, we provide 50 carefully curated CompTIA Security+ MCQs (Q151–200) covering Security Operations & Incident Response. These questions are designed to test your practical knowledge of BCP/DRP, SOC operations, evidence handling, SIEM tools, and recovery strategies. Each MCQ includes the correct answer with a detailed explanation, ensuring you gain clarity and confidence.
Q151.
Which of the following is the primary purpose of a Security Operations Center (SOC)?
A) To manage employee performance
B) To oversee business continuity planning
C) To monitor, detect, and respond to security incidents in real time
D) To handle HR and compliance audits
Answer: C ✅
Explanation: A SOC is responsible for continuous monitoring of networks, systems, and applications to identify suspicious activities, detect intrusions, and respond to incidents in real time. It’s the operational arm of cybersecurity defense.
Q152.
What is the first step in the Incident Response (IR) lifecycle as defined by NIST?
A) Detection and Analysis
B) Containment
C) Preparation
D) Eradication
Answer: C ✅
Explanation: According to NIST SP 800-61, the first step is Preparation, which includes developing policies, procedures, tools, and training to ensure readiness for incident handling.
Q153.
Which type of evidence is most reliable in a digital forensic investigation?
A) Documentary evidence
B) Best evidence (original data)
C) Secondary evidence
D) Hearsay evidence
Answer: B ✅
Explanation: In forensic investigations, best evidence (the original data, such as a hard drive image) carries the highest reliability in legal proceedings compared to secondary or hearsay evidence.
Q154.
Which type of backup stores only the files changed since the last full backup?
A) Differential backup
B) Incremental backup
C) Full backup
D) Snapshot
Answer: A ✅
Explanation: A differential backup includes all changes made since the last full backup. In contrast, incremental backups only store changes since the last backup (full or incremental).
Q155.
Which of the following best defines a Business Continuity Plan (BCP)?
A) A strategy to improve annual profits
B) A plan to ensure IT services only
C) A strategy to maintain critical business operations during and after a disruption
D) A financial budget plan for disaster
Answer: C ✅
Explanation: A BCP ensures that critical business functions continue during and after disruptive incidents (natural disasters, cyberattacks, power outages). It goes beyond IT recovery alone.
Q156.
What does RTO (Recovery Time Objective) represent?
A) The maximum tolerable downtime for a business process
B) The time to detect a cyberattack
C) The time required to recover backups
D) The amount of data that can be lost
Answer: A ✅
Explanation: RTO defines the maximum acceptable downtime for a system or process after a disruption. It is a key metric in disaster recovery planning.
Q157.
Which of the following is a proactive control to reduce incident impact?
A) Incident detection
B) Incident response
C) Incident prevention through controls (firewalls, IDS, access policies)
D) Evidence collection
Answer: C ✅
Explanation: Proactive controls like firewalls, IDS, authentication policies, and endpoint protection help prevent incidents before they occur, minimizing impact on business operations.
Q158.
During digital forensics, which principle ensures that collected evidence remains untampered?
A) Chain of custody
B) Recovery Point Objective
C) Due care
D) Least privilege
Answer: A ✅
Explanation: Chain of custody documents every step of handling evidence (collection, transfer, storage, and analysis), ensuring integrity and legal admissibility.
Q159.
Which system is designed to collect and analyze logs from multiple sources to detect anomalies?
A) Firewall
B) SIEM
C) IDS
D) VPN
Answer: B ✅
Explanation: A Security Information and Event Management (SIEM) system aggregates and analyzes logs across devices, helping detect abnormal patterns and security incidents.
Q160.
What is the main focus of a disaster recovery plan (DRP)?
A) To maintain employee productivity
B) To restore IT systems and data after a disruption
C) To improve business marketing strategies
D) To reduce operational costs
Answer: B ✅
Explanation: A DRP focuses specifically on restoring IT systems, data, and infrastructure after a disaster. It is a subset of the broader Business Continuity Plan (BCP).
Q161.
Which security principle ensures that employees only have the minimum level of access required to perform their duties?
A) Separation of duties
B) Need to know
C) Least privilege
D) Defense in depth
Answer: C ✅
Explanation: Least privilege restricts users to the bare minimum access needed for their roles, reducing the risk of insider threats and misuse of resources.
Q162.
In disaster recovery, what does RPO (Recovery Point Objective) represent?
A) The maximum tolerable downtime
B) The amount of data loss acceptable, measured in time
C) The cost of implementing backup solutions
D) The time taken to restore operations
Answer: B ✅
Explanation: RPO defines how much data loss (in terms of time) an organization can tolerate. For example, if the RPO is 2 hours, backups must be taken at least every 2 hours so that no more than 2 hours of data can be lost.
Q163.
Which incident response phase involves identifying the root cause of an incident and removing malicious elements?
A) Containment
B) Eradication
C) Recovery
D) Lessons learned
Answer: B ✅
Explanation: The Eradication phase focuses on eliminating the root cause of the incident (e.g., deleting malware, closing vulnerabilities) to prevent recurrence.
Q164.
What is the primary purpose of fault tolerance in IT systems?
A) To increase system performance
B) To maintain system availability despite hardware or software failures
C) To reduce IT costs
D) To improve user authentication
Answer: B ✅
Explanation: Fault tolerance ensures a system can continue to operate, often at reduced performance, even after a component failure (e.g., RAID, clustering).
Q165.
Which of the following is an example of detective control?
A) Encryption
B) Access logs and audits
C) Antivirus prevention
D) Firewalls
Answer: B ✅
Explanation: Detective controls like logs, IDS, and audits help detect and analyze security events after they occur, unlike preventive controls that stop incidents.
Q166.
The process of verifying that a backup can be successfully restored is known as:
A) Replication
B) Validation
C) Recovery testing
D) Backup rotation
Answer: C ✅
Explanation: Recovery testing ensures that backup data can actually be restored and used, validating both the data integrity and recovery procedures.
Q167.
Which of the following is a hot site in disaster recovery planning?
A) A site with only power and cooling, no IT equipment
B) A fully equipped site, ready for immediate use
C) A site with partial equipment but not fully functional
D) A virtual cloud-based service only
Answer: B ✅
Explanation: A hot site is a fully operational backup facility with hardware, software, and network connectivity, ready for immediate business operations.
Q168.
Which document provides step-by-step instructions for recovering IT systems after an outage?
A) Security policy
B) Business Impact Analysis
C) Disaster Recovery Plan
D) Incident Response Playbook
Answer: C ✅
Explanation: A Disaster Recovery Plan (DRP) provides technical recovery procedures for IT systems, applications, and data after a disruption.
Q169.
Which type of attack is best detected using behavioral anomaly detection systems?
A) Known malware with signatures
B) Zero-day attacks
C) Spam emails
D) SQL Injection
Answer: B ✅
Explanation: Behavioral anomaly detection is effective for detecting zero-day attacks, where no signature exists, by identifying unusual patterns or deviations.
Q170.
What is the main objective of a post-incident review (lessons learned)?
A) To assign blame for the incident
B) To prevent future incidents by improving policies and controls
C) To estimate the financial losses
D) To create redundancy in IT systems
Answer: B ✅
Explanation: Lessons learned help organizations identify gaps in security controls, refine incident response processes, and strengthen resilience against future incidents.
Q171.
Which term describes the maximum tolerable downtime for a business process?
A) Recovery Point Objective (RPO)
B) Mean Time Between Failures (MTBF)
C) Recovery Time Objective (RTO)
D) Maximum Tolerable Downtime (MTD)
Answer: D ✅
Explanation: MTD is the longest period a business process can be unavailable before it causes unacceptable damage to the organization.
Q172.
What is the primary purpose of log monitoring in security operations?
A) Preventing attacks before they happen
B) Detecting suspicious or malicious activity
C) Reducing system load
D) Managing user productivity
Answer: B ✅
Explanation: Log monitoring allows SOC teams to identify unusual activity like unauthorized access, failed login attempts, or malware behavior.
Q173.
Which RAID level offers disk striping with parity to balance performance and fault tolerance?
A) RAID 0
B) RAID 1
C) RAID 5
D) RAID 10
Answer: C ✅
Explanation: RAID 5 uses striping with parity, allowing one disk failure while maintaining performance and data integrity.
Q174.
What is the main purpose of separation of duties (SoD)?
A) To increase system efficiency
B) To prevent a single individual from having excessive control
C) To enhance system performance
D) To reduce training costs
Answer: B ✅
Explanation: SoD ensures that no single person can perform critical functions alone, helping prevent fraud and insider abuse.
Q175.
Which type of backup only saves files that have changed since the last full backup?
A) Full backup
B) Incremental backup
C) Differential backup
D) Snapshot backup
Answer: C ✅
Explanation: Differential backup copies all files changed since the last full backup, requiring only two sets (full + differential) for restoration.
Q176.
During incident response, which phase ensures systems are safely restored to normal operations?
A) Containment
B) Eradication
C) Recovery
D) Lessons learned
Answer: C ✅
Explanation: The Recovery phase brings systems back online, validates they are clean, and ensures business operations resume securely.
Q177.
Which concept refers to duplicate computing facilities that are geographically separated to ensure resilience?
A) Hot backup site
B) Cloud redundancy
C) Geographic redundancy
D) Clustering
Answer: C ✅
Explanation: Geographic redundancy spreads computing resources across multiple locations, reducing risks from regional disasters.
Q178.
What is the main function of a Security Information and Event Management (SIEM) system?
A) Prevent malware infections
B) Centralize logging, correlation, and analysis of security events
C) Replace firewalls and IDS
D) Automate vulnerability scanning
Answer: B ✅
Explanation: SIEM tools collect, correlate, and analyze logs from multiple sources to detect threats and generate alerts for SOC teams.
Q179.
Which disaster recovery test is the least expensive but provides minimal assurance?
A) Full-interruption test
B) Simulation test
C) Parallel test
D) Checklist review
Answer: D ✅
Explanation: A checklist review is a simple desk-based verification of the plan without system activation. It’s the cheapest but least reliable.
Q180.
Which control ensures that a user’s actions can be traced back uniquely to them?
A) Non-repudiation
B) Accountability
C) Authentication
D) Integrity
Answer: B ✅
Explanation: Accountability ensures users’ activities can be tied to their identity, typically via audit logs and monitoring.
Q181.
Which metric refers to the average time to restore a system after a failure?
A) MTBF
B) MTTF
C) MTTR
D) MTD
Answer: C ✅
Explanation: Mean Time to Repair (MTTR) measures how quickly an organization can fix and restore a failed system.
Q182.
Which backup site is the most expensive but offers immediate availability?
A) Hot site
B) Warm site
C) Cold site
D) Mobile site
Answer: A ✅
Explanation: Hot sites are fully equipped, staffed, and operational facilities, ready for instant failover.
Q183.
What is the first step in incident response?
A) Containment
B) Detection & identification
C) Recovery
D) Lessons learned
Answer: B ✅
Explanation: The incident response lifecycle begins with detection and identification of suspicious activity or breaches.
Q184.
Which principle requires that users have only the permissions necessary to perform their job functions?
A) Need-to-know
B) Least privilege
C) Defense in depth
D) Separation of duties
Answer: B ✅
Explanation: Least privilege ensures users operate with minimal access rights to reduce risks of abuse or compromise.
Q185.
What does RAID 1 provide?
A) Striping without redundancy
B) Mirroring for fault tolerance
C) Parity-based redundancy
D) High speed without protection
Answer: B ✅
Explanation: RAID 1 uses disk mirroring for high availability, duplicating data on two disks.
Q186.
What is the primary purpose of a Business Impact Analysis (BIA)?
A) To identify the company’s competitors
B) To assess the effect of disruptions on critical operations
C) To reduce operating costs
D) To improve marketing
Answer: B ✅
Explanation: A BIA identifies critical processes, dependencies, and the impact of disruptions, guiding recovery strategies.
Q187.
Which RAID level offers best performance but no redundancy?
A) RAID 0
B) RAID 5
C) RAID 10
D) RAID 6
Answer: A ✅
Explanation: RAID 0 uses striping only, providing speed but no fault tolerance.
Q188.
What is the purpose of continuous monitoring in security operations?
A) To eliminate the need for audits
B) To detect and respond to security events in real time
C) To improve network speed
D) To reduce hardware costs
Answer: B ✅
Explanation: Continuous monitoring provides real-time visibility into system and security events, enabling faster detection & response.
Q189.
Which disaster recovery strategy involves running two environments simultaneously, with one as backup?
A) Hot site
B) Parallel processing
C) Warm site
D) Reciprocal agreement
Answer: B ✅
Explanation: Parallel processing means two systems run together, ensuring quick failover in case of disaster.
Q190.
What does mean time between failures (MTBF) represent?
A) The average lifespan of a system or component before failure
B) The time to repair after failure
C) The maximum downtime tolerated
D) The time between backups
Answer: A ✅
Explanation: MTBF measures reliability — how long systems typically run before failing.
Q191.
Which of the following is NOT a containment strategy during incident response?
A) Disconnecting a compromised host
B) Blocking malicious IP addresses
C) Reimaging affected systems immediately
D) Network segmentation
Answer: C ✅
Explanation: Reimaging removes the malicious artefacts from a system, so it belongs to the eradication phase, not containment. Reimaging immediately would also destroy volatile evidence before it can be collected and analyzed.
Q192.
Which plan focuses on restoring IT systems and services after a disruption?
A) Business Continuity Plan (BCP)
B) Disaster Recovery Plan (DRP)
C) Incident Response Plan (IRP)
D) Crisis Communication Plan
Answer: B ✅
Explanation: A DRP specifically addresses the technical recovery of IT systems after disruptions.
Q193.
Which of the following best describes a warm site?
A) Fully equipped and ready for immediate use
B) Equipped with hardware but requires setup before use
C) Empty facility with only power and space
D) A mobile unit provided by a vendor
Answer: B ✅
Explanation: A warm site has infrastructure and hardware but requires some configuration before becoming operational.
Q194.
Which concept ensures that an action cannot later be denied by the user who performed it?
A) Integrity
B) Non-repudiation
C) Accountability
D) Authentication
Answer: B ✅
Explanation: Non-repudiation ensures users cannot deny actions, usually enforced through digital signatures.
Q195.
Which tool is commonly used for detecting rootkits?
A) SIEM
B) Nmap
C) Rootkit Revealer
D) Snort
Answer: C ✅
Explanation: Rootkit Revealer and similar tools are designed to uncover hidden rootkits in operating systems.
Q196.
In disaster recovery, what is a cold site?
A) A fully operational duplicate of the primary site
B) A facility with minimal resources, requiring equipment setup
C) A site that mirrors operations in real time
D) A vendor-managed mobile recovery unit
Answer: B ✅
Explanation: Cold sites provide only space and power, requiring setup before they can function.
Q197.
Which type of intrusion detection system (IDS) looks for deviations from normal behavior?
A) Signature-based IDS
B) Anomaly-based IDS
C) Stateful IDS
D) Passive IDS
Answer: B ✅
Explanation: Anomaly-based IDS detects threats by comparing activity against baseline behavior.
Q198.
What is the purpose of the lessons learned phase in incident response?
A) To restore business operations
B) To document improvements and prevent recurrence
C) To contain the incident
D) To identify attackers
Answer: B ✅
Explanation: The lessons learned phase improves future preparedness by analyzing mistakes and updating processes.
Q199.
Which disaster recovery test involves fully shutting down the primary site and shifting to the backup site?
A) Parallel test
B) Simulation test
C) Checklist test
D) Full-interruption test
Answer: D ✅
Explanation: A full-interruption test is the most realistic and risky, since the primary site is turned off completely.
Q200.
What is the main purpose of a continuity of operations plan (COOP)?
A) To ensure mission-critical functions continue during major disruptions
B) To minimize IT maintenance costs
C) To create user training schedules
D) To optimize network efficiency
Answer: A ✅
Explanation: A COOP ensures essential mission-critical operations can continue even in severe emergencies.
You’ve just completed CompTIA Security+ Security Operations & Incident Response MCQs (151–200), covering SIEM, BCP, DRP, incident response plans, and digital forensics.
👉 Next, continue your journey with:
Batch 1 (1–50): Threats, Attacks & Vulnerabilities
Batch 2 (51–100): Security Architecture & Design
Batch 3 (101–150): Implementation (Access, Authentication, PKI)
Batch 5 (201–250): Governance, Risk & Compliance
Batch 6 (251–300): Cryptography & PKI
Batch 7 (301–350): Mixed Practice Exam (Past Questions)
Batch 8 (351–400): Advanced Scenarios (Bonus Set)
Keep practicing daily, and you’ll be fully prepared to tackle the CISSP exam with confidence. 🚀