Security+ exam domain #4: Operations and incident response [updated 2021]

June 4, 2021 by Daniel Brecht

Incident response (IR) is critical to today's businesses: they must detect and mitigate security events, such as data breaches or other types of cyberattacks that affect network resources and digital assets, in a timely manner. It is paramount that a company can recover promptly by bringing all systems back to full operation, to reduce financial loss and to minimize the impact on clients and their trust in the organization. During post-event activities, having the right IR team, made up of professionals with the skills and knowledge to quickly fix security flaws or vulnerabilities and effectively prevent the same type of incident in the future, makes the difference.

That’s where the CompTIA Security+ certification exam comes into play; the updated exam (SY0-501 retired on July 31, 2021, and is replaced by SY0-601) places more emphasis on improving baseline security readiness and incident response to act on today’s threats.

“Cybersecurity professionals with CompTIA Security+ know how to address security incidents, not just identify them.”

The Security+ 601 credential will verify if the candidate has the practical knowledge and problem-solving skills required to identify, analyze and respond to operational needs impacted by security events and incidents. 

Domain 4: Operations and incident response

This Security+ domain covers operations and incident response and represents 16% of the exam. The section is about organizational security assessment and incident response procedures, such as basic threat detection, risk mitigation techniques, security controls and more. It covers the right analysis tools and skills to handle IR-related tasks through all phases of the incident lifecycle. These activities include preparing or updating an incident response plan, effectively following the incident response process and investigations and mitigation techniques. It also includes questions on the importance of policies and proper communication with all stakeholders.

Technical abilities are necessary to pass the exam: professionals are tested on their familiarity with tools such as vulnerability scanners, used to identify potential areas of risk, and forensic applications. They also have to be aware of techniques associated with network reconnaissance and discovery:

  • Advanced forensic software (FTK, EnCase, Cellebrite, XRY and Helix)
  • System monitoring tools (SIEM and SOAR)
  • E-discovery tools (Clearwell, Relativity and NUIX) 

Professionals, however, also need to demonstrate ability in analyzing output logs, reporting on findings and suggesting changes to policies and procedures to augment the company's security posture. They ought to identify, differentiate and implement the following incident phases:

  • Preparation phase: creating an incident response plan. Figure out the security tools to facilitate incident detection, triage, containment and response. Also adopt preventive measures, such as conducting periodic risk assessments and increasing user awareness.
  • Identification phase: recognizing and detecting a security incident, then determining the severity and the priority level of the detected incident.
  • Containment phase: checking how to isolate systems that have been affected by the attack to prevent damaging other systems.
  • Eradication phase: searching for the cause of the incident and eliminating the affected systems.
  • Recovery phase: returning affected systems to their normal operational environment.
  • Post-incident phase: documenting the entire incident; conducting a thorough investigation; detecting the cause of the incident; calculating associated costs and drafting a strategy aiming to prevent similar incidents.

The exam specifically addresses their understanding of the purpose of an incident response policy:

  • Documenting the procedures to be taken by the organization in case of an incident
  • Ensuring that the incident is systematically handled and communicated
  • Allowing the quick recovery of the affected core systems
  • Finding out the cause of the incident
  • Adopting preventive measures aiming to address future incidents

The test also covers the various plans that dictate the course of action and the guidelines to be followed in identifying the key elements of who, what, when, where and how:

  • Incident response plan (IRP): a valuable resource used to mitigate, respond and recover from threats in the course of any disruption of an organization's operations. The IRP should include both preparation and post-incident phases.
  • Business continuity plan (BCP): a useful resource to keep the company operating during or soon after an incident or disaster while the fixes are being made. The BCP details each person's roles and responsibilities in recovering from all kinds of business disruptions.
  • Disaster recovery plan (DRP): a helpful resource on the threats that wreak havoc to business operations. The DRP helps to respond to any disaster in a faster and more efficient manner.

The IRP, BCP and DRP each play an important role in an organization's preparedness program. One may need to execute multiple plans in an incident or disaster recovery effort, and professionals need to be able to differentiate between incident response management (IRM), disaster recovery management (DRM) and business continuity management (BCM), as appropriate for the post-incident activities. They need to be ready to help any organization establish IR procedures for IRM/DRM/BCM, deploy an IR policy and follow an IR checklist that provides guidelines to handlers on the major steps that should be performed.

Exam objectives Domain 4 

Below is the outline and key points. For a comprehensive listing of all the content of this examination, testers can refer to the official CompTIA exam objectives. 

4.1 Given a scenario, use the appropriate tool to assess organizational security.

  • Network reconnaissance and discovery
  • File manipulation
  • Shell and script environments
  • Packet capture and replay
  • Forensics
  • Exploitation frameworks
  • Password crackers
  • Data sanitization 

4.2 Summarize the importance of policies, processes and procedures for incident response.

  • Incident response plans
  • Incident response process
  • Exercises
  • Attack frameworks
  • Stakeholder management
  • Communication plan
  • Disaster recovery plan
  • Business continuity plan
  • Continuity of operations planning (COOP)
  • Incident response team
  • Retention policies 

4.3 Given an incident, utilize appropriate data sources to support an investigation.

  • Vulnerability scan output
  • SIEM dashboards
  • Log files
  • syslog/rsyslog/syslog-ng
  • journalctl
  • nxlog
  • Retention
  • Bandwidth monitors
  • Metadata
  • Netflow/sflow
  • Protocol analyzer output 

4.4 Given an incident, apply mitigation techniques or controls to secure an environment.

  • Reconfigure endpoint security solutions
  • Configuration changes
  • Isolation
  • Containment
  • Segmentation
  • SOAR 

4.5 Explain the key aspects of digital forensics.

  • Documentation/evidence
  • Acquisition
  • On-premises vs. cloud
  • Integrity
  • Preservation
  • E-discovery
  • Data recovery
  • Non-repudiation
  • Strategic intelligence/counterintelligence 

Want more info? Check out this video with CompTIA’s Patrick Lane where he discusses all the changes CompTIA made, and why, to the updated Security+ 601 exam. And view our Security+ certification hub.

How does the exam domain apply to IT jobs? 

  • Exam domain: Operations and incident response
  • Description: Includes organizational security assessments and incident response procedures, such as detection, mitigation and basic digital forensics of incidents.
  • How it applies to IT jobs: To support operations and the influx of recent cyberattacks, IT pros are called upon to perform incident response earlier in their careers. They must be able to apply basic mitigation techniques and security controls to protect systems.

Understanding Security+ Domain 4

Organizations are prone to cyber incidents with consequent interruptions or disruptions in operations that can have devastating effects on their reputation and, of course, revenues. Professionals like incident responders, CSIRTs (Computer Security Incident Response Teams) or any cybersecurity technical staff with computer network incident handling (IH) and incident responding (IR) involvement are in demand to help organizations prevent or at least mitigate these events.

Professionals who are CompTIA Security+ certification holders can prove to their employers they have the knowledge and skills to ensure all events are handled properly, as the exam tests the ability of candidates on a variety of topics that are essential in incident response and handling. In particular, the fourth domain ensures professionals are skilled in assessing the causes of security events and providing solutions to better defend the network against threats that might impact data and systems.



Security+, CompTIA, Inc.

Security+: Your Questions Answered, CompTIA, Inc.

What Is CompTIA Security+ Certification?, CompTIA, Inc.

Security+ Certification Exam Objectives – Exam Number: SY0-601, CompTIA, Inc.

Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.