Incident Response: Detection, Triage and Containment
Questions: 30
Duration: 30 min
Faculty-reviewed: 0
Updated: 09 Jun 2026
About this mock
This test covers the practical craft of detecting, classifying, and containing security incidents before they escalate. Questions address the conceptual difference between indicators of compromise and indicators of attack, the log sources and tooling that feed detection pipelines, how SIEM and EDR platforms surface threats, and the frameworks used to assign severity. From there, the focus shifts to triage decision-making under uncertainty and to the dual-track approach of short-term versus long-term containment. The final cluster of questions addresses evidence preservation: the order of volatility that governs what to capture first on a live system, the procedural requirements for maintaining chain of custody, and the tension between keeping a system running for intelligence-gathering and pulling it offline for forensic integrity. All questions present applied scenarios drawn from internationally recognised practice.
Sources & references
Questions in this mock are written and verified against the following sources. Citations are recorded per question and shown in the explanation after submission.
- NIST SP 800-61r2: Computer Security Incident Handling Guide, Section 3.2.3, Incident Classification and Scope (cited in 9 questions)
- Applied Incident Response, Chapter 5, Credential-Based Attack Investigation (cited in 5 questions)
- The Art of Memory Forensics, Chapter 6, Process Analysis and Rootkit Detection (cited in 4 questions)
- SANS Institute: Incident Handler's Handbook, Section 4, Containment Decision Framework (cited in 4 questions)
- Windows Forensic Analysis Toolkit, Chapter 9, Lateral Movement and Authentication Artefacts (cited in 2 questions)
- ACPO Good Practice Guide for Digital Evidence, Principle 2 and Principle 3, Evidence Handling (cited in 2 questions)
- RFC 3227: Guidelines for Evidence Collection and Archiving, Section 2.1, Order of Volatility (cited in 2 questions)
- The Practice of Network Security Monitoring, Chapter 2, Security Data Sources and Collection Strategy (cited in 2 questions)
How our mocks are built
Questions are written and edited by the ForensicSpot team and cited from peer-reviewed forensic textbooks, official syllabi and primary case law. Each one is verified before publishing. Detailed explanations are shown only after you submit, so the test stays a real test. See a mistake? Tell us.
Common questions
How many questions and how long is the test?
30 multiple-choice questions, 30 minutes total. Difficulty: medium. Tier: Premium.
Who is this mock for?
Forensic science students and aspirants who want timed, exam-style practice with explanations and verified source citations on Incident Response and Management. Useful for postgraduate entrance preparation and for BSc / MSc forensic students testing their recall under time.
Are the questions reviewed?
Each question carries a verified source citation. Faculty review for individual questions is in progress.
Do I need an account to take this mock?
Yes, a free ForensicSpot account is required to start a timed attempt — this lets you save progress, see per-question explanations after submission, and track your topic-level performance over time.