CompTIA CySA+ (CS0-003) — Question 159

A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?

Answer options

• A. Eradication
• B. Isolation
• C. Reporting
• D. Forensic analysis

Correct answer: D

Explanation

The correct answer is D, Forensic analysis, as it is essential to investigate the breach's details to understand the attack vector and prevent future incidents. Eradication (A) and isolation (B) are part of the incident response process but are not the immediate next step after recovery. Reporting (C) is important but typically comes after forensic analysis to provide a complete understanding of the incident.