CompTIA CySA+ (CS0-003) — Question 162

A security analyst detects that an email server in the internal network has been compromised. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

Answer options

Correct answer: C

Explanation

The correct next step is Containment, as it involves stopping the spread of the incident and preventing further damage. Preparation involves planning for incidents, Validation checks the integrity of the system, and Eradication focuses on eliminating the threat and comes after containment.