CompTIA Security+ (SY0-501) — Question 166
An incident response manager has started to gather all the facts related to a SIEM alert showing multiple systems may have been compromised.
The manager has gathered these facts:
✑ The breach is currently indicated on six user PCs
✑ One service account is potentially compromised
✑ Executive management has been notified
In which of the following phases of the IRP is the manager currently working?
Answer options
- A. Recovery
- B. Eradication
- C. Containment
- D. Identification
Correct answer: D
Explanation
The manager is in the Identification phase. Everything listed (scoping the SIEM alert to six PCs, flagging one service account as potentially compromised, escalating to executive management) is about confirming that an incident has occurred and determining its scope and impact; no action has yet been taken to limit the spread. Containment would begin when the affected PCs are isolated and the service account is disabled or its credentials rotated; Eradication removes the attacker's foothold (malware, persistence, rogue accounts) from those systems; Recovery restores them to normal operation and verifies they are clean. None of those tasks is being performed at this stage, so A, B and C are incorrect.