CompTIA Security+ (SY0-501) — Question 740
A company recently experienced a security breach. The security staff determined that the intrusion was due to an out-of-date proprietary software program running on a non-compliant server. The server was imaged and copied onto a hardened VM, with the previous connections re-established. Which of the following is the NEXT step in the incident response process?
Answer options
- A. Recovery
- B. Eradication
- C. Lessons learned
- D. Containment
- E. Identification
Correct answer: C
Explanation
The correct next step is 'Lessons learned'. In the scenario the cause of the intrusion has already been determined, and the server has been imaged and copied onto a hardened VM with its previous connections re-established, so what remains is reviewing the incident to understand what went wrong and how to prevent future occurrences. Recovery and Eradication are earlier steps in the response process, while Containment and Identification are focused on immediate response actions rather than post-incident analysis.