CompTIA Security+ (SY0-601) — Question 504

In the middle of a cyberattack, a security engineer removes the infected devices from the network and locks down all compromised accounts. In which of the following incident response phases is the security engineer currently operating?

Answer options

• A. Identification
• B. Preparation
• C. Lessons learned
• D. Eradication
• E. Recovery
• F. Containment

Correct answer: F

Explanation

The correct answer is 'Containment' because the security engineer is actively working to limit the spread of the attack by isolating infected devices and securing compromised accounts. The other options, such as 'Identification' and 'Eradication', refer to different stages in the incident response process and do not align with the actions being taken at this time.