CompTIA Security+ (SY0-601) — Question 735
An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC?
Answer options
- A. Reimage the impacted workstations.
- B. Activate runbooks for incident response.
- C. Conduct forensics on the compromised system.
- D. Conduct passive reconnaissance to gather information.
Correct answer: B
Explanation
The correct answer is B because activating incident-response runbooks gives the blue team a predefined, step-by-step procedure to follow once an indicator of compromise (IoC) is detected, ensuring a structured and efficient reaction. Options A and C, while important, are typically part of later stages of incident response, and D (passive reconnaissance) is an attacker-side information-gathering activity that does not address the immediate actions required after detecting an IoC.