Security and system resilience
The Incident Playbook
Run the incident lifecycle in order: detect, contain, eradicate, recover, then learn, and keep the forensic chain of custody intact.
How the exam words it
- -The stem gives an in-progress incident and asks the next step, testing whether containment precedes eradication and recovery.
- -It names a monitoring tool and asks what it does, contrasting SIEM aggregation, an IDS that alerts, and an IPS that blocks.
- -It describes preserving evidence and asks about chain of custody or forensic handling.
- -It asks which incident-response phase (preparation, detection, containment, eradication, recovery, lessons learned) a task belongs to.
The playbook
- 1Follow the lifecycle order: prepare, detect and analyze, contain, eradicate, recover, then hold a lessons-learned review; contain the spread before removing the cause.
- 2Distinguish the tools: a SIEM aggregates and correlates logs, an IDS detects and alerts only, and an IPS detects and actively blocks.
- 3Preserve evidence with an unbroken chain of custody, documenting who handled it and when so it stays admissible.
- 4Close with lessons learned, updating controls and the response plan so the same incident does not recur.
The trap
Eradicating or rebuilding before containing the incident. Containment comes first to stop the spread; only then do you eradicate the cause and recover the systems.
How the exam varies it
The same pattern, re-skinned along these axes:
Incident lifecycle phase orderingMonitoring tool: SIEM versus IDS versus IPSEvidence handling and chain of custody versus the lessons-learned phase
Drill this pattern
8 questions of The Incident Playbook from across the AUD topics. Clear it by getting 5 right with a streak of 3.