SSCP incident response is one of those topics the exam tests in a very specific way. You don't just need to know the phases — you need to recognize which phase a scenario is in and pick the next correct action. Questions are built around sequence.
I've watched candidates score well across every other domain and still lose points in Domain 4 because they treat IR questions like technical problems. They aren't. They're decision-tree problems. The exam wants to see that you know the order and won't skip a step under pressure.
Domain 4 is 14% of the exam, which is enough to flip a pass/fail result if you're borderline elsewhere.
The six phases, in order
Preparation, Detection and Analysis, Containment, Eradication, Recovery, Lessons Learned.
Memorize that. Not roughly — exactly. If someone wakes you up at 2am you should be able to rattle it off. Questions lean heavily on sequence, and any hesitation about which phase comes next will cost you on several questions.
One pattern I've noticed: candidates who get this domain wrong usually aren't missing technical knowledge. They skip Preparation in their memorization because it "happens before" and doesn't feel like a real phase. Then they miss the questions about what should have been done beforehand.
Preparation
This is the phase that doesn't feel like a phase, and that's exactly why the exam tests it.
Everything an organization does before an incident fits here — the written IR plan, the defined CSIRT roster with clear roles, communication templates and escalation paths, tooling (SIEM, EDR, log aggregation, forensic workstations), tabletop exercises, pre-negotiated relationships with outside forensics firms and legal counsel, evidence handling procedures, chain of custody templates.
When you see a question like "what should the organization have done?" after an incident goes badly, the answer is almost always something from that list. Missing playbook. No defined roles. No practice runs.
Detection and Analysis
Somewhere between a noisy SIEM alert and a formally declared incident is a judgment call, and that's what this phase is about.
The distinction the exam really wants you to know: an event is any observable occurrence on a system. An incident is an event that negatively impacts security. Every incident started as an event, but most events never become incidents. If a question describes "unusual login activity detected," that's an event. If it describes "attacker used compromised credentials to access the customer database," that's an incident.
You'll also need to separate IOCs from IOAs. Indicators of compromise are artifacts — a specific file hash, a known malicious IP, a registry key. Evidence that something already happened. Indicators of attack are behaviors — rapid privilege escalation, credential stuffing patterns, data staging. Evidence that something is happening right now. Both matter, but they lead to different response postures.
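To make the event/incident and IOC/IOA distinctions concrete, here is a small triage script I wrote for this post (it is an added example, not anything from the exam, the study guide or a real product). It runs over a constructed log: the IPs are from documentation ranges, the hash is a placeholder, and the thresholds for "credential stuffing" and "rapid escalation" are assumptions chosen for the illustration.

```python
"""Toy triage over constructed log lines: flag IOC artifact matches and IOA
behaviour matches, and count how many events the log contains. All IPs, hashes
and user names are constructed for this example (documentation ranges and a
placeholder hash), not real indicators."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC list: artifacts of a compromise that already happened.
IOC_HASHES = {"0123456789abcdef0123456789abcdef"}   # placeholder, not a real sample hash
IOC_IPS = {"203.0.113.45"}                           # TEST-NET-3 documentation address

# IOA thresholds: behaviour that suggests an attack in progress. Assumed values.
STUFFING_THRESHOLD = 5                  # failed logins from one source ...
STUFFING_WINDOW = timedelta(minutes=2)  # ... inside this window, against 3+ accounts
ESCALATION_WINDOW = timedelta(minutes=5)

# Constructed line format: "<date> <time> <src-ip> <user> <action> [detail]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<user>\S+) (?P<action>\S+)(?: (?P<detail>.*))?$"
)

def parse(line):
    """One log line -> dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["detail"] = rec["detail"] or ""
    return rec

def find_iocs(records):
    """Artifact matches (IP, hash): evidence that something already happened."""
    hits = []
    for r in records:
        if r["src"] in IOC_IPS:
            hits.append(("ioc-ip", r["src"], r["ts"]))
        if any(h in r["detail"] for h in IOC_HASHES):
            hits.append(("ioc-hash", r["user"], r["ts"]))
    return hits

def find_ioas(records):
    """Behaviour matches: evidence that something is happening right now."""
    hits = []
    # Credential stuffing: many failures across distinct accounts from one source.
    fails = defaultdict(list)
    for r in records:
        if r["action"] == "login_failed":
            fails[r["src"]].append((r["ts"], r["user"]))
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            window = [a for a in attempts[i:] if a[0] - start <= STUFFING_WINDOW]
            if len(window) >= STUFFING_THRESHOLD and len({u for _, u in window}) >= 3:
                hits.append(("ioa-credential-stuffing", src, start))
                break
    # Rapid privilege escalation: privilege granted soon after a login from the same source.
    logins = {}
    for r in records:
        if r["action"] == "login_ok":
            logins[(r["src"], r["user"])] = r["ts"]
        elif r["action"] == "priv_granted":
            t = logins.get((r["src"], r["user"]))
            if t is not None and r["ts"] - t <= ESCALATION_WINDOW:
                hits.append(("ioa-rapid-privilege-escalation", r["user"], r["ts"]))
    return hits

def triage(lines):
    """Every parsed line is an event. IOC or IOA hits make the batch a candidate
    for incident declaration; the declaration itself stays a human judgment call."""
    records = [r for r in map(parse, lines) if r]
    iocs, ioas = find_iocs(records), find_ioas(records)
    return {"events": len(records), "iocs": iocs, "ioas": ioas,
            "escalate": bool(iocs or ioas)}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2024-03-01 09:00:01 198.51.100.7 alice login_ok
2024-03-01 09:00:20 203.0.113.45 bob login_failed
2024-03-01 09:00:25 203.0.113.45 carol login_failed
2024-03-01 09:00:30 203.0.113.45 dave login_failed
2024-03-01 09:00:35 203.0.113.45 erin login_failed
2024-03-01 09:00:40 203.0.113.45 frank login_failed
2024-03-01 09:02:10 198.51.100.7 alice priv_granted role=domain-admin
2024-03-01 09:03:00 198.51.100.9 mallory file_written hash=0123456789abcdef0123456789abcdef
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Notice what the output tells you: the first line on its own is an event and nothing more. The hash and IP hits are IOCs (the artifact is already on the box), while the burst of failures across five accounts and the privilege grant two minutes after a login are IOAs (behaviour unfolding now). The script only says "escalate"; deciding that this is an incident is the analyst's call, which is exactly the judgment the exam is probing.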
Containment — where most mistakes happen
This is the phase I'd spend the most study time on. It's also where real-world IR teams mess up most often, which is why the exam tests it hard.
Containment has two modes. Short-term is the fire-stop: isolate affected systems, disable compromised accounts, block attacker IPs. You're not fixing anything yet. You're stopping the bleeding. Long-term is what you do while the full eradication is being planned — patching, network segmentation, additional monitoring to prevent the incident from spreading while the broader remediation gets figured out.
Between containment and eradication, you have to preserve evidence. This is where the exam gets specific. If you rebuild a system before capturing its state, volatile data is gone and you'll never recover it. The order of volatility, from most to least:
- CPU registers and cache
- RAM
- Network state (active connections, routing tables, ARP cache)
- Running processes
- Temporary files
- Disk
- Archival media (backups, tapes)
Collect top-down: registers and cache first if you can capture them, then memory, then network state, and so on down to archival media. The reasoning is practical: if you shut down or reboot first, everything above disk is gone forever.
A common exam trap: a scenario describes an infected system and asks what to do first. "Rebuild the system" is the wrong answer even when it's technically what will eventually happen. "Preserve volatile evidence" or "image the system" comes first.
Chain of custody starts here too. The moment you touch evidence, you're on the hook to document who handled it, when, and what they did. Any gap invalidates it in court.
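Here is the order-of-volatility rule from the list above turned into a checker for a proposed collection plan, the way you might sanity-check a playbook during Preparation. It is an added example written for this post, not code from any forensic tool; the step format, the `skip` step and the set of "destructive" actions are my assumptions, while the source list is the one given above.

```python
"""Checks a proposed evidence-collection plan against the order of volatility.
Added example: the source list mirrors the article; the step format and the
set of 'destructive' actions are assumptions for this illustration."""

# Most volatile first, as listed above.
ORDER_OF_VOLATILITY = [
    "registers_cache",
    "ram",
    "network_state",
    "running_processes",
    "temp_files",
    "disk",
    "archival_media",
]
RANK = {name: i for i, name in enumerate(ORDER_OF_VOLATILITY)}

# Everything at or above this rank is lost once the box loses power or is rebuilt.
LAST_VOLATILE_RANK = RANK["temp_files"]
DESTRUCTIVE_ACTIONS = {"reboot", "shutdown", "rebuild"}

def check_plan(steps):
    """steps: list of tuples in intended execution order:
         ("collect", <source>)  capture that source
         ("skip", <source>)     deliberately not captured (document the reason elsewhere)
         ("action", <name>)     any other responder action, e.g. "rebuild"
    Returns a list of findings; an empty list means the plan respects the order."""
    findings = []
    handled = set()
    highest_rank_seen = -1
    for idx, (kind, target) in enumerate(steps, 1):
        if kind in ("collect", "skip"):
            if target not in RANK:
                findings.append(f"step {idx}: unknown evidence source '{target}'")
                continue
            handled.add(target)
            if kind == "collect":
                r = RANK[target]
                if r < highest_rank_seen:
                    findings.append(
                        f"step {idx}: '{target}' is more volatile than "
                        f"'{ORDER_OF_VOLATILITY[highest_rank_seen]}' collected earlier; "
                        "capture it first")
                highest_rank_seen = max(highest_rank_seen, r)
        elif kind == "action":
            if target in DESTRUCTIVE_ACTIONS:
                lost = [s for s in ORDER_OF_VOLATILITY[:LAST_VOLATILE_RANK + 1]
                        if s not in handled]
                if lost:
                    findings.append(
                        f"step {idx}: '{target}' before capturing {', '.join(lost)}; "
                        "that evidence cannot be recovered afterwards")
        else:
            findings.append(f"step {idx}: unrecognised step kind '{kind}'")
    return findings

# Constructed plans for the scenario in the text.
EXAM_TRAP = [("action", "rebuild"), ("collect", "disk")]
CORRECT = [
    ("skip", "registers_cache"),       # assumed not practical to capture on this host
    ("collect", "ram"),
    ("collect", "network_state"),
    ("collect", "running_processes"),
    ("collect", "temp_files"),
    ("collect", "disk"),
    ("action", "rebuild"),
]
OUT_OF_ORDER = [("collect", "disk"), ("collect", "ram")]

if __name__ == "__main__":
    for name, plan in [("trap", EXAM_TRAP), ("correct", CORRECT), ("out of order", OUT_OF_ORDER)]:
        print(name, check_plan(plan) or "ok")
```

The `EXAM_TRAP` plan is the scenario from the paragraph above: rebuild first, and the checker lists every volatile source that just became unrecoverable. The `skip` step is there because registers and cache often cannot be captured in practice; what matters is that the omission is a recorded decision rather than an accident.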
Eradication
Remove the cause. Close the vulnerability. Reset compromised credentials. Rebuild from known-good sources where the damage is deep enough.
The exam's favorite eradication failure: rushed cleanup that misses a backdoor, attacker returns within days. If you see a scenario where an incident recurs shortly after response, the answer is almost always incomplete eradication. The right approach is usually thorough — often a complete rebuild — even when it feels excessive.
Recovery and the metrics that matter
Getting systems back online is the obvious part. The tested part is the metrics that define what "back online" means.
| Metric | What it measures |
|---|---|
| RTO (Recovery Time Objective) | Maximum tolerable time to restore a service |
| RPO (Recovery Point Objective) | Maximum tolerable data loss, measured in time |
| MTD (Maximum Tolerable Downtime) | Hard ceiling on how long a service can be down before causing irreparable damage |
| WRT (Work Recovery Time) | Time after systems are restored before business operations actually normalize |
The relationship you need to remember: RTO + WRT must be less than or equal to MTD. If it isn't, your recovery plan doesn't meet business requirements and you either invest in faster recovery or accept that the service can be down longer than originally planned.
All of these numbers come from the Business Impact Analysis, which is part of preparation. If a scenario describes an organization that doesn't know its RTO, that's a preparation failure, not a recovery failure.
Lessons Learned
Formal review meeting, root cause analysis, documentation, updates to the IR plan. Metrics like mean time to detect and mean time to contain.
The exam tests one idea in this phase: lessons learned must result in actual changes. If a scenario describes a post-incident meeting with no follow-through, the answer is usually "update the plan" or "implement the recommended improvements." Documenting for the sake of documenting isn't lessons learned.
Forensics essentials
Chain of custody is the one forensic concept you absolutely have to know. Every person who handles evidence, every time they handle it, what they did. Gaps break defensibility.
Evidence integrity is maintained via cryptographic hashes — hash when you collect, hash again later to prove nothing changed. Write-blockers prevent accidental modification of evidence drives during analysis. Always work from a bit-for-bit forensic image, never the original.
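The two ideas above (chain of custody from the Containment section, and hash-based integrity here) fit naturally in one ledger. The following is an added example I wrote for this post, not code from any forensic suite; the ledger layout, the entry actions and the sample scenarios are assumptions, and the "image" is just a byte string standing in for a forensic image.

```python
"""Evidence ledger: hash on acquisition, re-hash at every hand-off, and audit
the chain of custody for gaps. Added example; the ledger format is an
assumption for illustration, not from any forensic suite."""
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLedger:
    def __init__(self, evidence_id, image, collector, when):
        # The hash taken at collection is the reference every later check compares to.
        self.evidence_id = evidence_id
        self.reference_hash = sha256_hex(image)
        self.entries = [{"who": collector, "when": when, "action": "acquired",
                         "to": None, "hash": self.reference_hash}]

    def _add(self, who, when, action, image, to=None):
        self.entries.append({"who": who, "when": when, "action": action,
                             "to": to, "hash": sha256_hex(image)})

    def release(self, who, to, when, image):
        """Current holder hands the evidence to someone else."""
        self._add(who, when, "released", image, to=to)

    def receive(self, who, when, image):
        """The named recipient confirms receipt."""
        self._add(who, when, "received", image)

    def handle(self, who, when, action, image):
        """Any other handling by the current holder, e.g. 'imaged', 'analysed'."""
        self._add(who, when, action, image)

    def audit(self):
        """Return findings; an empty list means an unbroken, integrity-verified chain."""
        findings = []
        holder = self.entries[0]["who"]
        pending_to = None
        prev_when = self.entries[0]["when"]
        for i, e in enumerate(self.entries[1:], 1):
            if e["when"] < prev_when:
                findings.append(f"entry {i}: timestamp earlier than previous entry")
            prev_when = e["when"]
            if e["hash"] != self.reference_hash:
                findings.append(f"entry {i}: hash mismatch, evidence altered since acquisition")
            if e["action"] == "released":
                if e["who"] != holder:
                    findings.append(f"entry {i}: released by {e['who']} who was not the holder")
                pending_to = e["to"]
            elif e["action"] == "received":
                if pending_to != e["who"]:
                    findings.append(f"entry {i}: gap, {e['who']} received without a release to them")
                holder, pending_to = e["who"], None
            elif e["who"] != holder:
                findings.append(f"entry {i}: '{e['action']}' by {e['who']} who was not the holder")
        return findings

# Constructed scenarios (the "image" is just bytes standing in for a forensic image).
IMAGE = b"constructed bit-for-bit image contents"
TAMPERED = IMAGE + b"\x00"

def at(hour, minute=0):
    return datetime(2024, 3, 1, hour, minute)

def intact_chain():
    led = CustodyLedger("EV-001", IMAGE, "analyst_a", at(10))
    led.handle("analyst_a", at(10, 30), "imaged", IMAGE)
    led.release("analyst_a", "analyst_b", at(11), IMAGE)
    led.receive("analyst_b", at(11, 5), IMAGE)
    led.handle("analyst_b", at(12), "analysed", IMAGE)
    return led.audit()

def broken_chain():
    led = CustodyLedger("EV-002", IMAGE, "analyst_a", at(10))
    led.receive("analyst_c", at(11), IMAGE)               # nobody released it to analyst_c
    led.handle("analyst_c", at(12), "analysed", TAMPERED)  # and the bytes changed
    return led.audit()

if __name__ == "__main__":
    print("intact:", intact_chain() or "ok")
    print("broken:", broken_chain())
```

The broken scenario shows both failures the section warns about in one audit: a custody gap (someone received the evidence with no recorded release to them) and an integrity failure (the re-hash no longer matches the acquisition hash). Either one on its own is what an opposing counsel would use to challenge the evidence.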
Investigation types, from lowest to highest evidentiary bar:
- Operational investigations are routine and internal. Lowest evidentiary bar.
- Regulatory investigations are compliance-driven (HIPAA, PCI DSS) with specific statutory standards.
- Civil investigations come from lawsuits, with a "preponderance of evidence" standard.
- Criminal investigations involve law enforcement, with the "beyond reasonable doubt" standard.
If a scenario mentions law enforcement, you're in criminal territory and chain of custody matters most.
BCP vs DR
One-line summary: BCP keeps the business running during disruption. DR restores the tech side after disruption. BCP is broader — people, process, technology. DR is technology and data specifically.
Alternate site types show up constantly in scenario questions:
- Hot sites are fully operational with data replicated. Fastest recovery, highest cost.
- Warm sites are partially equipped with some data in place. Moderate on both axes.
- Cold sites are basic facilities. You bring the systems and data. Slowest recovery, lowest cost.
- Mobile sites are containers or trailers, used for niche cases.
- Cloud-based recovery is increasingly common and usually functions as a hot or warm equivalent.
Backup types:
- Full backups capture everything every time. Longest to run, simplest to restore.
- Differential backups capture changes since the last full backup. Fewer tapes to restore than incremental.
- Incremental backups capture changes since the last backup of any kind. Shortest to run, most tapes to restore.
Scenario pattern: a question gives you recovery requirements (fast RTO, low tolerance for data loss) and asks which site type or backup strategy fits. Match the tolerance to the option.
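To practise that matching, here is a small model of the recovery metrics from the table above and the three backup types. It is an added example written for this post (not from the study guide or any backup product); the weekly schedule, the failure time and the tolerances are constructed, and for clarity each schedule uses one daily backup kind alongside the weekly full.

```python
"""Recovery-plan checks: RTO + WRT <= MTD, and for each backup strategy the
restore set and worst-case data loss at a given failure time. Added example;
schedule, times and tolerances are constructed."""
from datetime import datetime, timedelta

def plan_meets_mtd(rto, wrt, mtd):
    """The relationship from the article: RTO + WRT must not exceed MTD."""
    return rto + wrt <= mtd

def weekly_schedule(daily_kind, week_start):
    """A full backup at week_start, then one backup of `daily_kind` on each of the
    next six days; daily_kind is 'full', 'differential', 'incremental' or None
    (weekly full only). Returns [(timestamp, kind), ...]."""
    backups = [(week_start, "full")]
    if daily_kind:
        backups += [(week_start + timedelta(days=d), daily_kind) for d in range(1, 7)]
    return backups

def restore_set(backups, failure_time):
    """Backups needed, in apply order, to restore to the newest point before failure_time."""
    usable = sorted(b for b in backups if b[0] <= failure_time)
    fulls = [b for b in usable if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup before the failure time")
    last_full = fulls[-1]
    after = [b for b in usable if b[0] > last_full[0]]
    chain = [last_full]
    diffs = [b for b in after if b[1] == "differential"]
    if diffs:
        chain.append(diffs[-1])          # only the newest differential is needed
    # Every incremental taken since the base we just chose (the full, or the
    # newest differential, which already contains earlier changes).
    base_time = chain[-1][0]
    chain += [b for b in after if b[1] == "incremental" and b[0] > base_time]
    return chain

def data_loss(backups, failure_time):
    """Worst-case loss: time since the newest usable backup (what RPO must tolerate)."""
    newest = max(b[0] for b in backups if b[0] <= failure_time)
    return failure_time - newest

def evaluate(backups, failure_time, rpo):
    chain = restore_set(backups, failure_time)
    loss = data_loss(backups, failure_time)
    return {"restores": len(chain), "data_loss": loss, "meets_rpo": loss <= rpo}

WEEK_START = datetime(2024, 3, 3, 2, 0)   # Sunday 02:00, constructed
FAILURE = datetime(2024, 3, 7, 14, 0)     # Thursday 14:00, constructed

if __name__ == "__main__":
    print("RTO 4h + WRT 2h vs MTD 8h:",
          plan_meets_mtd(timedelta(hours=4), timedelta(hours=2), timedelta(hours=8)))
    for kind in (None, "full", "differential", "incremental"):
        result = evaluate(weekly_schedule(kind, WEEK_START), FAILURE, timedelta(hours=24))
        print(kind or "weekly full only", result)
```

Running it reproduces the trade-off in the list above: at the Thursday failure, daily fulls need one restore, daily differentials two (the Sunday full plus Thursday's differential), daily incrementals five (the full plus Monday through Thursday). All three lose the same 12 hours of data because they share the same schedule, while the weekly-full-only plan loses four and a half days and fails a 24-hour RPO. That is the "match the tolerance to the option" step done by hand.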
What actually matters for Domain 4
If I had to pick the five things that'll earn you the most points here:
- The six phases in order, with zero hesitation
- Preserve evidence before eradication — the order of volatility
- Chain of custody for anything that might become legal
- RTO, RPO, MTD, WRT and the relationship between them
- Alternate site and backup strategy matching
You don't need to be a forensics expert. You need to reliably pick the right next step when a scenario drops you into the middle of an incident.
A free SSCP diagnostic
Knowing the lifecycle is one thing. Recognizing it in the half-dozen ways the exam can phrase a question is another. Both come from reps.
LearnZapp has a free SSCP diagnostic — no signup required — that'll show you where you actually stand on Domain 4 and the other six domains. The content is built on Wiley's Official SSCP Study Guide, paired with adaptive practice questions matched to the real exam format.