
CISSP Domain 7 Security Operations: SOC, IR & Forensics

Master CISSP Domain 7 Security Operations — the 13% slice where the exam tests whether you can actually run a SOC, drive incident response, preserve evidence, and keep the business alive when things break.

📅 2026-06-03 · ⏱ 14 min · 1 interactive demo · 5 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

CISSP Domain 7 Security Operations deep-dive: SIEM monitoring, NIST SP 800-61r3 incident response, digital forensics chain of custody, and DR/BC resilience. Worth 13% of the exam.

The four areas

1. Monitoring, SIEM & threat intel: SIEM detects and correlates; SOAR automates response; hunt TTPs, not just IOCs.
2. Incident response: Contain and preserve evidence before you eradicate; severity sets response speed.
3. Digital forensics: Collect most-volatile-first, image before you wipe, hash both copies, and never lose the chain of custody.
4. Resilience operations: BIA sets RTO/RPO; those drive backup tier and failover design — and test it.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. During live incident response, you must capture forensic data from a running, compromised server. Following the order of volatility, which should you collect FIRST? (Answered in Digital forensics.)
2. A business impact analysis sets a Recovery Point Objective (RPO) of 1 hour for a database. What does that actually constrain? (Answered in Resilience operations.)
3. Which control pairing is the BEST example of preventing fraud by ensuring no single person controls an entire sensitive process? (Answered in Incident response.)

Most engineers think…

Security Operations is the "easy, common-sense" domain — backups, badges, and patching — so you can skim it and bank the points.

It is 13% of the exam (joint-largest with Domain 1) and the most scenario-heavy, ordering-trap domain there is: ISC2 will ask what you do FIRST in a live incident, whether you contain before you eradicate, and which volatile data you grab before pulling the plug. "Common sense" is exactly where candidates lose points — the right answer is the documented, sequence-correct one, not the intuitive one.

Security Operations is where cybersecurity stops being a diagram and becomes a 2 a.m. phone call. Domain 7 carries 13% of the CISSP exam — tied for the heaviest — and ISC2 tests it almost entirely through scenarios: a SIEM alert fires, a server is compromised, evidence must hold up in court, and the business needs to be running again by morning. This deep-dive covers the four pillars the way a manager actually lives them — Monitoring, SIEM & threat intel; Incident response; Digital forensics; and Resilience operations — plus how AI-native SOCs and SOAR are reshaping the work. Get the order right (contain before eradicate, RAM before disk, BIA before RTO) and this domain becomes points; treat it as "common sense" and it quietly drains your score.

Figure 1 — Domain 7 in the CBK: where Domain 7 sits inside the eight-domain CISSP Common Body of Knowledge. Exam weights shown: 1 Security & Risk Mgmt 16%, 2 Asset Security 10%, 3 Architecture & Eng 13%, 4 Network Security 13%, 5 IAM 13%, 6 Assessment & Testing 12%, 7 Security Operations 13% (this lesson), 8 Software Dev Security 10%.
Domain 7 is 13% of the CISSP exam. This deep dive is one of eight — the others are linked at the bottom.
Figure 2 — The four areas of Domain 7: Monitoring, SIEM & threat intel; Incident response; Digital forensics; Resilience operations, each with its single most important takeaway.
This lesson walks all four areas in order.


Monitoring, SIEM & threat intel

Think of a SOC as a hospital ICU for your network: monitors beep on the SIEM, nurses (analysts) triage, and a crash-cart playbook (SOAR) fires the instant a patient codes. The Security Operations Center is the people-process-technology hub that watches your estate 24x7. Under the ISC2 2024 outline, Domain 7 folds logging, monitoring, intrusion detection, SIEM, continuous monitoring, threat intelligence, threat hunting, and UEBA into one tested objective.

Logging is the raw fuel. You collect from firewalls, endpoints, identity providers, and apps, then ship them to a central, time-synced (NTP) store so timelines line up. The SIEM ingests, normalizes, and correlates these events to surface what a single log never shows: a failed-login burst followed by a successful login and a privilege change. SIEM detects and alerts; it does not act. SOAR is the next layer that orchestrates and automates the response via playbooks, isolating a host or disabling an account in seconds. The 2024 outline explicitly tests this SIEM-versus-SOAR distinction.

Continuous monitoring means the SIEM is never "set and forget" - you tune rules, retire noisy alerts, and update detections as the estate changes. Threat intelligence feeds this loop with context. IOCs are the easy-to-change bottom of David Bianco's Pyramid of Pain; TTPs (mapped in MITRE ATT&CK) sit at the painful top because attackers cannot easily change their behavior. Threat hunting is the proactive, hypothesis-driven search for adversaries who slipped past alerts - assume breach, then go look.

Exam tip

If the question says "aggregate and correlate logs, then alert," pick SIEM. If it says "automatically execute a response playbook," pick SOAR. Hunting is proactive and hypothesis-driven; monitoring is continuous and alert-driven.
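The correlation the text describes (failed-login burst, then a success, then a privilege change) as an added example, not code from the lesson or any SIEM product: it replays constructed identity-provider log lines, normalizes them, and raises one alert per account. The log format, the thresholds and the account names are assumptions.

```python
"""Added example (not from the lesson): a minimal SIEM-style correlation rule.

It normalizes constructed identity-provider log lines and alerts when a burst
of failed logins for an account is followed by a successful login and then a
privilege change within a short window. Format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO time, user, action, source IP.
SAMPLE_LOG = """\
2026-06-03T02:01:10Z user=priya action=login_failed src=172.16.40.12
2026-06-03T02:01:14Z user=priya action=login_failed src=172.16.40.12
2026-06-03T02:01:19Z user=priya action=login_failed src=172.16.40.12
2026-06-03T02:01:23Z user=priya action=login_failed src=172.16.40.12
2026-06-03T02:01:27Z user=priya action=login_failed src=172.16.40.12
2026-06-03T02:01:40Z user=priya action=login_success src=172.16.40.12
2026-06-03T02:03:05Z user=priya action=role_change src=172.16.40.12
2026-06-03T02:05:00Z user=rohan action=login_failed src=10.0.0.7
2026-06-03T02:05:30Z user=rohan action=login_success src=10.0.0.7
"""

FAILED_THRESHOLD = 5                   # failures that count as a burst
BURST_WINDOW = timedelta(minutes=2)    # the burst must fit in this window
FOLLOW_WINDOW = timedelta(minutes=10)  # success and privilege change must follow within this


def parse_line(line):
    """Normalize one raw line into a dict (the SIEM 'normalize' step)."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate(raw_log):
    """Return alerts as (user, src, first_failure_ts) for burst -> success -> privilege change."""
    per_user = defaultdict(list)
    for line in raw_log.splitlines():
        if line.strip():
            ev = parse_line(line)
            per_user[ev["user"]].append(ev)

    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["action"] == "login_failed"]
        # Sliding window over failures: find the earliest burst of FAILED_THRESHOLD.
        for i in range(len(failures) - FAILED_THRESHOLD + 1):
            first, last = failures[i], failures[i + FAILED_THRESHOLD - 1]
            if last["ts"] - first["ts"] > BURST_WINDOW:
                continue
            # Stage 2: a successful login after the burst, within the follow window.
            success = next((e for e in events if e["action"] == "login_success"
                            and last["ts"] < e["ts"] <= last["ts"] + FOLLOW_WINDOW), None)
            if success is None:
                continue
            # Stage 3: a privilege change after that success, same window.
            priv = next((e for e in events if e["action"] == "role_change"
                         and success["ts"] < e["ts"] <= success["ts"] + FOLLOW_WINDOW), None)
            if priv is not None:
                alerts.append((user, priv["src"], first["ts"].isoformat()))
                break  # one alert per user per burst keeps the analyst queue readable
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("ALERT account-takeover pattern:", alert)
```

Note that the single failure for rohan never reaches the threshold, which is the difference between a correlated alert and the raw log noise that caused the alert fatigue in the scenario below.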

Priya at HDFC faces this

The SIEM fired 4,000 "impossible travel" alerts overnight and analysts ignored all of them, so a real account takeover from 172.16.40.12 went unactioned for nine hours.

Likely cause

Alert fatigue from an untuned rule - continuous monitoring was skipped, so noisy correlation drowned the true positive.

CISSP move

Tune the rule and enrich with threat intel, then wire a SOAR playbook to auto-disable the session and open a case for analyst review.

Quick check · Q1 of 10

A SOC analyst needs the platform that ingests logs from firewalls and endpoints, normalizes them, and correlates events to raise alerts. Which technology is this?

Correct: a. SIEM ingests, normalizes, and correlates multi-source logs to detect and alert. SOAR automates the response after detection; DLP prevents data exfiltration; UEBA profiles behavior anomalies.


Incident response

Think of incident response like a hospital's emergency ward: you don't invent the protocol when the patient arrives — you drilled it for months. NIST's updated SP 800-61 Revision 3 (2025) reframes incident response around the six CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover. The first three (Govern, Identify, Protect) are the preparation wrapper — broader risk-management work that makes response possible, but not the response itself. Actual incident handling lives in Detect, Respond, Recover.

For the exam, ISC2 still tests its classic seven-step sequence, so map the two cleanly: (1) Detect & Analyze — confirm an event is truly an incident, scope it, and classify severity. (2) Respond / Contain — limit blast radius (short-term isolation, then long-term containment) while preserving evidence. (3) Mitigate — minimize active damage. (4) Report — runs throughout; one dedicated liaison briefs management, regulators, and customers so responders stay focused. (5) Recover — restore systems to known-good production. (6) Remediate — root-cause analysis to stop recurrence (begins in parallel with mitigation). (7) Lessons Learned — the post-incident review that feeds improvements back into Preparation.

Severity drives speed: rate incidents by impact (data sensitivity, systems affected) and urgency, then assign P1–P4 so a ransomware hit pages people at 2 AM while a single phishing click waits for business hours. The CSIRT has defined roles (incident commander, analysts, comms lead, legal), and playbooks codify exact steps per incident type so nobody improvises mid-crisis.

Exam tip

Containment comes BEFORE eradication and recovery — never "fix the box" before isolating it. ISC2 wants you to stop the bleeding and preserve evidence first.
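An added example (not from the lesson) that audits a responder's action log against the ordering rule above: every destructive step on a host must be preceded by isolation and evidence capture on that host, and the log must close with Lessons Learned. The action names, their phase mapping and the two sample logs are assumptions built for this illustration.

```python
"""Added example (not from the lesson): audit a responder's action log against
the rule that containment and evidence preservation come before any
eradication or recovery step, and that the log closes with Lessons Learned.

Action names, the phase mapping and the sample logs are assumptions; the
phase labels follow the ISC2 seven-step sequence described above.
"""

# Phase each concrete action belongs to. Containment sits under "respond"
# (Respond / Contain); "report" runs throughout, so it is never an ordering issue.
ACTION_PHASE = {
    "confirm_incident": "detect",
    "classify_severity": "respond",
    "isolate_host": "respond",
    "capture_memory": "respond",
    "image_disk": "respond",
    "notify_management": "report",
    "reimage_host": "recover",
    "restore_from_backup": "recover",
    "patch_root_cause": "remediate",
    "post_incident_review": "lessons_learned",
}

# Safeguards that must be on record for a host before a destructive step on it.
SAFEGUARDS = {"isolate_host", "capture_memory", "image_disk"}
DESTRUCTIVE = {"reimage_host", "restore_from_backup"}

# Constructed logs: the shortcut from the HDFC scenario, and the playbook path.
SHORTCUT_LOG = [
    ("confirm_incident", "10.20.4.55"),
    ("reimage_host", "10.20.4.55"),       # "clean up fast"
]
PLAYBOOK_LOG = [
    ("confirm_incident", "10.20.4.55"),
    ("classify_severity", "10.20.4.55"),
    ("isolate_host", "10.20.4.55"),
    ("capture_memory", "10.20.4.55"),
    ("image_disk", "10.20.4.55"),
    ("notify_management", "10.20.4.55"),
    ("reimage_host", "10.20.4.55"),
    ("patch_root_cause", "10.20.4.55"),
    ("post_incident_review", "10.20.4.55"),
]


def audit(actions):
    """Return violation strings for an ordered list of (action, host) tuples."""
    violations = []
    done_per_host = {}
    for action, host in actions:
        if action not in ACTION_PHASE:
            violations.append(f"unknown action {action!r} on {host}")
            continue
        done = done_per_host.setdefault(host, set())
        if action in DESTRUCTIVE:
            missing = sorted(SAFEGUARDS - done)
            if missing:
                violations.append(
                    f"{action} on {host} before {missing}: evidence lost, spread not stopped")
        done.add(action)
    if not actions or actions[-1][0] != "post_incident_review":
        violations.append("log does not end with post_incident_review: loop never closed")
    return violations


def phase_sequence(actions):
    """Distinct phases in first-seen order, to compare against the ISC2 sequence."""
    seen = []
    for action, _host in actions:
        phase = ACTION_PHASE.get(action, "unknown")
        if phase not in seen:
            seen.append(phase)
    return seen


if __name__ == "__main__":
    print("shortcut:", audit(SHORTCUT_LOG))
    print("playbook:", audit(PLAYBOOK_LOG), phase_sequence(PLAYBOOK_LOG))
```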

Priya at HDFC faces this

An analyst sees Cobalt Strike beacons from host 10.20.4.55 and immediately wipes and re-images it to "clean up fast."

Likely cause

Skipping containment and evidence preservation — reimaging destroyed forensic artifacts and the team lost scope on lateral movement.

CISSP move

Isolate the host on the network first, snapshot memory and disk, then eradicate. Follow the P1 playbook order, don't shortcut it.

Quick check · Q2 of 10

Aditya, an L2 analyst at Infosys, confirms a worm is actively spreading across a /24 subnet during business hours. Following ISC2's lifecycle, what is his correct FIRST action?

Correct: c. Containment comes first to limit blast radius and preserve evidence. Root-cause (remediation), recovery, and external reporting all follow — eradicating or restoring before containment risks reinfection and destroys forensic data.
Figure 3 — The incident response lifecycle: Prepare → Detect & analyze → Contain → Eradicate & recover → Lessons learned, where step 3 (Contain) is the decisive one.
The incident response lifecycle — examiners test the ORDER, so learn it as a sequence, not a list.

Digital forensics

Think of a crime scene where the murder weapon is melting ice — wait too long and your evidence literally evaporates. Digital evidence behaves the same way, which is why forensics is a race against decay. Digital forensics follows a strict pipeline: identify, preserve, collect, analyse, and present — and every step must protect the evidence's integrity.

The order of volatility tells you what to grab first. Capture the most perishable data before it vanishes. The standard sequence (RFC 3227): CPU registers and cache, then RAM and running processes, then network state and ARP cache, then temporary files and swap, then disk, then remote logs, and finally archival media. RAM dies the instant you pull power, so you image live memory before you ever shut the box down.

The chain of custody is your courtroom lifeline. Document who collected each item, the exact time and location, and every transfer or access afterwards. One undocumented gap and a defence lawyer gets the whole exhibit thrown out.

Exam tip

The golden rule: image before you wipe — and never analyse the original. Make a bit-for-bit forensic copy using a hardware write blocker, hash both the source and the copy (SHA-256), and confirm the hashes match. All analysis runs on the working copy; the original stays sealed.

For admissibility, courts demand evidence that is authentic, accurate, complete, and reliable. Matching hashes prove the copy was not altered. A clean chain of custody proves nobody tampered with it. Skipping either makes even a perfect investigation legally worthless.
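The two proofs named above, matching hashes and an unbroken custody log, as an added example that is not part of the lesson: it hashes a constructed source and its image with SHA-256 in chunks, and checks a custody log for out-of-order entries or a hand-off whose "from" is not the previous holder. The evidence bytes, exhibit id and names are constructed.

```python
"""Added example (not from the lesson): verify a forensic image against its
source by SHA-256 and check a chain-of-custody log for gaps.

The evidence bytes and custody entries are constructed in memory so the
script runs offline; hashing and the continuity rule are the general technique.
"""
import hashlib
from datetime import datetime

# Constructed "source media" and two images of it: a write-blocked copy should
# be byte-identical; the second image has one flipped byte.
SOURCE = b"MBR\x00" + bytes(range(256)) * 8
GOOD_IMAGE = bytes(SOURCE)
BAD_IMAGE = SOURCE[:100] + b"\xff" + SOURCE[101:]


def sha256_hex(data, chunk=4096):
    """Hash in chunks, the way a multi-GB image would be streamed from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def image_verified(source, image):
    """True only if the source and the working copy hash identically."""
    return sha256_hex(source) == sha256_hex(image)


# Chain-of-custody entries: (timestamp, exhibit, from, to, reason). Constructed.
CUSTODY = [
    ("2026-06-03T09:10:00Z", "EXH-01", "scene", "A. Sharma", "seized laptop"),
    ("2026-06-03T11:45:00Z", "EXH-01", "A. Sharma", "evidence locker", "storage"),
    ("2026-06-04T08:00:00Z", "EXH-01", "evidence locker", "S. Rao", "imaging"),
]
# Same log with the locker step undocumented: the third entry claims a hand-off
# from a person who was no longer the holder.
BROKEN_CUSTODY = [
    CUSTODY[0],
    CUSTODY[1],
    ("2026-06-04T08:00:00Z", "EXH-01", "A. Sharma", "S. Rao", "imaging"),
]


def custody_gaps(entries):
    """Describe breaks: timestamps that go backwards, or a hand-off whose
    'from' does not match the last recorded holder of that exhibit."""
    problems = []
    holder = {}
    last_ts = {}
    for ts_str, item, src, dst, _reason in entries:
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        if item in last_ts and ts < last_ts[item]:
            problems.append(f"{item}: entry at {ts_str} is earlier than the previous entry")
        if item in holder and holder[item] != src:
            problems.append(f"{item}: received from {src!r} but last holder was {holder[item]!r}")
        holder[item] = dst
        last_ts[item] = ts
    return problems


if __name__ == "__main__":
    print("good image verified:", image_verified(SOURCE, GOOD_IMAGE))
    print("bad image verified:", image_verified(SOURCE, BAD_IMAGE))
    print("custody gaps:", custody_gaps(BROKEN_CUSTODY))
```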

Sneha at HDFC faces this

A finance laptop suspected of data theft is found powered on; a junior analyst's first instinct is to shut it down and ghost the disk.

Likely cause

Powering off destroys RAM-resident evidence — decryption keys, live malware, open network sessions — and skipping the forensic image risks altering the original.

CISSP move

Honour order of volatility: capture live RAM first, then image the disk via a write blocker, hash everything, and start the chain-of-custody log before touching the data.

Quick check · Q3 of 10

Karthik responds to a suspected breach on a running server at a Pune startup. He must capture CPU cache, RAM, the ARP/network state, and the archived backup tapes. Following the order of volatility, which does he collect FIRST?

Correct: b. Order of volatility (RFC 3227) collects the most perishable data first. CPU registers and cache are the most volatile of the listed items, so they come before RAM, network state, disk, and archival tapes.
Figure 4 — Backup types
Backup types — side by side so the trade-off is obvious: Full versus Incremental versus Differential across Copies, Backup speed and Restore speed.

                 Full          Incremental                 Differential
Copies           Everything    Changes since last backup   Changes since last full
Backup speed     Slow          Fast                        Medium
Restore speed    Fast          Slow (many sets)            Medium (2 sets)

Backup types — most domain questions hinge on telling these apart.


Resilience operations

Think of resilience operations like maintaining a Mumbai local train: you swap parts on a schedule (change management), you keep spare coaches ready (backups), and you have a plan to reroute when a track floods (DR). The goal is simple — survive disruption without losing data or trust.

Change, configuration, and patch management form the first layer. Configuration management maintains a secure baseline — a documented standard for every server, firewall, and endpoint. Change management is the governance gate: every modification goes through request, review by a Change Advisory Board, testing, approval, scheduled deployment, and rollback planning. Patch management is a specialised slice of change management. The key exam nuance: patches are externally driven (a vendor releases a fix), while configuration changes are internally initiated. The patch cycle is monitor, acquire, test, prioritise by risk, schedule, deploy, verify, and update the baseline. Never patch production without testing first.

Backup strategies protect the data itself. A full backup copies everything — slowest, most storage, fastest restore. An incremental copies only what changed since the last backup (any type) — fast backups, but restore needs the full plus every increment in order. A differential copies everything changed since the last full — middle ground, restore needs only full plus the latest differential. The 3-2-1 rule eliminates single points of failure; the modern 3-2-1-1-0 extension adds one immutable/air-gapped copy and zero verification errors for ransomware resilience.

Common trap

Do not confuse incremental and differential restore. Incremental = full + all increments. Differential = full + only the last differential. Exam questions hide this in restore-time wording.

Priya at HDFC faces this

A ransomware hit encrypts the primary database; the nightly backup share is also encrypted because it was online and writable.

Likely cause

Backups sat on a network-reachable, mutable volume — no air-gap, violating 3-2-1-1-0.

CISSP move

Restore from the immutable off-site copy, then enforce one air-gapped backup and routine restore testing.

Executing BCP/DR turns plans into action. RTO sets how fast a process must return; RPO sets how much data loss is acceptable. A four-hour RTO and one-hour RPO together drive your design: hot site plus hourly replication, not weekly tape. Failover shifts production to a standby site; failback returns to primary once stable. Both RTO and RPO come from the Business Impact Analysis, and you must test failover regularly — an untested DR plan is just hopeful paperwork.
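An added example (not from the lesson) that works the backup and RPO reasoning above through code: it builds a weekly schedule (Sunday full, then daily incrementals or differentials), computes the restore chain for a failure time, and derives the worst-case data loss the schedule implies so it can be checked against an RPO. The backup time of 23:00 and the Thursday-afternoon failure are assumptions.

```python
"""Added example (not from the lesson): restore chains for incremental versus
differential schemes, and the effective RPO a backup schedule implies.

The schedule mirrors the lesson's weekly pattern (Sunday full, daily partials);
the 23:00 backup time and the failure time are constructed assumptions.
"""
from datetime import datetime, timedelta

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def weekly_schedule(scheme):
    """One week of backups at 23:00: Sunday full, then `scheme` each other day."""
    base = datetime(2026, 5, 31, 23, 0)  # 31 May 2026 is a Sunday
    return [(base + timedelta(days=i), day, "full" if day == "Sun" else scheme)
            for i, day in enumerate(DAYS)]


INCREMENTAL_WEEK = weekly_schedule("incremental")
DIFFERENTIAL_WEEK = weekly_schedule("differential")
FAILURE_TIME = datetime(2026, 6, 4, 15, 0)  # Thursday afternoon corruption


def restore_chain(sets, failure_time):
    """Backup sets, in apply order, needed to restore to the last good point
    before `failure_time`. Incremental: full + every increment. Differential:
    full + only the latest differential."""
    usable = [s for s in sets if s[0] <= failure_time]
    if not usable:
        return []
    last_full = max(i for i, s in enumerate(usable) if s[2] == "full")
    chain = [usable[last_full]]
    after = usable[last_full + 1:]
    if after and after[-1][2] == "differential":
        chain.append(after[-1])
    elif after and after[-1][2] == "incremental":
        chain.extend(after)
    return [f"{day} {kind}" for _, day, kind in chain]


def effective_rpo_hours(sets, failure_time):
    """Worst-case data loss in hours: time from the last completed backup to the failure."""
    usable = [s for s in sets if s[0] <= failure_time]
    if not usable:
        return None
    return (failure_time - usable[-1][0]).total_seconds() / 3600


def meets_rpo(sets, failure_time, rpo_hours):
    """Does this schedule keep data loss within the BIA's RPO for this failure?"""
    loss = effective_rpo_hours(sets, failure_time)
    return loss is not None and loss <= rpo_hours


if __name__ == "__main__":
    print("incremental:", restore_chain(INCREMENTAL_WEEK, FAILURE_TIME))
    print("differential:", restore_chain(DIFFERENTIAL_WEEK, FAILURE_TIME))
    print("data loss (h):", effective_rpo_hours(INCREMENTAL_WEEK, FAILURE_TIME))
```

The 16-hour loss that falls out of a nightly schedule is the point of the RPO paragraph: a one-hour RPO cannot be met by any nightly backup, whatever its type, which is why it drives you to hourly replication instead.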

Quick check · Q4 of 10

A startup in Pune runs a weekly full backup on Sunday plus daily incremental backups Monday through Saturday. The database is corrupted on Thursday afternoon. To restore fully, which sequence must the admin apply?

Correct: d. Incremental backups capture only changes since the previous backup of any type. A full restore therefore needs the last full (Sunday) plus every incremental in sequence up to the failure (Mon, Tue, Wed). Option A and C describe differential behaviour; option D ignores that an incremental holds only one day's changes.

Domain 7 in the AI era (2026)

SOC 2.0 is the "agentic SOC." The old promise was SIEM-plus-SOAR: a SIEM correlates logs into alerts, a SOAR runs a fixed playbook. The 2025–2026 shift is AI agents that reason through an alert instead of following a rigid script. Gartner named "AI SOC agents" a representative category for the first time in its 2025 Innovation Insight report, placing it at the early "Technology Trigger" stage — real, but immature.

The driver is brutal math: large SOCs see 100,000+ daily alerts where only 1–5% are true positives. AI agents now auto-triage Tier-1 alerts — gathering evidence, enriching IOCs, correlating signals across tools, and suppressing false positives. Google Cloud's Alert Triage and Investigation Agent and Microsoft Security Copilot's agents are shipping examples; vendors report AI cutting MTTR by 45–55% and automating ~70% of investigations. The maturity ladder is crawl (summarise/enrich) → walk (judge alerts) → run (auto-contain on high confidence).

"Run" is where governance bites. Letting an agent isolate a host or disable an account is consequential — and risky. OWASP's Top 10 for Agentic Applications (released December 2025) catalogues goal hijacking and rogue-agent risk; the NIST AI RMF (Map/Measure/Manage/Govern) is the steering frame. The accepted model is human-on-the-loop: agents handle volume, humans own consequential judgment, and high-impact actions require deterministic escalation — not the agent deciding when to ask a human. A WEF-cited survey found 88% of enterprises investing in security AI agents, yet flagged governance gaps as the top concern.

At Pune-based Saanvi Kulkarni's MSSP, an agent auto-quarantined a finance laptop at 2 a.m. for beaconing; her playbook required a human sign-off before account disablement, so the agent escalated to on-call analyst Rohan Iyer — containment fast, identity action gated.

Strengths tip: if you're analytical, build the escalation policy — deciding which actions an agent may take alone vs. must defer is the highest-value SOC 2.0 skill.
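The escalation policy described above, as an added example that is not the lesson's or any vendor's code: a fixed table decides per action whether the agent may act alone, must hand off to a human, or is refused outright, and every proposal leaves an audit record. Action names, confidence thresholds and the sample proposals are assumptions.

```python
"""Added example (not from the lesson): a deterministic escalation policy for
SOC-agent actions. The policy table, not the agent, decides which proposals
run autonomously, which are gated to a human, and which are denied.

Action names, thresholds and the sample proposals are constructed.
"""

# action -> (minimum confidence to run alone, always requires a human?)
POLICY = {
    "enrich_alert":         (0.0,  False),  # crawl: always allowed
    "close_false_positive": (0.9,  False),  # walk: judge, only on high confidence
    "isolate_host":         (0.95, False),  # run: auto-contain on high confidence
    "disable_account":      (0.0,  True),   # identity action: always gated
    "delete_mailbox":       (0.0,  True),
}

# Constructed proposals: (action, target, model confidence). The first two mirror
# the MSSP scenario: containment runs, the identity action waits for on-call.
SAMPLE_PROPOSALS = [
    ("isolate_host", "finance-laptop-17", 0.97),
    ("disable_account", "finance-user", 0.99),
    ("isolate_host", "hr-01", 0.60),
    ("wipe_disk", "hr-01", 0.99),   # not in the policy: scoped permissions deny it
]


def decide(action, confidence):
    """Return 'auto', 'escalate' or 'deny' for one proposed action."""
    if action not in POLICY:
        return "deny"  # unknown actions are never executed, whatever the agent's goal
    min_conf, gated = POLICY[action]
    if gated:
        return "escalate"  # consequential actions go to a person regardless of confidence
    return "auto" if confidence >= min_conf else "escalate"


def run_proposals(proposals):
    """Apply the policy to each proposal and return the audit trail."""
    trail = []
    for action, target, confidence in proposals:
        trail.append({"action": action, "target": target,
                      "confidence": confidence, "decision": decide(action, confidence)})
    return trail


if __name__ == "__main__":
    for record in run_proposals(SAMPLE_PROPOSALS):
        print(record)
```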

The AI-era angle, in four cards

What 2026 adds to this domain, and why each matters:

1. L1 Auto-Triage: AI agents enrich, correlate, and suppress false positives on the 100k+ daily alerts, freeing analysts for the 1-5% real threats — cutting MTTR ~45-55%.
2. Crawl-Walk-Run: AI maturity ladder: enrich (crawl) → judge alerts (walk) → auto-contain on high confidence (run). 'Run' is where governance risk concentrates.
3. Deterministic Escalation: Your policy — not the agent — decides which actions need a human. Consequential actions like account disablement must always gate to a person.
4. Goal Hijacking: OWASP Agentic risk: an attacker poisons an agent's input to redirect its objective. Why response agents need scoped permissions and audit trails.


🎯 Prove it — your Domain 7 practice exam

You have read the theory. Now do the reps. This is the free, timed Techclick assessment built for exactly this domain, with full reasoning on every question — plus the full-length mock for when you are close to your exam date.

Part of the 8-part series · start from the CISSP overview → · all assessments live on exam.techclick.in (sign in with your Techclick account).

Figure 5 — Domain 7 on one card: the four areas with their key takeaways, plus the two things examiners love to test: backup types (know the trade-off cold) and the incident response lifecycle (memorize the order).
Print this for the night before. Everything in Domain 7 on a single page.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Analyze

During a hunt, Karthik at Wipro blocks the attacker's IP and file hash, but the intrusion continues from new infrastructure within hours. Per the Pyramid of Pain, what should he target instead to cause the attacker the most pain?

Correct: c. IPs, hashes, and domains are trivial for attackers to rotate, so blocking them buys little. TTPs sit atop the Pyramid of Pain because behavior is costly to change; detecting them via MITRE ATT&CK forces real adversary effort.
Q6 · Analyze

After a breach at a Bengaluru fintech startup, Meera notices the same misconfigured S3 bucket caused two incidents in three months because fixes were never documented. Which lifecycle weakness does this MOST directly reveal?

Correct: b. Repeating the same root cause shows the post-incident review never closed the loop into Preparation/remediation. Lessons Learned exists precisely to update controls and playbooks so identical incidents don't recur; the other options describe unrelated phases.
Q7 · Evaluate

In court, Meera's team presents a stolen-data disk. The defence shows the analyst worked directly on the original drive without a write blocker, and no hash was recorded before analysis. How should the team evaluate this evidence's standing?

Correct: a. Working on the original without a write blocker or pre-analysis hash means you cannot prove the evidence was unaltered. Without demonstrable integrity, authenticity fails and the evidence is likely inadmissible — a complete custody log alone cannot rescue it.
Q8 · Apply

Meera, a security lead at Infosys, is told a critical payments service has an RPO of 5 minutes and an RTO of 30 minutes. Which recovery design best satisfies both requirements?

Correct: d. A 5-minute RPO demands near-continuous replication, and a 30-minute RTO demands an already-running hot site with automated failover. Nightly tape (A) and weekly backups (D) lose hours of data, breaking RPO. A cold site (B) takes days to stand up, breaking RTO.
Q9 · Analyze

An MSSP deploys an AI agent that auto-isolates hosts on high-confidence malware alerts but requires human sign-off before disabling user accounts. Analysing this design, what governance principle is being applied?

Correct: b. The design encodes which actions the agent may take alone (host isolation) versus which must defer to a human (account disablement) via a fixed policy — the definition of human-on-the-loop deterministic escalation. Account disablement is consequential and identity-affecting, so it is gated. It is not defense in depth (no layered controls), least privilege (about access scope, not action gating), or separation of duties (about splitting human roles).
Q10 · Evaluate

A CISO argues that because the agentic SOC auto-resolves 70% of alerts and cut MTTR by half, the firm can treat the AI vendor as accountable for any missed breach. Evaluating this stance against CISSP and NIST AI RMF principles, what is the best critique?

Correct: a. A core CISSP and NIST AI RMF (Govern) principle is that accountability cannot be outsourced to a tool or vendor — the organisation owns the risk. The AI agent is a control that must be tested, monitored, and governed under the RMF Manage/Govern functions. Certification (option 3) does not transfer accountability, and the critique is not about the percentage being too low (option 4) — it is about the mistaken transfer of accountability itself.

🧠 In your own words

Type one line: Without looking, walk a colleague through what you do the moment a SIEM alert fires on a compromised production server — name each incident-response phase in order, say where containment sits relative to eradication, and explain why you image memory before disk. Then compare to the expert version.

Expert version: A solid answer follows the ISC2 sequence: Detection (the SIEM/UEBA alert and triage to confirm it's a real incident, not a false positive) → Response (activate the IR team, classify severity) → Mitigation/Containment (isolate the host — short-term containment to stop spread, e.g. network quarantine — BEFORE eradication, so you don't tip off the attacker or destroy evidence) → Reporting (notify stakeholders; note breach-notification clocks like India's DPDP or GDPR may start here) → Recovery (rebuild from known-good, restore service, validate) → Remediation (root-cause fixes, patch the exploited weakness) → Lessons Learned. Crucially, you capture VOLATILE data first per the order of volatility — registers/cache, then RAM, then network state — because memory dies the instant you power off, while the disk image survives; all of it logged under an unbroken chain of custody (who, what, when, where) so it's legally admissible. Bonus: note NIST SP 800-61r3 (2025) reframes this as a continuous CSF 2.0 cycle where "improve" runs throughout, not just at the end.


📖 Glossary

SIEM
Security Information and Event Management - aggregates and correlates logs from many sources to detect and alert on threats.
SOAR
Security Orchestration, Automation and Response - runs automated playbooks to respond to alerts, e.g. isolating a host.
TTP
Tactics, Techniques, and Procedures - an adversary's behavioral patterns, mapped in MITRE ATT&CK and hardest for attackers to change.
CSIRT
Computer Security Incident Response Team — the pre-staffed group with defined roles (commander, analysts, comms, legal) that executes incident response.
Containment
Stopping an incident from spreading — short-term isolation then long-term measures — done before eradication to preserve evidence.
Playbook
A documented, step-by-step procedure for a specific incident type (ransomware, phishing, DDoS) so responders follow a tested sequence under pressure.
Order of volatility
RFC 3227 sequence telling you to collect the most perishable evidence first (RAM before disk before archives).
Chain of custody
A documented, unbroken record of who handled evidence, when, where, and why — required for court admissibility.
Forensic image
An exact bit-for-bit copy of the original media, made with a write blocker, on which all analysis is performed.
RTO (Recovery Time Objective)
The maximum acceptable downtime — how fast a system or process must be restored after an outage.
RPO (Recovery Point Objective)
The maximum acceptable data loss measured in time — how far back the last good recovery point can be.
3-2-1-1-0 rule
Three copies of data, on two media types, one off-site, one immutable/air-gapped, with zero backup-verification errors.
Agentic SOC
A security operations model where autonomous AI agents reason through alerts and investigations dynamically, rather than following the fixed scripts of a traditional SOAR playbook.
Human-on-the-loop
A governance posture where AI acts autonomously on low-risk tasks while a human supervises and is pulled in via deterministic policy for consequential or uncertain decisions.
OWASP Top 10 for Agentic Applications
A risk catalogue released December 2025 classifying agentic-AI threats such as goal hijacking and rogue agents — the first systematic attempt to standardise these risks.

📚 Sources

  1. ISC2 — CISSP Certification Exam Outline (Effective April 15, 2024), Domain 7 Security Operations = 13%. isc2.org
  2. NIST — SP 800-61 Rev. 3: Incident Response Recommendations and Considerations for Cybersecurity Risk Management — A CSF 2.0 Community Profile (April 2025). csrc.nist.gov
  3. NIST — SP 800-86: Guide to Integrating Forensic Techniques into Incident Response (collection, examination, analysis, reporting). nvlpubs.nist.gov
  4. NIST — Cybersecurity Framework (CSF) 2.0, Govern/Identify/Protect/Detect/Respond/Recover functions. nist.gov
  5. NIST — SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems (BIA, RTO/RPO/MTD, recovery sites). csrc.nist.gov
  6. ISO/IEC — 27037:2012 Guidelines for identification, collection, acquisition and preservation of digital evidence (chain of custody). iso.org
  7. MITRE — ATT&CK Enterprise Framework (adversary TTP mapping for detection engineering). attack.mitre.org
  8. Ministry of Electronics & IT, India — Digital Personal Data Protection (DPDP) Act, 2023 (data-breach intimation obligations relevant to IR reporting). meity.gov.in

What's next?

Domain 7 done. Keep the momentum — next is Domain 8: Software Dev Security.