Question 2 - ISC2 SSCP Real Exam Questions [March 2026 Update]

Q: 2

A multinational corporation has detected unusual activity suggesting that an attacker has gained access to the hypervisor layer of their virtual environment. What is the most critical immediate step the security team should take to mitigate the threat?

Options

Discussion

Olivia P. Feb 25, 2026 12:39 am

C imo. Cutting the hypervisor off the network is key for containment before anything else.

Ivy P. Feb 24, 2026 9:46 pm

Why not check the official guide or incident response playbooks for escalation steps on hypervisor compromise?

Priya B. Feb 25, 2026 11:38 pm

D , ISC2 puts too much weight on disconnecting but patching feels more actionable sometimes.

Kevin F. Feb 22, 2026 2:31 pm

Its D

Emma K. Feb 16, 2026 7:37 am

Containment always takes priority so definitely C here.

Luna M. Mar 4, 2026 10:05 pm

Why does ISC2 keep mixing up patching with containment on these? C/D always causes noise, but here it’s C.

Chris W. Feb 23, 2026 9:35 am

Not B, C. Restarting VMs (B) won't help if the attacker already has hypervisor access-they could just get back in or pivot again. Disconnecting (C) is classic containment, lines up with incident response basics. Open to discussion if someone sees it differently.

QuietLearner3612 Mar 1, 2026 3:47 am

Likely C is the way to go. Disconnecting the hypervisor cuts off attacker access right away, which matches IR best practices for containment. D trips some folks up since patching is important, but it doesn't stop what's already happening. Open to corrections if I missed something.

Mason O. Mar 1, 2026 2:25 pm

Probably C. If the attacker still has access, disconnecting the hypervisor contains any network-based compromise right away.

Daniel I. Feb 27, 2026 11:08 am

C tbh

Be respectful. No spam.

Correct Answer:

Explanation

A compromised hypervisor represents a complete failure of the virtualization security boundary, granting the attacker potential control over all hosted virtual machines (VMs) and a powerful pivot point for lateral movement. The most critical immediate step, according to established incident response principles, is containment. Disconnecting the hypervisor from the network immediately severs the attacker's command and control (C2) channel and prevents them from exfiltrating data or attacking other systems on the network. This action isolates the threat, limiting the scope of the damage, which is the primary objective in the initial phase of handling a critical security incident.

Why Incorrect

A. Increase the monitoring frequency of virtual machine logs.

This is a detective, not a mitigative, action. It does not stop the active attack, and the attacker could potentially alter the logs from the compromised hypervisor.

B. Restart all virtual machines hosted by the hypervisor.

This is ineffective because the compromise is at the hypervisor level. The attacker would retain control of the hypervisor and could simply re-compromise the VMs upon restart.

D. Apply the latest hypervisor patches and updates.

Patching is a preventative and recovery measure, not an immediate containment step for an active breach. It will not eject an attacker who is already in the system.

References

1. NIST Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide. Section 3.3.2

"Containment

" states that a major decision is "how much to disconnect the affected systems from the network." For a severe compromise

complete disconnection is a primary strategy to prevent the attacker from causing further damage.

2. NIST Special Publication 800-125

Guide to Security for Full Virtualization Technologies. Section 5.3

"Hypervisor

" describes the hypervisor as the most critical component. A compromise at this level is catastrophic

implicitly requiring immediate and decisive containment actions like network isolation to prevent the compromise from spreading.

3. Souppaya

& Scarfone

K. (2011). NIST Special Publication 800-146

Cloud Computing Synopsis and Recommendations. Section 5.2.2

"Network Security

" discusses the risk of a compromised hypervisor allowing an attacker to "gain access to the underlying physical infrastructure and from there to other tenants." This highlights the urgency of preventing lateral movement

which is best achieved by network isolation.

4. Garfinkel

& Rosenblum

M. (2005). When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing. Proceedings of the 10th conference on Hot Topics in Operating Systems

Vol. 10. This foundational academic paper discusses the severe implications of a Virtual Machine Monitor (hypervisor) compromise

noting that it "subverts the security of every guest OS running above it

" reinforcing the need for immediate

drastic containment measures.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE