https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89147#M5410 <P>I found this table, hopefully, it helps.</P><P>&nbsp;</P><P>Feature<SPAN class=""><SPAN>&nbsp;</SPAN></SPAN> IDS (Passive) IPS (Active)</P><TABLE><TBODY><TR><TD><STRONG>Primary Action</STRONG></TD><TD>Detects and Alerts</TD><TD>Detects and Prevents</TD></TR><TR><TD><STRONG>Placement</STRONG></TD><TD>Out-of-band (Passive)</TD><TD>Inline (Active)</TD></TR><TR><TD><STRONG>Response</STRONG></TD><TD>Manual</TD><TD>Automated</TD></TR><TR><TD><STRONG>Risk</STRONG></TD><TD>Minimal impact on traffic</TD><TD>Potential for false positives</TD></TR><TR><TD><STRONG>Goal</STRONG></TD><TD>Visibility</TD><TD>Protection</TD></TR></TBODY></TABLE> Sun, 12 Apr 2026 15:29:33 GMT dcontesti 2026-04-12T15:29:33Z https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89003#M5405 <P>Hello everyone,</P><P>&nbsp;</P><P>I hope I’m posting this in the right place. I looked through the different sections, and since my question is quite technical, the Tech Talk forum seemed appropriate. Please let me know if it would be better suited elsewhere.</P><P>&nbsp;</P><P>I’m currently preparing for the CISSP using multiple resources, including the official study guide by Mike Chapple. While studying Chapter 17 (Domain 7 – Security Operations), I came across a section discussing IDS and IPS.</P><P>&nbsp;</P><P>The book clearly explains that an IDS can rely on both signature-based (knowledge-based) detection and behavior-based detection. So far, so good.</P><P>&nbsp;</P><P>However, in the section specifically titled “IDS Response”, it mentions that an IDS can have:</P><P>&nbsp;</P><UL><LI>A passive response (e.g., alerting/notification), and</LI><LI>An active response, where it may modify the environment (for example, updating firewall ACLs to block traffic from a malicious IP).</LI></UL><P>This suggests that an IDS is not strictly limited to passive behavior.</P><P>&nbsp;</P><P>That said, I encountered a practice question (from the official practice tests by the same author) where the correct answer implied that an IDS is always passive, and that only an IPS provides active responses.</P><P>&nbsp;</P><P>I understand the nuance often mentioned: when an IDS performs active responses, it is sometimes considered to be functioning as an IPS. I also understand the architectural distinction — an IPS is inline and can block traffic in real time, whereas an IDS is typically out-of-band (e.g., via a SPAN port), observing traffic rather than directly controlling it.</P><P>&nbsp;</P><P>Still, from a technical standpoint, I’m struggling with the apparent contradiction:</P><P>&nbsp;</P><UL><LI>The study guide states that an IDS can take active actions (like modifying firewall rules),</LI><LI>Yet exam-style questions seem to treat IDS as strictly passive.</LI></UL><P>&nbsp;</P><P>So my questions are:</P><P>&nbsp;</P><UL><LI>For CISSP exam purposes, should we always treat IDS as passive and IPS as active, even if that simplifies reality?</LI><LI>Is the distinction primarily about inline vs out-of-band architecture, rather than the actual capability to trigger changes in the environment?</LI><LI>Or is the idea that any “active response” effectively reclassifies the system as an IPS?</LI></UL><P>I’m trying to reconcile the theoretical explanation with the exam expectations, especially since both sources come from the same author.</P><P>&nbsp;</P><P>Thanks in advance for your insights!</P><P>&nbsp;</P><P>JP</P> Sat, 04 Apr 2026 18:57:50 GMT https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89003#M5405 JPMARTIN 2026-04-04T18:57:50Z https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89013#M5406 <P>Without actually seeing the material, it is a little difficult to know what the author may/may not have meant.</P><P>&nbsp;</P><P>My understanding is that an IDS is indeed a passive monitoring tool that identifies potential threats and alerts administrators and <STRONG>IF</STRONG> integrated with a FIREWALL&nbsp; can send instructions to the Firewall to update its policies.&nbsp; The IDS is still passive and still alerting.</P><P>&nbsp;</P><P>Others, I could be wrong?&nbsp; Also, let's ask the team at ISC2 their opinion.&nbsp;&nbsp;<a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1533099493">@CBMExamTeam</a>&nbsp;your thoughts?</P><P>&nbsp;</P><P>d</P> Sun, 05 Apr 2026 12:05:31 GMT https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89013#M5406 dcontesti 2026-04-05T12:05:31Z https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89106#M5409 <P>Thank you for your quick reply.</P><P>Unfortunately, I have read so many questions that I cannot trace it back ahah.</P><P>&nbsp;</P><P>So despite the fact an IDS could definitely send instructions to a FW, it does not make him an active device because it is no in line with the traffic (which in this case, would be considered an IPS)?</P><P>&nbsp;</P><P>I thought passive = alerting, active = take action like send instructions, even if it is not real time because on the SPAN port.</P><P>&nbsp;</P><P>Thanks again,</P><P>JP</P> Thu, 09 Apr 2026 19:55:26 GMT https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89106#M5409 JPMARTIN 2026-04-09T19:55:26Z https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89147#M5410 <P>I found this table, hopefully, it helps.</P><P>&nbsp;</P><P>Feature<SPAN class=""><SPAN>&nbsp;</SPAN></SPAN> IDS (Passive) IPS (Active)</P><TABLE><TBODY><TR><TD><STRONG>Primary Action</STRONG></TD><TD>Detects and Alerts</TD><TD>Detects and Prevents</TD></TR><TR><TD><STRONG>Placement</STRONG></TD><TD>Out-of-band (Passive)</TD><TD>Inline (Active)</TD></TR><TR><TD><STRONG>Response</STRONG></TD><TD>Manual</TD><TD>Automated</TD></TR><TR><TD><STRONG>Risk</STRONG></TD><TD>Minimal impact on traffic</TD><TD>Potential for false positives</TD></TR><TR><TD><STRONG>Goal</STRONG></TD><TD>Visibility</TD><TD>Protection</TD></TR></TBODY></TABLE> Sun, 12 Apr 2026 15:29:33 GMT https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89147#M5410 dcontesti 2026-04-12T15:29:33Z https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89166#M5411 <P>It does! And the comprehensive view you just shared confort me, as I do have the same understanding.</P><P>Thank you!</P> Mon, 13 Apr 2026 13:27:36 GMT https://community.isc2.org/t5/Tech-Talk/IDS-vs-IPS-Active-Response-Confusion-in-CISSP-Materials/m-p/89166#M5411 JPMARTIN 2026-04-13T13:27:36Z