Interesting Security Incident Response question #1
"You discover that a critical server has been communicating with a known malicious IP for the past 3 days. You’ve already blocked the connection. What is the first step you would take next — and why?"
Curious to hear how fellow IR folks would approach this! Drop your thoughts below 👇 Would you focus on containment? Forensics? Notification? Something else? Let’s share ideas and learn together.
Your upvotes and feedback are welcome!
Words have more power than we think. Be kind.
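One concrete way to begin the "what next" step, added here as an illustration and not as the poster's own answer: whatever you decide on containment or notification, standard IR process (the detection-and-analysis phase in NIST SP 800-61) has you establish scope and timeline from the evidence already in hand before widening or loosening containment. The script below scopes the scenario from flow records: how long the server has been talking to the flagged IP, how much data moved each way, whether there was a single large outbound burst, and which other internal hosts also contacted it. The log lines are constructed sample data, the addresses are documentation-range placeholders, and the field layout (timestamp src dst bytes_out bytes_in) is an assumption you would adapt to your own firewall or NetFlow export.

```python
"""
Scope a suspected compromise from connection logs (added example).

Assumed record layout per line: "<ISO-8601 UTC> <src_ip> <dst_ip> <bytes_out> <bytes_in>".
All addresses and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

MALICIOUS_IP = "203.0.113.45"   # placeholder from the RFC 5737 documentation range
AFFECTED_SERVER = "10.0.5.20"   # constructed internal address of the "critical server"

# Constructed sample flows: three days of periodic contact, one large outbound
# transfer on day two, and a second internal host touching the same IP.
SAMPLE_FLOWS = """\
2024-05-01T02:14:07Z 10.0.5.20 203.0.113.45 1842 96
2024-05-01T02:44:09Z 10.0.5.20 203.0.113.45 1910 104
2024-05-01T14:02:51Z 10.0.5.20 198.51.100.7 512 4096
2024-05-02T03:15:22Z 10.0.5.20 203.0.113.45 524288 120
2024-05-02T09:40:00Z 10.0.7.33 203.0.113.45 2200 88
2024-05-03T02:14:11Z 10.0.5.20 203.0.113.45 1900 100
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_out: int
    bytes_in: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed whitespace-separated flow format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, out_b, in_b = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, int(out_b), int(in_b)))
    return flows


def scope_contact(flows: list[Flow], bad_ip: str, server: str) -> dict:
    """Summarise the server's contact with bad_ip and flag other hosts that also reached it."""
    hits = [f for f in flows if f.dst == bad_ip]
    server_hits = sorted((f for f in hits if f.src == server), key=lambda f: f.ts)
    if not server_hits:
        return {"connections": 0, "other_hosts": sorted({f.src for f in hits})}

    first, last = server_hits[0].ts, server_hits[-1].ts
    biggest = max(server_hits, key=lambda f: f.bytes_out)
    return {
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        "duration_seconds": int((last - first).total_seconds()),
        "connections": len(server_hits),
        "bytes_out": sum(f.bytes_out for f in server_hits),
        "bytes_in": sum(f.bytes_in for f in server_hits),
        # A single outbound burst far above the usual beacon size is worth
        # treating as possible exfiltration until proven otherwise.
        "largest_outbound": (biggest.ts.isoformat(), biggest.bytes_out),
        # Any other internal source talking to the same IP widens the scope
        # beyond the one server you already isolated.
        "other_hosts": sorted({f.src for f in hits if f.src != server}),
    }


if __name__ == "__main__":
    for key, value in scope_contact(parse_flows(SAMPLE_FLOWS), MALICIOUS_IP, AFFECTED_SERVER).items():
        print(f"{key:>18}: {value}")
```

Run it against a copy of the exported logs, never the only copy, so the originals stay intact as evidence. The two outputs that most change the next decision are `other_hosts` (the incident may not be confined to the server you blocked) and `largest_outbound` (a burst far above the usual beacon size shifts the question from "is it beaconing" to "what left").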