CompTIA CySA+ (CS0-002) — Question 310
An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised.
Which of the following should the analyst do FIRST?
Answer options
- A. Perform threat hunting in other areas of the cloud infrastructure.
- B. Contact law enforcement to report the incident.
- C. Perform a root cause analysis on the container and the service logs.
- D. Isolate the container from production using a predefined policy template.
Correct answer: D
Explanation
The correct first step is to isolate the compromised container so it cannot cause further damage to the production environment. This is a containment action, and applying a predefined policy template lets the analyst carry it out quickly and consistently, stopping any potential spread of the incident. The other options (root cause analysis on the container and service logs, threat hunting elsewhere in the cloud infrastructure, and contacting law enforcement) are all important, but they belong after the immediate threat has been contained.