What best describes a remediation event?

• A. A routine daily patch and update cycle within the IR team.
• B. A massive coordination of groups outside of the IR team that enact a burst of network changes over a short period of time. Usually occurs over a weekend when an organization can commit to purging an adversary from its network.
• C. An internal audit of security controls after an incident.
• D. A long-term strategic project with continuous changes over months.

Answer: (B)

Remediation events are rapid, high-intensity efforts to remove threats and restore a secure, functioning environment after an incident. They require coordinating multiple teams—often including groups outside the IR team—to implement a burst of network changes and other containment/eradication actions within a short window. This tight, cross-functional purge aims to purge adversaries, close attacker footholds, and resecure systems quickly, sometimes with a blackout window like a weekend to reduce risk to normal operations.

Routine patching is ongoing maintenance, not a targeted incident purge. An internal audit after an incident focuses on evaluating controls and processes, not actively cleansing the environment. A long-term project with continuous changes over months is a gradual, strategic effort, not a concentrated remediation burst.