What is the problem identified with the Six-Step incident response process?

• A. Not enough containment.
• B. Too much focus on intelligence development.
• C. Overreliance on automated tools.
• D. Moving to eradication too early before true scoping and understanding of the incident occurs.

Answer: (D)

Rushing to eradication before you truly scope and understand what happened leads to incomplete removal and potential re‑compromise. If the investigation hasn’t mapped the full extent of the breach—which systems were touched, how the attacker moved, what persistence mechanisms exist, and what artifacts are present—you might eliminate only a subset of the footholds and miss others, allowing the attacker to re-enter or remain hidden. Eradication should be informed by solid understanding gathered during identification, containment, and analysis, so you can remove all malicious artifacts, neutralize credentials, and patch exposed paths without destroying critical forensic evidence. By waiting until you have a clear picture of scope, you craft a precise cleanup plan that effectively eliminates the threat across all affected assets and reduces the chance of reinfection, rather than acting on a partial or incorrect view.