[&] What is a defining feature of a SOC-based incident response team?
- They are separate from the SOC and operate independently
- They are only activated in case of severe incidents
- They focus mainly on developing security policy
- They directly respond to alerts from monitoring tools -- Correct

[&] What is a key characteristic of a distributed incident response team (DIRT)?
- They are best for small enterprises
- They operate across different time zones -- Correct
- Team members only operate during regular business hours
- They focus on centralized management

[&] What is the primary goal of a CSIRT?
- To conduct business continuity planning
- To evaluate and certify security products
- To minimize damage and restore normal operations -- Correct
- To manage public relations during a security incident