[&] What is the main goal of scoping during the first response phase?
- To contain the incident by shutting down all affected systems immediately
- To identify and document the full extent and impact of the incident -- Correct
- To clean and reimage any potentially compromised endpoints
- To notify law enforcement and begin the legal escalation process

[&] What outcome should be achieved within the first five minutes of incident response?
- Approval from management to proceed with incident handling
- Initial validation of the incident's authenticity and preliminary scope -- Correct
- A documented strategy for enterprise-wide remediation
- Full eradication of the threat from the network

[&] Why is preserving volatile evidence during first response critical?
- Because preserving it prevents further network access
- Because volatile data can be lost quickly after system shutdown or tampering -- Correct
- Because it can help in restoring deleted files
- Because it contains backup configurations used for restoring the system

[&] Which of the following is NOT typically part of the first response process?
- Estimating the scope and risk of the incident
- Preserving volatile evidence from RAM and log buffers
- Validating the alert to eliminate false positives
- Conducting a full investigation and root cause analysis -- Correct

[&] What is the primary purpose of "first response" or "hot triage" in incident management?
- To schedule maintenance downtime with IT
- To immediately delete malicious files from affected systems
- To quickly assess and validate the severity of the incident -- Correct
- To perform a detailed forensic analysis of the incident

[&] What does "containment decision" entail in the context of first response?
- Notifying all employees of a potential security breach
- Completing the incident report for management
- Ensuring no further communication about the incident occurs
- Deciding whether to apply immediate isolation measures -- Correct