During the initial response to a suspected credential-stuffing attack, a junior SOC analyst exports firewall and authentication logs, maps which IP ranges are touching which application servers, and lists the business units that rely on those hosts. The analyst deliberately postpones rating the criticality of the compromised data, estimating a remediation timeline, and deciding which systems should be restored first. According to incident-response methodology, what activity is the analyst performing?
Scoping answers two questions: which assets has the attacker touched, and how far has the attacker spread? By compiling a list of impacted servers, source IP ranges, and dependent business units, the analyst is defining the incident's boundaries; this is scoping. Severity assessment, priority assignment, and remediation scheduling all depend on knowing that boundary first, so those distractors are incorrect.
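As an added illustration (not part of the original question or explanation), the Python below performs the scoping step described above over a few constructed firewall and authentication log lines: it flags source IPs showing the credential-stuffing pattern (many distinct usernames failing from one source in a short window), maps those sources to the servers they reached or were blocked from, joins a constructed asset inventory to find the owning business units, and lists accounts that logged in successfully from an attacker source. Every log line, IP, hostname, business unit and threshold here is made up; the report deliberately contains no severity rating or restore order, since those come after scope is known.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data: these log lines, hosts and business units are
# invented for the example and do not come from any real incident.
AUTH_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice host=app-01 result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob host=app-01 result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol host=app-02 result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave host=app-02 result=SUCCESS
2024-05-01T10:00:05Z src=203.0.113.9 user=erin host=app-01 result=FAIL
2024-05-01T10:00:06Z src=203.0.113.9 user=frank host=app-01 result=FAIL
2024-05-01T10:00:07Z src=203.0.113.9 user=grace host=app-03 result=FAIL
2024-05-01T10:00:08Z src=198.51.100.7 user=alice host=app-01 result=FAIL
2024-05-01T10:00:09Z src=198.51.100.7 user=alice host=app-01 result=SUCCESS
"""

FIREWALL_LOG = """\
2024-05-01T09:59:58Z src=203.0.113.5 dst=10.0.1.10 dport=443 action=ALLOW
2024-05-01T09:59:59Z src=203.0.113.5 dst=10.0.1.11 dport=443 action=ALLOW
2024-05-01T10:00:00Z src=203.0.113.5 dst=10.0.2.20 dport=22 action=DENY
2024-05-01T10:00:04Z src=203.0.113.9 dst=10.0.1.10 dport=443 action=ALLOW
2024-05-01T10:00:05Z src=203.0.113.9 dst=10.0.1.12 dport=443 action=ALLOW
2024-05-01T10:00:07Z src=198.51.100.7 dst=10.0.1.10 dport=443 action=ALLOW
"""

# Hypothetical asset inventory: server IP -> (hostname, owning business unit).
ASSETS = {
    "10.0.1.10": ("app-01", "Retail Banking"),
    "10.0.1.11": ("app-02", "Retail Banking"),
    "10.0.1.12": ("app-03", "Wealth Management"),
    "10.0.2.20": ("jump-01", "IT Operations"),
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_log(text):
    """Parse 'timestamp key=value ...' lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(KV_RE.findall(rest))
        records.append(rec)
    return records


def find_stuffing_sources(auth_records, min_failures=3, min_users=3):
    """Sources with many failures spread across many distinct usernames.

    A single user mistyping a password fails against one account; credential
    stuffing fails across many accounts from the same source. The thresholds
    are illustrative, not tuned for any real environment.
    """
    failed_users = defaultdict(set)
    failure_count = defaultdict(int)
    for r in auth_records:
        if r.get("result") == "FAIL":
            failed_users[r["src"]].add(r["user"])
            failure_count[r["src"]] += 1
    return {
        src for src, n in failure_count.items()
        if n >= min_failures and len(failed_users[src]) >= min_users
    }


def scope_incident(auth_text, fw_text, assets):
    """Build the scope: attacker ranges, servers touched, business units, accounts."""
    auth = parse_kv_log(auth_text)
    fw = parse_kv_log(fw_text)
    sources = find_stuffing_sources(auth)

    # Which internal hosts did the attacker sources reach (or get blocked from)?
    touched = {}
    for r in fw:
        if r["src"] not in sources:
            continue
        host, unit = assets.get(r["dst"], (r["dst"], "UNKNOWN"))
        entry = touched.setdefault(
            host, {"ip": r["dst"], "business_unit": unit,
                   "allowed_from": set(), "denied_from": set()})
        key = "allowed_from" if r["action"] == "ALLOW" else "denied_from"
        entry[key].add(r["src"])

    # Any successful login from an attacker source is an account to review.
    accounts = defaultdict(set)
    for r in auth:
        if r["src"] in sources and r.get("result") == "SUCCESS":
            accounts[r["user"]].add(r["host"])

    # Summarise attacker sources as /24s for blocking and further log searches.
    ranges = {str(ipaddress.ip_network(f"{s}/24", strict=False)) for s in sources}

    return {
        "attacker_sources": sorted(sources),
        "attacker_ranges": sorted(ranges),
        "servers_touched": dict(sorted(touched.items())),
        # Only units whose servers the attacker actually reached.
        "business_units": sorted(
            {e["business_unit"] for e in touched.values() if e["allowed_from"]}),
        "accounts_to_review": dict(accounts),
    }


if __name__ == "__main__":
    for key, value in scope_incident(AUTH_LOG, FIREWALL_LOG, ASSETS).items():
        print(f"{key}: {value}")
```

The firewall log widens the scope beyond what authentication logs alone show: jump-01 never appears in the auth log, yet the DENY entry records that the attacker probed it, so it belongs on the list of touched assets even though no business unit is affected through it. The single failed-then-successful login from 198.51.100.7 against one account is excluded because it does not match the many-usernames pattern.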