# Responder brief — S5 (identical across both arms)

**Your role:** Incident Commander for a multi-host enterprise intrusion in progress. You own the response
across the affected environment.

**Your simulated tooling / telemetry (this is everything you have):**
- **EDR** deployed across workstations and servers — process creation, process-memory access, driver loads,
  lateral-movement indicators, per-host agent health.
- **Active Directory / Windows Security logs** — authentication (4624/4672), service installs (7045), remote
  execution, admin activity.
- **Network telemetry** — east-west (internal) flow monitoring and perimeter egress.
- **SIEM** aggregating and retaining the above.

**Response latitude:** isolate hosts, disable / rotate accounts, block network paths (internal and egress),
force credential rotations (incl. krbtgt), and deploy or re-prioritize detections. You may act at any point in
the chain.

**Turn cap:** 5.
