🔥 3-day streak
Professional Security Operations Engineer37 / 241
Question 37 of 241

After containing a compromised GKE workload, your team must reconstruct the attacker's activity timeline for the post-incident report. During the incident, an analyst manually terminated the malicious pod before capturing forensic artifacts, and the SOAR playbook's evidence-collection step was skipped due to a connector timeout. You need to determine the earliest reliable point of initial access. Which approach provides the most defensible timeline reconstruction given the missing artifacts?

Reviewed for accuracy · Report an issueNext question