The SOC team has just contained a cyber threat. Which two of the following post-incident activities should they perform? (Choose two.)

Once a cyber threat has been contained, the following two post-incident activities should typically be performed:

1. Forensics: After containment, it is important to investigate how the breach happened, which systems were affected, and the extent of the damage. Digital forensics involves a detailed analysis to uncover the full scope of the incident and to ensure that no traces of the threat remain. It also helps in collecting evidence if there is a legal aspect to the breach.
2. Creating post-incident reports, such as “lessons learned” from the incident: This involves documenting the details of the incident, what was done to respond, what worked well, what didn’t, and what could be done better in the future. This report is essential for improving future incident response efforts and security posture.

The other options listed — triage, eradication, and quarantining — are parts of the incident response process but they are not post-incident activities. Triage is the initial phase of assessing and prioritizing incidents, eradication is the process of removing the threat from the environment (which might still be part of the active response rather than post-incident), and quarantining is a containment measure to prevent the spread of the threat, typically done before or during the incident response, not after.