A security team sees a bad login on a computer. The first person checks and confirms it's a real attack. What is the very next big step they take to fix the problem, and who on the team usually does the actual work to stop the bad guy right away?
After a security team confirms a bad login is a real attack, the very next big step they take to fix the problem is containment. Containment is the process of limiting the scope and impact of a security incident to prevent further damage, unauthorized access, or data exfiltration. This involves taking immediate actions to stop the attacker's current activity and prevent them from spreading within the environment. For instance, common containment actions include isolating the compromised system from the network, disabling the breached user account, or blocking the attacker's IP address at the firewall.

The individual on the team who usually does the actual work to stop the bad guy right away by executing these technical containment actions is typically a Security Analyst or an Incident Responder. A Security Analyst is responsible for monitoring security systems, detecting threats, and executing initial response actions. An Incident Responder is a more specialized role, focused on actively managing and resolving security incidents through direct technical intervention to mitigate threats immediately.
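As an added example that is not part of the original answer, the following Python sketch turns a confirmed malicious-login event into an ordered containment plan built from the three actions named above (isolate the host, disable the account, block the source IP), with two guardrails a responder applies before acting: a critical account is escalated for approval instead of being disabled outright, and an internal source address is escalated for pivot investigation rather than blocked at the perimeter. The event fields, network ranges and sample values are constructed assumptions, not taken from any real tooling.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed assumption: address ranges we treat as "inside" the environment.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True if the source address belongs to one of our internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class ConfirmedLogin:
    host: str                      # system where the bad login landed
    account: str                   # account that was used
    source_ip: str                 # where the login came from
    critical_account: bool = False # e.g. break-glass or service account (assumed flag)


@dataclass
class ContainmentPlan:
    actions: list = field(default_factory=list)      # executed now by the analyst/IR
    escalations: list = field(default_factory=list)  # need a human decision first


def plan_containment(event: ConfirmedLogin) -> ContainmentPlan:
    plan = ContainmentPlan()
    # 1. Stop the attacker's current activity: cut the host off the network.
    plan.actions.append(("isolate_host", event.host))
    # 2. Remove the foothold: disable the breached account, unless disabling it
    #    would itself cause an outage; that decision is escalated, not automated.
    if event.critical_account:
        plan.escalations.append(("disable_account", event.account,
                                 "critical account: require approval"))
    else:
        plan.actions.append(("disable_account", event.account))
    # 3. Block the source at the firewall, but only for external addresses; a
    #    perimeter block on an internal IP does nothing and hides a likely pivot.
    if is_internal(event.source_ip):
        plan.escalations.append(("block_ip", event.source_ip,
                                 "internal source: investigate pivot host instead"))
    else:
        plan.actions.append(("block_ip", event.source_ip))
    return plan


if __name__ == "__main__":
    # Constructed sample incident: external source, ordinary user account.
    print(plan_containment(ConfirmedLogin("ws-017", "jdoe", "203.0.113.5")))
```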