Given limited SOC resources, how would you prioritize incident containment actions when business operations must continue?

Prepare for the Security Operations Exam with targeted practice questions. Enhance your understanding with detailed explanations and tips to successfully pass your exam!

Multiple Choice

Given limited SOC resources, how would you prioritize incident containment actions when business operations must continue?

Explanation:
When SOC resources are limited, the practical approach is to triage incidents by the risk they pose to the business and act first on what would cause the most harm while keeping operations running. Focus on impact to critical assets because protecting the systems and data that support essential services prevents the biggest operational and financial losses. Then weigh the likelihood and severity of the attack to prioritize scenarios that are both probable and damaging, so scarce responders tackle the threats most likely to escalate. Consider potential data exposure to minimize confidentiality breaches and regulatory risk, ensuring containment also guards sensitive information. Finally, select containment actions that achieve effective protection with the least disruption to ongoing operations, aligning with business continuity needs. This risk-based, impact-focused approach makes the best use of limited resources and avoids wasting effort on lower-risk issues, while also avoiding delays from waiting for external guidance or bending to departmental preferences.

