Sarah, a financial analyst at a multinational corporation, is suspected of leaking sensitive financial data...

Initial containment for suspected data exfiltration by a specific user account should prioritize immediately restricting that account’s ability to access and transfer data. “Access control” is the broad containment category that includes disabling the account, suspending sessions, revoking tokens, removing access to sensitive shares, and applying conditional access blocks. This is the fastest way to stop ongoing data loss while preserving evidence for investigation. “Change passwords regularly” is a general security hygiene practice, not an initial incident containment action, and it may not stop exfiltration quickly if active sessions or tokens remain valid. “Isolate the storage” can be appropriate if a particular repository is being actively exfiltrated, but it can be disruptive to business operations and may not address the actor’s continued access paths across other systems. DCAP is a programmatic capability for monitoring and controlling data access over time; it is valuable, but it is not the immediate first step when the SOC must rapidly stop suspected exfiltration. From a SOC playbook view, the initial action is to reduce attacker/insider access immediately (account restriction), then scope what data was accessed, preserve logs, and coordinate with HR/legal for insider procedures.