The team receives an alert about a ransomware incident affecting the organization’s email infrastructure.

These actions align most strongly with eradication because they are removing the root cause of compromise and eliminating the adversary’s ability to persist. Applying an emergency patch to the exploited mail server closes the vulnerability that enabled initial access. Updating mail filtering rules to block the malicious payload reduces reinfection risk and removes the delivery path. Network segmentation can be a containment measure, but in this context it is being implemented as a corrective control to prevent continued lateral movement and re-compromise as part of eliminating the threat’s operational pathways. Evidence gathering is already implied by the forensic identification of the exploited CVE; recovery would involve restoring services and data after the threat is removed. In SOC practice, containment stops immediate spread (isolate servers, block traffic), while eradication focuses on removing malware, closing exploited vulnerabilities, removing persistence, and making the environment safe for return-to-service. Because the scenario explicitly includes patching and control changes aimed at eliminating the exploit vector and stopping recurrence, eradication is the best fit.