“Can we delete the file?”
Single-file thinking. Treats every detection as an isolated event. Works on the artifact, not the incident.
- Deletes or quarantines one file
- Misses runtime, scripts, and process behavior
- Leaves persistence, config changes, and lateral risk
- No insight into how the attack started