Owned by Vincent

CISSP Study Group

2.1k members • Free

Share resources, get advice, and connect with peers studying cybersecurity. Join our CISSP study group and connect with fellow professionals today!

780 contributions to CISSP Study Group
CISSP Practice Question (Domain 2: Asset Security)
A business unit requests permanent retention of all customer transaction records "in case we ever need them." Legal has not issued a hold, and the current retention schedule requires deletion after seven years. As the data owner's advisor, what is the BEST response?
A. Honor the request since longer retention reduces legal discovery risk
B. Enforce the existing retention schedule and require a formal exception with risk acceptance
C. Migrate the records to cold storage to balance cost and accessibility
D. Defer to Legal before taking any action on the records
Come back for the answer tomorrow, or study more now!
CISSP Practice Question (Domain 4: Communication and Network Security)
Your organization is migrating critical workloads to a hybrid cloud. The network team proposes extending the existing flat internal VLAN into the cloud VPC to simplify routing and accelerate the cutover. As the security architect, what is the BEST response?
A. Approve, provided IPsec tunnels encrypt all inter-site traffic
B. Require microsegmentation aligned to a Zero Trust reference architecture
C. Mandate east-west IDS sensors before the migration begins
D. Defer until a cloud access security broker (CASB) is deployed
Come back for the answer tomorrow, or study more now!

@Allison Regan
Correct Answer: B. Require microsegmentation aligned to a Zero Trust reference architecture
Explanation (CISSP logic): Extending a flat VLAN into the cloud propagates the existing trust boundary problem and violates least common mechanism. CISSP Domain 4 expects the architect to redesign trust zones during migration, not preserve legacy assumptions. Microsegmentation enforced under Zero Trust principles addresses the root cause: implicit trust between workloads.
Breakdown:
A. Encryption protects data in transit but does nothing about lateral movement once an attacker is inside the trusted segment.
B. ✅ Correct. Establishes identity-based, per-workload trust boundaries appropriate for hybrid cloud.
C. East-west IDS is a detective control bolted onto a flawed design; you're monitoring a problem you should have architected away.
D. A CASB governs SaaS and user-to-cloud activity, not internal workload segmentation in a VPC.
Think like a manager: Don't extend yesterday's trust model into tomorrow's architecture. Redesign the boundary, then encrypt and monitor inside it.
CISSP Practice Question (Domain 3: Security Architecture - AI/ML Systems)
Your firm is procuring a third-party LLM to summarize client contracts containing privileged legal data. The vendor's standard agreement permits using customer inputs to improve their model. What should the security architect recommend FIRST?
A. Negotiate a contract addendum prohibiting input use for model training
B. Conduct a data flow and risk assessment to classify exposure boundaries
C. Require the vendor to deploy a tenant-isolated model instance
D. Implement DLP controls to redact privileged content before submission
Come back for the answer tomorrow, or study more now!

@Antony Onamu
Correct Answer: B. Conduct a data flow and risk assessment to classify exposure boundaries
Explanation (CISSP logic): You cannot negotiate, architect, or control what you have not yet assessed. Domain 3 and the ISC2 AI Exam Guidance both anchor AI procurement in assess before you act: identify what data crosses the trust boundary, what classification it carries, and what regulatory or privilege obligations attach. Privileged legal data adds attorney-client and potential cross-border concerns that change the entire control conversation. Skip the assessment and every downstream control is guesswork.
Breakdown:
A. Contract addendum - Strong governance move, but you cannot draft meaningful contract language without first knowing what data is in scope and what risk you are transferring.
B. ✅ Correct. Establishes the data classification, trust boundary, and regulatory exposure that drive every subsequent control decision.
C. Tenant-isolated model - A solid architectural control, but it is an implementation answer to a question that has not yet been assessed. Right step, wrong sequence.
D. DLP redaction - Useful operational control, but redacting privileged content from contract summaries often defeats the business purpose. Premature without a risk decision.
Think like a manager: Assess the data, then architect the deal. Controls without context are just expensive guesses.
CISSP Practice Question (Domain 7: Security Operations - Cloud Incident Response)
A developer's leaked API key is used to spin up 400 cryptocurrency mining instances in your AWS account overnight. The monthly bill is now $180K over budget. What should the incident responder do FIRST?
A. Terminate all unauthorized instances to stop the financial bleeding
B. Rotate the compromised API key and disable the associated IAM user
C. Snapshot the instances and preserve CloudTrail logs for forensic analysis
D. Contact AWS billing to request a fraud-related credit
Come back for the answer tomorrow, or study more now!

@Ms. Marlow
Correct Answer: C. Snapshot the instances and preserve CloudTrail logs for forensic analysis
Explanation (CISSP logic): The financial pain is loud, but evidence preservation comes first. Domain 7 sequencing is Detect → Respond → Preserve → Contain → Eradicate → Recover. Terminating instances or rotating keys before capturing volatile state destroys the forensic trail you need to scope the breach, prove fraud to AWS, and satisfy legal/insurance requirements. Containment without evidence is a self-inflicted wound.
Breakdown:
A. Terminate instances - Stops the bleeding but destroys volatile memory, attacker artifacts, and lateral movement evidence. Cost panic is not an IR principle.
B. Rotate the key - Necessary, but doing it first tips off the attacker and may trigger destructive scripts before you've captured state.
C. ✅ Correct. Snapshots and CloudTrail preserve the chain of custody, enable root cause analysis, and support the AWS fraud claim and any legal action.
D. Contact AWS billing - A finance recovery step, not an incident response step. Premature without an evidence package to substantiate the fraud claim.
Think like a manager: Preserve before you purge. The bill can be negotiated; destroyed evidence cannot be recovered.
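The scoping step behind answer C, as an added example that is not part of the original post: replay CloudTrail RunInstances records, group them by access key, and produce the evidence package (instance IDs to snapshot, regions touched, activity window) before anything is terminated or rotated. The events, key IDs and instance IDs are constructed sample data, and the threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records (not real data). One access key launches
# instances in bulk overnight across two regions, one call is rejected by a quota,
# and an unrelated developer key launches a single instance during the workday.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-15T02:14:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIA-LEAKED-EXAMPLE", "userName": "dev-ci"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1"}, {"instanceId": "i-0a2"}]}}},
    {"eventTime": "2024-01-15T02:15:30Z", "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"accessKeyId": "AKIA-LEAKED-EXAMPLE", "userName": "dev-ci"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": f"i-0b{n}"} for n in range(4)]}}},
    {"eventTime": "2024-01-15T02:16:00Z", "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"accessKeyId": "AKIA-LEAKED-EXAMPLE", "userName": "dev-ci"},
     "errorCode": "Client.InstanceLimitExceeded"},  # denied call: no responseElements
    {"eventTime": "2024-01-15T09:00:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIA-DEV-EXAMPLE", "userName": "alice"}},
    {"eventTime": "2024-01-15T09:05:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIA-DEV-EXAMPLE", "userName": "alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0c1"}]}}},
]

def scope_run_instances(events, per_key_threshold=5):
    """Group RunInstances calls by access key. For every key that launched at least
    per_key_threshold instances, return the IDs to snapshot, the regions touched and
    the first/last activity timestamps (the window to preserve from CloudTrail)."""
    by_key = defaultdict(lambda: {"user": None, "ids": [], "regions": set(), "times": []})
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        rec = by_key[ev["userIdentity"].get("accessKeyId", "unknown")]
        rec["user"] = ev["userIdentity"].get("userName")
        rec["regions"].add(ev["awsRegion"])
        rec["times"].append(datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
        # A denied call carries errorCode and no responseElements; it launched nothing
        # but still counts as attacker activity for the time window.
        items = (ev.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
        rec["ids"].extend(i["instanceId"] for i in items)
    flagged = {}
    for key, rec in by_key.items():
        if len(rec["ids"]) >= per_key_threshold:
            flagged[key] = {"user": rec["user"], "instance_ids": rec["ids"],
                            "regions": sorted(rec["regions"]),
                            "window": (min(rec["times"]).isoformat(), max(rec["times"]).isoformat())}
    return flagged

if __name__ == "__main__":
    for key, ev in scope_run_instances(SAMPLE_EVENTS).items():
        print(key, ev["user"], len(ev["instance_ids"]), ev["regions"], ev["window"])
```

The returned window is what you hand to the snapshot and log-export steps; the legitimate developer key stays below the threshold and is not touched.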
CISSP Practice Question (Domain 4: Communication and Network Security - Zero Trust)
Your company adopts Zero Trust and replaces the legacy VPN with identity-based access for remote workers. Six weeks in, helpdesk tickets spike: users complain that access to internal apps breaks unpredictably throughout the day. What is the MOST likely root cause?
A. Insufficient bandwidth at the identity provider
B. Continuous authentication is re-evaluating trust signals and revoking sessions
C. DNS resolution failures between the client and the policy enforcement point
D. Certificate pinning conflicts with the new SSO provider
Come back for the answer tomorrow, or study more now!

@David Dacorro
Correct Answer: B. Continuous authentication is re-evaluating trust signals and revoking sessions
Explanation (CISSP logic): Zero Trust is built on the principle of "never trust, always verify." Unlike a traditional VPN that authenticates once at the perimeter and trusts the session for hours, Zero Trust continuously evaluates trust signals throughout the session: device posture, location, behavioral anomalies, time of day, risk scores. When any signal degrades (a device misses a check-in, IP changes, MFA token expires, posture drifts), the policy engine can revoke or step-up the session mid-use. The "unpredictable" access breaks users describe are the symptom of policy enforcement working as designed, just with thresholds tuned too aggressively or signals too noisy.
Breakdown:
A. IdP bandwidth issues would manifest as login failures or slow authentication, not mid-session access breaks throughout the day. This is a plausible operational concern but it doesn't match the symptom pattern.
B. ✅ Correct. Continuous trust evaluation is the defining behavior of Zero Trust Architecture. When users describe access "breaking unpredictably throughout the day," that's the policy engine doing its job: re-checking posture, location, or risk and revoking trust when signals shift. The fix is signal tuning, not architecture replacement.
C. DNS failures cause connection-level errors, not selective access drops to specific apps at irregular intervals. This is a network troubleshooting answer, not a Zero Trust answer.
D. Certificate pinning conflicts produce hard, repeatable failures (the app simply won't connect), not intermittent breaks. Pinning either works or it doesn't.
Think like a manager: Zero Trust isn't broken when sessions get revoked, that's the feature. The work is in tuning the signals, setting the thresholds, and educating users on why "always-on access" is no longer the default.
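The "signal tuning" point in answer B, as an added example that is not part of the original post: a small policy engine replays one workday of trust signals under an aggressive policy and a tuned one, showing that the tuned thresholds still revoke on a genuine risk spike and on sustained posture loss but stop revoking on single missed check-ins and normal network roaming. The signal set, the risk-score scale and the policy fields are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Signal:
    """One continuous-evaluation check-in during a session (constructed shape)."""
    minute: int
    posture_ok: bool    # device posture check succeeded
    ip_changed: bool    # client IP differs from the previous check-in
    risk_score: int     # 0..100 from a hypothetical risk engine

@dataclass
class Policy:
    revoke_risk: int            # risk score at which the session is revoked
    stepup_risk: int            # risk score at which MFA step-up is required instead
    posture_grace_checks: int   # consecutive failed posture checks tolerated before revoking

def evaluate_session(signals, policy):
    """Replay trust signals through the policy; return one decision per check-in."""
    decisions, posture_misses = [], 0
    for s in signals:
        posture_misses = posture_misses + 1 if not s.posture_ok else 0
        if s.risk_score >= policy.revoke_risk or posture_misses > policy.posture_grace_checks:
            decisions.append("revoke")
        elif s.risk_score >= policy.stepup_risk or s.ip_changed:
            decisions.append("step-up")
        else:
            decisions.append("allow")
    return decisions

def count(decisions, kind):
    return sum(d == kind for d in decisions)

# Constructed workday: a laptop that misses one posture check-in, roams between
# networks twice, loses posture for two consecutive checks, and has one real risk spike.
WORKDAY = [Signal(0, True, False, 10), Signal(30, False, False, 20), Signal(60, True, True, 25),
           Signal(90, False, False, 30), Signal(120, False, False, 30), Signal(150, True, False, 85),
           Signal(180, True, True, 15)]

AGGRESSIVE = Policy(revoke_risk=25, stepup_risk=15, posture_grace_checks=0)  # noisy: helpdesk tickets
TUNED = Policy(revoke_risk=80, stepup_risk=50, posture_grace_checks=1)       # still catches real drift

if __name__ == "__main__":
    for name, policy in (("aggressive", AGGRESSIVE), ("tuned", TUNED)):
        d = evaluate_session(WORKDAY, policy)
        print(name, d, "revokes:", count(d, "revoke"))
```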
Vincent Primiani
Cybersecurity. The Study Group Guy.
Joined Apr 29, 2024
New York, NY