60 contributions to CISSP Study Group
CISSP Practice Question – Domain 4 (Communication & Network Security)
A global enterprise adopts a strict zero-trust network architecture. All workloads—on-prem, cloud, and containerized—must mutually authenticate before communicating. To comply with regulatory requirements, the company must also maintain full packet-level visibility for threat analysis and incident response. Which solution BEST satisfies all of these requirements simultaneously?
A. Deploy full end-to-end TLS between all workloads and rely on IDS/IPS to inspect only metadata and flow logs.
B. Use a TLS termination proxy at network choke points and decrypt all internal traffic for inspection before re-encrypting.
C. Implement mutual TLS within a service mesh that supports encrypted telemetry export and out-of-band traffic mirroring for deep packet inspection.
D. Use host-based agents to perform inline decryption on each workload and send decrypted payload streams to the central IDS via secure channels.
0 likes • 2d
c
CISSP Practice Question! DevSecOps
Which of the following BEST describes the role of Interactive Application Security Testing (IAST) in a DevSecOps pipeline, as emphasized in modern software development security practices?
A. It scans source code for vulnerabilities without executing the application, focusing on syntax and structure.
B. It analyzes running applications in a simulated environment to identify runtime vulnerabilities like injection attacks.
C. It instruments the application to combine static and dynamic analysis, providing real-time feedback on vulnerabilities during execution.
D. It examines third-party components and dependencies for known vulnerabilities and license compliance issues.
0 likes • 18d
c
CISSP Practice Question – Security Operations (BCP/DRP vs. Forensic Recovery)
A ransomware attack encrypts multiple servers, including systems that store financial transaction data. Management activates the disaster recovery plan to restore from clean backups and resume business operations as quickly as possible. Meanwhile, law enforcement and internal investigators request that the affected systems remain offline to preserve evidence for criminal prosecution. What is the BEST course of action?
A. Prioritize rapid system recovery and resume operations immediately using backups to meet RTO objectives.
B. Delay full recovery until investigators complete forensic imaging and evidence collection.
C. Restore essential systems first, while creating verified forensic images of compromised hosts before reinitialization.
D. Refuse to proceed with any restoration until the court issues a warrant authorizing evidence handling.
0 likes • 25d
c
CISSP Practice Question – Security Operations (Incident Response & Forensics Maturity)
Which of the following actions BEST balances regulatory obligations with evidence integrity and due diligence?
A. Release preliminary findings immediately, clearly labeled as “provisional,” and continue full forensic analysis.
B. Delay all external communication until the full investigation is complete and validated.
C. Provide regulators with a high-level incident acknowledgment, outline the investigation timeline, and commit to an official report after evidence validation.
D. Provide sanitized technical logs to regulators immediately while withholding full forensic images until legal review.
0 likes • 27d
c
CISSP Practice Question – Identity & Access Management (Federation and Trust Boundaries)
A global enterprise has implemented federated identity management using SAML between its internal Active Directory domain and multiple cloud SaaS providers. During testing, a partner organization asks to use the same SAML assertions from the enterprise’s identity provider (IdP) to access shared applications hosted in the partner’s environment. Which of the following must the enterprise ensure FIRST before extending this trust?
A. The partner’s service provider (SP) certificate is issued by the same certificate authority (CA) as the enterprise’s IdP.
B. The partner’s SP enforces attribute-based access control (ABAC) using SAML attributes.
C. A formal trust agreement defines assertion validity, encryption standards, and identity-proofing responsibilities between both organizations.
D. The enterprise IdP is configured to issue assertions with short lifetimes (e.g., < 5 minutes) to limit misuse.
0 likes • Nov 7
c
Faith Gambrill
@faith-gambrill-7988
Cyber policy analyst master in cyber investigation

Active 2d ago
Joined Dec 13, 2024