Incident Response
- How did the attacker get into your environment?
- How did they move laterally within your environment?
- What was the timeframe of the attack?
- What systems and/or data did they access?
- What were their actions and objectives?
- Did any data exfiltration occur?
- How can you minimize the risk of a future attack?