Attack simulations provide realistic, hands-on scenarios that mirror true incidents, allowing SOC analysts to practice detection, analysis, and response skills under real-world pressure. These simulations are crucial for developing and reinforcing SOC procedures and incident workflows.
Phishing assessments (A) are targeted, limited training.
OpenVAS (B) is a vulnerability scanner, not a training tool.
SOAR (D) is a response automation tool.
Honeypots (E) help observe attacker behavior, but aren't training-focused.
Reference:
CS0-003 Objectives 3.3 - Incident Response Training
Mya Heath All-in-One - Chapter 14: Post-Incident Activities and Training

The given firewall logs indicatehigh outbound traffic with low IP reputation, sustained over time, which is a strongindicator of cryptomining activity.
* Option A (Anomalous activity)is a general term but does not specifywhythe activity is suspicious.
* Option B (Bandwidth saturation)occurs when network traffic is overwhelming, but cryptomining typicallyuses CPU/GPU powerrather than overwhelming bandwidth.
* Option D (Denial of service - DoS)would result incontinuous large requests, but cryptomining generatesconsistent, high-bandwidth outbound trafficrather than bursts of large requests.
Thus,C is the correct answer, as cryptomininggenerates unusual outbound network activity from internal hosts to mining pools.

Eradication is a step in the incident response process that involves removing any traces or remnants of the incident from the affected systems or networks, such as malware, backdoors, compromised accounts, or malicious files. Eradication also involves restoring the systems or networks to their normal or secure state, as well as verifying that the incident is completely eliminated and cannot recur. In this case, the analyst is remediating items associated with a recent incident by isolating the vulnerability and actively removing it from the system. This describes the eradication step of the incident response process.