Incident response maturity splits on "how quickly, consistently, without human intervention" threats are contained. If GuardDuty takes 5 minutes to detect C2 communication from a compromised EC2, but a person takes 30 minutes to read that finding on console and isolate the instance, the attacker has already completed lateral movement. The essence of an automated remediation pipeline is event-driven automation that converts detection signals into deterministic actions. The exam key is precisely drawing the flow: "what event, routed through what, executed by what engine, with what authority?"