This week we covered the second axis of threat management: Response. Auto response pipelines (EventBridge + SSM + Lambda), compromised instance isolation and forensics, credential exposure revocation, and the NIST IR framework that unifies all of it. Today we integrate these into a single response decision system. The exam tests not isolated APIs but "in what order, by what mechanism, and with what automation/human judgment does this incident flow through the response phases?" The key is 3D thinking: phase (NIST) × target (instance/credential) × actor (auto/human).