This week covered the entire threat detection layer: GuardDuty (agentless threat detection), Detective (finding investigation, root cause), Inspector (vulnerability scanning), and Security Hub-centric unified architecture. Today we bind these into one decision framework. Exams test less on individual service features and more on "which detection tool, in what role, deployed where for this situation?" The key is 2D thinking: purpose (what do you want to know?) × integration (how do you bind it into one pipeline?).