
jjenkyn
I’d challenge your suggestion that the first thing you should do in the case of a compromised host is to stop it immediately. Forensically, that’s one of the last things you would look to do. Move it into a forensic security group (isolate), tag it as compromised, snapshot the disk, then snapshot the memory (margarita shotgun)… And then you can stop the host.
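The isolate, tag, snapshot-disk, capture-memory, then-stop sequence described above, written as an added example (not code from the original comment or any project it mentions). It assumes an EC2 client with the boto3 method shape (`modify_instance_attribute`, `create_tags`, `describe_instances`, `create_snapshot`, `stop_instances`), a pre-created forensic security group whose id is the placeholder `FORENSIC_SG_ID`, and that memory acquisition (for example with margaritashotgun) is done by a caller-supplied callback; the callback shown under `__main__` is a placeholder, not a real invocation of that tool.

```python
"""Order-preserving containment of a suspected-compromised EC2 instance.

Added example. The point is the ordering: stopping the instance is the
LAST step, because stopping destroys the volatile state (memory, network
connections, running processes) that the memory capture is meant to keep.
"""
from dataclasses import dataclass, field
from typing import Callable, List

try:
    import boto3  # real client is only built when run as a script
except ImportError:  # keep the module importable without boto3 installed
    boto3 = None

# Placeholder id for a pre-created security group with no ingress/egress
# except the responder's analysis host (assumption, not from the comment).
FORENSIC_SG_ID = "sg-PLACEHOLDER-forensic"


@dataclass
class ContainmentResult:
    steps: List[str] = field(default_factory=list)       # actions in the order performed
    snapshot_ids: List[str] = field(default_factory=list)
    memory_image: str = ""                                # path/URI returned by the capture


def contain_instance(ec2, instance_id: str, forensic_sg_id: str,
                     acquire_memory: Callable[[str], str]) -> ContainmentResult:
    """Isolate -> tag -> snapshot disks -> capture memory -> stop."""
    result = ContainmentResult()

    # 1. Isolate: replace every security group with the forensic one so the
    #    host can no longer talk to the attacker or the rest of the VPC.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[forensic_sg_id])
    result.steps.append("isolate")

    # 2. Tag: make the state visible to other responders and automation.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "Status", "Value": "compromised"}])
    result.steps.append("tag")

    # 3. Disk: snapshot every attached EBS volume while the host still runs.
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    inst = desc["Reservations"][0]["Instances"][0]
    for mapping in inst.get("BlockDeviceMappings", []):
        vol_id = mapping.get("Ebs", {}).get("VolumeId")
        if vol_id:
            snap = ec2.create_snapshot(VolumeId=vol_id,
                                       Description=f"forensic capture of {instance_id}")
            result.snapshot_ids.append(snap["SnapshotId"])
    result.steps.append("snapshot_disk")

    # 4. Memory: volatile evidence; must happen before the stop.
    result.memory_image = acquire_memory(instance_id)
    result.steps.append("snapshot_memory")

    # 5. Only now is it safe to stop the host.
    ec2.stop_instances(InstanceIds=[instance_id])
    result.steps.append("stop")
    return result


def _memory_capture_placeholder(instance_id: str) -> str:
    # Placeholder (assumption): in practice run a remote memory acquisition
    # tool such as margaritashotgun against the isolated host and return the
    # location of the image it produced.
    return f"memory-capture-not-implemented-for-{instance_id}"


if __name__ == "__main__":
    import sys
    if boto3 is None or len(sys.argv) != 2:
        print("usage: contain.py <instance-id>   (requires boto3 and AWS credentials)")
        sys.exit(1)
    outcome = contain_instance(boto3.client("ec2"), sys.argv[1],
                               FORENSIC_SG_ID, _memory_capture_placeholder)
    print(outcome)
```

The fake client in the test only records call order; against real AWS the snapshot calls return immediately while the copy continues in the background, so a responder would poll the snapshot state (or wait on the `snapshot_completed` waiter) before relying on the images.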