An analyst reviewing network traffic captures detects a large outbound transfer of data to an external IP address that matches no approved egress policy. What is the NEXT step?

  A. Ignore it if the destination IP doesn't appear malicious
  B. Immediately block all traffic to that IP address
  C. Investigate the source system and determine if it's compromised or authorized ✓
  D. Alert the user whose system initiated the transfer

Correct answer: Investigate the source system and determine if it's compromised or authorized

Option C is correct because the appropriate next step in incident response is to investigate the source system to determine whether the transfer was authorized, whether the system is compromised, and what data may have been exfiltrated before taking disruptive action. Option A is incorrect because an absence of known-malicious reputation does not mean the transfer is benign; unknown or new destinations can still represent exfiltration, and ignoring the event violates incident response obligations. Option B is incorrect because immediately blocking all traffic without investigation could disrupt legitimate services, destroy forensic evidence, and alert an adversary prematurely before scope is understood. Option D is incorrect because alerting only the user without first investigating assumes good faith and skips the triage step that determines whether the user is a victim or an insider threat.

Topic: data exfiltration, incident response, network traffic analysis, CySA+

Practice CompTIA CySA+ (CS0-003) Questions Free