You are responding to a security incident affecting a production environment, and you are expected to lead through containment, recovery, and follow-up rather than treating the event as complete once the immediate issue is mitigated.
How would you demonstrate ownership during the incident itself and then drive post-incident improvement afterward?