Abstract

CTU researcher Phil Burdette presents observations from incident response evictions. The observations capture how adversaries react and respond when network defenders take close-out actions. They cover adversary responses to the removal of exfil files, the removal of malware, the removal of access points, and full-scope eviction.