During a red team exercise at Apex Logistics in Denver, ethical hacker Rachel launches controlled packet injection attacks to simulate session hijacking attempts. The client's IT team wants a way to automatically detect such abnormal behaviors across the network in real time, instead of relying on manual analysis. They decide to deploy a monitoring system capable of flagging suspicious session activity based on predefined rules and traffic signatures. Which detection method best fits the IT team's requirement?
Correct Answer: D
The IT team's requirement is automatic, real-time detection of abnormal session activity using predefined rules and traffic signatures. That description aligns most directly with an Intrusion Detection System (IDS), particularly a network IDS (NIDS) that monitors traffic, compares it to known patterns (signatures) and/or behavioral rules, and generates alerts when suspicious activity is detected. Session hijacking attempts often produce recognizable anomalies, such as unexpected packet sequences, suspicious flags, unusual injection patterns, resets, or protocol misuse, that IDS rules can be designed to detect across many hosts and segments without requiring an analyst to manually inspect each capture. The scenario explicitly contrasts this desired capability with "manual analysis," which rules out option B. Tools like packet sniffers are valuable for investigation and confirmation, but they do not provide organization-wide automated alerting by themselves. An IDS is built for continuous monitoring and alert generation, making it appropriate for detecting red-team-simulated packet injection and session manipulation attempts. Why the other options are less suitable: Checking for predictable session tokens (A) is an application-layer defensive review (and a good hardening practice), but it does not automatically detect packet injection behaviors occurring on the network in real time. Monitoring for ACK storms (C) can be one specific indicator in some TCP manipulation or desynchronization scenarios, but it is too narrow and does not represent a general detection system. The requirement is broader: a monitoring system that flags suspicious session activity using rules and signatures, and an IDS fits that role. Manual packet analysis (B) is explicitly what they want to avoid. Therefore, the correct answer is D. Use an Intrusion Detection System (IDS).
312-50v13 Exam Question 147
While performing a SYN (half-open) scan using Nmap, you send a SYN packet to a target IP address and receive a SYN/ACK response. How should this result be interpreted?
Correct Answer: A
According to the CEH Network Scanning module, a SYN scan works by analyzing TCP handshake responses:
SYN -> SYN/ACK = Port OPEN
SYN -> RST = Port CLOSED
SYN -> no response = FILTERED
Option A is correct. CEH emphasizes SYN scanning as stealthy because the handshake is never completed.
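The classification rules above, as an added example that is not part of the original question bank: the code parses the flags byte out of a raw 20-byte TCP header and maps the reply to the open/closed/filtered states the module describes. The header-building helper and the sample replies are constructed for the demo; no packets are sent.

```python
import struct
from typing import Optional

# TCP flag bits as laid out in the header's low flags byte (RFC 793)
FLAG_FIN = 0x01
FLAG_SYN = 0x02
FLAG_RST = 0x04
FLAG_ACK = 0x10


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Byte 13 carries CWR, ECE, URG, ACK, PSH, RST, SYN and FIN
    return segment[13]


def classify_syn_probe(reply: Optional[bytes]) -> str:
    """Apply the half-open scan rules: SYN/ACK=open, RST=closed, silence=filtered."""
    if reply is None:
        return "filtered"  # no reply within the timeout: something dropped the probe
    flags = tcp_flags(reply)
    if flags & FLAG_SYN and flags & FLAG_ACK:
        return "open"  # the service answered the handshake; the scanner never sends the final ACK
    if flags & FLAG_RST:
        return "closed"  # host reachable, nothing listening (usually RST/ACK)
    return "unexpected"  # anything else is worth a manual look in a capture


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int, flags: int) -> bytes:
    """Constructed helper: craft a minimal 20-byte TCP header (no options) for the demo."""
    data_offset = 5 << 4  # header length of five 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


if __name__ == "__main__":
    # Constructed replies to a probe aimed at port 80 from ephemeral port 40000
    print(classify_syn_probe(build_tcp_header(80, 40000, 1000, 1, FLAG_SYN | FLAG_ACK)))
    print(classify_syn_probe(build_tcp_header(80, 40000, 0, 1, FLAG_RST | FLAG_ACK)))
    print(classify_syn_probe(None))
```

A real scanner also treats certain ICMP unreachable errors as "filtered"; this block only covers the three TCP outcomes the module lists.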
312-50v13 Exam Question 148
A large chemical plant uses operational technology (OT) networks to control its industrial processes. Recently, abnormal behavior is observed from PLCs, suggesting a stealthy compromise via malicious firmware. Which action should the team take FIRST to verify and neutralize the issue?
Correct Answer: B
In CEH v13 Mobile, IoT, and OT Hacking, firmware-level attacks on Programmable Logic Controllers (PLCs) are categorized as high-impact and stealth-oriented threats, often designed to evade traditional network-based defenses. Malicious firmware compromises the integrity of the device itself, allowing attackers persistent and covert control over industrial processes. The first and most critical step is to verify the integrity of the firmware and software running on the PLCs. CEH v13 emphasizes that before containment or mitigation actions are applied, accurate identification and confirmation of compromise must occur. Firmware inspection enables analysts to detect unauthorized code injections, modified logic blocks, altered checksums, or tampered boot loaders, the hallmarks of OT malware such as Stuxnet-like attacks. Immediate isolation (Option A) may be necessary later, but premature isolation can disrupt industrial operations and destroy volatile forensic evidence. IDS enhancements (Option C) focus on traffic patterns and are ineffective against firmware-resident malware. Restricting remote access (Option D) is preventative but does not validate or remove an existing firmware compromise. CEH v13 stresses that OT environments require forensic verification at the device level, especially when abnormal behavior originates from controllers themselves. Firmware validation using vendor-approved tools and hash verification is the correct first step to confirm compromise and plan remediation without risking operational safety.
312-50v13 Exam Question 149
During a penetration test at Sunshine Media's streaming platform in Miami, ethical hacker Sofia Alvarez examines whether the company's web server exposes sensitive resources through poor configuration. She finds that a crawler directive at the server's root allows unintended indexing of restricted areas. This oversight reveals internal paths that may expose hidden links, confidential files, or other sensitive information. Which technique is Sofia most likely using in this assessment?
Correct Answer: B
The scenario points directly to information gathering from the robots.txt file. A robots.txt file is typically located at the root of a website (e.g., https://example.com/robots.txt) and is intended to instruct search engine crawlers which paths should or should not be indexed. During web reconnaissance, testers often review robots.txt because it can unintentionally disclose sensitive directories, administrative panels, staging paths, backup locations, or restricted areas that the organization hoped would remain obscure. The scenario explicitly says Sofia found "a crawler directive at the server's root" that "allows unintended indexing of restricted areas," and that this "reveals internal paths." That is exactly the kind of leakage that can come from misconfigured or overly revealing crawler directives. This is considered an early-stage reconnaissance / information gathering technique because it does not require exploitation. It leverages publicly accessible configuration hints to map the application's hidden structure. Even when robots.txt is used correctly, the listed disallowed entries can still serve as a roadmap of interesting targets; if configured incorrectly (for example, allowing indexing or exposing sensitive paths), it can increase exposure by helping those paths surface in search results or be discovered faster by attackers. Why the other options are less accurate: Vulnerability Scanning (A) implies using scanners to identify known flaws; here, the tester is manually/strategically inspecting a crawler directive for exposed paths. Web Server Footprinting/Banner Grabbing (C) focuses on identifying server type/version and technologies via headers or responses, not discovering hidden paths from crawler directives. Directory Brute Forcing (D) uses wordlists to guess directories; Sofia's discovery comes from a disclosed list of paths, not brute-force guessing. Therefore, the technique is B. Information Gathering from robots.txt File.
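To show the "roadmap" effect described above from the defender's side, here is an added example (not part of the original question bank) that parses a robots.txt file the way a crawler groups it (consecutive User-agent lines share the rules that follow, comments are ignored) and flags Disallow entries that disclose sensitive areas before the file is published. The sample file and the keyword list are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample robots.txt; not taken from any real site
SAMPLE_ROBOTS = """\
# crawler rules for the demo site
User-agent: Googlebot
User-agent: *
Disallow: /admin/          # management console
Disallow: /backup/db.sql
Disallow: /staging/
Allow: /public/
Sitemap: https://example.com/sitemap.xml
"""

# Path fragments that usually mean the entry is a hint to attackers rather than a crawl rule
SENSITIVE_HINTS = re.compile(r"(admin|backup|staging|config|private|\.sql$|\.bak$)", re.I)


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each user-agent to the Disallow paths in its group."""
    groups: Dict[str, List[str]] = {}
    agents: List[str] = []
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not last_was_agent:
                agents = []  # a new group starts after rules of the previous one
            agents.append(value)
            groups.setdefault(value, [])
            last_was_agent = True
            continue
        last_was_agent = False
        if field == "disallow" and value:  # an empty Disallow means "allow everything"
            for agent in agents:
                groups[agent].append(value)
    return groups


def audit_disallowed(text: str) -> List[Tuple[str, str]]:
    """Return (user-agent, path) pairs whose Disallow entry looks like a sensitive disclosure."""
    return [(agent, path)
            for agent, paths in parse_robots(text).items()
            for path in paths if SENSITIVE_HINTS.search(path)]
```

Entries the audit reports are better protected by access control on the server than by a crawl directive, which only tells well-behaved crawlers to stay away.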
312-50v13 Exam Question 150
Why explore the Deep Web during reconnaissance?
Correct Answer: D
CEH v13 explains that the Deep Web contains content not indexed by search engines, including exposed databases, misconfigured portals, leaked credentials, and internal documents. This makes it a critical area to assess unintended data exposure. The Deep Web is not primarily for attacker profiling or insider detection. Thus, Option D is correct.