A financial services company detects unauthorized access to a critical database containing customer records. The security team immediately revokes compromised credentials and isolates affected systems. Which phase of the NIST SP 800-61 incident management framework does this action BEST represent?