The best answer is C. Isolation.
The question describes an application that can no longer be patched, meaning the organization must continue operating it while accepting some risk. To reduce exposure, the application should only be used by a limited number of network services. This points to isolation, which means restricting the application’s interaction with the rest of the environment to contain risk.
Isolation is commonly used for:
By isolating the application, the organization limits the paths through which it can be attacked and reduces the chance that a compromise will spread to other systems.
Why the other options are incorrect:
A. Patching. The question clearly states that no additional patches can be applied.
B. Segmentation. Segmentation is related and often used as a method to isolate systems, but the question asks for the best description of the mitigation approach overall. Since the application is being restricted because it is risky and unpatchable, isolation is the stronger answer.
D. Monitoring. Monitoring helps detect issues but does not directly reduce exposure in the way described.
From the SY0-701 perspective, when a vulnerable or unsupported application must remain in use, the preferred mitigation is often to isolate it from the broader environment. Therefore, C is the best answer.