Yeah #2 is a big one. I’ve had to deal with a user who got hit by a supply chain attack, and doing forensics on their box was invaluable.

If they’d wiped their desktop as soon as it got compromised, we’d have nothing to go off of. I’d expect that user to be in some pretty serious trouble tbh for violating our security policy by not notifying us immediately.