The correct answer is to implement a Sensor Visibility Exclusion on the particular host. An SVE suppresses visibility for specified activity so that known, approved testing does not flood the Falcon console with detections or events that leadership does not need to track. This is more targeted than disabling all detections on a host and more appropriate than generating additional workflow notifications. Using RTR to kill the process would interfere with the authorized penetration test. Temporarily disabling detections may remove existing detections and suppress all detection reporting from that host, which is broader and riskier than applying a scoped exclusion. CCFA exclusion guidance stresses selecting the narrowest exclusion type that matches the operational requirement while preserving meaningful security visibility elsewhere.