During an active incident, the best command is the one that answers a narrow question quickly and safely. Start with process lists, open sockets, disk usage, and tailed structured logs before reaching for heavier tools.