Containment

Containment is the cybersecurity practice of isolating compromised systems or networks to prevent malware or attackers from spreading to other parts of an organization's infrastructure.

This critical incident response step involves quickly identifying affected systems and implementing measures to limit the scope and impact of a security breach.

Effective containment strategies may include disconnecting infected machines from the network, blocking malicious IP addresses, disabling compromised user accounts, or segmenting network traffic. The goal is to "quarantine" the threat while preserving evidence for forensic analysis and maintaining business operations wherever possible.

Containment requires balancing speed with thoroughness—acting too slowly allows threats to spread, while overly aggressive measures might disrupt legitimate business functions or destroy valuable forensic evidence. Organizations typically develop containment playbooks that outline specific procedures for different types of incidents, enabling security teams to respond quickly and consistently when breaches occur.