Containment stops the incident from spreading. Balance urgency against evidence preservation and business impact: pulling the plug ends the attacker's access, but it also destroys volatile evidence (running processes, network connections, injected code in memory), so prefer network isolation to shutdown and capture volatile data before any destructive step.
Short-term containment:
- Isolate affected systems from the network (EDR isolation, a quarantine VLAN or host firewall rules), keeping the responders' own access path open
- Block malicious IP addresses at the perimeter and on the host; attackers rotate infrastructure, so treat a block as a delay rather than a fix
- Disable compromised accounts and revoke their active sessions, tokens and keys; locking a password does not end logins that are already open
- Stop malicious processes, after recording their binaries, open files and connections
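The short-term steps above are easy to run in the wrong order under pressure. The following is an added example, not part of the original guide: a small Python plan builder that turns indicators into an ordered, reviewable list of Linux commands, captures volatile evidence before any destructive action, and refuses to block the network the responders themselves work from. The responder range 10.20.0.0/16, the evidence directory and the indicator values are constructed for the example; the iptables, usermod, chage and pkill invocations are one Linux-specific way to do each step, not a prescription.

```python
"""Containment plan builder (added example; renders commands for review, does not run them)."""
from __future__ import annotations

import ipaddress
import re

# Assumption: responders administer hosts from this range. It must never be cut off.
RESPONDER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
EVIDENCE_DIR = "/var/tmp/ir-evidence"  # assumed evidence location on the host
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class ContainmentPlan:
    """Collects containment actions and renders them evidence-first."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.evidence: list[str] = []
        self.network: list[str] = []
        self.blocks: list[str] = []
        self.accounts: list[str] = []
        self.processes: list[str] = []
        self.rejected: list[str] = []
        # Baseline volatile state is captured before anything else touches the host.
        self.evidence += [
            f"mkdir -p {EVIDENCE_DIR}",
            f"ps auxf > {EVIDENCE_DIR}/ps.txt",
            f"ss -tunap > {EVIDENCE_DIR}/ss.txt",
            f"who -a > {EVIDENCE_DIR}/who.txt",
        ]

    def isolate_network(self) -> None:
        """Drop all traffic except to and from the responder networks."""
        for net in RESPONDER_NETS:
            tool = "iptables" if net.version == 4 else "ip6tables"
            self.network.append(f"{tool} -I INPUT -s {net} -j ACCEPT")
            self.network.append(f"{tool} -I OUTPUT -d {net} -j ACCEPT")
        for tool in ("iptables", "ip6tables"):  # policies go last so the ACCEPTs already exist
            self.network.append(f"{tool} -P INPUT DROP")
            self.network.append(f"{tool} -P OUTPUT DROP")

    def block_ip(self, ip: str) -> bool:
        """Block one attacker address; reject malformed input and responder addresses."""
        try:
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            self.rejected.append(f"ip {ip!r}: not a valid address")
            return False
        if any(addr in net for net in RESPONDER_NETS):
            self.rejected.append(f"ip {addr}: inside responder network, refusing to block")
            return False
        tool = "iptables" if addr.version == 4 else "ip6tables"
        self.blocks.append(f"{tool} -I INPUT -s {addr} -j DROP")
        self.blocks.append(f"{tool} -I OUTPUT -d {addr} -j DROP")
        return True

    def disable_account(self, user: str) -> bool:
        """Lock the account and end its sessions; a locked password alone leaves open logins alive."""
        if not USERNAME_RE.match(user) or user == "root":
            self.rejected.append(f"account {user!r}: invalid or protected name")
            return False
        self.evidence.append(f"ps -u {user} -o pid,lstart,cmd > {EVIDENCE_DIR}/ps-{user}.txt")
        self.accounts += [
            f"usermod -L {user}",      # lock the password
            f"chage -E 0 {user}",      # expire the account so key-based logins fail as well
            f"pkill -KILL -u {user}",  # terminate sessions that are already open
        ]
        return True

    def kill_process(self, pid: int) -> bool:
        """Preserve the binary and open files, freeze the process, then kill it."""
        if not isinstance(pid, int) or pid <= 1:
            self.rejected.append(f"pid {pid!r}: invalid or protected")
            return False
        self.evidence += [
            f"cp /proc/{pid}/exe {EVIDENCE_DIR}/pid{pid}.bin",  # works even if the file was unlinked
            f"ls -l /proc/{pid}/fd > {EVIDENCE_DIR}/pid{pid}-fd.txt",
        ]
        self.processes.append(f"kill -STOP {pid}")  # stop it before it can clean up after itself
        self.processes.append(f"kill -KILL {pid}")
        return True

    def render(self) -> list[str]:
        """Commands in execution order: evidence first, destructive steps after."""
        return self.evidence + self.network + self.blocks + self.accounts + self.processes


if __name__ == "__main__":
    plan = ContainmentPlan("web-01")  # constructed host and indicators
    plan.isolate_network()
    plan.block_ip("203.0.113.5")
    plan.block_ip("10.20.4.9")  # refused: responder range
    plan.disable_account("svc-backup")
    plan.kill_process(4242)
    print("\n".join(plan.render()))
    print("rejected:", plan.rejected)
```

The ordering is enforced by render(), not by the order in which indicators were entered, so an analyst who adds a kill first and an evidence step later still gets the evidence collected first. The rejected list is part of the audit trail: every indicator that was refused, and why, is recorded next to the commands that will run.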
Long-term containment:
- Patch exploited vulnerabilities, or apply a compensating control where the patch cannot be deployed quickly
- Strengthen access controls: rotate any credential the attacker could have captured and enforce MFA on the entry point that was used
- Add monitoring for the attack patterns observed, so a return through the same path is detected
- Prepare clean systems for recovery, rebuilt from known-good images rather than cleaned in place
Inform stakeholders about the impact of containment actions, before acting where the urgency allows. A decision to isolate a server affects everyone who uses it, and the service owner should hear it from the response team rather than discover the outage.