Containment is a decision, not a reflex
Immediate actions can include session revocation, account disablement, endpoint isolation, network blocking, service restriction, credential rotation, or temporary segmentation. Monitoring-only can also be a valid decision when evidence is weak or disruptive action would create more harm. Containment should state its objective, scope, owner, reversibility, and evidence impact.
Decision points
| Consider | Question |
|---|---|
| Ongoing harm | Is activity active, spreading, or affecting a sensitive service? |
| Evidence strength | What is observed locally, and what is still a hypothesis? |
| Criticality | What user, safety, data-loss, or operational dependency could action disrupt? |
| Reversibility | Can the action be rolled back, and what evidence might it remove? |
Workflow
- State the decision objective: reduce harm, preserve evidence, protect an identity, or limit reachability.
- Compare immediate, short-term, and long-term options with the owner and response lead.
- Record the chosen control, scope, time, approver, rollback plan, and monitoring requirement.
- Reassess as evidence changes; containment does not replace eradication or recovery.
Common mistakes
Do not isolate every endpoint automatically, rotate credentials without checking persistence and sessions, or block a shared dependency without business context. A containment action can reduce risk while introducing visibility or continuity gaps.