Knowledge Base

Containment Decision Making

Choose a proportionate containment action while preserving evidence and business continuity.

Containment is a decision, not a reflex

Immediate actions can include session revocation, account disablement, endpoint isolation, network blocking, service restriction, credential rotation, or temporary segmentation. Monitoring-only can also be a valid decision when evidence is weak or disruptive action would create more harm. Containment should state its objective, scope, owner, reversibility, and evidence impact.

Decision points

ConsiderQuestion
Ongoing harmIs activity active, spreading, or affecting a sensitive service?
Evidence strengthWhat is observed locally, and what is still a hypothesis?
CriticalityWhat user, safety, data-loss, or operational dependency could action disrupt?
ReversibilityCan the action be rolled back, and what evidence might it remove?

Workflow

  1. State the decision objective: reduce harm, preserve evidence, protect an identity, or limit reachability.
  2. Compare immediate, short-term, and long-term options with the owner and response lead.
  3. Record the chosen control, scope, time, approver, rollback plan, and monitoring requirement.
  4. Reassess as evidence changes; containment does not replace eradication or recovery.

Common mistakes

Do not isolate every endpoint automatically, rotate credentials without checking persistence and sessions, or block a shared dependency without business context. A containment action can reduce risk while introducing visibility or continuity gaps.