What is containment?
Containment means taking steps to stop a cyber incident from spreading or causing more damage while preserving the ability to investigate.
Simple example
A compromised laptop is removed from the network while responders check whether other systems were affected.
Why it matters
Good containment balances speed, business impact, and evidence preservation.
Common warning signs
- The activity is unexpected or unusual for the business context.
- The request or system behaviour creates pressure to act quickly.
- Normal approval, verification, or security processes are bypassed.
- There are signs of unauthorised access, data exposure, or system change.
- Staff are unsure whether the request, message, or system behaviour is legitimate.
Cyber Doc view
This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.
What to do
Proactive steps
- Prepare containment steps in advance for common incidents.
- Know how to disable accounts and isolate devices.
- Keep network diagrams and admin contacts available.
- Use logging to understand how far an incident has spread.
- Define who can approve containment decisions.
Reactive steps
- Isolate affected accounts, devices, or systems as appropriate.
- Avoid wiping systems before evidence is preserved.
- Document actions and times.
- Check whether the incident has spread.
- Plan recovery only after the situation is understood.
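To show how the steps above fit together, here is an added illustration (not part of the Cyber Doc page) of a containment action log: every decision is timestamped, only a named approver can authorise it, and destructive actions such as wiping are refused until evidence has been preserved. The role names, action names and asset names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical roles allowed to approve containment decisions ("Define who can approve").
APPROVERS = {"incident-lead", "it-manager"}

# Actions that destroy evidence, so evidence must be preserved first ("Avoid wiping systems...").
DESTRUCTIVE = {"wipe", "reimage"}


@dataclass
class ContainmentLog:
    """Timestamped record of every containment decision, including refused ones."""
    entries: list = field(default_factory=list)
    evidence_preserved: set = field(default_factory=set)  # assets whose evidence is captured

    def record(self, action, asset, actor, approved_by=None):
        """Check the containment rules, then log the action as done or refused."""
        status, reason = "done", ""
        if approved_by not in APPROVERS:
            status, reason = "refused", f"no valid approver: {approved_by!r}"
        elif action in DESTRUCTIVE and asset not in self.evidence_preserved:
            status, reason = "refused", "preserve evidence before destroying it"
        elif action == "preserve_evidence":
            self.evidence_preserved.add(asset)
        entry = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "asset": asset, "actor": actor,
            "approved_by": approved_by, "status": status, "reason": reason,
        }
        self.entries.append(entry)
        return entry

    def isolated(self):
        """Assets successfully isolated so far, for checking whether the incident has spread."""
        return sorted(e["asset"] for e in self.entries
                      if e["action"] == "isolate" and e["status"] == "done")


if __name__ == "__main__":
    # Constructed scenario: the compromised laptop from the page's simple example.
    log = ContainmentLog()
    log.record("isolate", "laptop-17", "helpdesk", approved_by="incident-lead")
    log.record("wipe", "laptop-17", "helpdesk", approved_by="incident-lead")  # refused
    log.record("preserve_evidence", "laptop-17", "forensics", approved_by="incident-lead")
    for e in log.entries:
        print(e["time"], e["action"], e["asset"], e["status"], e["reason"])
```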
Related terms
- Incident response
- Evidence preservation
- Lateral movement