Containment Phase

A critical incident response step focused on limiting the spread and impact of an active cyber incident before eradication and recovery.

What it is

Containment is the incident response phase where teams stop an active threat from expanding its impact. Actions can include isolating compromised systems, disabling affected accounts, blocking malicious IP addresses, or segmenting parts of the network. It typically follows detection and analysis and can include short-term containment (immediate actions) and long-term containment (temporary fixes that allow safe business continuity).

Why it matters

Without effective containment, attackers can move laterally, escalate privileges, exfiltrate data, or deploy additional malware. Fast, well-planned containment reduces business disruption, limits data loss, and prevents a manageable incident from escalating into a full-scale breach.

How to reduce risk

  • Maintain a documented incident response plan with clear containment steps.
  • Use network segmentation to limit lateral movement.
  • Enable endpoint detection and response (EDR) for rapid isolation.
  • Train teams using incident simulations and tabletop exercises.