Containment strategy
Definition
A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting an attacker before evidence is collected. Strategies range from immediate network isolation to monitored cohabitation (letting the attacker stay while evidence is gathered).
Related terms
- Eradication: The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
- After-Action Report (AAR): The formal document produced during Lessons Learned that records the incident timeline, decisions made, outcomes, and recommended improvements. The AAR drives updates...
- Incident declaration: The formal decision, made during the Identification stage, that a detected event meets the organisation's criteria for a security incident. Declaration triggers...
- Incident response lifecycle: The structured sequence of phases NIST SP 800-61 defines for handling computer security incidents: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity...
- Incident response plan: A formal document that defines an organisation's approach to incident handling: roles and responsibilities, escalation paths, communication procedures, legal and regulatory obligations,...
- Indicators of compromise (IoCs): Artefacts observed on a network or system that suggest an intrusion or malicious activity has occurred, such as unusual outbound connections, known-malicious...
- Lessons-learned meeting: A structured post-incident review, recommended by NIST within approximately two weeks of incident resolution, that examines what happened, what the response did...
- NIST SP 800-61: The US National Institute of Standards and Technology's Computer Security Incident Handling Guide. It defines a four-phase IR lifecycle: Preparation; Detection and...
- PICERL: Acronym for the six SANS IR stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The model is cyclical: the final stage...
Explained in these topics
- The NIST SP 800-61 Incident Response Lifecycle: A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting an attacker before evid...
- The SANS PICERL Model: The plan for limiting the spread and impact of an incident. Containment may be short-term (isolate the affected host immediately) or long-term (maintain limite...