Containment is the incident response phase in which the spread of a security incident is actively stopped. The goal is to limit damage and protect additional systems from being compromised.
Typical containment measures include network isolation of affected systems, locking compromised accounts and revoking their sessions, blocking command-and-control communication, and shutting down affected services. A distinction is made between short-term containment (immediate isolation to stop the spread) and long-term containment (a temporary solution that keeps operations running while remediation is prepared). Two caveats apply in practice: isolation must leave the responders a path to the host, and a system should not be powered off before volatile evidence such as memory has been acquired. Rapid containment is critical: the longer an attacker retains access, the greater the damage.
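The following is an added example, not code from the original page: a small short-term containment planner that turns an incident scope into firewall rules, account actions and per-host handling notes. The hosts, addresses, indicators, account names and the responder network are constructed for illustration. It encodes two checks a responder wants before executing: the isolation rules always keep the responder network reachable, and the last remaining admin account is never locked outright (its credentials are rotated instead).

```python
"""Short-term containment planner (added example; all data below is constructed)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ContainmentPlan:
    firewall_rules: list = field(default_factory=list)
    account_actions: list = field(default_factory=list)
    host_actions: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def build_plan(affected_hosts, c2_indicators, compromised_accounts,
               admin_accounts, responder_cidr, preserve_memory=()):
    """Return a ContainmentPlan for the given (hypothetical) incident scope."""
    plan = ContainmentPlan()
    responder_net = ipaddress.ip_network(responder_cidr)

    # 1. Block C2 destinations network-wide first: a host that was missed in
    #    scoping still loses its channel to the attacker infrastructure.
    for indicator in sorted(c2_indicators):
        try:
            ipaddress.ip_address(indicator)
            plan.firewall_rules.append(f"deny any -> {indicator}/32 any")
        except ValueError:  # not an IP, treat as a domain and sinkhole it
            plan.firewall_rules.append(f"dns-sinkhole {indicator}")

    # 2. Isolate each affected host: allow only the responder network, deny the rest.
    for host in sorted(affected_hosts):
        ip = ipaddress.ip_address(affected_hosts[host])
        if ip in responder_net:
            plan.warnings.append(
                f"{host} is inside responder network {responder_cidr}; review before isolating")
        plan.firewall_rules.append(f"allow {ip} <-> {responder_net} tcp/22")
        plan.firewall_rules.append(f"deny {ip} <-> any")
        if host in preserve_memory:
            plan.host_actions.append(f"{host}: keep powered on, acquire memory before any shutdown")
        else:
            plan.host_actions.append(f"{host}: stop exposed services, do not power off until imaged")

    # 3. Lock compromised accounts, but never remove the last working admin.
    remaining_admins = set(admin_accounts) - set(compromised_accounts)
    for account in sorted(compromised_accounts):
        if account in admin_accounts and not remaining_admins:
            plan.warnings.append(
                f"{account} is the last admin account; rotate credentials instead of locking")
            plan.account_actions.append(f"rotate-credentials {account}; revoke sessions and tokens")
        else:
            plan.account_actions.append(f"lock {account}; revoke sessions and tokens")
    return plan


def sample_plan():
    """Constructed incident scope used to exercise the planner."""
    return build_plan(
        affected_hosts={"web-01": "10.0.5.20", "jump-01": "10.0.99.5"},
        c2_indicators={"203.0.113.7", "update.example.net"},
        compromised_accounts={"svc_backup", "admin_ops"},
        admin_accounts={"admin_ops", "admin_break_glass"},
        responder_cidr="10.0.99.0/24",
        preserve_memory=("web-01",),
    )


if __name__ == "__main__":
    plan = sample_plan()
    for section in ("firewall_rules", "account_actions", "host_actions", "warnings"):
        print(f"[{section}]")
        for line in getattr(plan, section):
            print("  " + line)
```

The plan is deliberately a list of intended actions rather than live commands: in short-term containment the generated rules are pushed to the firewall or EDR, while the warnings are the items a human must decide on before the long-term containment solution replaces them.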