Containment & Eradication

Limit the spread and business impact of an incident through timely containment, then remove the attacker’s foothold and close the underlying weaknesses.

Containment decisions must balance speed with business impact: isolating the right systems quickly while avoiding unnecessary disruption.

Outcomes

  • Reduced blast radius and faster stabilization of critical services
  • Lower likelihood of repeat compromise from the same foothold
  • More predictable response actions with clear approvals
  • Better coordination between security and service owners

Typical scope

  • Containment playbooks (network isolation, credential resets, blocking)
  • Decision rights and approvals for disruptive actions
  • Eradication steps (remove persistence, patch exploited weaknesses)
  • Verification of clean state before restoration

GenAI-enabled execution

Agents can propose containment options and draft execution checklists, but high-impact actions should require human approval and produce traceable evidence of what was done and why.
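As an added illustration of the control described above (example code written for this page, not a product's or the service's own implementation), the following Python sketch gates agent-proposed containment actions behind a human approval and records every decision, including refusals, in a hash-chained audit log. The action names, the `HIGH_IMPACT` set, the simulated handlers and the sample proposals are all constructed assumptions; in practice the handlers would call an EDR, identity provider or firewall API. The one design point worth noting is that the approval is bound to a digest of the exact proposal, so an agent cannot obtain sign-off for one action and then execute a different one under it, and the proposer is not allowed to approve its own disruptive action.

```python
# Added example: approval gate and tamper-evident audit trail for agent-proposed
# containment actions. Assumed design, not code from the page's author or any product.
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Assumption: actions that disrupt a service or user and therefore need a human approver.
HIGH_IMPACT = {"isolate_host", "disable_account", "block_egress"}


@dataclass(frozen=True)
class Proposal:
    """What the agent wants to do, to what, and why."""
    action: str
    target: str
    rationale: str
    proposed_by: str

    def digest(self) -> str:
        # Canonical hash of the exact proposal. An approval is bound to this value,
        # so the action or target cannot be swapped after a human signs off.
        canonical = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()


@dataclass(frozen=True)
class Approval:
    """A human's sign-off on one specific proposal digest."""
    proposal_digest: str
    approver: str
    justification: str


class AuditLog:
    """Append-only, hash-chained evidence of every decision, refusals included."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, **fields) -> dict:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        record = {"ts": datetime.now(timezone.utc).isoformat(), "prev": prev, **fields}
        record["hash"] = hashlib.sha256(
            json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.records.append(record)
        return record

    def verify(self) -> bool:
        # Recompute the chain; an edited, reordered or removed record breaks it.
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class ContainmentExecutor:
    def __init__(self, audit: AuditLog, handlers: Dict[str, Callable[[str], str]]) -> None:
        self.audit = audit
        self.handlers = handlers  # action name -> callable(target) -> result description

    def execute(self, proposal: Proposal, approval: Optional[Approval] = None) -> dict:
        digest = proposal.digest()
        reason = None
        if proposal.action not in self.handlers:
            reason = "unknown_action"
        elif proposal.action in HIGH_IMPACT:
            if approval is None:
                reason = "approval_required"
            elif approval.proposal_digest != digest:
                reason = "approval_mismatch"  # sign-off was for a different action/target
            elif approval.approver == proposal.proposed_by:
                reason = "self_approval"  # the proposer may not approve its own disruptive action
        if reason:
            self.audit.append(status="refused", reason=reason,
                              proposal=asdict(proposal), digest=digest)
            return {"status": "refused", "reason": reason}
        result = self.handlers[proposal.action](proposal.target)
        self.audit.append(status="executed", proposal=asdict(proposal), digest=digest,
                          approver=approval.approver if approval else None,
                          justification=approval.justification if approval else None,
                          result=result)
        return {"status": "executed", "result": result}


def simulated_handlers() -> Dict[str, Callable[[str], str]]:
    # Constructed stand-ins for EDR / IdP / firewall calls; they only describe what they would do.
    return {
        "isolate_host": lambda t: f"network isolation applied to {t}",
        "disable_account": lambda t: f"sessions revoked and sign-in disabled for {t}",
        "add_watchlist": lambda t: f"{t} added to detection watchlist",
    }


if __name__ == "__main__":
    audit = AuditLog()
    executor = ContainmentExecutor(audit, simulated_handlers())
    p = Proposal("isolate_host", "web-01", "beaconing to known C2", "agent-1")  # constructed
    print(executor.execute(p))                                       # refused: approval_required
    print(executor.execute(p, Approval(p.digest(), "alice", "confirmed in EDR telemetry")))
    print(json.dumps(audit.records, indent=2), "chain ok:", audit.verify())
```

Low-impact actions such as the constructed `add_watchlist` run without sign-off, which is what lets the agent move quickly where the blast radius is small; everything disruptive waits for a named human and a justification, and the log answers "what was done and why" after the fact.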