
What is containment?

Containment means taking steps to stop a cyber incident from spreading or causing further damage, while preserving the ability to investigate what happened and how far it reached.

Simple example

A compromised laptop is removed from the network while responders check whether other systems were affected.

Why it matters

Good containment balances speed, business impact, and evidence preservation. Acting too slowly gives an attacker time to spread; pulling systems offline or wiping devices too hastily can halt the business or destroy the evidence needed to understand the incident and confirm it is over.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Prepare containment steps in advance for common incidents (compromised account, infected device, exposed data).
  • Know how to disable accounts and isolate devices, and test that the steps actually work.
  • Keep network diagrams and admin contacts available, including offline copies.
  • Keep authentication, network, and endpoint logs so responders can trace how far an incident has spread.
  • Define who can approve containment decisions, including out of hours.

Reactive steps

  • Isolate affected accounts, devices, or systems as appropriate, for example by removing a device from the network and disabling or resetting the affected account.
  • Do not wipe or rebuild systems before evidence (logs, disk images, volatile state such as running processes and network connections) is preserved.
  • Document every action, who took it, and the time it was taken.
  • Check whether the incident has spread by looking for the compromised account or device connecting to other systems.
  • Plan recovery only after the situation is understood.
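The reactive steps above (preserve evidence first, isolate, document actions and times, check for spread) and the proactive "use logging to understand spread" step can be turned into a small, repeatable helper. The following is an added example, not code from the Learn Centre page or from Cyber Doc. The logon record format, host names, account names, and the action names are all assumptions made for the example; the logon records are constructed sample data.

```python
"""
Added containment helper (example only, not from the original page).

It implements three steps on constructed sample data:
  - trace how far an incident has spread from a compromised host using logon records,
  - record every containment action with an actor and a UTC timestamp,
  - refuse a destructive 'wipe' action until evidence for that host has been preserved.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample logon records (assumed format, one per line):
#   <ISO-8601 UTC time> <account> <source host> -> <destination host>
SAMPLE_LOGONS = """\
2024-03-04T08:55:00Z alice LAPTOP-17 -> FILESRV01
2024-03-04T09:10:00Z alice LAPTOP-17 -> FILESRV01
2024-03-04T09:12:30Z alice LAPTOP-17 -> HR-DB01
2024-03-04T09:14:00Z alice HR-DB01 -> BACKUP02
2024-03-04T09:20:00Z bob   LAPTOP-22 -> FILESRV01
"""


@dataclass
class Logon:
    when: datetime
    account: str
    src: str
    dst: str


def parse_logons(text: str) -> List[Logon]:
    """Parse the assumed logon format above; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, account, src, arrow, dst = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected record: {line!r}")
        stamp = datetime.fromisoformat(when.replace("Z", "+00:00"))
        records.append(Logon(stamp, account, src, dst))
    return records


def trace_spread(records: List[Logon], patient_zero: str, since: datetime) -> Dict[str, datetime]:
    """
    Return every host reached from patient_zero by logons at or after `since`,
    following hops transitively (A -> B, then B -> C), with the time each host
    was first reached. Records are walked in time order so a hop from a host is
    only followed once that host has itself been reached.
    """
    reached: Dict[str, datetime] = {}
    frontier: Set[str] = {patient_zero}
    for rec in sorted(records, key=lambda r: r.when):
        if rec.when < since:
            continue
        if rec.src in frontier and rec.dst not in reached and rec.dst != patient_zero:
            reached[rec.dst] = rec.when
            frontier.add(rec.dst)
    return reached


@dataclass
class ContainmentLog:
    """Append-only record of who did what, to which asset, and when (UTC)."""
    entries: List[dict] = field(default_factory=list)
    evidence_preserved: Set[str] = field(default_factory=set)

    def record(self, actor: str, action: str, target: str, note: str = "",
               now: Optional[datetime] = None) -> dict:
        """Record an action; 'wipe' is refused until 'preserve_evidence' exists for the target."""
        if action == "wipe" and target not in self.evidence_preserved:
            raise PermissionError(f"refusing to wipe {target}: evidence not yet preserved")
        entry = {
            "time": (now or datetime.now(timezone.utc)).isoformat(),
            "actor": actor, "action": action, "target": target, "note": note,
        }
        self.entries.append(entry)
        if action == "preserve_evidence":
            self.evidence_preserved.add(target)
        return entry


def contain(records: List[Logon], patient_zero: str, since: datetime,
            actor: str, now: Optional[datetime] = None) -> ContainmentLog:
    """Preserve evidence, isolate the host, then flag every host it reached for review."""
    log = ContainmentLog()
    log.record(actor, "preserve_evidence", patient_zero, "volatile state and logs captured", now)
    log.record(actor, "isolate_host", patient_zero, "removed from network", now)
    spread = trace_spread(records, patient_zero, since)
    for host, first_seen in sorted(spread.items(), key=lambda kv: kv[1]):
        log.record(actor, "flag_for_review", host, f"first reached {first_seen.isoformat()}", now)
    return log


if __name__ == "__main__":
    records = parse_logons(SAMPLE_LOGONS)
    since = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    for entry in contain(records, "LAPTOP-17", since, actor="responder1").entries:
        print(entry)
```

The spread check deliberately follows hops transitively: in the sample data the laptop never touched BACKUP02 directly, but HR-DB01 did after the laptop reached it, so BACKUP02 is still flagged. The `wipe` guard in `ContainmentLog` is the simplest form of the "do not wipe before evidence is preserved" rule; in practice the same ordering should also be enforced in whatever ticketing or runbook tool records the response.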

Related terms

  • Incident response
  • Evidence preservation
  • Lateral movement