What is the difference between short-term and long-term containment?

Short-term containment is the initial action to limit immediate damage (isolating a host, disabling an account). Long-term containment is the more comprehensive strategy applied while eradication proceeds, often involving temporary segmentation and additional controls over days or weeks.

What is the difference between containment and eradication?

Containment blocks the adversary's ability to act further. Eradication removes the adversary's presence and persistence from affected systems. Containment usually happens first and is faster; eradication requires full scoping and is harder to do well.

Can containment alert the adversary?

Yes, aggressive containment can signal to the adversary that the compromise is detected, leading to accelerated exfiltration or destruction. Mature programs scope first and contain second when possible, and use deception or staged containment to manage adversary awareness.

Does containment require evidence preservation?

Yes. NIST SP 800-61 explicitly calls for evidence preservation during containment. Forensic images, memory captures, and log preservation should happen before any destructive containment action, and the chain of custody should be maintained throughout.

Containment - NIST 800-61 Incident Response Phase

Q: What is the containment phase in incident response?

Containment is the NIST SP 800-61 phase in which the adversary's ability to expand the compromise, exfiltrate additional data, or cause further harm is blocked. It precedes eradication and recovery and is not the same as either.

Containment is the NIST SP 800-61 incident response phase in which the adversary's ability to expand the compromise, exfiltrate additional data, or cause further harm is blocked. Containment is the response action immediately after detection and analysis, and precedes eradication and recovery. The containment phase typically distinguishes between short-term containment (stopping the bleeding) and long-term containment (preventing re-entry while eradication proceeds).

Source: NIST SP 800-61 Rev. 3, ISO/IEC 27035-1:2023.

Short-Term vs Long-Term Containment

Short-term containment is the initial action to limit damage: isolating an infected host from the network, disabling a compromised account, blocking outbound traffic to a known C2 domain. It buys time but is not the final answer.

Long-term containment is the more comprehensive containment strategy applied while eradication proceeds: temporary segmentation, additional monitoring, application of patches and configuration changes, and additional preventive controls. Long-term containment can last days or weeks.

Containment Strategies

Network isolation: VLAN moves, firewall rules, EDR isolation actions
Account containment: password resets, MFA enforcement, session termination, conditional access policies
System containment: process termination, service restart, host quarantine, full power-off
Application containment: WAF rules, rate limiting, feature flag toggles
Data containment: blocking outbound exfiltration, DLP rules, S3 bucket policy changes

Common Containment Mistakes

The most common mistakes are jumping to eradication before scoping the compromise (which leaves backdoors), aggressive containment that alerts the adversary (who then accelerates exfiltration or destruction), and containment without parallel forensic preservation (which loses evidence). NIST 800-61 explicitly calls for evidence preservation during containment.

Run containment from a single platform

IR-OS supports containment workflows, evidence preservation, and the defensible record auditors and counsel expect from this phase.

Start free

Containment - NIST 800-61 Incident Response Phase

Short-Term vs Long-Term Containment

Containment Strategies

Common Containment Mistakes

Related Terms

Run containment from a single platform