Containment

Limiting the spread or impact of an active incident.

Containment is the third NIST incident phase and aims to stop the bleeding before eradication. Short-term containment isolates the affected host or segment immediately; long-term containment applies temporary fixes that let business continue while preserving evidence for forensics. Common moves include network isolation, account disablement, and credential rotation — balanced against tipping off an attacker who may then destroy data.
