Containment, Eradication, and Recovery
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
A triggered alert in a Security Information and Event Management (SIEM) console represents a single point in time, but a cyber incident is a fluid, expanding dynamic system.

When malicious code executes in memory or an adversary pivots across an environment, operational survival depends on methodical, heavily structured frameworks rather than improvised reactions. The National Institute of Standards and Technology Special Publication 800-61 Revision 2 defines a strict four-phase incident response lifecycle to govern this process. While preparation and initial detection are critical, the battle is truly fought and won in the third phase: Containment, Eradication, and Recovery.
Before you can effectively stop an adversary, you must understand the true dimensions of the battlefield. Reacting blindly to a single compromised server often alerts the attacker, causing them to burrow deeper into the network.
To map the event, incident responders use Indicators of Compromise (IoCs)—such as known malicious IP addresses, file hashes, or anomalous registry keys—to sweep the network and accurately determine the full scope of a cyber attack.

The incident scope defines the total number of systems, network segments, and data elements affected by a security breach. It draws the literal boundary around the infection.
Once the scope is measured, analysts must calculate the incident impact, which measures the degree of operational impairment, financial loss, and data exposure caused by a security breach. We classify this impact across three precise vectors:
- Functional Impact: This categorizes the negative effect of an incident on the ability of an organization to provide critical services. If a hospital's primary patient database is taken offline, the functional impact is critical, regardless of how many individual bytes of data were touched.
- Information Impact: This categorizes the degree of compromise to data confidentiality, data integrity, or data availability during an incident. Was the proprietary source code merely read, was it altered, or was it permanently encrypted?
- Recoverability Effort: This categorizes the amount of time and resources required to restore affected systems to normal operations following an incident. A destructive wiper malware attack will have an exponentially higher recoverability effort than a simple cryptominer.
If a forest is burning, you do not immediately run into the center of the inferno with a bucket of water; you dig a trench ahead of the flames to starve them of fuel. Containment limits the spread of an active security incident to prevent further damage to the organizational network.

CRITICAL RULE: Evidence preservation must occur before executing containment or eradication procedures that alter system memory or hard drive storage. If you hastily reboot a machine to stop a rogue process, you destroy volatile RAM containing cryptographic keys, active network connections, and the malware payload itself.

Once forensic data is secured, SOC analysts execute containment through several tiered strategies:
| Containment Strategy | Mechanism of Action | When to Use |
|---|---|---|
| Network Isolation | Disconnects a compromised host entirely from all internal and external network communications. | When a machine is heavily compromised and poses an immediate threat to the wider domain. |
| Network Segmentation | Moves a compromised host to a restricted virtual local area network (VLAN). | To prevent malicious lateral movement while maintaining some remote accessibility for the security team. |
| Quarantine Strategies | Blocks a compromised asset from communicating with production systems while allowing specific connections to forensic security tools. | When analysts need to actively query the machine, pull memory dumps, or deploy specialized monitoring agents. |
At the perimeter level, immediate containment often requires network-wide action. Analysts implement firewall rules to block traffic to known malicious command and control (C2) IP addresses as an immediate containment action, severing the attacker's remote keyboard access to the environment.

The Strategic Gambit: Delayed Containment
Counter-intuitively, immediate containment is not always the optimal move. A security team might intentionally delay containment to monitor attacker behavior and gather more actionable threat intelligence. By watching an adversary operate in a controlled sandbox or segmented honeypot, defenders can map the attacker's full toolset and identify secondary backdoors.

However, playing this game carries extreme risk. Delaying the containment of a cyber incident requires formal approval from executive management due to the increased risk of widespread system damage.
Once the environment is contained and the adversary is trapped, the focus shifts to Eradication. This phase involves neutralizing the root cause of an incident by permanently removing the threat actor and malicious artifacts from the environment.
Eradication is surgical. It requires analysts to meticulously unpick every change the attacker made. Standard eradication tasks include:
- Deleting malicious executables.
- Terminating unauthorized active processes.
- Removing suspicious scheduled tasks or cron jobs that the attacker planted for persistence.
But removing malware is only half the battle; you must also sever the attacker's digital identity. Revoking active authentication tokens forces an attacker to lose current session access during the eradication phase. If they are logged into an Office 365 environment or an active VPN session using stolen cookies, revoking those tokens immediately drops their connection.

Most importantly, you must lock the door they walked through. Eradication must include identifying and patching the specific software vulnerability exploited by an attacker to prevent immediate reinfection.
In severe cases, simply deleting files is insufficient. Rootkits and advanced persistent threats (APTs) can bury themselves deep within a file system or master boot record. In these instances, data sanitization securely destroys data on a storage device to ensure malicious code cannot survive a system rebuild.

With the adversary evicted and the environment sanitized, the final step is Recovery. This phase involves systematically restoring compromised systems to normal business operations after a threat is completely eradicated. Recovery is not merely turning the machines back on; it is rebuilding them to a higher standard of security than before the breach.
Re-imaging and Restoration
The only way to achieve absolute cryptographic certainty that a severely compromised host is clean is to destroy its current state entirely. Re-imaging overwrites a compromised machine's storage drive with a clean, pre-configured operating system baseline. To achieve this efficiently at scale, security teams utilize a golden image—a standardized, securely configured system template used to rapidly re-image compromised machines during the recovery phase.
If a system must be restored from historical data rather than rebuilt from scratch, strict protocols apply. Restoring a compromised system from a backup requires cryptographically verifying that the selected backup snapshot does not contain the original malware. Restoring a corrupted backup simply restarts the incident response lifecycle from zero.
Hardening the Restored Environment
Because human compromise often accompanies technical compromise, resetting all user credentials prevents threat actors from re-entering the network using stolen passwords during the system recovery phase.
Simultaneously, the recovered asset must be hardened. System remediation involves applying strict security patches, updating firewall configurations, and disabling unused services to secure a recovered asset.
What happens when a patch doesn't exist? During zero-day outbreaks, an official vendor patch may be days or weeks away. In this scenario, an incident responder deploys a compensating control to mitigate immediate risk while awaiting an official vendor patch for a critical vulnerability. A compensating control is a temporary, alternative security measure implemented when a primary security control cannot be immediately applied (e.g., deploying a strict Web Application Firewall rule to block malicious input when the underlying application code cannot yet be fixed).

Validation and The New Normal
Before any system is reconnected to the production network, trust must be proven, not assumed. Recovered systems must undergo rigorous security testing and vulnerability scanning to validate their integrity before rejoining the production network.
Finally, the incident response lifecycle acknowledges that no eradication is ever guaranteed to be 100% flawless on the first pass. Continuous security monitoring is required immediately after system recovery to ensure the eradicated threat actor does not return via a secondary backdoor. The SOC must maintain a heightened state of alert, watching the newly restored systems for any deviations from baseline behavior, ensuring that the fire is truly, permanently extinguished.