Incident Response

Containment Is a Decision, Not a Button

Jun 8, 2026 · 5 min read

Every incident has a moment, usually early, when someone says the words just shut it down. The instinct is completely understandable. Something is wrong, the room is anxious, and pulling the plug feels like control. It is the one action that visibly does something, and under pressure, doing something beats the awful feeling of watching and thinking.

The problem is that containment is not a button. It is a decision, and like every decision in an incident it spends something to buy something. Responders who are good at this know exactly what they are spending. Responders who are not just hit the big red switch and find out later.

What You Actually Trade Away

Pull a compromised machine off the network and you stop whatever it was doing. You also, in that same instant, end your ability to watch what it was doing, destroy volatile evidence in memory, and potentially tip off an attacker who now knows they have been spotted and switches to their noisier, more destructive playbook. You may also have just taken down something the business needed, and you will own that outage in the post-incident review whether or not the machine was actually the problem.

Disable the suspicious account and you cut off the intruder. You may also have alerted them, frozen out a legitimate user mid-task, and lost the chance to see where else those credentials were being used. Block the command-and-control domain and you sever the channel, and you also remove your clearest signal of which hosts were still talking to it.

None of this means do not contain. Containment is frequently the right call and sometimes the only one. It means containment has a bill attached, and the bill comes due whether or not you read it before you acted.

The Two Ways to Get It Wrong

There are two failure modes here and they are mirror images.

The first is containing too slowly. You want to understand the full picture before you act, so you investigate, and you scope, and you build a beautiful timeline, and the entire time the attacker is still inside, still moving, still exfiltrating. This is the responder who treats an active intrusion like a forensics exercise and discovers, around the time the report is finished, that the thing they were carefully documenting has finished happening. Watching is not a neutral act when someone is actively working against you. It is a bet that they have not started, and you usually have no basis for that bet.

The second is containing too fast and too blunt. You hit the switch on the strength of an alert and an instinct, and you take down production, blind your own monitoring, destroy the evidence you would have needed to understand the scope, and learn nothing about how they got in, which means you cannot be sure they are actually out. Decisive feels good and looks strong. It is not the same as effective, and the difference is usually invisible until later.

The skill is not picking a side between these. It is knowing which mistake the current situation punishes more, and that changes by the hour.

How the Good Ones Decide

The responders who handle this well are not braver or faster. They are clearer about a few questions, and they answer them before they reach for the switch.

Is this active or dormant? A live, hands-on intruder and a piece of malware sitting quietly are completely different containment problems. The first rewards speed because every minute is damage. The second rewards a little patience because the damage is not accruing and the evidence is worth more than the hour.

What does this specific containment action cost? Not in the abstract, but right now: what breaks, what evidence dies, who gets locked out, and does the attacker find out. If you cannot answer that, you are not making a decision, you are making a wish.

Can I contain narrowly instead of broadly? There is a wide middle ground between do nothing and pull everything. Isolating a host at the switch while preserving memory. Restricting an account instead of disabling it. Blocking egress while leaving telemetry intact. The blunt options are the most visible, which is exactly why they are over-chosen under pressure.
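As an added illustration of that middle ground (this is not code from the original post), here is a small shell helper that emits an nftables ruleset for a suspect Linux host: outbound traffic is dropped except to the EDR/SIEM collector, the responder's jump host keeps SSH access, and every dropped connection attempt is logged so the host's remaining outbound attempts stay visible instead of vanishing with the cable. The collector and jump-host addresses are constructed placeholders from the documentation range.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that blocks egress from a
# suspect Linux host while keeping telemetry and responder access alive.
# Addresses are constructed placeholders (203.0.113.0/24 is documentation space).
# Usage: gen_containment_ruleset COLLECTOR_IP JUMP_HOST_IP > contain.nft
#        review contain.nft, then apply with:  nft -f contain.nft

gen_containment_ruleset() {
    collector="$1"   # EDR/SIEM collector the host must keep reporting to
    jump="$2"        # responder jump host allowed to reach this host on SSH
    cat <<EOF
table inet containment {
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        # keep telemetry flowing: only the collector, only its TLS port
        ip daddr $collector tcp dport 443 accept
        # replies to the responder's SSH session
        ct state established,related ip daddr $jump accept
        # everything else is dropped but logged, so any remaining outbound
        # attempts (beacons included) are still recorded in the kernel log
        log prefix "contain-egress-drop: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # replies from the collector to our permitted outbound connection
        ct state established,related ip saddr $collector accept
        ip saddr $jump tcp dport 22 accept
        log prefix "contain-ingress-drop: " drop
    }
}
EOF
}

# After loading the ruleset, flush existing connection-tracking entries so
# sessions that were already open do not ride through on the established
# rule:  conntrack -F
```

Memory is untouched by this step, so a capture can still be taken afterwards; the logged drops become the list of destinations the host was still trying to reach.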

And crucially: am I preserving the ability to answer the question that matters later? In most incidents the expensive question is not what happened, it is are they really gone. Containment that destroys your ability to ever answer that converts a bad day into an open-ended one.

Slow Is Smooth

The phrase that actually applies here is the old one about slow being smooth and smooth being fast. The goal in the first hour is not to act quickly. It is to act deliberately, which under enough practice happens to look quick. The responder who pauses for ninety seconds to ask what does pulling this cable cost me and decides yes, worth it is moving faster than the one who hit the switch in five seconds and spends the next three days reconstructing what they destroyed.

Containment is one of the most powerful tools you have. Treat it like the others: as something you choose on purpose, knowing the price, and not as the lever you grab because grabbing a lever feels better than thinking.

The button is always right there. That is exactly why the decision matters.