Describe the general approach to containment during an incident.

Multiple Choice

Explanation:
Containment is about stopping the attack from spreading while preserving evidence for later analysis. To do this, you act quickly to isolate affected systems, preventing further access or lateral movement, and you implement temporary blocks and revoke compromised credentials to cut off attacker access. Preserving evidence—like logs and volatile data—while you contain is also crucial for later investigation and eradication. After containment, you can move to eradication and recovery. The other options don’t fit containment: restoring from backups is a recovery step, not stopping ongoing activity; notifying customers is about communication, not containment; and delaying action to investigate first allows more damage and makes containment harder.
