In incident response, what is the primary goal of containment actions?

Enhance your cyber defense skills with the Security Blue Team Level 1 Test. Prepare with flashcards, multiple choice questions, and detailed explanations to ace your exam!

Multiple Choice

In incident response, what is the primary goal of containment actions?

Explanation:
Containment aims to stop the incident from spreading and to limit its impact. The goal is to quickly isolate affected systems and block further access or propagation so the organization can investigate safely, preserve evidence, and plan eradication and recovery without the attacker moving to additional targets. For example, isolating compromised machines, blocking malicious traffic, or segmenting the network are typical containment actions. The other steps—removing the attacker, determining the root cause, and collecting evidence for legal action—are important but part of later stages; containment’s immediate priority is preventing additional damage and narrowing the scope of the incident.

