Focus Area: Incident containment and threat isolation protocols
This ontology provides citation-quality definitions for 15 foundational terms, backed by authoritative sources from standards bodies (NIST, W3C, IETF, OASIS, ISO) and peer-reviewed research.
Technical Glossary
The practical limit used to define how far an incident is allowed to spread across systems, identities, networks, or business functions before containment action becomes mandatory. It turns abstract risk into an operational line that responders can defend.
The control point at which responders decide whether an asset, workload, account, or network segment should be isolated from normal operations. A clear gate helps teams act quickly without making isolation an unreviewed reflex.
A set of actions that blocks an adversary from pivoting between hosts, identities, or trust zones after initial compromise. Suppression focuses on restricting pathways rather than waiting to fully eradicate the threat before acting.
A layered design that places progressively stronger restrictions around affected resources to slow expansion while preserving essential operations where possible. Rings let defenders tailor isolation rather than applying one blunt control everywhere at once.
A controlled pathway used to restore business functionality in isolated steps after containment, ensuring that cleaned systems do not reconnect into still-compromised environments. It makes recovery a protected sequence instead of a premature return to normal.
A practice of preserving logs, volatile state, and decision records at the moment containment is applied so investigation context is not lost. Evidence locking keeps urgent defensive action from erasing the story of how the incident unfolded.
The deliberate invalidation of active attacker sessions, stolen tokens, remote access channels, or malicious process control paths that are still being used during an incident. Termination reduces the adversary’s operational foothold while other containment steps are executed.
A temporary pause on high-risk administrative changes, nonessential deployments, or routine configuration work during an active incident. Freezing the environment reduces self-inflicted complexity and makes containment signals easier to interpret.
A structured verification that confirms isolation steps are actually working as intended across affected assets and dependencies. It protects against false confidence where teams believe the threat is boxed in but hidden paths remain open.
A focused search for implants, scheduled tasks, rogue accounts, configuration changes, or command-and-control links that could defeat containment after the visible symptoms are gone. Sweeps ensure isolation is not mistaken for removal.
A restoration method that rebuilds or reintroduces assets from trusted states in a separated environment before reconnecting them to production. The path reduces the chance that recovery activities silently re-seed the incident.
The continuously updated inventory of systems, data stores, accounts, and business processes touched by an incident or by the controls used to contain it. A reliable census prevents blind spots that would otherwise undermine isolation plans.
A predefined trigger that forces higher authority involvement when containment conditions worsen beyond local response limits. The seal ensures that deteriorating situations are elevated before tactical teams run out of authority or options.
A safeguard that prevents emergency containment actions from being reversed too early or by unauthorized personnel before risk has been reassessed. It keeps urgency from collapsing into accidental re-exposure.
A targeted review of residual weaknesses, business exceptions, and bypasses left behind after the immediate threat has been boxed in. The review converts temporary containment success into a roadmap for durable risk reduction.