In the NIS incident-response lifecycle, containment and eradication are the execution steps that limit damage and remove attacker persistence. Operationally, teams need pre-defined strategies, explicit tradeoffs, and evidence-driven verification to avoid unnecessary service disruption on one side and incomplete remediation on the other.
Sources: ACN incident management guidance, ACN baseline obligations determination
Key takeaways
- Containment and eradication are not one-off actions; they are iterative response activities.
- Containment choices must balance evidence preservation, service continuity, and risk reduction.
- Eradication should remove root compromise conditions and verify residual risk before closure.
- Both phases require documented objectives, actions, rationale, and effectiveness checks.
Sources: ACN incident management guidance
Containment and eradication operating sequence
1. Define containment strategy
Select containment actions based on incident severity, business impact, evidence-preservation needs, and operational dependencies.
2. Execute and track containment actions
Apply technical and procedural controls (for example isolation, account controls, segmentation, temporary restrictions) and document decisions and impacts.
3. Verify containment effectiveness
Re-check the incident's indicators against fresh telemetry after the actions are applied (for example, isolated hosts no longer reaching attacker infrastructure, disabled accounts no longer authenticating); if any indicator of ongoing attacker activity persists, return to investigation and refine containment.
4. Plan eradication actions
Define actions to remove malicious artifacts, persistence mechanisms, and exposed weaknesses, with clear ownership and sequencing.
5. Validate eradication and transition
Confirm that eradication goals are met and that outputs are ready for downstream recovery and governance reporting.
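The five steps above form a loop rather than a line: containment is re-verified until it holds, and eradication is closed only when planned actions are done and nothing residual is found. The following is an added example of that loop in Python; it is not ACN's tooling or code from the guidance. All hosts, indicator values, telemetry snapshots and plan entries are constructed for illustration, and the distinction it draws (containment checks active network and identity indicators; eradication checks that every artifact is gone) is one practical reading of the steps, not a definition from the source.

```python
"""Iterative containment/eradication verification (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicators:
    """Indicators tied to this incident. Values are constructed, not real IOCs."""
    file_hashes: frozenset
    c2_domains: frozenset
    accounts: frozenset
    persistence: frozenset  # scheduled-task names the attacker created


@dataclass
class HostSnapshot:
    """Telemetry pulled from one host after response actions (constructed)."""
    host: str
    isolated: bool
    files: dict            # path -> digest
    dns_queries: list      # domains resolved since the last action
    logons: list           # accounts that authenticated since the last action
    scheduled_tasks: list  # task names currently present


def sweep(snapshots, ioc):
    """Return (host, kind, value) for every indicator still observed."""
    findings = []
    for s in snapshots:
        findings += [(s.host, "file", p) for p, d in s.files.items() if d in ioc.file_hashes]
        findings += [(s.host, "c2", d) for d in s.dns_queries if d in ioc.c2_domains]
        findings += [(s.host, "account", a) for a in s.logons if a in ioc.accounts]
        findings += [(s.host, "persistence", t) for t in s.scheduled_tasks if t in ioc.persistence]
    return findings


def containment_status(snapshots, ioc, must_isolate):
    """Step 3: containment holds when every host the plan isolates is isolated and
    no network/identity indicator is still active. Files and persistence entries
    may remain at this point; removing them belongs to eradication."""
    active = [f for f in sweep(snapshots, ioc) if f[1] in ("c2", "account")]
    gaps = [s.host for s in snapshots if s.host in must_isolate and not s.isolated]
    return {"contained": not active and not gaps, "active_indicators": active, "isolation_gaps": gaps}


def eradication_status(snapshots, ioc, plan):
    """Step 5: closure needs every planned action done and zero residual findings."""
    residual = sweep(snapshots, ioc)
    incomplete = [action for action, done in plan.items() if not done]
    return {"complete": not residual and not incomplete, "residual": residual,
            "incomplete_actions": incomplete}


def run(rounds, ioc, must_isolate, plan_by_round):
    """Walk the operating sequence, looping back whenever a check fails.
    Returns the decision log a team would keep as containment/eradication evidence."""
    log = []
    for i, snaps in enumerate(rounds, 1):
        c = containment_status(snaps, ioc, must_isolate)
        log.append(("containment-check", i, c["contained"]))
        if not c["contained"]:
            continue  # back to investigation; refine containment, pull telemetry again
        e = eradication_status(snaps, ioc, plan_by_round.get(i, {}))
        log.append(("eradication-check", i, e["complete"]))
        if e["complete"]:
            break     # hand off to recovery and governance reporting
    return log


IOC = Indicators(file_hashes=frozenset({"a1b2c3"}), c2_domains=frozenset({"update-check.example"}),
                 accounts=frozenset({"svc-backup-old"}), persistence=frozenset({"OneDriveUpdaterTask"}))
MUST_ISOLATE = {"ws-017", "srv-db2"}


def sample_rounds():
    """Three constructed telemetry pulls: after the first containment actions,
    after refined containment, and after eradication."""
    r1 = [HostSnapshot("ws-017", True, {"C:/Users/Public/up.exe": "a1b2c3"}, [], [], ["OneDriveUpdaterTask"]),
          HostSnapshot("srv-db2", False, {}, ["update-check.example"], ["svc-backup-old"], [])]
    r2 = [HostSnapshot("ws-017", True, {"C:/Users/Public/up.exe": "a1b2c3"}, [], [], ["OneDriveUpdaterTask"]),
          HostSnapshot("srv-db2", True, {}, [], [], [])]
    r3 = [HostSnapshot("ws-017", True, {}, [], [], []),
          HostSnapshot("srv-db2", True, {}, [], [], [])]
    return r1, r2, r3


PLAN_BY_ROUND = {2: {"remove dropper": False, "delete task": False, "rotate credentials": True},
                 3: {"remove dropper": True, "delete task": True, "rotate credentials": True}}

if __name__ == "__main__":
    for entry in run(sample_rounds(), IOC, MUST_ISOLATE, PLAN_BY_ROUND):
        print(entry)
```

Run as written, the log shows containment failing on round 1 (srv-db2 not isolated and still resolving the C2 domain), holding on round 2, eradication incomplete on round 2 (dropper and task still present, two actions open), and complete on round 3. The `run` return value is the kind of record the evidence table below asks for: each check, which round it ran in, and the outcome.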
Sources: ACN incident management guidance, ACN baseline obligations determination
Minimum evidence set for containment/eradication
| RS phase | Practical objective | Typical evidence |
|---|---|---|
| Containment strategy | Risk-informed and traceable action selection | Containment plan, decision rationale, impact notes |
| Containment execution | Controlled action rollout | Action log, change records, timeline updates |
| Effectiveness checks | Residual-compromise validation | Verification checklist, indicator review results |
| Eradication planning | Complete removal strategy | Eradication plan, owner assignments, dependencies |
| Eradication closure | Verified completion and handoff readiness | Closure criteria record, residual-risk note, handoff package |
Sources: ACN incident management guidance
90-day execution checklist
- Define containment decision criteria with legal, operations, and cyber stakeholders.
- Standardize containment action templates with mandatory rationale and impact fields.
- Establish objective effectiveness checks before moving to eradication closure.
- Create eradication play patterns for recurring attack scenarios.
- Require formal handoff package from eradication to recovery and post-incident review.
FAQ
Can containment and eradication be executed only once per incident?
Not necessarily. Guidance indicates iterative loops may be required when new evidence or residual compromise emerges. Source: ACN incident management guidance
What should be documented for containment decisions?
At minimum: objectives, selected actions, rationale, expected impact, and criteria used to evaluate effectiveness. Source: ACN incident management guidance
How is eradication considered complete?
When planned eradication actions are verified, residual compromise is not detected, and records are ready for recovery and governance follow-up. Source: ACN incident management guidance