Containment stops an incident from spreading while preserving forensic evidence. Short-term: isolate the affected systems immediately. Long-term: remediate (patch, rotate credentials, remove persistence) or rebuild from a known-good image.
Don't reimage straight away: capture volatile memory first, because reimaging destroys it. Prefer network isolation (host firewall, switch port, cloud security group) over powering off; a shutdown or power cut loses RAM (running processes, live network connections, injected code, in-memory keys). Isolate in a way that keeps the responder's own management channel open, otherwise remote acquisition becomes impossible. Balance containment against business continuity: agree with the system owner what downtime is acceptable. Document every action with a UTC timestamp, the operator, and the host, so the timeline and chain of custody hold up later.
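The sequence above (isolate without cutting the responder off, capture memory, log each step with a timestamp) as an added example; this is not part of the original notes. It assumes a Linux host with iptables, coreutils, and Microsoft's avml memory-acquisition tool pre-staged on it; the forensic workstation address, the action-log path, and the function names are illustrative. It runs in dry-run mode by default and only prints what it would do.

```shell
#!/bin/sh
# Added example, not from the original notes. Host containment in three
# steps: firewall isolation that keeps the forensic workstation reachable,
# memory capture, and a timestamped action log.
# Assumptions (hypothetical values): FORENSIC_WS is the responder's
# workstation, ACTION_LOG is the evidence log, avml is installed.
# DRY_RUN=1 (default) prints commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
ACTION_LOG="${ACTION_LOG:-/tmp/ir-actions.log}"
FORENSIC_WS="${FORENSIC_WS:-10.0.0.5}"

# Append "<UTC timestamp> <user@host> <message>" to the action log and echo it.
log_action() {
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) $(id -un)@$(uname -n) $1"
    printf '%s\n' "$line" >> "$ACTION_LOG"
    printf '%s\n' "$line"
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Print the iptables commands that isolate the host. Rules are inserted at
# the head of each chain in the order lo, forensic-ws, LOG, DROP, so the
# responder's session is never cut and the pre-incident ruleset below them
# is left untouched as evidence. No quoting inside the lines, so they can
# be word-split safely by the caller.
isolation_rules() {
    ws="$1"
    cat <<EOF
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -s $ws -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 3 -j LOG --log-prefix IR-ISOLATED-IN:
iptables -I INPUT 4 -j DROP
iptables -I OUTPUT 1 -o lo -j ACCEPT
iptables -I OUTPUT 2 -d $ws -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT 3 -j LOG --log-prefix IR-ISOLATED-OUT:
iptables -I OUTPUT 4 -j DROP
iptables -I FORWARD 1 -j DROP
EOF
}

# Apply (or print) the isolation rules, logging before and after.
isolate_host() {
    log_action "isolation started, allow-listing $FORENSIC_WS"
    isolation_rules "$FORENSIC_WS" | while IFS= read -r cmd; do
        # shellcheck disable=SC2086  (intentional word splitting)
        run $cmd
    done
    log_action "isolation rules applied"
}

# Acquire RAM with avml and record the image hash before anything else
# touches the box. Reimaging only happens after this hash is in the log.
capture_memory() {
    out="$1"
    log_action "memory capture started -> $out"
    run avml "$out"
    if [ "$DRY_RUN" != "1" ]; then
        sum="$(sha256sum "$out" | cut -d' ' -f1)"
        log_action "memory capture done sha256=$sum"
    fi
}

main() {
    log_action "containment run begins (DRY_RUN=$DRY_RUN)"
    isolate_host
    capture_memory "/tmp/$(uname -n)-mem.lime"
    log_action "containment run ends; do not reimage until the image hash is logged"
}

main "$@"
```

Run it as root with DRY_RUN=0 only after reading the dry-run output. Host-level firewall isolation is the quickest option but can be undone by an attacker with root or kernel access; where a switch port, NAC, or cloud security group can do the isolation instead, use that and keep the host-side log the same.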