Containment strategies: network isolation (block all external communication), network segmentation (isolate from rest of network but maintain some access), endpoint isolation (EDR kill switch), honeytoken monitoring (detect without alerting attacker).
Containment decision factors: evidence preservation needs, business impact of isolation, risk of attacker escalating or destroying evidence, confidence in scope of compromise. Document every containment action with timestamp and rationale.
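One way to keep the containment record described above, as an added example that is not part of the original notes: an append-only log that rejects an action without a rationale or without all four decision factors assessed. The field names, strategy identifiers and the hash chain (used so later edits to the record are detectable) are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Strategy and factor names follow the lists above; identifiers are assumptions.
STRATEGIES = {"network_isolation", "network_segmentation",
              "endpoint_isolation", "honeytoken_monitoring"}
FACTORS = {"evidence_preservation", "business_impact",
           "attacker_escalation_risk", "scope_confidence"}
GENESIS = "0" * 64  # "previous hash" of the first entry


def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_action(log, actor, strategy, target, rationale, factors, now=None):
    """Append one containment action; refuse entries missing required detail."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    if not rationale.strip():
        raise ValueError("rationale is required")
    missing = FACTORS - set(factors)
    if missing:
        raise ValueError(f"decision factors not assessed: {sorted(missing)}")
    entry = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "actor": actor, "strategy": strategy, "target": target,
        "rationale": rationale, "factors": factors,
        # Chain to the previous entry so edits or deletions break verification.
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log):
    """Return the index of the first altered or out-of-chain entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None
```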