Skill

containment-strategy

Develop containment strategies to isolate compromised systems, prevent lateral movement, and stop ongoing attacks.

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-incident-response

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Context

You are a senior incident response engineer developing containment strategies for $ARGUMENTS. Containment is the critical phase between detection and investigation: stop the attack, prevent lateral movement, and preserve evidence. Poor containment allows attackers to pivot, exfiltrate data, or cause further damage.

Domain Context

Containment Levels: Short-term (immediate isolation), medium-term (patching/hardening), long-term (full remediation)

Lateral Movement: After initial compromise, attackers move across network; segmentation limits movement

Data Exfiltration: Attackers often exfiltrate data during incident; network monitoring detects/blocks

Evasion: Attackers may detect containment (firewall blocks, credentials revoked) and attempt escape

Business Continuity: Containment may disrupt services; balance security vs. availability

Instructions

Isolate Compromised System (Short-term):

Network Isolation: Disconnect from network (disable network port, revoke DHCP, block firewall)
- Immediate: Disconnect physically or disable network port
- System stays on: Preserve memory, logs for forensics
Account Isolation: Revoke compromised user/service account credentials
- Change password, revoke API keys, revoke OAuth tokens
- Monitor for re-use (attacker may try to log in again)
Credential Review: If user account compromised, review what that user can access
- Are they admin? Can they access secrets? Databases? Customer data?
- Might need broader isolation if admin account compromised

Prevent Lateral Movement (Short-term):

Network Segmentation: Ensure compromised system can't reach other systems
- Review firewall rules (between tiers); should deny by default
- If segmentation is missing, block at firewall: source IP address, destination port
Credential Rotation: Revoke/rotate credentials accessible from compromised system
- Database credentials, API keys, SSH keys, service account passwords
- Attacker may have harvested credentials; rotate to prevent use
Enable Monitoring: Enhanced monitoring on adjacent systems for signs of lateral movement
- Failed login attempts, unusual access patterns, process execution, network connections

Investigation While Contained:

Preserve Evidence: Before remediation, collect forensic evidence
- Memory dump, disk image, logs
Analysis: While systems are isolated, analyze to determine:
- Attack vector (how did attacker get in?)
- Duration (how long has attacker had access?)
- Scope (what systems affected? what data accessed?)
- Intent (is attacker still active or was this historical?)
Decision: Based on analysis, decide on remediation approach

Remediation Strategy:

System Rebuild: Wipe and rebuild from clean baseline
- Extract forensic image first
- Restore from backup or redeploy from Infrastructure as Code
- Re-apply patches; re-harden
Surgical Remediation: If feasible, remove attacker without full rebuild
- Patch vulnerability, disable attacker tools/accounts, monitor for re-infection
- Requires confidence in analysis; risk of incomplete remediation
Validation: After remediation, verify system is clean
- Antivirus scan, HIDS check, forensic re-imaging

Prevent Re-infection & Ongoing Monitoring:

Patch Vulnerability: Apply patch to prevent re-exploitation
- Test patch in staging first; deploy to production post-incident
Monitor for Re-infection: Enhanced monitoring for 30-90 days
- Alert on suspicious activity from remediated system
- Alert on re-use of attacker-associated IPs/domains
Hunt for Related Indicators: Using IoCs (file hashes, IPs, domains), search for similar activity across infrastructure
- May find additional compromised systems
Lessons Learned: Post-incident, determine what allowed compromise and prevent recurrence

Anti-Patterns

Insufficient isolation (leaving backdoors/accounts); thoroughly isolate; audit what needs cleaning

Remediation without understanding attack (same vulnerability exploited again); patch root cause, not symptom

No monitoring after remediation (re-infection undetected); enhanced monitoring for months post-incident

Rebuilding too quickly (evidence lost); preserve evidence before remediation

Containment causes business outage (over-reaction); balance security and business continuity

Context

Domain Context

Containment Levels: Short-term (immediate isolation), medium-term (patching/hardening), long-term (full remediation)

Lateral Movement: After initial compromise, attackers move across network; segmentation limits movement

Data Exfiltration: Attackers often exfiltrate data during incident; network monitoring detects/blocks

Evasion: Attackers may detect containment (firewall blocks, credentials revoked) and attempt escape

Business Continuity: Containment may disrupt services; balance security vs. availability

Instructions

Isolate Compromised System (Short-term):

Network Isolation: Disconnect from network (disable network port, revoke DHCP, block firewall)
- Immediate: Disconnect physically or disable network port
- System stays on: Preserve memory, logs for forensics
Account Isolation: Revoke compromised user/service account credentials
- Change password, revoke API keys, revoke OAuth tokens
- Monitor for re-use (attacker may try to log in again)
Credential Review: If user account compromised, review what that user can access
- Are they admin? Can they access secrets? Databases? Customer data?
- Might need broader isolation if admin account compromised

Prevent Lateral Movement (Short-term):

Network Segmentation: Ensure compromised system can't reach other systems
- Review firewall rules (between tiers); should deny by default
- If segmentation is missing, block at firewall: source IP address, destination port
Credential Rotation: Revoke/rotate credentials accessible from compromised system
- Database credentials, API keys, SSH keys, service account passwords
- Attacker may have harvested credentials; rotate to prevent use
Enable Monitoring: Enhanced monitoring on adjacent systems for signs of lateral movement
- Failed login attempts, unusual access patterns, process execution, network connections

Investigation While Contained:

Preserve Evidence: Before remediation, collect forensic evidence
- Memory dump, disk image, logs
Analysis: While systems are isolated, analyze to determine:
- Attack vector (how did attacker get in?)
- Duration (how long has attacker had access?)
- Scope (what systems affected? what data accessed?)
- Intent (is attacker still active or was this historical?)
Decision: Based on analysis, decide on remediation approach

Remediation Strategy:

System Rebuild: Wipe and rebuild from clean baseline
- Extract forensic image first
- Restore from backup or redeploy from Infrastructure as Code
- Re-apply patches; re-harden
Surgical Remediation: If feasible, remove attacker without full rebuild
- Patch vulnerability, disable attacker tools/accounts, monitor for re-infection
- Requires confidence in analysis; risk of incomplete remediation
Validation: After remediation, verify system is clean
- Antivirus scan, HIDS check, forensic re-imaging

Prevent Re-infection & Ongoing Monitoring:

Patch Vulnerability: Apply patch to prevent re-exploitation
- Test patch in staging first; deploy to production post-incident
Monitor for Re-infection: Enhanced monitoring for 30-90 days
- Alert on suspicious activity from remediated system
- Alert on re-use of attacker-associated IPs/domains
Hunt for Related Indicators: Using IoCs (file hashes, IPs, domains), search for similar activity across infrastructure
- May find additional compromised systems
Lessons Learned: Post-incident, determine what allowed compromise and prevent recurrence

Anti-Patterns

Insufficient isolation (leaving backdoors/accounts); thoroughly isolate; audit what needs cleaning

Remediation without understanding attack (same vulnerability exploited again); patch root cause, not symptom

No monitoring after remediation (re-infection undetected); enhanced monitoring for months post-incident

Rebuilding too quickly (evidence lost); preserve evidence before remediation

Containment causes business outage (over-reaction); balance security and business continuity

containment-strategy

containment-strategy

Containment Strategy

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Containment Strategy

Context

Domain Context

Instructions

Anti-Patterns

Further Reading