What is incident containment and what are common containment strategies?

Incident containment aims to stop the incident from spreading and to limit further damage while preserving evidence for investigation. The best containment actions are to quickly isolate affected systems to prevent lateral movement, disable compromised accounts to cut off attacker access, apply temporary mitigations to close the immediate gaps, and carefully preserve evidence for forensic analysis and later recovery efforts. Replacing hardware is more about recovery and rebuilding than stopping the incident, public disclosure before investigation can hinder containment and reveal sensitive details, and ignoring the incident would allow ongoing damage. So the actions described for containment—isolation, disabling access, temporary mitigations, and evidence preservation—are the appropriate focus.