Episode 166: Incident Response Process (Part 2) (Domain 4)
In Part One of this series, we walked through the first three phases of the incident response process: preparation, detection, and analysis. These stages set the foundation for any successful response. But what comes next is where the rubber really meets the road. Today, in Part Two, we focus on the remaining phases: containment, eradication, and recovery. These steps move the response from understanding the incident to actually stopping it and restoring normal operations.
Let’s start with containment.
Containment is about limiting the damage. Once an incident has been detected and analyzed, the next step is to isolate the affected systems, accounts, or networks to prevent the threat from spreading. This needs to happen quickly—but carefully. The goal is to neutralize the threat’s ability to cause further harm while preserving evidence and minimizing business disruption.
Containment can be short-term or long-term. Short-term containment focuses on immediate actions to stop the attack—like disconnecting a compromised device from the network or disabling a suspicious user account. Long-term containment may involve segmenting networks, updating firewall rules, or deploying patches before reconnecting systems to normal operations.
Let’s walk through a real-world example. A large university detects that several faculty workstations are communicating with a known malicious Internet Protocol address. Rather than shutting down the entire department, the security team uses their endpoint management tool to quarantine only the affected devices. These systems are removed from the network but remain powered on so that memory and disk images can be preserved for later analysis. This approach stops the threat while supporting the investigation and keeping disruption to a minimum.
Effective containment requires speed and coordination. That means having the right tools in place—like network segmentation, virtual LANs, endpoint isolation capabilities, and predefined firewall rules. It also means having clear communication channels and authority to act. In many cases, containment decisions must be made quickly and under pressure.
Containment also includes controlling communications. For example, if attackers are using email to spread malware, blocking external email might be part of the containment plan. If the threat involves stolen credentials, resetting passwords or disabling multi-factor tokens may be necessary.
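The university scenario above, turned into containment logic as an added example (not code from the podcast): constructed flow-log lines are matched against a constructed blocklist, and only hosts that reached a listed destination get a quarantine plan whose steps capture volatile evidence before the device is isolated, while everything else stays online. The log format, host names, and IP ranges (RFC 5737 documentation addresses) are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist of known-bad destinations (documentation ranges, not real indicators).
MALICIOUS_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed firewall/flow log lines: timestamp, source host, source IP, destination IP, port.
SAMPLE_FLOWS = """\
2024-05-01T09:12:03Z faculty-ws-17 10.20.4.17 203.0.113.45 443
2024-05-01T09:12:09Z faculty-ws-21 10.20.4.21 192.0.2.80 443
2024-05-01T09:13:40Z faculty-ws-03 10.20.4.3 198.51.100.7 8443
2024-05-01T09:14:02Z faculty-ws-17 10.20.4.17 203.0.113.45 443
"""

# Ordered short-term containment steps. Evidence capture comes first so volatile memory
# is not lost, and the device stays powered on rather than being shut down.
QUARANTINE_STEPS = (
    "capture volatile memory",
    "snapshot disk",
    "isolate via endpoint management (keep powered on)",
    "block the host at the network segment boundary",
)

def parse_flows(text):
    """Yield (host, src_ip, dst_ip) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, host, src, dst, _port = line.split()
        yield host, src, ipaddress.ip_address(dst)

def is_malicious(ip):
    """True if the address (string or ip_address object) falls in any blocklisted network."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in MALICIOUS_NETWORKS)

def build_containment_plan(log_text):
    """Return {host: {"indicators": [...], "steps": QUARANTINE_STEPS}} for hosts that
    contacted a blocklisted destination; hosts with only benign traffic are left alone."""
    hits = defaultdict(set)
    for host, _src, dst in parse_flows(log_text):
        if is_malicious(dst):
            hits[host].add(str(dst))
    return {h: {"indicators": sorted(ips), "steps": QUARANTINE_STEPS} for h, ips in hits.items()}

if __name__ == "__main__":
    for host, plan in build_containment_plan(SAMPLE_FLOWS).items():
        print(host, plan["indicators"], "-> first step:", plan["steps"][0])
```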
But containment doesn’t mean immediate cleanup. Before you wipe systems or delete logs, you need to fully understand the scope of the incident. That’s where the next phase comes in: eradication.
Eradication is about removing the threat completely. It’s not just about stopping the attack—it’s about making sure it doesn’t come back. That means identifying all malicious code, closing exploited vulnerabilities, purging unauthorized user accounts, and scrubbing compromised data or settings.
Eradication starts with the findings from the analysis phase. You know how the attacker got in, what they touched, and what tools they used. Now, you remove every trace.
Let’s consider a practical scenario. A retail company discovers malware installed on several point-of-sale systems. The malware is embedded in a third-party remote access tool that was never authorized for use. During eradication, the team uninstalls the unauthorized software, runs deep scans, applies registry fixes, and reinstalls clean versions of the operating system from trusted images. They also disable remote access across all point-of-sale devices and rotate administrative credentials.
One of the most important aspects of eradication is being thorough. If even one infected file or compromised account is missed, the attacker may regain access. This is why many organizations rebuild systems entirely, rather than trying to clean them. Known-good images, backups, and gold master templates play a key role in this process.
Eradication also involves patching. If the incident exploited a known vulnerability, that vulnerability must be closed on every relevant system. This might involve applying software updates, modifying configurations, or changing access permissions.
It’s important to document every step taken during eradication, including what was removed, what was changed, and why. This supports auditing and compliance—and prepares the team for the final phase: recovery.
Recovery is the process of returning systems and business operations to normal. This includes restoring services, validating that systems are clean, and monitoring for any signs of lingering or recurring threats.
Recovery is often phased. Critical systems are restored first, with lower-priority systems brought online afterward. Before a system is reintroduced to production, it must be tested to ensure it’s fully functional and free of compromise.
Let’s walk through a real-world recovery effort. A hospital network experiences a ransomware attack that encrypts a portion of its internal file shares. After containment and eradication, the team restores files from offline backups. Before allowing access, they verify the integrity of the restored data, re-image affected endpoints, and reset credentials across administrative accounts. They also bring in a third-party firm to validate that no command-and-control channels remain active. Only then do they reconnect systems to the main network and resume normal operations.
Recovery isn’t just about the technology—it also includes people and process. Passwords should be changed, users retrained, and policies reviewed. If an incident exposed gaps in procedures, those issues should be addressed before systems are fully returned to service.
Monitoring is critical during the recovery phase. Just because the threat appears to be gone doesn’t mean it is. Security teams should continue watching affected systems, reviewing logs, and analyzing behavior for at least several days—if not weeks—after recovery. This is especially important in cases involving advanced persistent threats, which may attempt to reestablish access or hide their activity.
Recovery also provides a final opportunity to evaluate the incident response process itself. What went well? What could have been faster or clearer? Were there gaps in tooling, communication, or authority? These questions help teams improve and mature their response plans over time.
To summarize, containment, eradication, and recovery form the final steps in effective incident response. Containment limits the impact and prevents the threat from spreading. Eradication ensures that the threat is removed completely and that vulnerabilities are closed. Recovery restores systems to normal, reinforces trust, and prepares the organization to emerge stronger and more resilient.
For the Security Plus exam, expect questions about how to isolate systems, when to wipe or rebuild machines, and how to monitor systems after recovery. You may be asked to identify which phase a particular task belongs to or evaluate the effectiveness of a given response strategy. Review terms like endpoint quarantine, known-good image, system revalidation, ransomware rollback, and post-recovery monitoring—they’re all relevant to this domain and commonly tested.
To explore more podcast episodes, download study tools, or subscribe to our free newsletter, visit us at Bare Metal Cyber dot com. And when you're ready to pass the exam with confidence, head over to Cyber Author dot me and get your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success. It’s the most complete and focused resource available to help you master every domain and earn your certification.
