Breach Containment

Firewalls, antivirus and training lower the likelihood of a successful attack. They do not bring it down to zero. A single convincing phishing email or an unpatched vulnerability is enough, and an attacker is inside the network. The decisive question is then: how far do they get from there? In flat networks the answer is uncomfortable, because a single compromised machine opens the way to servers, databases and backups. Breach containment starts precisely at this point. The approach accepts that compromises occur and ensures that an infected system does not turn into a network-wide outage.

What is breach containment?

Breach containment describes the architecture and measures that spatially confine a successful intrusion. The term follows the assume-breach principle: those responsible for security plan as if an attacker were already in the network. From this perspective, the focus shifts from pure prevention at the outer boundary towards controlling movement on the inside.

The most important tool for this is segmentation. It divides the network into small, mutually isolated zones whose communication is governed by policies. With ringfencing, this idea is sharpened around individual critical applications: a tight protective ring is created around an ERP system, a production control system or the backup environment, permitting only the connections documented as necessary. Everything else is blocked, regardless of where the request originates.

How it works

Effective containment arises from several building blocks that build on one another:

  • Establish visibility: At the beginning stands a map of all communication relationships between systems. Only those who know which connections operations actually need can deliberately shut down the rest.
  • Define segments: Applications and systems are grouped by function and criticality. Restrictive rules apply between the segments following the least-privilege principle: what is demonstrably needed is permitted.
  • Ringfence critical systems: Crown jewels such as directory services, backups and central databases receive their own, particularly tight protective rings. Backups in particular determine recoverability after a ransomware attack.
  • Prepare emergency switches: For an emergency, blocking rules are ready that can be activated immediately, such as the isolation of a site or of an entire environment. Containment thereby moves from hours of manual work to a single decision.
  • Continuously refine: Networks change constantly. New applications, cloud workloads and interfaces are continually incorporated into the rule sets so that containment stays effective.

Why it matters

  • Prevention alone is not enough: credentials get stolen, zero-day gaps exist before any patch. Containment works even when the upstream defence fails.
  • The damage depends on the radius: whether ransomware encrypts a handful of systems or entire sites determines how long recovery takes. Containment limits this radius before the attack happens.
  • Lateral movement is the core problem: attackers rarely land directly on the target. They work their way from an inconspicuous entry point to the valuable systems. Segmentation severs precisely these paths.
  • Regulation demands limitation: NIS2 and DORA require operations to be maintained even during an incident. Demonstrable containment capability is a central building block for this.
  • Insurability improves: cyber insurers assess the risk of spread in the network. Those who can demonstrate containment negotiate from a better position.

Typical scenarios

The standard scenario is ransomware. An attacker compromises a workstation via phishing and then tries to reach servers and backups. In a segmented network, this path ends at the next zone boundary. In the worst case, the segment of the entry point is encrypted, and the rest of the company keeps working.

A second scenario is compromised service provider access. Remote maintenance access from suppliers is a popular gateway because it is often granted broader permissions than necessary. Ringfencing ensures that external access reaches only the systems for which it was set up.

Legacy systems benefit too. A production machine with an outdated operating system often can neither be patched nor replaced. In a tight segment, its vulnerability does remain, but it becomes practically unreachable for attackers.

Breach containment and incident response: the difference

Incident response is the overall process for dealing with an incident: from detection through analysis and containment to recovery and follow-up. Within it, breach containment is a building block with a special quality: it takes effect before people react. While the incident response team is being alerted and assessing the situation, a segmented architecture has already slowed the spread. Containment is the structural precaution, incident response is the organised action in the event. The two are strongest together: the architecture buys the team time, and the team uses the existing control points for the targeted isolation of affected areas.

Working with KAEMI

KAEMI implements breach containment as a managed service. At its core is microsegmentation based on Illumio: it first makes all communication relationships in the network visible and then enforces policies that prevent lateral movement, from ringfencing critical applications to prepared emergency isolation. In addition, SASE/SSE secures access by users and sites so that compromised endpoints or accounts do not gain broad network access in the first place. If you want to know how far an attacker would get in your network today, talk to us via our contact form .

Frequently asked questions about Breach Containment

What does assume breach mean in concrete terms?

Assume breach is a planning attitude: security measures are designed as if an attacker already had a foot in the network. Practical consequences follow from this, such as strict internal access rules, segmentation between systems and monitoring of internal traffic. The approach does not replace prevention; it supplements it with the question of limiting the damage.

What is ringfencing?

Ringfencing places a tight protective ring around a single critical application or environment, such as the ERP system or the backup infrastructure. Only the connections documented as necessary to defined endpoints are permitted. Even an attacker who is already moving through the network thereby finds no open path to the company's most important systems.

Does breach containment replace classic prevention?

No. Firewalls, patch management and awareness remain necessary because they reduce the number of incidents. Containment takes over where prevention ends: with the attack that gets through anyway. The two levels together form a layered defence in which a single error no longer triggers a total failure.

How quickly does breach containment work in an emergency?

Immediately, that is the central advantage. Segmentation rules apply permanently and slow an attacker down in the very first minutes, while people are still being alerted. Prepared emergency rules then tighten the isolation at the push of a button, for example by sealing off a site. The response time thereby drops from hours of manual work to a single decision.

Where is the best place for a company to start with breach containment?

With visibility: an analysis of the real communication relationships shows which systems talk to each other and which connections no one can explain any more. This is followed by ringfencing the most critical applications, typically backups and central directory services. This starting point delivers a quick gain in protection without endangering ongoing operations, and it can be expanded step by step.

From term to implementation: KAEMI supports you from the first assessment to day-to-day operations.