Which step of incident handling focuses on limiting the scope of an incident?

The step that focuses on limiting the scope of an incident is containment. During the containment phase, the primary goal is to prevent further damage and stop the incident from spreading. This may involve isolating systems, blocking malicious traffic, or applying temporary patches. By effectively containing the incident, incident handlers can minimize impact on the organization, protect sensitive data, and maintain essential services while further investigation and eradication efforts are planned.

Containment is crucial because it helps to stabilize the situation before moving on to later phases such as eradication, where the root cause of the incident is addressed, and recovery, where normal operations are restored. The containment step is often initiated quickly after identification to ensure that the incident is controlled and does not escalate, helping to safeguard the organization's assets.