Containment Incident Response
RCCE students will learn incident containment strategies including network isolation, account suspension, system quarantine, and threat neutralization during active security incidents. RCCE students will learn to make rapid containment decisions that balance security with business continuity, implement network-level containment using firewall rules and VLAN isolation, execute host-level containment through endpoint isolation and process termination, contain compromised accounts through credential reset and session revocation, document containment actions for forensic and legal purposes, and coordinate containment activities across distributed teams and environments. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Starting from foundational concepts, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Containment Incident Response
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for learning objectives
- Execute hands-on tasks for containment decisions — covering Make rapid containment decisions.
- Execute hands-on tasks for network containment — covering firewall rule containment.
- Execute hands-on tasks for host-level containment — covering Isolate compromised endpoints.
- Execute hands-on tasks for account & documentation — covering Reset credentials and revoke sessions.
- Execute hands-on tasks for where containment fits — covering Third phase of IR lifecycle, Bridge between detection and eradication, Time-critical decisions under pressure.
- Execute hands-on tasks for third phase of ir lifecycle — covering Bridge between detection and eradication, Time-critical decisions under pressure, Sets conditions for forensic analysis.
- Execute hands-on tasks for why containment matters — covering Limits blast radius of incidents.
- Execute hands-on tasks for containment strategy fundamentals
- Execute hands-on tasks for short-term containment
| Module 01 | Containment Incident Response |
| Module 02 | Learning Objectives |
| Module 03 | Containment Decisions |
| Module 04 | Network Containment |
| Module 05 | Host-Level Containment |
| Module 06 | Account & Documentation |
| Module 07 | Incident Response Lifecycle |
| Module 08 | Where Containment Fits |
| Module 09 | Third phase of IR lifecycle |
| Module 10 | Why Containment Matters |
| Module 11 | Containment Strategy Fundamentals |
| Module 12 | Short-Term Containment |
| Module 13 | Long-Term Containment |
| Module 14 | Reactive Containment |
All hands-on labs run on Rocheston Rose X OS. Students practice containment incident response by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Build detections and response workflows for privilege escalation
- Lab 2: Execute hands-on tasks for learning objectives
- Lab 3: Execute hands-on tasks for containment decisions
- Lab 4: Execute hands-on tasks for network containment
- Lab 5: Execute hands-on tasks for host-level containment
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Containment Incident Response, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI