Containment stops an incident from spreading — isolating affected systems while preserving evidence for forensics. Short-term (immediate isolation) vs. long-term (rebuild).
Don't immediately reimage — preserve forensic evidence first (memory dump, logs). Balance containment vs. business continuity. Isolate, don't power off unless necessary (powering off loses RAM evidence).