Contain Active Breaches
When prevention fails, containment must be physical, immediate and provable.
Live incident containment and recovery
Financial services, Energy, Public sector, Defence
How CP-02 contains a live incident.
A FIRE-led pattern for live containment. Affected zones are severed at the conduit; recovery zones are reached only through an authorised Execute event.
Grounded in NIST CSF RS.MI-1, IEC 62443-3-3 FR 6 and the CISA Incident Response Playbook.
Affected zone
Where the live incident is unfolding
Severed on alert. Blast radius bounded.
Unaffected production
Operational zones still running
Reach into forensic and recovery only as an approved event.
Forensic and recovery zone
Where evidence is held and recovery is staged
Crown jewels · detail callout
Sealed evidence and recovery vault
Logs, snapshots and golden images sealed offline for the incident response and any later investigation.
Modules & symbols
Modules in this Blueprint
How the CP-02 pattern composes.
Firebreak disconnects the exposed path. Isolate contains the breach area. Execute allows immediate action during a live incident. Archive preserves logs, evidence and recovery points while Lock protects what remains as recovery begins.
Related Blueprints
Compose alongside.
Stop Kill-Chain Ransomware
Stop ransomware moving, spreading or reaching the crown jewels.
Enforce Physical Segmentation
Segmentation should not just be logical. It should be physically enforceable.
Control Third-Party Access
Give third parties access without giving them a permanent doorway.

