Chapter Abstract:
This chapter focuses on the coverage of CySA+ Domain 4.0: Incident Response with a detailed look at the final two phases of incident response: Containment, Eradication, and Recovery, and Postincident Activity. The Containment, Eradication, and Recovery phase of incident response moves the organization from the primarily passive incident response activities that take place during the Detection and Analysis phase to more active undertakings. Cybersecurity analysts often use network segmentation as a proactive strategy to prevent the spread of future security incidents. Cybersecurity analysts may instead decide that it is necessary to use stronger isolation practices to cut off an attack. Two primary isolation techniques may be used during a cybersecurity incident response effort: isolating affected systems and isolating the attacker. Removal of compromised systems from the network is the strongest containment technique in the cybersecurity analyst's incident response toolkit.
Page(s): 487 - 510
Copyright Year: 2020
Edition: 2