Glossary
Host Isolation (Network Containment, Host Containment, Machine Isolation)
Host isolation is the practice of cutting a compromised endpoint off from the network, typically by blocking all inbound and outbound traffic except the control channel to the EDR platform, so the threat cannot move laterally, exfiltrate data, or beacon to its command-and-control while the investigation continues. Modern EDR platforms expose host isolation as a single API call, which is what the one-click console button and any response tooling built on top of it invoke.
In depth
Host isolation is intentionally aggressive: it disconnects the user, breaks their applications, and signals clearly that the system is under investigation. It is the right call when you have credible evidence that an endpoint is actively compromised. It is the wrong call when you're not sure; in that case, collect triage data and keep watching rather than cutting the user off. Keep in mind what isolation does not do: it is a network-level control, so code already running on the host (ransomware mid-encryption, a credential dumper) keeps running until you remediate it. Isolation buys time for that work; it is not the remediation itself.
CrowdStrike Falcon calls this network containment; Microsoft Defender for Endpoint calls it machine (device) isolation. Functionally they are similar. Both platforms keep the sensor's own channel to the cloud open through the isolation so the responder can continue to investigate live, and both have a matching action to release the host afterwards (lift containment, release from isolation). The knobs differ slightly: Falcon containment can allow traffic to a policy-defined list of IP addresses, while Defender offers a Full isolation and a Selective one that also leaves Outlook, Teams, and Skype for Business reachable so the user can still be contacted. Every isolation call in Defender carries a mandatory comment that lands in the audit trail; make it meaningful, because it is what the next responder reads.
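The following is an added example, not PocketSOC's code or either vendor's SDK. It builds the isolation and release calls for both platforms using the REST paths each vendor documents (Falcon's `devices-actions/v2` with `action_name=contain`, Defender's `/api/machines/{id}/isolate`), and puts a policy gate in front of them that mirrors the "right call / wrong call" advice above: isolation is only requested when severity and confidence are high and a human has confirmed. The base URLs, the already-obtained bearer tokens, the `Detection` record and the injected `send` transport are assumptions so the module runs offline.

```python
"""Gate and build host-isolation calls for CrowdStrike Falcon and Microsoft
Defender for Endpoint.  Added example for this glossary entry, not PocketSOC
or vendor code.  REST paths are the vendors' documented ones; base URLs,
tokens, the Detection record and the `send` callable are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

FALCON_BASE = "https://api.crowdstrike.com"            # assumption: US-1 cloud
MDE_BASE = "https://api.securitycenter.microsoft.com"  # assumption: commercial cloud


@dataclass(frozen=True)
class HostAction:
    """One HTTP call to an EDR response API, ready for a transport to send."""
    platform: str
    method: str
    url: str
    headers: dict
    body: dict


def falcon_contain(aid: str, token: str, lift: bool = False) -> HostAction:
    """Falcon network containment (or lifting it) for one agent ID (aid).
    The action name is a query parameter; host IDs travel in the JSON body."""
    action = "lift_containment" if lift else "contain"
    return HostAction(
        platform="falcon", method="POST",
        url=f"{FALCON_BASE}/devices/entities/devices-actions/v2?action_name={action}",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        body={"ids": [aid]},
    )


def mde_isolate(machine_id: str, token: str, comment: str,
                selective: bool = False, lift: bool = False) -> HostAction:
    """Defender machine isolation (or release).  'Full' blocks everything but
    the sensor channel; 'Selective' also keeps Outlook/Teams/Skype reachable.
    A Comment is required on every call and is written to the audit trail."""
    path = "unisolate" if lift else "isolate"
    body = {"Comment": comment}
    if not lift:
        body["IsolationType"] = "Selective" if selective else "Full"
    return HostAction(
        platform="mde", method="POST",
        url=f"{MDE_BASE}/api/machines/{machine_id}/{path}",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        body=body,
    )


@dataclass(frozen=True)
class Detection:
    """Constructed triage record; the field names are an assumption."""
    host_id: str
    severity: str           # "low" | "medium" | "high" | "critical"
    confidence: int         # 0-100
    analyst_confirmed: bool


def should_isolate(d: Detection, min_severity: str = "high",
                   min_confidence: int = 80) -> Tuple[bool, str]:
    """Policy gate: isolation is disruptive, so require severity, confidence
    AND explicit human confirmation.  Returns (decision, reason)."""
    order = ["low", "medium", "high", "critical"]
    if order.index(d.severity) < order.index(min_severity):
        return False, f"severity {d.severity} below {min_severity}; keep monitoring"
    if d.confidence < min_confidence:
        return False, f"confidence {d.confidence} below {min_confidence}; triage first"
    if not d.analyst_confirmed:
        return False, "no analyst confirmation; refusing to auto-isolate"
    return True, "credible active compromise confirmed"


def respond(d: Detection, platform: str, token: str,
            send: Callable[[HostAction], dict],
            comment: str = "Isolated during active incident response") -> Optional[dict]:
    """Decide, build the platform-specific call, hand it to `send`.
    `send` is injected so dry runs and tests never touch a real API."""
    ok, _reason = should_isolate(d)
    if not ok:
        return None
    if platform == "falcon":
        action = falcon_contain(d.host_id, token)
    elif platform == "mde":
        action = mde_isolate(d.host_id, token, comment)
    else:
        raise ValueError(f"unknown platform {platform!r}")
    return send(action)


def dry_run(action: HostAction) -> dict:
    """Stand-in transport: records the call instead of making it."""
    return {"sent": False, "method": action.method,
            "url": action.url, "body": action.body}


if __name__ == "__main__":
    # Constructed detection: confirmed critical hit on Falcon aid "a1b2c3".
    det = Detection("a1b2c3", "critical", 95, analyst_confirmed=True)
    print(respond(det, "falcon", "TOKEN", dry_run))
    print(should_isolate(Detection("a1b2c3", "critical", 95, False)))
```

In production, replace `dry_run` with a function that performs the HTTP request and, for Defender, polls the returned machine action until its status is `Succeeded`; containment is asynchronous on both platforms, and the call returning 200 only means the request was accepted, not that the host is offline yet.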
Host Isolation and PocketSOC
PocketSOC supports host isolation on both CrowdStrike Falcon and Microsoft Defender for Endpoint. Every isolation action requires biometric authentication plus an explicit confirmation prompt — see the host containment use case for the full mobile workflow.
Related terms
EDR →
Endpoint Detection and Response (EDR) is a category of security software that continuously monitors endpoints — laptops, servers, and workstations — for malicious activity.
Incident Response →
Incident response (IR) is the structured process of preparing for, detecting, containing, eradicating, recovering from, and learning from security incidents.
SOC →
A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.