Use Case
Isolate a compromised host from your phone — with biometric confirmation.
Host containment is the act of network-isolating a compromised endpoint so it cannot continue to spread, exfiltrate, or beacon out. PocketSOC enables host containment from a mobile device using vendor-native isolation APIs (CrowdStrike Falcon network containment, Microsoft Defender for Endpoint machine isolation). Both vendors keep their own sensor-to-cloud channel open while a host is contained, so the host remains investigable and the action can be reversed from the same console. Every containment action requires biometric authentication plus explicit confirmation, and that confirmation is bound to the specific host, vendor, and action shown in the prompt; there is no swipe-to-isolate by accident.
The problem
A real intrusion is in progress on a developer laptop. The host is beaconing out, the EDR is screaming, and the responder is on a bus. Containment cannot wait for the responder to get to a desk — every minute the host stays online is more lateral movement, more credential theft, more exfiltration. But containment is a high-impact action that needs a confirmation step strong enough to survive a misplaced thumb.
The PocketSOC workflow
- Open the detection in PocketSOC and confirm the affected host is genuinely compromised
- Tap "Isolate Host"
- Authenticate with Face ID, Touch ID, or device passcode
- Read the explicit confirmation prompt (host name, vendor, action), check that the host name matches the detection you triaged, and confirm
- PocketSOC issues the vendor isolation API call and confirms success
- Notify your team; the action is logged in the vendor audit trail and in PocketSOC
- Once the investigation closes, repeat the flow to lift isolation (Defender "unisolate", CrowdStrike "lift containment")
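The shape of the vendor calls behind steps 4 to 7, as an added example that is not PocketSOC's code. The endpoint paths and body fields are the public Defender for Endpoint machine-action and CrowdStrike Hosts API shapes; the `IsolationRequest` type, the vendor strings, the confirmation-token scheme, and the host IDs, tokens and comments are constructed for illustration. The point it adds to the text: the confirmation the responder gives is tied to exactly what the prompt showed (host, vendor, action), so a confirmation gathered for one host, or for a release, cannot be replayed to isolate another.

```python
"""Added example (not PocketSOC code): build vendor-native host isolation
requests behind an explicit-confirmation gate and record an audit entry.
Endpoint paths and body fields follow the public Defender for Endpoint and
CrowdStrike Hosts API; host IDs, tokens, names and comments are constructed."""
import hashlib
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

DEFENDER_BASE = "https://api.securitycenter.microsoft.com/api"
FALCON_BASE = "https://api.crowdstrike.com"


@dataclass(frozen=True)
class IsolationRequest:
    vendor: str      # "defender" | "crowdstrike" (hypothetical labels)
    action: str      # "isolate" | "release"
    host_name: str   # what the responder sees in the confirmation prompt
    method: str
    url: str
    headers: Dict[str, str]
    body: Dict


def build_request(vendor: str, action: str, host_id: str, host_name: str,
                  token: str, comment: str) -> IsolationRequest:
    """Translate a generic isolate/release decision into the vendor's call."""
    if action not in ("isolate", "release"):
        raise ValueError(f"unsupported action {action!r}")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    if vendor == "defender":
        # Defender: POST /machines/{id}/isolate or /unisolate. Comment is
        # required on both; IsolationType is "Full" or "Selective" on isolate.
        path = "isolate" if action == "isolate" else "unisolate"
        body = {"Comment": comment}
        if action == "isolate":
            body["IsolationType"] = "Full"
        url = f"{DEFENDER_BASE}/machines/{host_id}/{path}"
    elif vendor == "crowdstrike":
        # CrowdStrike Hosts API: one endpoint, action chosen by query string;
        # "contain" applies network containment, "lift_containment" removes it.
        name = "contain" if action == "isolate" else "lift_containment"
        body = {"ids": [host_id]}
        url = f"{FALCON_BASE}/devices/entities/devices-actions/v2?action_name={name}"
    else:
        raise ValueError(f"unsupported vendor {vendor!r}")
    return IsolationRequest(vendor, action, host_name, "POST", url, headers, body)


def confirmation_token(req: IsolationRequest) -> str:
    """Digest of exactly what the prompt shows: vendor, action, host name.
    The UI derives this from the prompt it rendered and the caller must hand
    back the same value, so a confirmation for a different host, or for a
    release, cannot be replayed to isolate this one."""
    shown = f"{req.vendor}|{req.action}|{req.host_name}"
    return hashlib.sha256(shown.encode()).hexdigest()[:16]


def send_http(req: IsolationRequest) -> int:
    """Real sender: issues the request and returns the HTTP status code
    (urlopen raises HTTPError for 4xx/5xx, so only successes return here)."""
    data = json.dumps(req.body).encode()
    http_req = urllib.request.Request(req.url, data=data, headers=req.headers,
                                      method=req.method)
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return resp.status


def execute(req: IsolationRequest, confirmed: str, audit: List[Dict],
            send: Callable[[IsolationRequest], int] = send_http) -> bool:
    """Gate: send only if the confirmation matches this exact request.
    Every attempt, refused or sent, lands in the local audit list; the vendor
    records the action in its own audit trail on its side."""
    entry = {"vendor": req.vendor, "action": req.action, "host": req.host_name}
    if confirmed != confirmation_token(req):
        audit.append({**entry, "result": "refused: confirmation mismatch"})
        return False
    status = send(req)
    ok = status in (200, 201, 202)   # Defender answers 201, Falcon 202
    audit.append({**entry, "result": f"http {status}"})
    return ok
```

In use, the caller builds the request first, renders the prompt from the same `IsolationRequest`, gathers biometric approval, then passes the token derived from that rendered prompt into `execute`; the `send` parameter exists so the gate can be exercised without touching a live tenant.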
Outcomes
- Time-to-containment in seconds instead of the minutes it takes to get to a console
- Biometric authentication plus a host-specific confirmation prevents accidental isolation
- Full audit trail in CrowdStrike / Defender / PocketSOC; actions remain attributable to the responder who confirmed them
- Same flow whether you're on a laptop, a phone, or a tablet; no separate playbook needed
Supported vendors for this workflow
- CrowdStrike Falcon
- Microsoft Defender for Endpoint