When you need to contain a compromised production server while preserving forensic data, what should you do first?

Multiple Choice

Explanation:
Containment while preserving forensic data starts with isolating the affected host in a way that stops attacker activity without destroying evidence. Quarantining the compromised asset through the EDR integration does exactly that: it immediately separates the machine from the network, halts suspicious processes, and prevents data exfiltration, while keeping the current state, logs, and volatile data intact for later forensic analysis. This preserves memory and disk evidence and maintains the chain of custody, which is essential for understanding how the breach occurred and what actions the attacker took. Deploying patches and rebooting would modify the system and could erase volatile data or other artifacts needed for a solid investigation. Relying on firewall blocks or external intel enrichment doesn’t directly isolate the host or preserve its forensic data in a reliable, repeatable way. So, the best first step is to quarantine the compromised asset with the EDR tool.
