How to Contain an Incident


This document and video will define breakout time and a challenge for companies to quickly detect, understand and eradicate incidents in their environment to avoid a breach.



  • Subscription: Falcon Insight
  • Hosts:
    • Powershell: 3.0 or later is recommended; at least 2.0 is required. PowerShell constrained language mode must not be enabled.
    • .NET Framework: 4.5 or later is recommended; at least 3.5 is required
    • Falcon sensor for Windows version 4.5.6806 or later
    • Network access: a host must be online for you to connect to it. You can connect to a host when it’s been network contained.
  • User Role: You must have the Real Time Responder role to connect to a host. The Falcon Host Administrator role does not include access to real time response. You must assign the role “Real Time Responder” to each user that you want to have access to real time response.

Breakout Time

The 2018 Global Threat Report included our latest findings around the timing of an outbreak. On average, the time between initial access and the first lateral movement is 1 hour and 58 minutes.  We call that Breakout Time.

network contain - breakout time


The 1-10-60 Challenge

The resulting challenge is to get ahead of the adversary and identify an any incidents before they become full scale breaches. That means detecting the threat, understanding it, and then eliminating it. By doing that in under 1 hour and 58 minutes, you can stop an attack before it spreads and causes real damage. Organizations need to hone tools and processes to be able to regularly achieve that goal.

By setting goals to detect incidents in under 1 minute, understand events within 10 minutes and eradicate threats within 60 minutes, we can prepare ourselves to beat the 1 hour and 58 minute mark with time to spare.

Falcon Insight Capabilities

CrowdStrike’s Falcon Insight offers a complete EDR solution providing the information, context and tools necessary for fast, effective incident response.


CrowdStrike’s single, lightweight endpoint agent communicates full event details to the cloud platform in real time. Fueled with that event data, the CrowdStrike UI provides a dashboard view with immediate visibility into the newest detections, malware incidents by host and malware incidents by user. Having awareness of the newest events within 1 minute is critical to meeting the breakout time challenge.

network contain - detections dashboard


Looking into a specific event, CrowdStrike provides unparalleled context including the full event details, the parent processes, full command file details, and prevalence – all in the context of the MITRE framework.  This level of insight helps you understand the event within 10 minutes so that you take quick, decisive remediation action.

network contain - detections


Falcon Insight offers all of the information and tools needed to protect your environment and remediate impacted systems.

Network Containment helps ensure that impacted systems are unable to communicate with outside systems or risk lateral movement.

network contain

Real Time Response makes it possible to remotely remediate systems using the command below while minimizing the costs of downtime and lost productivity.

  • Navigate the file system, upload or delete files, and perform many file system operations
  • List running processes and kill processes
  • Retrieve memory dumps, event logs, or any other files
  • Show network connections
  • Query, create, or modify registry keys

network contain - Connect to host

network contain - real time response


CrowdStrike’s Falcon Insight provides incident responders with a complete EDR solution that equips them with complete and timely data. By quickly detecting, understanding and remediating incidents, your organization can get ahead of breakout time and prevent an incident from becoming a breach.  

More resources

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial