A quarantine control isolates a compromised workload or account so it cannot continue communicating normally while investigation proceeds. Effective quarantine reduces blast radius, but it must preserve enough controlled access for forensic review, remediation, and operational continuity.
Expanded Definition
Quarantine control is a containment measure used after an account, workload, endpoint, or service has shown signs of compromise, suspicious behavior, or policy violation. It is more specific than ordinary access restriction because the goal is not just to reduce permissions, but to isolate the subject so normal communications, trust relationships, and lateral movement paths are disrupted while investigation continues. In practice, quarantine can mean network segmentation, identity suspension, token revocation, workload isolation, or a combination of these actions depending on the asset type and the response model. In security operations, the term is often used alongside incident response, and its scope may overlap with NIST Cybersecurity Framework 2.0 containment and recovery outcomes, though no single standard dictates one universal quarantine workflow. Definitions vary across vendors and platforms because some tools quarantine at the endpoint layer while others act at the identity, network, or cloud control-plane layer.
The most common misapplication is treating quarantine as a full shutdown, which occurs when responders remove all access before preserving the evidence and controlled channels needed for analysis.
Examples and Use Cases
Implementing quarantine control rigorously often introduces operational friction, requiring organisations to weigh rapid containment against the need to keep just enough access for triage, evidence capture, and business continuity.
- An EDR platform isolates a laptop that is beaconing to a suspicious domain, while still allowing the responder to collect memory, disk, and process telemetry for analysis.
- A cloud security team quarantines a compromised VM by moving it into a restricted network segment, blocking east-west traffic while preserving console access for remediation.
- An identity team suspends an API key or service account after abnormal privilege use, then keeps the account in a controlled state long enough to review audit logs and confirm scope.
- A SOC temporarily quarantines a container workload that is attempting unauthorized outbound connections, using policy-based network controls to prevent spread across the cluster.
- Incident responders place a user session under constrained access rather than immediate deletion, allowing NIST Cybersecurity Framework 2.0 aligned recovery actions to proceed without losing context.
Why It Matters for Security Teams
Quarantine control matters because it gives defenders a middle ground between inaction and destructive response. Without it, teams either leave a suspected compromise free to spread or cut access so aggressively that they lose visibility, evidence, and the ability to restore operations safely. That tradeoff is especially important in environments where workloads, service identities, and automation credentials are tightly interconnected. A quarantined non-human identity can stop unauthorized tool use while still preserving the audit trail needed to determine whether the issue came from secret exposure, excessive privilege, or malicious automation. In identity-led incidents, the control can also support coordinated response across IAM, PAM, and cloud operations by limiting the subject’s reach without destroying the context needed for root-cause analysis. The containment decision should be reversible, logged, and tied to clear criteria for exit from quarantine, because overuse can create outages just as surely as underuse can create breaches. Security teams often realise quarantine was necessary only after the compromise has already spread, at which point controlled isolation becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | RS.MA | Response and mitigation outcomes cover containment actions like quarantine. |
| NIST SP 800-53 Rev 5 | SI-4 | System monitoring supports detection that triggers quarantine decisions. |
| NIST SP 800-63 | Identity assurance helps determine when account quarantine is warranted. | |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero Trust segmentation aligns with isolating compromised subjects. |
| OWASP Non-Human Identity Top 10 | NHI guidance highlights isolating compromised machine identities and secrets. |
Pair quarantine with monitoring so suspicious activity is isolated promptly and recorded.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org