Cisco Rapid Threat Containment

Detect, Analyze, and Stop Threats

Quickly and automatically remove infected endpoints.

The Threat Landscape Continues to Evolve – Your Environment Must as Well

Malware is increasing in sophistication, stealth, and speed. And the proliferation of lightly protected IoT (Internet of Things) endpoints is expanding the attack surface. These conditions are challenging security teams to mitigate risks before, during, and after attacks.

Many organizations can already detect anomalies. So adversaries are developing malware to evade detection and to move quickly to steal valuable data. Detecting and stopping threats has thus become a "beat the clock" operation for IT, security, and incident response teams.

Cisco Rapid Threat Containment Detects and Automatically Stops Flagrant Threats

The Cisco Rapid Threat Containment solution integrates Cisco ISE with its security technology partners, drawn from a broad variety of technology areas, to take network mitigation and investigation actions in response to security events. All of these systems use Cisco pxGrid, which acts as a highly scalable IT clearinghouse that lets multiple security tools communicate with each other automatically and in real time. Through pxGrid, Cisco ISE provides a wealth of user identity, endpoint device, and network information that is useful to its technology partners. In turn, these partner platforms can alert Cisco ISE to execute actions on users and devices, such as quarantine, investigation, and blocking access.

One primary use case combines the capabilities of the Cisco FireSIGHT Management Center (FMC) and Cisco Identity Services Engine (ISE). When a severe threat or indicator of compromise is detected, FMC alerts ISE to contain the compromised endpoints. ISE then automatically pushes an enforcement instruction to a router, switch, firewall, and wireless controller. While contained, the suspicious endpoint can be investigated and, if necessary, remediated. Afterward, FMC can alert ISE to restore the endpoint to its former access policy. This process ensures that your network security risk is minimized automatically the moment a threat is detected.

The power of this solution isn’t limited to one single integration. There is an entire ecosystem of Cisco and third-party products that can alert ISE to dynamically change policy. For example, StealthWatch by Lancope, now part of Cisco, can also alert ISE when it discovers compromised endpoints based on the Cisco IOS NetFlow data it monitors.

You Can Use The Network as an Enforcer

Policy enforcement is carried out in a number of ways.

Cisco TrustSec Technology

Software-defined segmentation is the most effective way to contain infected endpoints. Enforcement can take place at the network access switch or at the controller that the infected endpoint is connected to. Or enforcement can be done at a downstream device such as a Cisco Adaptive Security Appliance (ASA), Cisco Web Security Appliance, or data center switch.

Downloadable Access Control List (dACL)

ISE can push a dACL or named ACL to a switch or controller to block or contain a device at the switch or wireless controller.


ISE can force an infected device to a quarantine VLAN.

Solution Support

The Rapid Threat Containment solution is supported by Cisco customer service. And the pxGrid How-To Guides help you implement the correct design and operation of this solution.

Next Steps

For more details on Cisco Rapid Threat Containment, please contact your local Cisco sales representative or Cisco Partner.