Microsoft Defender can now automatically isolate hacked endpoints
Microsoft is piloting a new automated containment capability within Defender for Endpoint that immediately isolates compromised endpoints upon detection of suspicious activity. The feature aims to shut down lateral movement attempts before attackers can pivot from an initial foothold to other systems on the network. Automatic isolation reduces the window between detection and response, which is critical given that attackers can move laterally in minutes. This enhancement addresses a longstanding pain point for SOC teams that struggle with alert fatigue and delayed manual containment actions, especially in large enterprise environments where every second counts during an active intrusion.
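The summary above describes the defensive idea (isolate on detection, before lateral movement) without showing what the decision logic behind such automation has to handle: confidence thresholds, devices that must never be cut off automatically, and de-duplication so a flood of alerts for one host yields one action rather than many. The following is an added example written for this page, not Microsoft's code and not a description of how Defender for Endpoint implements the feature. The alert field names, the policy values and the device roles are constructed for illustration; the request shape in `build_isolation_request` follows my understanding of the public Defender for Endpoint machine-isolation API (POST `/api/machines/{id}/isolate` with `Comment` and `IsolationType`) and should be checked against current documentation before use.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Severity levels in the order Defender for Endpoint reports them.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Alert:
    """Minimal view of an endpoint alert. Field names are illustrative, not a product schema."""
    alert_id: str
    machine_id: str
    severity: str      # key of SEVERITY_RANK
    category: str      # e.g. "LateralMovement", "CredentialAccess", "Execution"
    confidence: int    # 0-100 analytic confidence (hypothetical field)
    device_role: str   # "workstation", "server" or "domain-controller" (from asset inventory)


@dataclass(frozen=True)
class ContainmentPolicy:
    """Guardrails deciding when automation may isolate a device with no analyst in the loop."""
    min_severity: str = "High"
    min_confidence: int = 80
    auto_isolate_categories: frozenset = frozenset({"LateralMovement", "CredentialAccess"})
    never_auto_isolate_roles: frozenset = frozenset({"domain-controller"})
    selective_isolation_roles: frozenset = frozenset({"server"})


def build_isolation_request(alert: Alert, isolation_type: str) -> Dict[str, object]:
    """Build (but do not send) the isolation call.

    Assumption: the shape follows the public Defender for Endpoint machine-isolation
    API (POST /api/machines/{id}/isolate with Comment and IsolationType). Verify
    against current documentation before relying on it.
    """
    return {
        "method": "POST",
        "url": f"https://api.securitycenter.microsoft.com/api/machines/{alert.machine_id}/isolate",
        "body": {
            "Comment": f"Automated containment for alert {alert.alert_id} ({alert.category})",
            # "Full" cuts all network traffic except to the Defender service;
            # "Selective" keeps a few Microsoft collaboration apps reachable.
            "IsolationType": isolation_type,
        },
    }


class ContainmentEngine:
    """Applies the policy to a stream of alerts and records the resulting isolation requests."""

    def __init__(self, policy: ContainmentPolicy) -> None:
        self.policy = policy
        self.isolated: Set[str] = set()
        self.requests: List[Dict[str, object]] = []

    def decide(self, alert: Alert) -> str:
        """Return 'isolate-full', 'isolate-selective', 'escalate', 'log' or 'already-contained'."""
        p = self.policy
        rank = SEVERITY_RANK[alert.severity]
        if alert.machine_id in self.isolated:
            return "already-contained"   # de-duplicate: one action per device, not per alert
        if rank < SEVERITY_RANK["Medium"]:
            return "log"                 # below the human-attention threshold
        if alert.device_role in p.never_auto_isolate_roles:
            return "escalate"            # isolating a domain controller is an outage; a human decides
        if (rank >= SEVERITY_RANK[p.min_severity]
                and alert.confidence >= p.min_confidence
                and alert.category in p.auto_isolate_categories):
            if alert.device_role in p.selective_isolation_roles:
                return "isolate-selective"
            return "isolate-full"
        return "escalate"                # noteworthy, but not confident enough to act alone

    def handle(self, alert: Alert) -> str:
        decision = self.decide(alert)
        if decision.startswith("isolate-"):
            isolation_type = "Selective" if decision == "isolate-selective" else "Full"
            self.requests.append(build_isolation_request(alert, isolation_type))
            self.isolated.add(alert.machine_id)
        return decision


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    Alert("a1", "ws-01", "High", "LateralMovement", 95, "workstation"),
    Alert("a2", "srv-07", "High", "CredentialAccess", 90, "server"),
    Alert("a3", "dc-01", "High", "LateralMovement", 99, "domain-controller"),
    Alert("a4", "ws-02", "Medium", "Execution", 60, "workstation"),
    Alert("a5", "ws-03", "Low", "Execution", 40, "workstation"),
    Alert("a6", "ws-01", "High", "CredentialAccess", 88, "workstation"),  # same device as a1
]


def run_demo() -> Tuple[Dict[str, str], List[Dict[str, object]]]:
    """Run the sample alerts through the engine; returns (decision per alert, isolation requests built)."""
    engine = ContainmentEngine(ContainmentPolicy())
    decisions = {a.alert_id: engine.handle(a) for a in SAMPLE_ALERTS}
    return decisions, engine.requests


if __name__ == "__main__":
    decisions, requests = run_demo()
    for alert_id, decision in decisions.items():
        print(f"{alert_id}: {decision}")
    for req in requests:
        print(req["method"], req["url"], req["body"])
```

The point of the guardrails is that speed and safety pull in opposite directions: the engine acts unattended only on high-severity, high-confidence alerts in categories that indicate an attacker already moving, downgrades servers to selective isolation, refuses to isolate domain controllers without a human, and records one request per device so repeated alerts for an already-contained host do not generate more actions for the SOC to sort through.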
Related
- Endpoint detection and automated response concepts — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Automated containment in incident response workflows — step-by-step incident response procedures
