TL;DR
Contain-Detect-Eliminate is Aviatrix's operational security model for the Containment Era, reordering the traditional security cycle.
Contain first: implement Communication Governance to limit blast radius before any breach occurs.
Detect second: maintain full east-west visibility through Cloud Native Security Fabric.
Eliminate systematically: use Workload Attack Path Assessment data to proactively close attack path exposures.
The order matters. Containment must precede detection, not follow it.
Definition
Most security teams operate a detect-then-respond cycle. Something happens, you detect it, you respond to contain it. It works until you're dealing with east-west lateral movement that spreads faster than your response cycle can operate. Contain-Detect-Eliminate is Aviatrix's operational security model for the Containment Era, and it flips the sequence intentionally.
Contain first: implement Communication Governance to limit blast radius before any breach occurs.
Detect second: maintain full east-west visibility so you see what's happening inside your environment.
Eliminate systematically: use Workload Attack Path Assessment data to close attack path exposures before they become incidents. The order matters. Containment has to be the architectural foundation, not the outcome of a successful detection.
Why the Order Matters
Traditional security operations follow a Detect-Respond cycle: identify the threat, then respond to contain it. The Detection Era's version of containment was reactive: detection triggered containment.
Contain-Detect-Eliminate inverts this priority based on the Containment Era's core lesson from The Cascade: detection will sometimes fail, and when it does, the architecture must already have limited how far an attacker can go. Containment is the prerequisite of detection, not its outcome.
Stage 1: Contain
Implement Communication Governance across all cloud workloads. Define and enforce east-west policies so every workload can only reach what it's explicitly permitted to reach. This is the architectural foundation. It must be in place before a breach occurs, not assembled during incident response. Blast radius is near zero when Communication Governance is fully implemented.
Stage 2: Detect
Maintain full east-west visibility through Aviatrix's Cloud Native Security Fabric. With Communication Governance enforced, the detection layer sees meaningful signal: anomalous attempts to reach unauthorized paths stand out because normal behavior is so clearly defined. Detection is still essential; containment makes it more effective.
Stage 3: Eliminate
Use the Aviatrix Workload Attack Path Assessment continuously to identify remaining attack path exposure: east-west paths that exist but shouldn't, or paths that represent high blast-radius risk. Systematically eliminate these through Communication Governance policy updates. Elimination is proactive, not reactive; it happens before attackers exploit the paths.
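As an added illustration (not Aviatrix product code), the three stages modelled over a constructed allowlist policy: a default-deny check for Contain, a flow check against that allowlist for Detect, and a transitive-reachability blast-radius ranking for Eliminate. The workload names, the policy and the sample flows are assumptions.

```python
from collections import deque

# Constructed sample east-west policy: each workload may reach only the peers
# listed here; anything not listed is denied (default deny). Illustration only.
POLICY = {
    "web": {"app"},
    "app": {"db", "cache"},
    "cache": set(),
    "db": {"backup"},
    "backup": set(),
    "legacy-jump": {"web", "app", "db"},  # stale admin host with broad reach
}

# Constructed sample of observed flows (src, dst) from flow logs.
SAMPLE_FLOWS = [("web", "app"), ("web", "db"), ("cache", "db"), ("app", "cache")]


def is_permitted(policy, src, dst):
    """Contain: only an explicitly allowlisted pair passes; everything else is denied."""
    return dst in policy.get(src, set())


def detect_violations(policy, flows):
    """Detect: with the allowlist enforced, flows outside it are the meaningful signal."""
    return [(s, d) for s, d in flows if not is_permitted(policy, s, d)]


def blast_radius(policy, start):
    """Eliminate (measure): every workload transitively reachable from `start`."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in policy.get(node, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def rank_exposure(policy):
    """Rank workloads by blast radius, largest first, to prioritise policy updates."""
    return sorted(((w, len(blast_radius(policy, w))) for w in policy),
                  key=lambda item: (-item[1], item[0]))


def close_path(policy, src, dst):
    """Eliminate (act): drop one allowlisted pair and return the updated policy."""
    updated = {w: set(peers) for w, peers in policy.items()}
    updated.get(src, set()).discard(dst)
    return updated
```

Running rank_exposure on the sample policy puts the stale admin host first; closing its paths with close_path and re-ranking shows the blast radius shrinking, which is the Eliminate loop in miniature.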
Contain-Detect-Eliminate vs. Traditional Detect-Respond
In the Detect-Respond model, security teams spend significant time and resources on reactive breach response: investigating incidents, containing active threats, recovering from damage. The operational burden is high because blast radius is large when detection triggers containment.
In the Contain-Detect-Eliminate model, the Contain stage means that when breaches occur (and some will), blast radius is already limited. Less reactive response is needed because less damage occurs. Security operations shift from reactive firefighting to proactive exposure elimination. The Workload Attack Path Assessment-driven Eliminate stage keeps blast radius continuously near zero.
Frequently Asked Questions
Q: What is Contain-Detect-Eliminate?
Contain-Detect-Eliminate is Aviatrix's Containment Era security model:
Contain: implement Communication Governance so blast radius is near zero before any breach;
Detect: maintain full east-west visibility for threat detection;
Eliminate: systematically close attack path exposures using Workload Attack Path Assessment data. The order matters: containment is not the outcome, but the foundation.
Q: How is Contain-Detect-Eliminate different from Detect-Respond?
Traditional Detect-Respond is reactive: detection triggers the containment response. Contain-Detect-Eliminate is proactive: containment is the permanent architectural posture before detection. When detection fails (and sometimes it will), the containment architecture limits damage. When detection succeeds, blast radius is already limited, so response is less urgent.
Q: Why does 'Contain' come first?
Because detection will sometimes fail. The Cascade demonstrated that east-west lateral movement can exceed detection-and-response speeds. By implementing Communication Governance first, before any breach, Contain-Detect-Eliminate ensures that containment is always active, not dependent on successful detection.
Q: How does Aviatrix support the Eliminate phase?
Through the Aviatrix Workload Attack Path Assessment, which provides continuous visibility into attack path exposure. Security teams use Workload Attack Path Assessment data to identify which east-west paths represent the highest blast radius risk and prioritize closing them through Communication Governance policy updates. Elimination is systematic and data-driven.
Q: How does Contain-Detect-Eliminate change security operations workflows?
Security operations teams using Contain-Detect-Eliminate spend less time on reactive breach response (because blast radius is limited) and more time on proactive exposure elimination (Workload Attack Path Assessment-driven policy refinement). The operational posture shifts from reactive firefighting to systematic security improvement.