D3FEND — Evict

When to Use

• Responding to active security incidents requiring containment
• Revoking compromised credentials and locking accounts
• Terminating malicious processes and sessions
• Removing malicious files, registry keys, and email
• Evicting adversary presence (shutdown, reboot, disk operations)
• Coordinating takedowns (domain registration, DNS cache)

When NOT to Use

• Building detection or monitoring → d3fend-detect
• System hardening or prevention → d3fend-harden
• Network segmentation → d3fend-isolate
• Forensic investigation and evidence preservation → incident-management-engineer
• Post-incident recovery and restoration → d3fend-restore