Selective isolation is a containment mode used by endpoint security tools. Instead of cutting a device off from every network path, it blocks most traffic while leaving approved services or destinations reachable.
This matters because containment must stop attacker movement without breaking response workflows. In a ransomware incident, selective isolation can slow spread, preserve visibility, and let defenders keep collecting telemetry, issuing commands, or remediating the host. It is often used when full isolation would disrupt business-critical access or when analysts need limited communication with the endpoint. Defenders should predefine what is allowed, test the policy, and verify that permitted channels cannot be abused to reach other systems.



