David Reynolds, a SOC analyst at a healthcare organization, is investigating suspicious login attempts flagged...

Account lockout is an identity control that directly strengthens authentication by limiting repeated password guessing attempts. It sits within authentication and authorization measures because it governs how accounts can authenticate and how access is granted or denied based on login outcomes. In SOC terms, brute-force attacks target the authentication surface; lockout policies reduce attacker attempts and can prevent successful compromise by forcing a pause or administrative intervention after repeated failures. While the policy may be implemented on hosts or via directory services, its purpose is to control identity access behavior, not network segmentation or physical protections. Host security measures typically refer to endpoint hardening, patching, EDR controls, and local configuration baselines. Network security measures include firewall rules, segmentation, and traffic filtering. Physical security includes facility and device access controls. Because the action is specifically about controlling login attempts and access to accounts, it is best categorized as authentication and authorization. In practice, SOC teams complement lockout policies with MFA, conditional access, password spraying detection, and monitoring for “failures followed by success” patterns to reduce both brute-force success and user disruption.