What are the 6 phases of incident response?

The NIST incident response framework defines 4 phases (Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity), while the SANS framework expands this to 6: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Both frameworks emphasize that incident response is cyclical, not linear, with lessons from each incident improving future preparation and detection capabilities.

What should an incident response plan include?

A comprehensive IR plan should include: roles and responsibilities (who does what during an incident), communication procedures (internal escalation, external notification, media handling), classification criteria for incident severity levels, containment strategies for different incident types, evidence preservation procedures, contact lists (legal counsel, law enforcement, IR retainer, insurance), recovery procedures, and post-incident review templates. The plan must be tested through regular tabletop exercises.

What is the difference between incident response and disaster recovery?

Incident response focuses on detecting, containing, and eradicating security threats (malware, breaches, attacks) while preserving evidence for investigation. Disaster recovery focuses on restoring IT systems and business operations after any disruption (natural disasters, hardware failures, or cyberattacks). IR is security-focused and investigative; DR is operations-focused and restorative. A ransomware attack requires both: IR to investigate and contain, DR to restore systems from backups.

How often should you test your incident response plan?

Organizations should conduct tabletop exercises quarterly, technical simulations (purple team exercises) biannually, and a full IR plan review and update annually. After any significant incident, conduct a lessons-learned review and update the plan accordingly. Regulatory frameworks like PCI DSS require annual testing. Studies show organizations that regularly test their IR plans reduce breach costs by an average of $2.66 million compared to those without tested plans.

What is Incident Response? Process, Phases & Best Practices

Why It Matters

Every organization will face security incidents. The difference between a minor disruption and a catastrophic breach often comes down to incident response capability. Organizations with mature IR processes detect breaches faster, contain damage more effectively, and recover more quickly.

The cost of poor incident response is substantial. Delayed detection means attackers have more time to steal data, establish persistence, and spread through networks. Bungled containment can destroy forensic evidence or alert attackers to flee before being fully removed. Inadequate communication damages customer trust and regulatory relationships.

Incident response has become a board-level concern. High-profile breaches demonstrate that response failures amplify damage far beyond the initial compromise. Investors, regulators, and customers scrutinize how organizations handle incidents, making response capability a business imperative.

For security professionals, incident response skills combine technical expertise with crisis management abilities. IR roles demand the ability to think clearly under pressure, make decisions with incomplete information, and coordinate across organizational boundaries during the worst moments.

The Incident Response Lifecycle

NIST Framework

Incident Response Lifecycle

Preparation

Detection & Analysis

Containment, Eradication, Recovery

Post-Incident Activity

Phase 1: Preparation

preparation-activities.txt

Text


Preparation Activities:

People:
- IR team formation and training
- Roles and responsibilities defined
- Contact lists maintained
- Regular drills and tabletops

Processes:
- IR plan documented
- Playbooks for common scenarios
- Escalation procedures
- Communication templates

Technology:
- Detection tools deployed
- Forensic tools available
- Communication channels established
- Backup systems tested

Relationships:
- Legal counsel engaged
- Law enforcement contacts
- PR/communications prepared
- Third-party IR retainer

Phase 2: Detection and Analysis

Detection Sources:

Security monitoring alerts (SIEM, EDR)
User reports
External notifications
Threat intelligence
Automated detection systems

Analysis Activities:

Validate the incident (not false positive)
Determine scope and impact
Identify compromised systems and data
Classify incident severity
Document initial findings

severity-classification.txt

Text


Incident Severity Levels:

Critical (P1):
- Active data breach in progress
- Ransomware spreading
- Critical system compromise
- Response: All hands, immediate

High (P2):
- Confirmed compromise, contained
- Significant system affected
- Potential data exposure
- Response: Dedicated team, urgent

Medium (P3):
- Malware isolated to single system
- Successful phishing (limited impact)
- Policy violation with security impact
- Response: Normal priority

Low (P4):
- Attempted attack (blocked)
- Minor policy violation
- Information request
- Response: Queue for review

Phase 3: Containment

Short-Term Containment:

Isolate affected systems
Block attacker IP addresses
Disable compromised accounts
Preserve evidence before changes

Long-Term Containment:

Apply temporary fixes
Enhance monitoring
Prepare for eradication
Maintain business operations

containment-decisions.txt

Text


Containment Decision Factors:

Consider Before Acting:
- Will containment alert the attacker?
- What evidence might be lost?
- What's the business impact?
- Can we maintain containment?

Containment Options:
- Network isolation (switch port, firewall)
- Account disable/password reset
- System shutdown (loses volatile data)
- Service disruption (blocks attacker + business)

Document:
- Actions taken and timing
- Authorizations obtained
- Evidence preserved
- Business impact accepted

Phase 4: Eradication

Remove attacker access completely
Eliminate malware and backdoors
Close exploited vulnerabilities
Verify complete removal

Phase 5: Recovery

Restore systems from clean backups
Rebuild compromised systems
Validate security before reconnection
Implement enhanced monitoring
Gradual return to operations

Phase 6: Post-Incident Activity

lessons-learned.txt

Text


Post-Incident Review:

Timeline Review:
- When did compromise occur?
- When was it detected?
- When was it contained?
- What caused delays?

Root Cause Analysis:
- How did attacker gain access?
- What vulnerabilities were exploited?
- What detection gaps existed?
- What process failures occurred?

Improvement Actions:
- Technical remediation
- Process improvements
- Training needs
- Tool gaps to address

Documentation:
- Final incident report
- Evidence archive
- Lessons learned document
- Metrics update

Building IR Capability

Incident Response Team

ir-team.txt

Text


IR Team Composition:

Core Team:
- IR Manager/Lead
- Security analysts
- Forensic specialists
- Malware analysts

Extended Team:
- IT operations
- Network engineering
- Legal counsel
- Human resources
- Public relations
- Executive sponsor

External Resources:
- IR retainer firm
- Forensic specialists
- Legal specialists
- Law enforcement liaison

Playbooks and Runbooks

Document procedures for common incident types:

Ransomware
Business email compromise
Phishing campaigns
Malware infections
Unauthorized access
Data breach
DDoS attack
Insider threat

Testing and Exercises

exercise-types.txt

Text


IR Exercise Types:

Tabletop Exercises:
- Discussion-based scenarios
- Leadership participation
- Test decision-making
- Low cost, high value

Functional Exercises:
- Team performs actual tasks
- Use real tools
- Test technical procedures
- Moderate complexity

Full-Scale Exercises:
- Simulated real incident
- All systems and teams
- Maximum realism
- Resource intensive

Purple Team Exercises:
- Red team simulates attack
- Blue team detects and responds
- Collaborative improvement
- Tests end-to-end capability

Communication During Incidents

Internal Communication

Regular status updates
Clear escalation paths
Defined stakeholders
Secure communication channels

External Communication

Legal and regulatory requirements
Customer notification obligations
Media and PR coordination
Law enforcement engagement

Career Relevance

Incident response combines technical expertise with crisis management skills. IR professionals are in high demand, and the experience provides foundation for security leadership roles.

Incident Response Roles (US Market)

Role	Entry Level	Mid Level	Senior
Incident Response Analyst	$70,000	$95,000	$125,000
Senior IR / Forensic Analyst	$100,000	$130,000	$165,000
IR Manager	$120,000	$150,000	$185,000
IR Consultant	$100,000	$140,000	$200,000

Source: CyberSeek

In the Bootcamp

How We Teach Incident Response

In our Cybersecurity Bootcamp, you won't just learn about Incident Response in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 8: Advanced Security Operations

Related topics you'll master:Incident ResponseDFIRThreat HuntingVolatility

See How We Teach This

360+ hours of expert-led training • 94% employment rate

Blog

Career Guides

Glossary

Certifications

Comparisons

Tools

Authors

Corporate Training

Hire Our Talent

Incident Response

Why It Matters

The Incident Response Lifecycle

NIST Framework

Phase 1: Preparation

Phase 2: Detection and Analysis

Phase 3: Containment

Phase 4: Eradication

Phase 5: Recovery

Phase 6: Post-Incident Activity

Building IR Capability

Incident Response Team

Playbooks and Runbooks

Testing and Exercises

Communication During Incidents

Internal Communication

External Communication

Career Relevance

Incident Response Roles (US Market)

How We Teach Incident Response