Skip to content

What are the phases of the incident response lifecycle, and why does the order matter?

Short answer

The classic model is PICERL: Preparation, Identification (detection), Containment, Eradication, Recovery, and Lessons Learned. NIST groups it as Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The order matters because you must scope and contain before you eradicate, and you only recover once the threat is removed — otherwise you reinfect. It is a loop, not a line: lessons learned feed back into preparation.

Interviewers ask this to check whether you have a structured mental model for chaos. During a real incident, adrenaline pushes people to skip steps — wiping a box before they understand scope, or restoring backups before the attacker is evicted. A named framework keeps the team disciplined.

The two common models

The SANS PICERL model spells out six phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons learned. NIST SP 800-61 collapses these into four: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. They describe the same work.

Why the order is load-bearing

  • Preparation is everything you do before the alarm: logging, playbooks, tooling, IR retainers, and tabletop exercises. Most incidents are won or lost here.
  • Identification/Detection confirms an incident is real and scopes it. You cannot fight what you have not mapped.
  • Containment stops the bleeding — often split into short-term (isolate a host) and long-term (apply temporary controls while you plan). Contain before you eradicate so the attacker does not spread while you clean up.
  • Eradication removes the root cause: malware, backdoors, compromised accounts.
  • Recovery restores systems to production and monitors for reinfection.
  • Lessons learned captures what happened and feeds improvements back into preparation.

Why this matters

The cycle is a loop, not a checklist. The strongest answer names the phases, explains why containment precedes eradication and recovery, and stresses that the post-incident review is where an organisation actually gets better. Interviewers look for someone who treats IR as a repeatable process under pressure.

Likely follow-ups

  • Why is containment split into short-term and long-term steps?
  • What goes into the 'preparation' phase before any incident happens?
  • How do lessons learned feed back into the rest of the cycle?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.