What are the phases of the incident response lifecycle, and why does the order matter?
Short answer
The classic model is PICERL: Preparation, Identification (detection), Containment, Eradication, Recovery, and Lessons Learned. NIST groups it as Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The order matters because you must scope and contain before you eradicate, and you only recover once the threat is removed — otherwise you reinfect. It is a loop, not a line: lessons learned feed back into preparation.
Interviewers ask this to check whether you have a structured mental model for chaos. During a real incident, adrenaline pushes people to skip steps — wiping a box before they understand scope, or restoring backups before the attacker is evicted. A named framework keeps the team disciplined.
The two common models
The SANS PICERL model spells out six phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons learned. NIST SP 800-61 collapses these into four: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. They describe the same work.
Why the order is load-bearing
- Preparation is everything you do before the alarm: logging, playbooks, tooling, IR retainers, and tabletop exercises. Most incidents are won or lost here.
- Identification/Detection confirms an incident is real and scopes it. You cannot fight what you have not mapped.
- Containment stops the bleeding — often split into short-term (isolate a host) and long-term (apply temporary controls while you plan). Contain before you eradicate so the attacker does not spread while you clean up.
- Eradication removes the root cause: malware, backdoors, compromised accounts.
- Recovery restores systems to production and monitors for reinfection.
- Lessons learned captures what happened and feeds improvements back into preparation.
Why this matters
The cycle is a loop, not a checklist. The strongest answer names the phases, explains why containment precedes eradication and recovery, and stresses that the post-incident review is where an organisation actually gets better. Interviewers look for someone who treats IR as a repeatable process under pressure.
Likely follow-ups
- Why is containment split into short-term and long-term steps?
- What goes into the 'preparation' phase before any incident happens?
- How do lessons learned feed back into the rest of the cycle?