What are the 6 Phases in a Cyber Incident Response Plan?


Cybersecurity is a growing concern for businesses. In a recent survey, 74% of organizations reported experiencing a cybersecurity incident in the last year alone. With so many cyber incidents occurring today, it’s essential to have an incident response plan in place before an attack occurs. It’s important to understand what these phases mean and how they work together:

Preparation

Identify the risks and vulnerabilities of your organization, including an assessment of the plans and procedures you already have in place to address them. This is also the phase where you create a plan for how to respond to incidents and train personnel in their roles during an incident response, so everyone knows what they’re doing should something happen.

Identification

The first step in any incident response plan is identification. The goal of the identification phase is to determine what the problem is, its cause, and its scope. Once you have a clear understanding of these three things, you can address how best to solve it. To identify a cyber security incident:

  • Determine whether this is an actual attack
  • Determine if there’s been any loss (such as damages or data loss)
  • Identify all affected systems and devices
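The three identification questions above (real attack, loss, affected systems) can be answered systematically from alert data. The following is an added example, not code from the article: it scopes an incident from a constructed set of alert lines, classifying event types with an assumed severity mapping and ordering hosts by when they were first touched.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alert lines (not from the article): "<timestamp> <host> <event> <detail>"
SAMPLE_ALERTS = """\
2024-03-01T09:02:11Z ws-101 av_detect Trojan.Generic quarantined in Downloads/invoice.exe
2024-03-01T09:04:45Z ws-101 outbound_dns c2-lookalike.example
2024-03-01T09:05:02Z fs-01 file_rename 2300 files renamed with .locked extension
2024-03-01T09:05:30Z ws-117 outbound_dns c2-lookalike.example
2024-03-01T09:06:10Z ws-101 scheduled_task created by non-admin user
2024-03-01T09:10:00Z ws-120 login_success user a authenticated from ws-101
"""

# Assumed classification: which event types count as malicious, and which indicate loss
MALICIOUS = {"av_detect", "scheduled_task", "file_rename", "outbound_dns"}
LOSS = {"file_rename"}

def parse_alerts(text):
    """Turn raw alert lines into dicts with a real datetime so they can be ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split(" ", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "event": event, "detail": detail})
    return events

def scope_incident(events):
    """Answer the identification questions: real attack? loss? which systems, in what order?"""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hosts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        hosts.append({"host": host, "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
                      "events": [e["event"] for e in evs]})
    hosts.sort(key=lambda h: h["first_seen"])  # earliest-touched host first
    malicious = [e for e in events if e["event"] in MALICIOUS]
    return {
        "is_incident": bool(malicious),
        "loss_suspected": any(e["event"] in LOSS for e in events),
        "patient_zero": min(malicious, key=lambda e: e["ts"])["host"] if malicious else None,
        "affected_hosts": [h["host"] for h in hosts],
        "timeline": hosts,
    }

if __name__ == "__main__":
    summary = scope_incident(parse_alerts(SAMPLE_ALERTS))
    for key in ("is_incident", "loss_suspected", "patient_zero", "affected_hosts"):
        print(f"{key}: {summary[key]}")
```

Every host that appears in the alerts is listed as affected; the timeline is what the containment phase uses to decide which systems to isolate first.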

Containment

Containment is the second phase in a cyber incident response plan. This phase focuses on protecting your business by containing the problem and eradicating its root cause. The goal is to stop further damage until you can work out what went wrong, and to get back up and running as soon as possible.

A good containment strategy should take into account multiple factors:

  • What types of threats are there?
  • How far has the malware spread?
  • Are there any other systems that could be compromised if we don’t isolate this one?

You’ll also want to estimate how long it will take before you can reboot these systems or restore backups that contain unaltered versions of important files (such as customer information). Once you’ve answered these questions, you should have enough information at hand for damage-control meetings with executives who need answers fast, so they won’t be left wondering why their inboxes stopped working after ransomware deleted all their email.

Eradication

Eradication is the process of removing malware and other malicious content from a system. It’s important to eradicate cyber threats because they can steal data, damage your systems and networks, and leave your network vulnerable to future attacks.

You can use the following steps for eradication:

  • Scan for infections using antivirus software or other tools that check for zero-day threats.
  • Remove infected files and clean any malware from disk drives and removable media, such as flash drives or diskettes.
  • Reboot your device in “safe mode” with networking disabled (so you don’t accidentally reinfect yourself). If possible, run an updated version of antivirus software on each computer in the organization; this step may not be possible if some computers are offline because of the containment phase of the incident response plan.

Recovery

Recovery is the process of restoring systems to their normal state after a cyber incident has occurred. Like the other phases of incident response, it may be performed manually or automatically. Manual recovery can include restoring data from backups or restoring software from a system image. Automated recovery may use scripts and tools designed for this purpose, such as Microsoft’s System Recovery Options (SRO).

Once you have successfully recovered your system(s), you will need to verify that they are functioning properly before moving on to the next phase.

Lessons Learned

Once the incident has been resolved and lessons learned, it’s time to improve your response plan. This is where you can ask yourself:

  • What worked well?
  • What didn’t work well?
  • How can we improve our response plan?

Having a plan for handling cyber incidents is crucial.

Having a plan for handling cyber incidents is crucial. Without one, you’re unlikely to be able to properly assess the situation, make informed decisions on how to proceed, and communicate with all stakeholders effectively. This can lead to significant consequences like data loss or brand damage that could otherwise be avoided.

When determining which phase your organization should go into first under an incident response plan (IRP), consider the type of threat being faced and how much time you have available before the next steps need to be taken. The order in which they happen depends on where your priorities lie. For example, if data loss is not an issue but brand reputation management is critical for your organization, then containment may take priority over eradication; if there are financial implications associated with an incident, then eradication might take precedence over containment or recovery, because it stops further damage sooner rather than later.

When you have an incident response plan, you have a better chance of reducing the impacts of the incident.

When you have an incident response plan, you have a better chance of reducing the impacts of the incident. This is because an incident response plan has 6 phases and incorporates lessons learned from previous incidents. The 6 phases are preparation, identification, containment, eradication, recovery, and post-incident activity. Once you know what these phases are, it will be easier for you to carry them out when faced with a cyber-attack.

The first two phases are preparation and identification. They allow companies to prepare themselves for any type of attack that may occur, while making sure they have the right staff on board who can identify threats quickly, before they become real problems or damage too much of the information stored within their systems. The next two phases are containment and eradication: isolating infected computers so the infection cannot spread further, removing any malicious programs found during this time frame, and cleaning up after them once everything has been removed. After these actions have been completed successfully comes recovery, where all damaged files are replaced with backups taken beforehand, plus anything else needed after reviewing how many changes occurred during each of the phases above. Finally comes post-incident activity, which includes documenting what happened during this period and what went wrong, so future attacks can be avoided by learning from past mistakes (e.g., not patching enough security holes).


Incident response plans help ensure that an organization can recover quickly from a cyber incident. A solid plan will help you mitigate the impact of a breach, reduce the damage done by malware or ransomware, and provide insight into how future incidents should be handled.