The Incident Response Process Explained (NIST)
When a security incident hits, teams follow a structured incident response (IR) process so nothing is missed under pressure. The industry standard is the NIST four-phase model — a playbook every SOC analyst must know.
The four NIST phases
- Preparation — tools, playbooks, training and logging in place before anything happens.
- Detection & Analysis — spot the incident, confirm it's real, scope the damage.
- Containment, Eradication & Recovery — stop the spread, remove the threat, restore clean systems.
- Post-Incident Activity — the lessons-learned review that improves the next response.
Why the order matters
Rushing to "fix it" before containment can destroy evidence or let malware spread. Reimaging a compromised host before its memory and disk have been captured, for example, removes the attacker's foothold but also the artifacts needed to establish how they got in and whether other systems are affected. The discipline of the phases prevents panic-driven mistakes. This process underpins the SOC analyst role — see the CyberOps course and the related SOC overview.
Frequently asked questions
What are the phases of incident response?
NIST defines four: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.
Why is containment before eradication?
Containment stops the threat spreading and preserves evidence; eradicating too early can destroy forensic data and miss the root cause.
What happens in the post-incident phase?
A lessons-learned review — what worked, what didn't, and how detection and response improve for next time.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.