
Incident Response Lifecycle Explained for Security+ and CISSP

When a breach happens, the organizations that limit damage are the ones that have a plan before the attacker arrives. Incident response is that plan: a structured process for detecting attacks, containing them before they spread, removing the attacker's foothold, restoring systems, and learning from the experience. Security+ SY0-701 tests the NIST incident response phases by name and in order, so you need more than a vague sense of the lifecycle. You need to know which actions belong in each phase and what mistakes get made when teams skip steps.


The four NIST incident response phases

NIST SP 800-61, the Computer Security Incident Handling Guide, defines incident response in four phases that cycle continuously. Preparation comes first and is arguably the most important. During preparation, organizations build their incident response plan, train the incident response team, establish communication channels, deploy monitoring tools, and practice through tabletop exercises. Preparation determines how fast and how effectively everything else happens when an incident occurs.

Detection and Analysis is where you discover that something is wrong and confirm it is an actual incident rather than a false positive. Detection comes from SIEM alerts, IDS signatures, user reports, or threat intelligence. Analysis determines the scope, the attack vector, the affected systems, and the severity. Poor analysis leads to incomplete containment and recurring incidents.

Containment, Eradication, and Recovery happen in sequence. Containment stops the bleeding: isolate affected systems, block malicious IPs, disable compromised accounts. Short-term containment is fast but may lose evidence. Long-term containment preserves systems for forensic analysis while keeping the business running. Eradication removes the attacker's artifacts: malware, backdoors, unauthorized accounts. Recovery restores systems to normal operation, monitored closely to confirm the attacker has not returned.

Post-Incident Activity, also called lessons learned, is the phase most organizations skip when they are eager to return to normal. This is a structured review of what happened, what worked, what failed, and what needs to change. The output is an updated incident response plan and often new monitoring rules, patched systems, or changed procedures.

Key incident response concepts

Chain of custody is critical if the incident results in legal action. Evidence must be collected, documented, and stored in a way that proves it has not been tampered with. Every person who handles evidence must be logged, and the documentation trail must be unbroken from collection through presentation.

Containment strategy selection depends on the type of incident. For ransomware that has only hit one workstation, immediate isolation may be right. For an advanced persistent threat that has been in the network for months, premature containment can tip the attacker off and cause them to destroy evidence or deploy additional malware before you have fully scoped the compromise.

Communication during incidents is structured. Internally, the IR team communicates with executive leadership and legal. Externally, depending on the incident type and jurisdiction, the organization may be legally required to notify regulators, affected customers, or law enforcement within specific time windows.

How to choose the correct answer

Phase sequence: Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity. Questions often test what belongs in each phase.

Preparation activities: IR plan creation, team training, tabletop exercises, tool deployment. These all happen before any incident.

First step after detecting an incident: analysis to confirm it is a real incident and determine scope. Not containment. Not eradication. Understand before acting.

Lessons learned timing: after recovery, before the next incident. Skipping this phase means repeating the same mistakes.

Evidence collection order: most volatile to least volatile (live memory before disk images).

NIST incident response phases

Phase | Key activities | Common mistakes
--- | --- | ---
Preparation | IR plan, team training, tabletop exercises, tool deployment | Skipping until an incident occurs
Detection and Analysis | Alert triage, scope determination, severity classification | Acting without understanding scope
Containment/Eradication/Recovery | Isolate systems, remove malware, restore operations | Skipping eradication (attacker returns)
Post-Incident Activity | Lessons learned, plan update, new controls | Skipping it to return to normal quickly

Key exam facts — Security+ / CISSP

  • NIST phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity.
  • Preparation is ongoing, not a one-time task. Includes tabletop exercises and IR plan updates.
  • Detection before containment: confirm the incident and scope it before taking action.
  • Containment: stop spread. Eradication: remove artifacts. Recovery: restore operations.
  • Post-incident activity: lessons learned. Update the plan based on what actually happened.
  • Chain of custody: document who handles evidence and when, unbroken from collection to courtroom.

Common exam traps

Containment should happen immediately upon detecting any incident.

Detection and Analysis comes first. Rushing to containment before understanding scope can tip off sophisticated attackers, cause them to destroy evidence, or miss affected systems. Analyze first to contain effectively.

Recovery means the incident is completely over.

Recovery restores systems to operation, but the incident is not over until post-incident activity is complete. Lessons learned and plan updates are as important as restoration. Many organizations that skip this phase repeat the same incident.

Incident response is the security team's responsibility alone.

Incident response requires coordination across IT, security, legal, HR, communications, and executive leadership. Depending on the incident, law enforcement and external forensic firms may be involved. The IR plan must define roles for all of these parties before an incident occurs.

Practice questions — Incident Response

These questions are representative of what you will see on the Security+ and CISSP exams. The correct answer and explanation are shown immediately below each question.

Q1. According to the NIST SP 800-61 incident response lifecycle, which phase should occur FIRST after an incident is suspected?

A. Containment
B. Eradication
C. Detection and Analysis
D. Post-Incident Activity

Explanation: Detection and Analysis is the second phase (after Preparation) and must occur before Containment. The team must confirm the event is a real incident, determine its scope, identify affected systems, and understand the attack vector before containment actions are taken. Jumping to containment without analysis can result in incomplete remediation or tipping off sophisticated attackers.

Q2. During a ransomware incident, the IR team isolates all affected systems from the network immediately upon discovering the infection. Which IR phase does this action belong to?

A. Preparation
B. Detection and Analysis
C. Containment, Eradication, and Recovery
D. Post-Incident Activity

Explanation: Isolating affected systems to prevent the ransomware from spreading is a containment action, part of the Containment, Eradication, and Recovery phase. Preparation happens before incidents. Detection and Analysis identifies the incident. Post-Incident Activity happens after recovery.

Q3. An incident response team completes recovery and restores all affected systems. The IR manager wants to document what happened, why controls failed, and how to prevent recurrence. Which IR phase covers this?

A. Detection and Analysis
B. Preparation
C. Post-Incident Activity (Lessons Learned)
D. Containment

Explanation: Post-Incident Activity (sometimes called Lessons Learned) is the final NIST IR phase. It involves a structured review of the incident timeline, what worked, what failed, and what changes are needed in the IR plan, monitoring, or controls. This phase is often skipped by organizations eager to return to normal — which leads to repeated incidents.

Q4. A forensic analyst is collecting evidence from a compromised system. In what order should evidence be collected according to best practices for digital forensics?

A. Hard disk image first, then live memory, then logs
B. Most volatile to least volatile: live memory, then running processes, then disk
C. Logs first, then disk image, then live memory
D. All evidence simultaneously to preserve its state

Explanation: Digital forensics evidence is collected in order from most volatile (lost when power is removed) to least volatile. Live memory (RAM) contains running processes, network connections, and encryption keys that disappear immediately at shutdown. Running processes and network state come next. Hard disk images and logs are least volatile and can be captured after.

Q5. An organization suspects an advanced persistent threat (APT) actor has been in their network for months. The IR team is debating whether to immediately isolate all affected systems. What is the risk of premature containment in this scenario?

A. Containment is always the right first step regardless of threat type
B. Premature containment may alert the attacker, causing them to destroy evidence or deploy additional malware before the full scope is mapped
C. Containment will prevent recovery of encrypted data
D. There is no risk; immediate containment always limits damage

Explanation: For sophisticated, long-dwell-time actors like APTs, aggressive premature containment can tip off the attacker before the full scope is understood. The attacker may respond by destroying evidence, activating additional persistence mechanisms, or accelerating data exfiltration. IR teams handling APTs often monitor the attacker covertly while mapping the full extent of compromise before containment.

Frequently asked questions — Incident Response

What are the four phases of the NIST incident response lifecycle?

The four NIST SP 800-61 phases are: (1) Preparation — building the IR plan, training the team, deploying tools before an incident; (2) Detection and Analysis — identifying and confirming the incident, determining scope and severity; (3) Containment, Eradication, and Recovery — stopping spread, removing attacker artifacts, restoring systems; (4) Post-Incident Activity — lessons learned, plan updates, and reporting.

What is the difference between containment and eradication in incident response?

Containment stops the incident from spreading further — isolating infected systems, blocking malicious IPs, disabling compromised accounts. Eradication removes all evidence of the attacker from the environment — deleting malware, closing backdoors, removing unauthorized accounts, and patching the vulnerabilities exploited. Eradication must be thorough; incomplete eradication leads to re-infection from remaining footholds.

What is chain of custody and why does it matter in incident response?

Chain of custody is the documented record of who collected, handled, transferred, or analyzed evidence and when. It proves that evidence has not been tampered with from collection through any legal proceedings. If chain of custody is broken — gaps in documentation, unaccounted access to evidence — the evidence may be inadmissible in court. This matters most when criminal prosecution or civil litigation is expected.
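The chain of custody requirements described here and in the "Key incident response concepts" section above can be checked mechanically. The following Python verifier is an added example, not code from the page or from NIST; the artifact bytes, handler names and timestamps are constructed. It flags the three ways a chain breaks: an undocumented hand-off, a hash that changes while someone holds the evidence, and an artifact presented later that no longer matches the hash taken at collection.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample artifact standing in for a collected memory image.
ARTIFACT = b"constructed sample: memory image of host WS-042"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    timestamp: str                        # ISO 8601 UTC, written by the custodian
    handler: str                          # who holds the evidence after this step
    action: str                           # collected / transferred / analyzed / stored
    digest: str                           # SHA-256 the handler computed on receipt
    received_from: Optional[str] = None   # previous custodian; None only at collection

def verify_chain(entries: List[CustodyEntry], artifact: bytes) -> List[str]:
    """Return the problems found; an empty list means custody is unbroken and
    the artifact presented still matches the hash recorded at collection."""
    problems = []
    if not entries:
        return ["no custody records"]
    first = entries[0]
    if first.action != "collected" or first.received_from is not None:
        problems.append("chain does not start with the original collection")
    reference = first.digest  # hash taken at collection is the baseline
    if sha256_hex(artifact) != reference:
        problems.append("artifact presented does not match collection hash")
    for i in range(1, len(entries)):
        prev, cur = entries[i - 1], entries[i]
        if cur.received_from != prev.handler:      # gap: an undocumented hand-off
            problems.append(f"step {i}: hand-off gap before {cur.handler} (previous custodian {prev.handler})")
        if cur.digest != reference:                # tampering or corruption in transit
            problems.append(f"step {i}: hash changed while held by {cur.handler}")
        if cur.timestamp < prev.timestamp:         # out-of-order records
            problems.append(f"step {i}: timestamp precedes the previous entry")
    return problems

def sample_chain() -> List[CustodyEntry]:
    """Constructed three-step chain: collection, transfer to custodian, lab analysis."""
    d = sha256_hex(ARTIFACT)
    return [
        CustodyEntry("2024-05-01T09:00:00Z", "analyst_a", "collected", d),
        CustodyEntry("2024-05-01T11:30:00Z", "evidence_custodian", "transferred", d, "analyst_a"),
        CustodyEntry("2024-05-02T08:15:00Z", "forensic_lab", "analyzed", d, "evidence_custodian"),
    ]
```

Running `verify_chain(sample_chain(), ARTIFACT)` returns an empty list; remove a hand-off record or alter a byte of the artifact and the corresponding problem is reported.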

How is incident response tested on Security+?

Security+ SY0-701 tests incident response in the context of the NIST lifecycle phases (by name and in order), what activities belong in each phase, the order of evidence collection (most volatile first), tabletop exercises as a preparation activity, and the difference between short-term and long-term containment strategies. Expect scenario questions that ask which IR phase a described action belongs to.

What is a tabletop exercise and when does it occur?

A tabletop exercise is a simulation of an incident scenario conducted as a discussion — no systems are actually changed. Participants walk through how they would respond to a hypothetical incident (ransomware attack, insider threat, data breach) to identify gaps in the IR plan, communication, and decision-making. Tabletop exercises occur during the Preparation phase, before any real incident. Purple team exercises are more active simulations with red team attack and blue team defense.
