The Incident Response Lifecycle: 6 Steps
Most security incidents follow the same arc, and so does a good response. The incident response lifecycle breaks that response into six phases, from the work you do before anything happens to the review you do after it is over. The first letters spell PICERL, and the order matters: skip ahead and you tend to either miss evidence or reinfect the systems you just cleaned.
The phases are not a rigid checklist so much as a way to keep a clear head while everything is on fire.
The six phases
Each phase has a job. The earlier phases decide how well the later ones go, which is why preparation, the quietest phase, is also the most important.
Two models, one shape
You will see this lifecycle drawn two ways. The six-phase version above is sometimes condensed into four, where identification becomes detection and analysis, and containment, eradication, and recovery are grouped together. The steps are the same work under different headings.
What does not change is speed. The faster you move through detection and containment, the smaller the damage. One widely cited benchmark sets the pace.
| Speed target | Goal | Source |
|---|---|---|
| 1 minute | Detect a malicious intrusion | CrowdStrike 1-10-60 rule |
| 10 minutes | Understand the context and scope | CrowdStrike 1-10-60 rule |
| 60 minutes | Begin remediation | CrowdStrike 1-10-60 rule |
How to put it into practice
Knowing the phases is not the same as being ready for them. The practice happens in preparation: a plan, a trained team, and tools configured before you need them.
Insight: The phase teams skip is the last one. Once systems are back, the pressure is off and the post-incident review gets postponed forever. That review is where you turn one expensive incident into prevention for the next ten.
- The lifecycle has six phases: preparation, identification, containment, eradication, recovery, and lessons learned.
- Preparation decides how well every later phase goes.
- Isolate systems rather than shutting them down, to preserve volatile evidence.
- Speed matters: detect fast, contain faster, before attackers move laterally.
- The lessons learned phase turns one incident into prevention for the next.
Frequently asked questions
What are the incident response steps?
Six phases: preparation, identification, containment, eradication, recovery, and lessons learned. The first letters spell PICERL.
Why isolate a system instead of shutting it down?
Powering off a machine erases volatile memory, which can hold forensic evidence and sometimes the encryption keys themselves. Isolating it from the network stops the spread while preserving that evidence.
What is the 1-10-60 rule?
A speed benchmark: detect an intrusion in one minute, understand its scope in ten, and begin remediation within sixty. The goal is to stop attackers before they move laterally.
What happens in the lessons learned phase?
A blameless review of the attack vector, timeline, and response effectiveness, with metrics like mean time to detect and recover, feeding updates back into the plan and controls.
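As an added example (not part of the original article), here is how the 1-10-60 benchmark and the lessons-learned metrics above can be derived from a phase timeline: it scores each incident against the three targets, flags phases that started out of PICERL order, and computes mean time to detect and recover across incidents. The mapping of targets to phases (detect = identification begins, scope understood = containment begins, remediation = eradication begins) and the sample timelines are assumptions constructed for the example.

```python
from datetime import datetime
from statistics import mean

# PICERL phases in the order the lifecycle prescribes.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

# 1-10-60 targets in minutes, measured from the start of the intrusion.
# Assumed mapping: detect = identification begins, scope understood =
# containment begins, remediation = eradication begins.
TARGETS = {"identification": 1, "containment": 10, "eradication": 60}


def minutes_since(start, when):
    return (when - start).total_seconds() / 60


def order_violations(phase_times):
    """Phases that started before the phase preceding them in PICERL."""
    present = [p for p in PHASES if p in phase_times]
    return [later for earlier, later in zip(present, present[1:])
            if phase_times[later] < phase_times[earlier]]


def score_incident(intrusion_start, phase_times):
    """Elapsed minutes per phase, missed 1-10-60 targets, and ordering slips."""
    elapsed = {p: minutes_since(intrusion_start, t) for p, t in phase_times.items()}
    missed = [p for p, limit in TARGETS.items()
              if p not in elapsed or elapsed[p] > limit]
    return {"elapsed": elapsed, "missed": missed,
            "order_violations": order_violations(phase_times)}


def mean_times(incidents):
    """MTTD and MTTR: mean minutes from intrusion to identification / recovery."""
    ttd = [minutes_since(s, pt["identification"]) for s, pt in incidents]
    ttr = [minutes_since(s, pt["recovery"]) for s, pt in incidents]
    return {"mttd": mean(ttd), "mttr": mean(ttr)}


def t(s):
    return datetime.fromisoformat(s)


# Constructed sample timelines (not real incidents): (intrusion start, phase start times).
INCIDENTS = [
    (t("2024-03-01T09:00"), {"identification": t("2024-03-01T09:00:30"),
                             "containment": t("2024-03-01T09:08"),
                             "eradication": t("2024-03-01T10:30"),   # 90 min: misses 60
                             "recovery": t("2024-03-01T12:00")}),
    (t("2024-03-05T14:00"), {"identification": t("2024-03-05T14:20"),  # 20 min: misses 1
                             "eradication": t("2024-03-05T14:25"),     # before containment
                             "containment": t("2024-03-05T14:40"),     # 40 min: misses 10
                             "recovery": t("2024-03-05T15:00")}),
]
```

Running `score_incident(*INCIDENTS[1])` reports the missed detection and scoping targets and flags eradication as out of order, which is the "skip ahead and reinfect" failure the lifecycle order is meant to prevent.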