Cyber Security Blog

7 Phases of Cyber Incident Response: A Complete 2026 Guide for CISOs

Written by Aditi Uberoi | 26 March 2026

Cyber incidents today are no longer isolated IT issues. They are full-scale business disruptions. From ransomware attacks halting operations to supply chain compromises impacting multiple organisations simultaneously, the speed and complexity of cyber threats are unprecedented. One look at our monthly compilations of the Biggest Cyber Attacks and you'll know the urgency of building a solid incident response lifecycle in your organisation.

Yet many organisations still rely on outdated incident response plans, untested playbooks and unclear roles, leaving them exposed at critical moments. This guide breaks down the 7 phases of cyber incident response, explains how they align with the NIST framework, and shows what organisations must do to execute them effectively in 2026.

What is a Cyber Incident Response Plan? 

Before we delve into what the 7 incident response phases are, let's discuss Incident Response Planning. 

A Cyber Incident Response Plan, put simply, is the plan of action your business will follow when a security event occurs. It should ideally be a crisp, brief, to-the-point document. It should detail the steps to be taken by the incident response team (IR team) and the information security team when a cyber attack, such as ransomware, occurs.

The plan should also list the roles and responsibilities of everyone in the executive team and management involved in the incident handling process.

What has to be done with the affected user accounts and the affected systems after security breaches? What chain of communication has to be followed? Who has to be informed when, how and by whom? Do the law enforcement agencies have to be contacted and if yes, when? 

All these questions pertaining to immediate incident management should be covered in the response plan.

You can take a look at our FREE Incident Response Plan Template to start building out your own incident response plan. 

What are the 7 Phases of Cyber Incident Response? 

The 7 phases of incident response provide a structured approach to managing cyber incidents from preparation through continuous improvement:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
  7. Continuous Testing

How Do These Phases Align with NIST?

Framework: Phases
NIST Incident Response Lifecycle: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity
7-Phase Model: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned → Continuous Testing

The 7-phase model expands on NIST by emphasising:

  • Eradication as a distinct step
  • Continuous testing and validation
  • Operational readiness, not just documentation

As per the National Institute of Standards and Technology, an incident response plan has 4 main phases. However, many cybersecurity experts break this down into a more comprehensive 7 phases of incident response. So let's take a look at what these 7 steps are:

1. Preparation: This phase of the incident response plan comes before the incident or data breach even takes place. It is the step that can make or break your response to cybersecurity events.

The preparation stage of Incident Response Planning takes into account that the business is highly likely to be attacked sooner or later. It is meant to ready the organisation for future incidents.

The primary components of this phase are:

  • Risk assessment
  • Evaluating where the greatest vulnerabilities lie
  • Determining which assets are most likely to be attacked
  • Assessing what impact an attack on these assets would have on business operations
  • Defining clear channels of communication
  • Establishing which response checklists will be followed
  • Making sure business continuity plans are in place
  • Offering cybersecurity training for executives and employees

Where organisations fail:

- Plans exist but are not actionable
- Roles are unclear during crises
- No alignment between technical and leadership teams

What good preparation looks like:

- Scenario-specific playbooks (ransomware, supply chain, insider threat)
- Regular cyber tabletop exercises
- Clear ownership across teams

2. Identification: This phase is all about identifying the incident. Cybersecurity incidents include data breaches, ransomware attacks, DDoS attacks or any suspected malicious activity. Identifying the breach in the 'Golden Hour' is critical to ensuring the cybersecurity emergency doesn't spiral out of control.

This phase starts with assessing if the event is really a cyber-attack. If yes, how intense is it? Filtering out false positives makes up a big part of this phase. 

Next, it's important to ask questions about which parts of the business have been affected. Understanding the specific harm the incident is causing is crucial.

This phase also involves categorising the cybersecurity incident based on the type of attack. Here are some key points to consider:

  • Identify which business areas or systems have been compromised.
  • Determine the extent and nature of the damage caused by the incident.
  • Classify the incident according to the type of cyber attack it represents.

3. Containing the situation: Managing the impact of a cyber attack is a crucial step in responding to incidents. It's important to have a plan ready to prevent the situation from getting worse. Many organisations rely on the Security Orchestration, Automation and Response (SOAR) approach to automatically execute containment playbooks the moment a threat is confirmed, reducing response time while preserving critical forensic evidence. Simply deleting everything isn't a good idea because it might erase important evidence.

  • Consider both short-term and long-term strategies to handle the situation effectively.
  • Decide which systems need to be temporarily shut down if a breach occurs.
  • Ensure there are backup processes in place to support recovery efforts.
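The identification and containment phases above describe a workflow that SOAR platforms automate: filter out false positives, classify the confirmed incident by type and severity, then run a containment playbook that preserves evidence before anything destructive happens. The script below is an added illustration of that workflow and is not code from the original article or from any SOAR product; the alert records, the authorised-scanner allowlist, the playbook steps and the `triage` / `run_playbook` function names are all constructed assumptions.

```python
"""Toy SOAR-style triage and containment runner (constructed example, not a real product)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed alert records, in the shape a SIEM might forward to a SOAR platform.
SAMPLE_ALERTS = [
    {"id": "A1", "host": "fs01", "source_ip": "10.0.5.7", "signal": "mass_file_rename"},
    {"id": "A2", "host": "web01", "source_ip": "203.0.113.9", "signal": "syn_flood", "pps": 250000},
    {"id": "A3", "host": "web02", "source_ip": "10.0.9.2", "signal": "port_scan"},
    {"id": "A4", "host": "db01", "source_ip": "198.51.100.4", "signal": "bulk_export", "rows": 4_000_000},
]

# Assumed allowlist of the organisation's own vulnerability scanners (constructed value).
AUTHORISED_SCANNERS = {"10.0.9.2"}


def classify(alert: dict) -> Optional[Tuple[str, str]]:
    """Identification: return (incident_type, severity), or None for a false positive."""
    sig = alert["signal"]
    if sig == "port_scan" and alert["source_ip"] in AUTHORISED_SCANNERS:
        return None  # known internal scanner, not an incident
    if sig == "mass_file_rename":
        return ("ransomware", "critical")
    if sig == "syn_flood":
        return ("ddos", "high" if alert.get("pps", 0) > 100_000 else "medium")
    if sig == "bulk_export":
        return ("data_breach", "high")
    return ("suspicious_activity", "low")


@dataclass
class Incident:
    alert_id: str
    host: str
    kind: str
    severity: str
    evidence_preserved: bool = False
    timeline: list = field(default_factory=list)  # (timestamp, action) pairs

    def log(self, action: str) -> None:
        self.timeline.append((datetime.now(timezone.utc).isoformat(), action))


# Containment steps. Each one only records what it would do; a real playbook would
# call the EDR, firewall or hypervisor API at this point.
def preserve_evidence(inc: Incident) -> None:
    inc.evidence_preserved = True
    inc.log(f"forensic snapshot requested for {inc.host}")


def isolate_host(inc: Incident) -> None:
    inc.log(f"network isolation applied to {inc.host}")


def enable_rate_limit(inc: Incident) -> None:
    inc.log(f"upstream rate limiting enabled for {inc.host}")


def reimage_host(inc: Incident) -> None:
    inc.log(f"reimage requested for {inc.host}")


# Steps that destroy evidence must never run before a snapshot has been taken.
DESTRUCTIVE_STEPS = {reimage_host}

PLAYBOOKS = {
    "ransomware": [preserve_evidence, isolate_host],
    "ddos": [enable_rate_limit],
    "data_breach": [preserve_evidence, isolate_host],
    "suspicious_activity": [],  # low severity: leave for an analyst to review
}


def run_playbook(inc: Incident, steps) -> Incident:
    """Containment: execute steps in order, refusing destructive ones without evidence."""
    for step in steps:
        if step in DESTRUCTIVE_STEPS and not inc.evidence_preserved:
            inc.log(f"refused {step.__name__}: evidence not yet preserved")
            raise RuntimeError("destructive step attempted before evidence preservation")
        step(inc)
    return inc


def triage(alerts):
    """Run identification then containment over a batch of alerts."""
    incidents, false_positives = [], []
    for alert in alerts:
        result = classify(alert)
        if result is None:
            false_positives.append(alert["id"])
            continue
        kind, severity = result
        inc = Incident(alert["id"], alert["host"], kind, severity)
        inc.log(f"classified as {kind}/{severity}")
        run_playbook(inc, PLAYBOOKS[kind])
        incidents.append(inc)
    return incidents, false_positives


if __name__ == "__main__":
    confirmed, ignored = triage(SAMPLE_ALERTS)
    print("false positives:", ignored)
    for inc in confirmed:
        print(inc.alert_id, inc.kind, inc.severity, [a for _, a in inc.timeline])
```

The ordering guard in `run_playbook` is the point the article makes about not "deleting everything": an automated playbook is only safe to run at machine speed if the evidence-preserving step is enforced before any reimage or wipe, and the timestamped timeline gives the lessons-learned phase a record of exactly what was done and when.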

4. Eradication: This step in incident response focuses on getting rid of the cause of the security breach. After you have managed to control the situation and identified the main source of the problem, it's important to find a way to completely remove it.

  • Make sure to remove any harmful software or malware that might be causing the issue.
  • Fix any weaknesses in your system by updating and patching old software versions.
  • Ensure that all security measures are up-to-date to prevent future breaches.


5. Recovery: Once the vulnerabilities have been patched and malware has been eliminated, the recovery or restoration phase becomes the focal point.

This crucial step is dedicated to: 

  • Ensuring that all affected systems are operational and security patches have been applied.
  • Making sure affected systems are also fortified against future threats.
  • Restoring normalcy to business operations as swiftly and efficiently as possible.
  • Reviewing system logs and performance metrics to detect any anomalies that might indicate lingering issues.
  • Verifying that all software updates have been implemented
  • Removing any temporary measures put in place during the containment phase or replacing them with permanent solutions.

This phase should include a comprehensive assessment of the recovery process itself. It must focus on identifying any areas for improvement to enhance future response efforts. By ensuring that systems are robustly patched and continuously monitored, you can significantly reduce the risk of recurrence and maintain the integrity of operations. 

6. Lessons Learned: Reflecting on an incident is one of the most important parts of planning how to respond to future incidents. This is often called 'Post Incident' actions. During this phase, you should:

  • Look back at what happened and how it was managed.
  • Check if the response plans were effective.
  • Evaluate if all key decision-makers and stakeholders acted quickly and accurately.

If you need to make any changes to your incident response plan, this is the right time to do it. You can use our Cyber Incident Response Plan Template to ensure your plan includes all the essential elements of a strong response.

Additionally, many organisations choose to involve external experts or cybersecurity advisors at this stage. They can help review and improve your incident response strategies for the future.

7. Test to Build Muscle Memory: Congrats, you managed to survive a grave security incident. But don't waste too much time celebrating. The attackers are not going to back down. In fact, at this very moment they're probably planning how to strike again, and strike harder.

This is why you need to continually test and rehearse your incident response plans, looking for any loopholes or gaps that criminals may try to exploit next.

There is no time to rest in the cybersecurity cat-and-mouse race, so unfortunately you can't really take a break. In this phase you need to start testing whatever changes you have recently made to your incident response plans.

You can check out our Cyber Crisis Tabletop Exercises or the specific Ransomware Tabletop Exercises to truly shred apart your plans and see if they’ll really hold water next time or not.  

To know more about how you can prepare your employees better for a cyber-attack, check out our NCSC-Certified Cyber Incident Planning & Response Course.  

If you would like to test your cyber incident response plans for effectiveness, check out our scenario-based cyber tabletop exercises.  

FAQs about the Phases of Incident Response 

1. What are the 7 phases of incident response?

The 7 phases are Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned, and Continuous Testing. They provide a structured lifecycle for managing cyber incidents.

2. What is the NIST incident response lifecycle?

The NIST lifecycle includes Preparation, Detection & Analysis, Containment, Eradication & Recovery, and Post-Incident Activity.

3. Why is preparation the most important phase?

Because poorly defined roles, untested plans, and unclear communication structures lead to failure during real incidents.

4. How often should incident response plans be tested?

At least 2–4 times per year through tabletop exercises and simulations.

5. What is the “Golden Hour” in incident response?

The critical early period where fast identification and containment can significantly reduce impact.