Incident response is a critical component of every comprehensive security program. Knowing how to respond appropriately to security incidents is essential for any organization. This article will discuss the six phases of incident response and how they can help organizations better protect their networks and data from security threats. 

Each phase of the incident response process will be outlined, discussing the purpose of each step and the best practices for implementation. We’ll also explore the tools and techniques available for managing incident response more efficiently and effectively. 

Related article: IT Operations Management (ITOM) Best Practices

What is Incident Response?

Incident response is responding to a security incident, such as a breach or cyber attack. It involves identifying, analyzing, containing, eradicating, and recovering from an incident. It also includes post-incident activity such as reporting, monitoring, and reviewing the incident.

Incident response aims to quickly address and mitigate the risks posed by a security incident, such as data loss, disruption of services, and reputational damage. It also aims to reduce the impact of the incident on the organization and its customers. The key steps to handling an incident response include:

  • Identify the incident: This is typically done by monitoring systems and networks for unusual activity or suspicious behavior. 
  • Analyze the incident: Once the incident is identified, the responder will analyze the incident to determine the scope and impact of the incident. 
  • Contain the incident: The next step to stop the incident from spreading further. It may include disabling user accounts, blocking access to specific resources, or disconnecting systems from the network. 
  • Eradicate the incident by removing the malicious code or software from the system. It involves deleting files, restoring from backups, or reinstalling the operating system.
  • Recover from the incident, which may include restoring data, reconfiguring systems, and repairing damaged hardware.

What is SANS?

SANS (SysAdmin, Audit, Network, Security) is a global information security training, certification, and research cooperative. SANS provides comprehensive and rigorous training courses, certifications, and research services to organizations and individuals worldwide. The organization has been instrumental in developing cutting-edge technologies and best practices for information security and risk management.

SANS also provides a comprehensive library of information security resources and publishes a wide range of white papers, articles, and reports on the latest topics in information security. SANS is a leader in cyber security training and certifications for professionals in the security field. These courses cover information security, threat intelligence, digital forensics, incident response, secure coding, and architecture. The organization also offers various certification programs, such as the Global Information Assurance Certification (GIAC) and the Certified Information Systems Security Professional (CISSP).

Furthermore, SANS offers courses and certifications for professionals in other disciplines, such as IT auditing, enterprise architecture, and IT management, and provides consulting services and conducts workshops and seminars on the latest topics and best practices in the information security field. The SANS framework has six phases: preparation, identification, containment, eradication, recovery, and lessons learned, which we will discuss below.

6 Best Phases of SANS Incident Response


The first phase of preparation is to establish a comprehensive incident response plan. This plan should include the roles and responsibilities of personnel involved in the incident response process, the procedures for identifying, responding to, and remediating incidents, the policies and standards for incident response, and the tools and procedures for collecting and analyzing evidence.

It should also include an incident response training program for personnel involved in the response process. Additionally, the plan should define the incident response team’s authority and the types of incidents the team is responsible for responding to. Finally, it should include a communication and notification strategy to ensure that the appropriate personnel is informed promptly.


During this phase, the goal is to identify the incident and determine the scope of potential damage. It includes gathering information about the incident and confirming if it is an actual security incident or a false alarm. The identification phase also includes:

  • Collecting logs.
  • Analyzing system and network activity.
  • Searching for indicators of compromise.

This information helps define the incident’s scope and determine what other systems and networks may have been affected.


The Containment phase involves isolating a compromised system or network from other systems to prevent further damage or compromise. During the containment phase, the incident responders will attempt to identify and contain the outbreak, identify and document the extent of the damage, and prevent the incident from spreading.

Some key activities that may be performed during this phase include disconnecting the compromised system from the network, disabling or changing user accounts, and disabling any malicious services that may be running. Other activities may include restricting access to specific systems, network segments, and internet resources. The goal of the containment phase is to limit the scope of the incident and prevent it from spreading.

incident response plan


The eradication phase is self-explanatory; it is a process of eliminating the cause of the incident. It typically involves identifying the vulnerability or vulnerability vector that allowed the incident to occur and then taking steps to remove or mitigate it. It may involve patching, reconfiguring, or removing affected systems, as well as updating security policies and procedures to prevent similar incidents in the future. It is essential to document the steps taken during this phase, as this information may be used to identify additional vulnerabilities in the future.


The recovery phase is focused on restoring affected systems and services to a normal working state. It involves rebuilding any affected systems, restoring data from backups, and reconfiguring systems to ensure that the affected systems are secure. This phase also includes measures to prevent similar incidents from occurring in the future, such as implementing additional security controls and conducting security awareness training for users.

Lessons learned

Lessons learned are a critical step in the incident response process. It is the stage in which the incident response team evaluates the incident and its response to it to identify areas for improvement and prevent similar incidents from recurring. This phase is typically conducted after the incident has been contained, eradicated, and the affected systems have been restored to a secure state.

During this phase, the incident response team reviews the incident and response activities, assesses the effectiveness of the response, and identifies any gaps in processes and procedures that could have prevented or mitigated the incident. The team then develops recommendations to address and improve any identified gaps. These lessons are documented and shared with the organization so that similar incidents can be prevented in the future.

Techniques to Manage Incident Response Efficiently 

There are techniques available for managing incident response more efficiently and effectively 

  • Automation: Automating incident response processes can help streamline and improve the efficiency of the process. Automating tasks such as logging, alerting, and reporting can save time and resources. 
  • Communication: Having clear and effective communication channels set up in advance can help mitigate incidents more quickly and efficiently. Tools such as chatbots, email, and text messaging can facilitate communication between team members and stakeholders. 
  • Documentation: Keeping detailed, up-to-date documentation of all incident response activities can help to ensure that the process is managed effectively and efficiently. It includes documenting all steps taken, findings, and resolutions. 
  •  Training: Regular training for incident response teams is essential to ensure that they are well-prepared to handle any incident. Training should cover identifying suspicious activity and responding to and recovering from incidents. 
  • Incident Response Plan: Having a well-defined incident response plan in place can help teams respond to incidents quickly and effectively. The plan should include all necessary steps, from initial identification to post-incident review. 
  • Monitoring and Detection Tools: Utilizing monitoring and detection tools can help identify suspicious activity quickly and accurately, reducing the time needed to respond to incidents and increasing the effectiveness of the response.

Companies will benefit even more by following best practices to implement SANS incident response.

Best practices for implementation of SANS Incident Response

  • Establish a formal incident response plan: Define the roles and responsibilities of each team member and the actions they should take when responding to an incident. 
  • Establish an incident response team (IRT): The IRT should include personnel from various disciplines, such as security, legal, IT, and executive leadership. 
  • Develop policies and procedures: Establish policies and procedures to be followed during an incident response. 
  • Train personnel: Train personnel on the incident response plan and procedures to ensure they are prepared to respond to an incident. 
  • Monitor networks and systems: Monitor networks and systems for suspicious activity and implement tools to quickly detect and respond to incidents. 
  • Collect evidence: Collect and preserve evidence in the event of an incident. 
  • Communicate with stakeholders: Communicate with stakeholders, such as customers, partners, and law enforcement, to ensure they are informed and that their needs are met during the incident response process. 
  • Assess the impact of the incident: Determine the impact of the incident and develop a plan to remediate any damage. 
  • Document the incident: Document the incident and the actions taken to respond to it. 
  • Review and improve the incident response process: Conduct periodic reviews of the incident response process to identify areas for improvement.

Related article: What is Problem Management? All you Need to Know

Final Note

Overall, the SANS incident response provides a comprehensive framework to help organizations plan, detect, respond, and recover from security incidents. Taking the time to implement each phase can help organizations reduce their risk of a data breach and help them adopt a proactive approach to security rather than relying on reactive measures. By leveraging the SANS 6 phases for better incident response, organizations can build a culture of security and ensure that their data is protected.

Table of Contents