What Are the Incident Response Phases?

In our line of work, we find that IT and security professionals often forget that incident response (IR) is a process, and not a singular action. Not building and coordinating the steps of incident response correctly within your IR plan will render it useless, making serious incidents like ransomware and data breaches more crippling and costly. Fortunately, there are publicly available standards that provide a proven framework for IR plans, including the NIST 800-61 Computer Security Incident Handling Guide.

Through our 20 years of IR experience at D3, we’ve developed a turnkey library of flexible playbooks, many of which are based on the NIST standard. That is because we’ve found NIST to be a great starting point for most organizations’ IR planning.

NIST breaks incident response down into four broad phases: (1) Preparation; (2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post-Event Activity. The phases laid out by NIST are worth studying for anyone involved in incident response, and should be required reading for those new to IR, such as IT professionals who are increasingly taking on security roles and responsibilities. In this piece, we’ll look at each of the four phases of incident response, and also describe the features we’ve built into D3’s NextGen SOAR platform to support CSIRT teams during that phase.

1. Preparation

Incidents move fast, so a comprehensive preparation phase is critical. Preparation, as defined by NIST, involves implementing the right tools and setting up the right processes ahead of an incident occurring. Important steps in this phase include identifying your “crown jewels”—the assets that must be protected at all costs—and analyzing data from previous incidents to guide your planning.

NextGen SOAR comes equipped with incident-specific playbooks, so you can be sure that your procedures are set up for a strong response. Our codeless playbook editor enables you to use experience from previous incidents to tailor the playbooks to your exact needs. Setting up communications plans is another important part of preparation, which D3 supports with automated notifications, scheduled reporting, and an internal communications platform.

2. Detection & Analysis

In order to stop an incident from causing damage, you first need to spot the irregular activity and figure out exactly what is happening. This phase begins with taking in data from sources such as SIEM, IDPS, network device logs, people in your organization, and more, in order to identify incidents based on indicators. Once incidents have been detected, you need to determine false positives, classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited. Following the analysis, you should document the incident and prioritize response actions.

D3 integrates with all major SIEMs to support detection. SIEM events can be automatically ingested into NextGen SOAR, bringing all of the associated data with them. D3’s automation features gather additional important contextual data like IP and file reputation from external sources.  Our threat intelligence integrations also provide information for analysis and assessment of genuine threats. With all this information at your fingertips, it becomes quick and easy to conduct analysis.

3. Containment, Eradication & Recovery

In this phase, having gathered the information and gained an understanding of the incident, your IR team will begin to combat the threat. This includes taking actions to prevent further damage, such as closing ports or blocking IPs. Depending on the incident, you might gather and preserve evidence for future legal or regulatory cases. Once the threat is resolved, recovery will involve restoring systems to normal functionality, through actions like tightening network security, rebuilding systems, and replacing compromised files.

D3 can automate containment and eradication tasks to accelerate your processes and minimize damage. NextGen SOAR acts as a centralized hub for coordinating incident response across the entire organization, with orchestration tools for automated task assignments, notifications, approval requests, and other communications—even going beyond the incident response team to bring in other departments like Legal or HR.  D3’s case management features also shine in this phase, giving you the ability to group together related incidents for deeper investigations, as well as a forensics system for managing evidence.

4. Post-Event Activity

Incident response can be chaotic, and it’s hard to take the time to do a post-mortem on major incidents, but NIST emphasizes the importance of this type of review. This phase includes having a “lessons learned” meeting to answer major questions about what happened, what went well, and what is needed for future incidents. Collected incident data should be used to drive these meetings and inform the resulting procedural changes. Post-event activity also involves determining what should be done with collected evidence. Is prosecution an option? How long should the data be retained?

D3 gives you the actionable metrics and reports that you need to understand past incidents, evaluate performance, and make positive changes. NextGen SOAR can report on almost any data within the system, and present it in a variety of graphical forms.

Depending on your industry, and the nature of the incident, compliance reports might need to be filed. D3 makes this arduous process as easy as possible with comprehensive data management and built-in templates. The entire post-event phase can be guided by D3, based on best practices and your own custom processes, which helps you continually improve your IR function over time by identifying the root causes of issues.


By using the NIST framework to examine the necessary steps for an IR plan, it should be clear that every phase is necessary for strong response. Unfortunately, most incident response vendors concentrate on Phase 3—Containment, Eradication & Recovery—with little or no support through other phases. This is especially true for platforms that narrowly focus on automation and orchestration, with playbooks that offer little more than triggering simple remediation actions.

D3’s SOAR platform is uniquely built to be a full-lifecycle solution. Our platform combines powerful automation with comprehensive incident response and case management. D3 guides and facilitates your response efforts from the moment of detection, all the way through to post-incident root cause analysis. To learn more about how NextGen SOAR can help you standardize your processes, check out our whitepapers on the top SOAR playbooks for 2022 and 2023 or schedule a demo with one of our experts to see the platform in action.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.