Which sequence correctly describes the incident response lifecycle?

Multiple Choice

Explanation:
Understanding the incident response lifecycle means lining up the phases in the order they should occur to effectively handle and learn from a security incident. The sequence starts with preparation: establishing policies, roles, tools, and training so the team is ready before anything happens. After preparation comes detection and analysis, where signals are identified and investigated to determine whether an incident is real and what it affects. Once an incident is confirmed, containment follows to limit its spread and prevent further damage. After containment, eradication removes the threat and its artifacts from the environment, addressing the root cause. Then recovery focuses on restoring systems and services to normal operation and validating that they are clean and functioning correctly. Finally, post-incident activities, such as a lessons-learned review, examine what happened, update plans and controls, and improve detection and response for the future. The other sequences place steps out of logical order: starting with detection before preparation delays readiness, containment before detection is impractical, and recovery before eradication risks reintroducing the threat.