The 6 Phases of an Incident Response Plan

September 1, 2022

An incident response plan is imperative so organizations can react swiftly enough to minimize damages from cyber attacks or data breaches. 

In a previous article, we discuss cyber attacks and what you need to know. Here, we’ll list and demonstrate the importance of each phase in an incident response plan and outline what occurs in each step. 

The six phases of an incident response plan are as follows: 

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned


This is the most critical phase of any incident response plan. At DFI Forensics, we take preparation for incident response very seriously. 

Areas of this phase include: 

  • Proper employee training in incident response. Ensuring their roles and responsibilities are clear in the event of a security breach. 
  •  Developing training drills and conducting “mockup breaches” to keep employees’ abilities current and ready for a real incident. 
  • Keeping logistical aspects in line concerning the incident response plan (ensuring the following funding, staff, resources, and hardware/software needs are met). 


In the identification phase, we determine whether or not an organization has been breached. In this research-based phase of the incident response plan, our main concern is answering the following questions: 

  • When did the breach occur?
  • How was it found and by whom?
  • Are other areas impacted?
  • What’s the scope of the attack?
  • How much does it affect company operations?
  • Has the point of entry (source) of the event been discovered yet?


Containing a data breach is like containing a fire. Before rushing in and putting it out, it’s best to find ways the security breach won’t spread. Containment would be like sealing off other areas of a fiery building and ensuring the nearby public is safe. 

Simply deleting files in a security breach will cause more harm than good, since they will likely contain irreplaceable evidence that’ll be used later. 

Sealing off your systems by patching, updating and reviewing remote access protocols will help you contain the threat. Requiring multi-factor authentication and changing access credentials are often good containment practices. 

Other aspects to consider in this phase are: 

  • The types of data backups that are in place.
  • What has been done so far to contain the breach.
  • If malware has been found yet and properly quarantined. 


Eliminating the source of the breach is eradication. This area of the incident response plan is vital because no trace of any malware or security threats should remain after eradication’s been executed. 

If it has not been done properly by yourself or a reliable third party, you may still be losing valuable data and have a lingering security threat. Below are a few expert practices of eradication.

  • Reimaging by performing a complete wipe and re-image of an affected system.
  • Patching system vulnerabilites while understanding the root cause of the breach.
  • Applying best practices such as updating software versions and disabling unused services.
  • Scanning to ensure no malware or viruses remain on the previously affected systems.


After eradication has been completed, the recovery step returns affected systems and computers to normal function. Operations must continue here smoothly without the worry of another breach. 

In the recovery phase, several aspects are clarified for the affected business, such as:

  • A date when operations are to be restored.
  • Proper Testing and Verification.
  • Security Monitoring of Operations.
  • Incident Prevention Methodoligies.

Lessons Learned

“The only real mistake is the one from which we learn nothing” - Henry Ford

Learning lessons from data breaches make us more experienced to tackle them again. At DFI Forensics, we discuss with our incident response plan members what we’ve all learned from any data breach experienced by a client. 

Reflecting upon a given data breach, it can be determined what went smoothly in the incident response plan, and what aspects need improvement. Pieces of an incident response plan can be extracted and improved for next time. 

Reach out to the Experts with a Robust Incident Response Plan

We understand that no company wants to experience a data breach. Does your company have any strange indicators of a suspected security breach or cyber attack?

With our strong incident response plan and a team ready for any attack, don’t hesitate to reach out to us at DFI Forensics so we can mitigate system damages.