The [[SANS Institute|SANS]] Incident Response Process consists of six steps:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

It goes in a circle:

```mermaid
flowchart TD
    p[Preparation] --> i[Identification]
    i --> c[Containment]
    c --> e[Eradication]
    e --> r[Recovery]
    r --> l[Lessons Learned]
    l --> p
```

[[Incident Response & Computer Forensics, Third Edition]] is worth a read to learn more.

[The ATC RE&CT framework](https://atc-project.github.io) is an interesting implementation of the lifecycle.