What are the main components of a cybersecurity incident response plan?

Practice question for the SPEA-V 369 Managing Information Technology exam.

Multiple Choice

What are the main components of a cybersecurity incident response plan?

Explanation:
Think of incident response as a lifecycle that starts before an incident and ends with improvements after it. A complete plan includes six key phases: preparation, detection and analysis, containment, eradication, recovery, and post-incident lessons. Preparation builds the foundation—roles, runbooks, training, and communication plans so the team can act quickly and coherently. Detection and analysis identify that an incident is happening and determine its scope and impact, guiding the next steps. Containment focuses on limiting the damage and preventing the threat from spreading. Eradication removes the attacker’s presence and the root cause from affected systems. Recovery restores normal operations and validates that systems are secure and functioning correctly. Post-incident lessons capture what worked, what didn’t, and how defenses and responses should be improved for the future. The other options miss essential phases or use terms that don’t align with the standard incident response lifecycle, leaving gaps in how effectively an incident is prepared for, detected, contained, cleaned up, and learned from.