Which phase comes after Detection and Analysis and before Eradication and Recovery?

In incident response, after you detect and analyze that an incident is occurring, the next step is containment. The goal of containment is to limit damage and stop the attacker from moving to other systems or data. By isolating affected computers, blocking attacker access, and segmenting networks as needed, you prevent the threat from spreading and create a safer window to investigate further. Once containment has reduced the immediate risk, you proceed to eradicate the threat—removing malware and closing the vulnerabilities that allowed the breach—before recovering and restoring normal operations. Understanding the flow helps: preparation happens before detection, and post-incident activity comes after eradication and recovery to learn from the incident and strengthen defenses.