The SANS Incident Response Process defines six phases (PICERL): Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned, providing granular structure for handling cybersecurity incidents.
The SANS Incident Response Process is a six-phase methodology developed by the SANS Institute for handling cybersecurity incidents. The phases are Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned, often remembered by the acronym PICERL. It is conceptually similar to the NIST SP 800-61 incident response life cycle, but the SANS model separates the phases more granularly and is widely used in SANS training courses, GIAC certifications, and practitioner communities worldwide.
Preparation encompasses all activities that build incident response readiness: policy development, team training, tool deployment, and communication planning. Identification focuses on detecting incidents through monitoring, alerting, and user reporting, then validating that the event is a genuine incident and documenting it. Containment isolates the threat to prevent further damage; SANS splits it into short-term containment (immediate actions such as isolating the affected host), system backup (capturing a forensic image of the affected system before it is altered), and long-term containment (temporary fixes that keep the system in service until it can be rebuilt). Eradication removes all traces of the threat from the environment, including malware, backdoors, and compromised accounts. Recovery restores systems to production, validates their integrity, and monitors for re-infection. Lessons Learned conducts a formal review to document findings and improve future response.
The SANS model's six explicit phases provide clearer handoff points between response activities compared to NIST's four-phase consolidation. The separate Identification phase emphasizes the critical skill of distinguishing real incidents from false positives. The explicit Eradication phase prevents the common mistake of restoring systems before fully removing the threat. SANS certifications like GCIH (GIAC Certified Incident Handler) are built around this methodology, making it the de facto standard for incident response practitioners and a common interview framework.
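The phase ordering and the containment sub-steps described above, as an added example that is not code from this article or from SANS: a small Python incident tracker that refuses the transitions the model warns against (containing an unvalidated event, applying long-term containment before a forensic backup has been hashed, and restoring a system before eradication is recorded). The phase names follow PICERL; the per-phase artifact requirements, the method names, and the sample incident data are this example's own assumptions and are not how any particular case-management tool works.

```python
"""Minimal PICERL incident tracker (illustrative, added example).

Enforces the ordering the SANS model emphasises. Artifact requirements,
method names and sample data below are assumptions made for this example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

PHASES = ["Preparation", "Identification", "Containment", "Eradication",
          "Recovery", "Lessons Learned"]


class PhaseError(Exception):
    """Raised when a transition violates the PICERL ordering."""


@dataclass
class Incident:
    incident_id: str
    phase: str = "Identification"   # Preparation is continuous, not per incident
    timeline: list = field(default_factory=list)
    is_true_positive: bool | None = None
    backup_sha256: str | None = None
    eradicated: list = field(default_factory=list)
    validated_clean: bool = False
    closed: bool = False

    def log(self, entry: str) -> None:
        self.timeline.append(f"[{self.phase}] {entry}")

    def _advance(self, target: str) -> None:
        # Only the next phase in PICERL order is reachable; no skipping.
        if PHASES.index(target) != PHASES.index(self.phase) + 1:
            raise PhaseError(f"cannot jump from {self.phase} to {target}")
        self.phase = target
        self.log("phase entered")

    # Identification: decide true/false positive before anyone touches systems.
    def validate(self, true_positive: bool, evidence: str) -> None:
        if self.phase != "Identification":
            raise PhaseError("validation belongs to Identification")
        self.is_true_positive = true_positive
        self.log(f"validation: {'true' if true_positive else 'false'} positive ({evidence})")
        if not true_positive:
            self.closed = True
            self.log("closed as false positive")

    # Containment: short-term -> forensic backup -> long-term.
    def contain_short_term(self, action: str) -> None:
        if self.closed or not self.is_true_positive:
            raise PhaseError("contain only validated incidents")
        if self.phase == "Identification":
            self._advance("Containment")
        if self.phase != "Containment":
            raise PhaseError("short-term containment is a Containment step")
        self.log(f"short-term containment: {action}")

    def forensic_backup(self, image: bytes) -> str:
        if self.phase != "Containment":
            raise PhaseError("backup is a Containment step")
        self.backup_sha256 = hashlib.sha256(image).hexdigest()
        self.log(f"forensic image captured, sha256={self.backup_sha256}")
        return self.backup_sha256

    def contain_long_term(self, fix: str) -> None:
        if self.phase != "Containment" or self.backup_sha256 is None:
            raise PhaseError("hash a forensic backup before long-term containment")
        self.log(f"long-term containment: {fix}")

    # Eradication: record every indicator removed so Recovery can be justified.
    def eradicate(self, indicators: list[str]) -> None:
        if self.phase == "Containment":
            self._advance("Eradication")
        if self.phase != "Eradication":
            raise PhaseError("eradication follows containment")
        self.eradicated.extend(indicators)
        self.log("removed: " + ", ".join(indicators))

    # Recovery: blocked until eradication has actually been recorded.
    def recover(self, integrity_check_passed: bool) -> None:
        if self.phase != "Eradication" or not self.eradicated:
            raise PhaseError("recovery before eradication is the mistake PICERL guards against")
        self._advance("Recovery")
        self.validated_clean = integrity_check_passed
        self.log(f"restored to production, integrity check {'passed' if integrity_check_passed else 'FAILED'}")

    def lessons_learned(self) -> str:
        if self.phase != "Recovery" or not self.validated_clean:
            raise PhaseError("review follows a validated recovery")
        self._advance("Lessons Learned")
        self.closed = True
        return "\n".join(self.timeline)


def run_sample() -> Incident:
    """Walk one constructed incident (sample data, not a real case) through all phases."""
    inc = Incident("INC-0001")
    inc.validate(True, "EDR alert confirmed: unsigned binary spawning cmd.exe")
    inc.contain_short_term("host isolated via EDR network containment")
    inc.forensic_backup(b"constructed disk image bytes")
    inc.contain_long_term("temporary firewall rule applied, rebuild scheduled")
    inc.eradicate(["C:\\Users\\Public\\svchost.exe", "local account 'backup_svc'"])
    inc.recover(integrity_check_passed=True)
    inc.lessons_learned()
    return inc
```

The timeline each method appends is the incident's own record, so the Lessons Learned report falls out of the data the earlier phases were forced to produce; the hash stored at backup time is the value later compared against the image when it is handed to forensics.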
CDA operators are trained in both NIST and SANS methodologies, enabling them to work within whichever framework a client organization has adopted. Our theater missions reference both frameworks in their documentation, and our C-DRILL campaigns use the SANS PICERL model for tabletop exercise design. CDA's certification paths in the Institute include SANS-aligned training for the TID domain.
CDA Theater missions that address topics covered in this article.
Evidence collection and chain of custody ensure digital evidence maintains integrity and legal admissibility through forensically sound gathering techniques, cryptographic verification, and documented handling records.
Incident response plan development creates a structured, documented approach for handling cybersecurity incidents, defining roles, procedures, and communication protocols to enable rapid, coordinated response.
Written by CDA Editorial