Last updated: April 29, 2026
Why this module exists. Every CISO knows the NIST IR lifecycle (Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned). Few have actually executed it under pressure. The translation from textbook diagram to “the breach is happening, what do we do at 02:30 IST” is what separates exercises from outcomes.
The lifecycle in operational terms
| Phase | What happens | Output |
|---|---|---|
| Prepare | Build the runbook before the breach | Tested IR plan, on-call rotation, comms templates |
| Identify | Confirm: is this real? | Severity classification, scope estimate |
| Contain | Stop the bleed | Isolated systems, blocked C2, disabled accounts |
| Eradicate | Remove the threat | Cleaned systems, rotated credentials, removed persistence |
| Recover | Return to normal operations | Restored services, verified clean, monitoring |
| Lessons Learned | Improve | Post-incident report, control updates, training |