1. prepare: establish a formal incident response plan with defined roles, escalation contacts and playbooks, and make sure the logging and tooling needed to investigate are in place before an incident happens
2. identify: monitor network and system events, correlate alerts, and detect anomalous behavior to confirm whether a security incident has occurred and determine its scope
3. contain: isolate compromised systems (network isolation, credential revocation, blocking attacker infrastructure) to stop the attack from spreading, while preserving evidence for analysis
4. eradicate: remove the threat and the attacker's foothold (malware, persistence mechanisms, rogue accounts), and patch the vulnerabilities that allowed the breach to happen
5. recover: restore clean systems to production, verify they are operating normally and show no sign of reinfection, then resume standard business practices
6. lessons learned: analyze the incident to understand how the attacker got in, which detection or response gaps it exposed, and update the plan and controls accordingly
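The identify step is the one most often left vague in outlines like this, so here is an added example (not part of the original notes) of what "correlate alerts and detect anomalous behavior" looks like in practice: a small Python script that parses constructed sshd-style log lines, correlates repeated failed logins from one source with a subsequent successful login from the same source inside a time window, and returns confirmed incidents plus the containment actions (step 3) they imply. The log lines, thresholds and helper names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines for the example; not from a real system.
# 203.0.113.7 sprays several accounts and then gets in as "ubuntu".
# 198.51.100.4 is a user who mistyped a password once; 192.0.2.9 never succeeds.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:03Z sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-05-01T10:00:05Z sshd[1203]: Failed password for admin from 203.0.113.7 port 51244 ssh2
2024-05-01T10:00:07Z sshd[1204]: Failed password for admin from 203.0.113.7 port 51250 ssh2
2024-05-01T10:00:09Z sshd[1205]: Failed password for ubuntu from 203.0.113.7 port 51255 ssh2
2024-05-01T10:00:12Z sshd[1206]: Accepted password for ubuntu from 203.0.113.7 port 51260 ssh2
2024-05-01T10:05:00Z sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-05-01T10:05:20Z sshd[1301]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
2024-05-01T11:00:00Z sshd[1400]: Failed password for bob from 192.0.2.9 port 33000 ssh2
2024-05-01T11:30:00Z sshd[1401]: Failed password for bob from 192.0.2.9 port 33001 ssh2
"""

# Matches the two sshd message shapes the example cares about; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_lines(text):
    """Turn raw log text into event dicts; malformed or unrelated lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def correlate_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Confirm an incident when one source IP produces >= `threshold` failures inside
    `window` and then an Accepted login from the same IP. Failures alone (192.0.2.9)
    or a single typo before success (198.51.100.4) stay below the bar."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    incidents = []
    for ip, evs in by_ip.items():
        failures = []  # sliding window of recent failures for this IP
        for e in evs:
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if e["result"] == "Failed":
                failures.append(e)
            elif len(failures) >= threshold:
                incidents.append({
                    "ip": ip,
                    "compromised_user": e["user"],
                    "failed_attempts": len(failures),
                    "users_tried": sorted({f["user"] for f in failures}),
                    "first_seen": failures[0]["ts"],
                    "success_at": e["ts"],
                })
                failures = []
    return incidents


def containment_plan(incidents):
    """Map confirmed incidents to the immediate containment actions of step 3:
    block the attacking source and suspend the account it got into."""
    return {
        "block_ips": sorted({i["ip"] for i in incidents}),
        "disable_accounts": sorted({i["compromised_user"] for i in incidents}),
    }


if __name__ == "__main__":
    found = correlate_brute_force(parse_lines(SAMPLE_LOG))
    for inc in found:
        print(f"INCIDENT: {inc['ip']} tried {inc['users_tried']} "
              f"({inc['failed_attempts']} failures) and logged in as "
              f"{inc['compromised_user']} at {inc['success_at']:%H:%M:%S}")
    print("containment:", containment_plan(found))
```

Run against the embedded sample, this reports one incident for 203.0.113.7 (five failures across root, admin and ubuntu, then a successful ubuntu login) and proposes blocking that IP and disabling the ubuntu account; the single failed attempt from 198.51.100.4 and the slow, unsuccessful attempts from 192.0.2.9 do not meet the correlation rule. Tune `threshold` and `window` to the environment, and treat the output as an alert for a human to verify before containment, since a legitimate user can also fail several times in a row.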