
Incident Response

Six steps

  1. prepare: establish a formal incident response plan
  2. identify: monitor network and system events, correlate alerts, and detect anomalous behavior to confirm whether a security incident has occurred
  3. contain: isolate compromised systems to stop the attack from spreading
  4. eradicate: remove the threat and eliminate the attacker's foothold; patch the vulnerabilities that allowed the breach to happen
  5. recovery: restore clean systems to production, verify they are operating normally, and resume standard business practices
  6. lessons learned: analyze the incident to understand how the attacker got in
incident_response.txt · Last modified: by reidjs