What are the three main phases of the incident response lifecycle according to SANS FOR508?


Multiple Choice

What are the three main phases of the incident response lifecycle according to SANS FOR508?

Explanation:
In SANS FOR508, the incident response lifecycle is built around three distinct phases: preparation, response, and post-incident activities. Preparation involves getting ready before anything happens—policies, playbooks, training, roles, contact lists, and tools so you’re ready to act when an incident occurs. The response phase is the action period during an incident and includes identifying that an incident is happening, containing the spread to limit damage, eradicating the root cause, and recovering normal operations. After the incident, post-incident activities focus on learning from what happened: documenting findings, reporting to stakeholders, and making improvements to processes, controls, and readiness to prevent a recurrence. This framing directly matches FOR508’s three-phase model, which is why it is the best answer. Other options mix phases in ways that align more with generic project-like steps or omit the explicit post-incident learning phase, so they don’t reflect the FOR508 structure.

