Where is the bulk of the incident response time spent?

Study material for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) test.

Multiple Choice

Where is the bulk of the incident response time spent?

Explanation:
The bulk of the time goes to containment paired with building the attacker profile (intelligence development), the phase that sits between identification and eradication.

Once an incident is detected, the priority is to stop the attacker from moving laterally or exfiltrating data. Containment requires coordinated action across networks and systems: isolating affected hosts, blocking command-and-control (C2) channels, revoking compromised credentials and tightening segmentation. It is large in scope and collaboration-intensive, spanning many systems and teams, so it consumes a substantial share of the response timeline.

In parallel, intelligence development (collecting artifacts, logs, indicators of compromise (IOCs) and attacker techniques to establish scope and method) guides the containment actions and is what prevents re-entry. It is iterative: each indicator found on one host is swept across the environment, each newly identified host yields further indicators, and findings must be validated before they are acted on. Acting on an incomplete picture is the practical risk here: isolating the first host found, before the sweep has identified the attacker's other footholds and credentials, leaves those footholds intact and can alert the adversary that they have been noticed.

Eradication and recovery follow once containment holds and the attack is understood, but they depend on the groundwork laid in this phase. Discovery starts the process; in complex incidents, the heavy lifting is the containment and intelligence work.
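The iterative scoping loop described above is the concrete reason the containment and intelligence-development phase takes so long. The following is an added example, not code from the page or from SANS FOR508 course material: a small sweep that alternates between matching known indicators against endpoint telemetry and harvesting new indicators from the hosts that matched, until a full round adds nothing. The telemetry records, field names and pivot rules (hash executed, destination contacted, account used for a lateral logon) are constructed assumptions for this example.

```python
"""Iterative scoping sweep over endpoint telemetry (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record. Field names are assumptions for this example."""
    host: str
    kind: str            # "logon", "process" or "netconn"
    account: str = ""    # account that logged on or ran the process
    src_host: str = ""   # logon events: where the session came from
    sha256: str = ""     # process events: hash of the executed image
    dst_ip: str = ""     # netconn events: remote address contacted


# Constructed sample telemetry: three compromised hosts (WS01 -> SRV02 -> WS07)
# plus two unrelated hosts (WS09, WS03) that must stay out of scope.
EVENTS = [
    Event("WS01", "process", account="alice", sha256="aaa111"),
    Event("WS01", "netconn", dst_ip="203.0.113.10"),
    Event("SRV02", "logon", account="svc_backup", src_host="WS01"),
    Event("SRV02", "process", account="svc_backup", sha256="bbb222"),
    Event("SRV02", "netconn", dst_ip="203.0.113.10"),
    Event("WS07", "logon", account="svc_backup", src_host="SRV02"),
    Event("WS07", "process", account="svc_backup", sha256="bbb222"),
    Event("WS09", "logon", account="bob", src_host="WS03"),
    Event("WS09", "netconn", dst_ip="198.51.100.5"),
    Event("WS03", "process", account="bob", sha256="ccc333"),
]


@dataclass
class Scope:
    """Everything currently believed to be part of the incident."""
    hosts: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    c2_ips: set = field(default_factory=set)

    def snapshot(self):
        return (frozenset(self.hosts), frozenset(self.hashes),
                frozenset(self.accounts), frozenset(self.c2_ips))


def match_round(events, known):
    """Return hosts whose events carry an indicator from the 'known' snapshot."""
    hosts, hashes, accounts, c2_ips = known
    hit = set()
    for e in events:
        if (e.sha256 and e.sha256 in hashes) or (e.dst_ip and e.dst_ip in c2_ips):
            hit.add(e.host)
        elif e.kind == "logon" and (e.account in accounts or e.src_host in hosts):
            hit.add(e.host)
    return hit


def harvest(events, scope):
    """Pull new indicators from in-scope hosts' events.

    In a real case each harvested indicator is vetted (known-good hashes,
    legitimate destinations, shared service accounts) before it drives the
    next round; the constructed data here has no such overlap.
    """
    for e in events:
        if e.kind == "process" and e.host in scope.hosts and e.sha256:
            scope.hashes.add(e.sha256)
        elif e.kind == "netconn" and e.host in scope.hosts and e.dst_ip:
            scope.c2_ips.add(e.dst_ip)
        elif e.kind == "logon" and e.src_host in scope.hosts and e.account:
            scope.accounts.add(e.account)   # credential used to move laterally


def scope_incident(events, seed_hashes=(), seed_hosts=(), max_rounds=20):
    """Expand scope until a full round adds nothing. Returns (scope, rounds)."""
    scope = Scope(hosts=set(seed_hosts), hashes=set(seed_hashes))
    for rounds in range(1, max_rounds + 1):
        known = scope.snapshot()                 # match against the start-of-round picture
        scope.hosts |= match_round(events, known)
        harvest(events, scope)
        if scope.snapshot() == known:            # nothing new: scope has converged
            return scope, rounds
    return scope, max_rounds


if __name__ == "__main__":
    final, n = scope_incident(EVENTS, seed_hashes=("aaa111",))
    print(f"converged after {n} rounds: hosts={sorted(final.hosts)}")
```

Starting from the single hash found on the first host, the sweep needs three rounds before it converges on WS01, SRV02 and WS07, the service account and the C2 address, while WS09 and WS03 stay out of scope. Seeding from WS07 instead pivots backwards through the shared hash and the C2 address to reach WS01. Containing only WS01 after the first round would have left SRV02 and WS07 untouched, which is the premature-containment failure the explanation warns about.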
