Which phase describes capturing lessons learned to improve future responses in Malware Incident Response?

Enhance your preparation for the Federal IT Security Professional Test. Use quizzes, flashcards, and detailed explanations to ensure success. Stay ahead in the field of IT Security!

Multiple Choice

Which phase describes capturing lessons learned to improve future responses in Malware Incident Response?

Explanation:
Capturing lessons learned to improve future responses is the post-incident learning phase in Malware Incident Response. After containment and eradication, this phase focuses on reviewing what happened, what actions were effective, what gaps were found, and how procedures, tools, and communication can be improved. The goal is to document findings and translate them into updated playbooks, detection rules, runbooks, and training so future responses are faster and more effective.

Collecting evidence for law enforcement belongs to the investigation and evidence handling activities, which prioritize preservation and chain-of-custody concerns for legal action. Patching systems is a remediation activity aimed at removing the threat and fixing vulnerabilities. Training new staff is important for capability building, and while the lessons learned can inform training, the phase itself is specifically about documenting and applying insights to strengthen future responses.
