Multiple Choice

Which sequence correctly lists the steps for handling an incident?

Explanation:
Incident handling follows a structured response lifecycle: preparation, then detection and analysis, then containment, eradication, and recovery, and finally post-incident activity. This order matters because you must be ready with people, playbooks, and tools before anything occurs; you need to detect and understand what happened before you can limit damage; containment must come first to stop the incident from spreading, followed by eradicating the root cause and restoring services; and post-incident activity captures what was learned to improve defenses and responses.

Sequences that skip or reorder these steps disrupt the flow. For example, trying to contain without first detecting and analyzing what happened can lead to incomplete or misdirected responses. Post-incident activity before any detection or containment doesn't make sense because there's nothing to learn from yet. A flow that folds containment, eradication, and recovery into a single undifferentiated step also loses the logical progression from stopping the incident to removing it and then restoring operations.
