PICERL Incident Response Lifecycle

Six phases in a closed loop — Lessons Learned feeds back into Preparation. Time labels show typical effort per phase.

flowchart LR
    P["Preparation<br/>Plans, runbooks, training, tooling<br/>ongoing — before any incident"]:::blue
    I["Identification<br/>Detect, triage, declare<br/>hours"]:::slate
    C["Containment<br/>Short-term and long-term<br/>minutes to hours"]:::amber
    E["Eradication<br/>Remove attacker access and artifacts<br/>days"]:::slate
    R["Recovery<br/>Restore services, monitor closely<br/>weeks"]:::slate
    L["Lessons Learned<br/>Post-incident review, durable improvements<br/>weeks after"]:::blue
    P --> I --> C --> E --> R --> L
    L -. "feedback: improve preparation" .-> P
    classDef blue fill:#1565c0,stroke:#0d3a73,stroke-width:1.5px,color:#ffffff
    classDef slate fill:#455a64,stroke:#2b383d,stroke-width:1.5px,color:#ffffff
    classDef amber fill:#ffa000,stroke:#c77700,stroke-width:1.5px,color:#3a2a00
    linkStyle 5 stroke:#1565c0,stroke-width:2px,color:#1565c0

Legend:
Blue: Preparation & Lessons Learned (the durable, between-incident phases)
Amber: Containment (most time-critical)
Slate: Active-incident phases

The dashed blue arrow is the loop that makes PICERL a lifecycle: what you learn from one incident hardens your preparation for the next.

