NIST IR phases: 1. Preparation → 2. Detection & Analysis → 3. Containment, Eradication & Recovery → 4. Post-Incident Activity. SANS: PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).
Preparation is the most important phase: an IR plan you've never tested fails under pressure. Practice via tabletop exercises and fire drills. NIST SP 800-61 is the authoritative incident handling guide. Detection is often the hardest phase: average dwell time is 200+ days for sophisticated attacks.