Which sequence correctly outlines the general steps of incident response?



The sequence tested emphasizes a practical flow that balances getting systems back online with cleaning up the incident. After you identify what happened and its scope, you work to contain the incident to stop further damage. Then you restore essential services so the business can continue operating, even if the full cleanup is still underway. Once things are back up, you eradicate the root cause and any remaining traces of the threat to prevent recurrence. Finally, you review what happened to capture lessons learned and improve future response.

Why this order fits well: recovery is prioritized to minimize downtime and maintain critical operations, while eradication follows to ensure the environment is cleaned up before fully returning to normal. The review comes last, after actions have been taken, so it can inform improvements.

Other sequences misplace steps in ways that can delay restoration or prevent thorough cleanup. For example, eradicating before recovery can prolong downtime, while reviewing before actions are complete doesn’t provide a solid basis for lessons learned.
