What Is IR Phase Sequencing?
Incident Response phase sequencing is the process of executing IR lifecycle steps in the correct order during a security incident. The CySA+ CS0-003 exam heavily tests your ability to identify which phase comes next given a specific scenario — and the most common trap is confusing when to escalate versus when to continue triaging. Getting this wrong on the exam means losing points on scenario-based questions that make up a significant portion of Domain 3.
The NIST IR Lifecycle — Four Phases You Must Know
The NIST SP 800-61 Incident Response lifecycle has four phases every CySA+ candidate must memorize in order. Phase 1 is Preparation — building IR plans, playbooks, and team readiness before an incident occurs. Phase 2 is Detection and Analysis — identifying that an incident has occurred and determining its scope and severity. Phase 3 is Containment, Eradication, and Recovery — stopping the spread, removing the threat, and restoring systems. Phase 4 is Post-Incident Activity — lessons learned, documentation, and process improvement. The exam will give you scenarios and ask which phase applies or what the next action should be.
Triage vs Escalation — The CySA+ Exam Trap
Triage means analyzing and prioritizing an incident to understand its scope, severity, and impact before taking action. Escalation means passing the incident to a higher authority — senior analyst, IR team lead, legal, management, or law enforcement — when it exceeds your authority or capability to handle. The exam trap is this: candidates escalate too early. If you have enough information to contain the threat and it falls within your authority, you contain first and document. You only escalate when the incident scope exceeds your role, when legal or regulatory notification is required, when evidence of a nation-state or APT actor is found, or when the incident affects critical infrastructure or executive systems.
When to Triage vs When to Escalate — Scenario Decision Tree
Triage first when you detect unusual network traffic from a single endpoint, when a user reports a phishing email they clicked, when malware is found on an isolated workstation, or when an IDS alert fires on a known signature. Escalate immediately when ransomware has encrypted multiple systems across the network, when PII or PHI data exfiltration is confirmed, when a C-suite executive account is compromised, when the attack appears coordinated and persistent, or when your organization’s IR policy mandates notification to legal or compliance teams within a specific timeframe.
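Added example, not part of the original guide: the decision tree above encoded as a small Python checklist, so every escalation trigger is evaluated and recorded rather than the first one short-circuiting. The Incident fields and the sample scenarios are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Incident:
    """Constructed summary of what triage has established so far (assumed fields)."""
    affected_hosts: int = 1
    ransomware: bool = False
    regulated_data_exfil_confirmed: bool = False   # PII / PHI confirmed leaving the network
    executive_account_compromised: bool = False    # C-suite account
    coordinated_persistent: bool = False           # APT-like, multi-stage activity
    policy_requires_notification: bool = False     # legal/compliance clock is running


def next_action(inc: Incident) -> tuple[str, list[str]]:
    """Return ("escalate", reasons) or ("triage", []) per the decision tree above."""
    reasons: list[str] = []
    # Ransomware on one isolated box is still triaged first; spread is the trigger.
    if inc.ransomware and inc.affected_hosts > 1:
        reasons.append("ransomware across multiple systems")
    if inc.regulated_data_exfil_confirmed:
        reasons.append("confirmed PII/PHI exfiltration (regulatory notification)")
    if inc.executive_account_compromised:
        reasons.append("executive account compromised")
    if inc.coordinated_persistent:
        reasons.append("coordinated, persistent activity (possible APT)")
    if inc.policy_requires_notification:
        reasons.append("IR policy mandates legal/compliance notification")
    return ("escalate", reasons) if reasons else ("triage", [])


# Constructed sample scenarios mirroring the decision tree
SCENARIOS = {
    "single endpoint beaconing": Incident(affected_hosts=1),
    "malware on isolated workstation": Incident(affected_hosts=1, ransomware=True),
    "ransomware on 40 hosts": Incident(affected_hosts=40, ransomware=True),
    "PHI exfiltration confirmed": Incident(regulated_data_exfil_confirmed=True),
}

if __name__ == "__main__":
    for name, inc in SCENARIOS.items():
        action, why = next_action(inc)
        detail = f" ({'; '.join(why)})" if why else ""
        print(f"{name:32s} -> {action}{detail}")
```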
Containment Strategy — Short-Term vs Long-Term
Short-term containment stops the bleeding without destroying evidence. This includes isolating affected systems from the network, blocking malicious IP addresses at the firewall, disabling compromised user accounts, and capturing memory dumps and volatile data before powering down. Long-term containment prepares the environment for eradication while keeping business operations running. This includes rebuilding systems from known-good images, patching the exploited vulnerability, and implementing temporary workarounds. The CySA+ exam distinguishes between these two — know which actions belong to each.
Key CySA+ CS0-003 Exam Takeaways
The NIST IR lifecycle phases are Preparation, Detection and Analysis, Containment, Eradication, and Recovery, and Post-Incident Activity — in that exact order. Triage comes before escalation in most scenarios — analyze the scope before passing it up. Escalate when the incident exceeds your authority, involves regulatory reporting requirements, or shows signs of APT activity. Short-term containment preserves evidence while long-term containment prepares for eradication. Documentation happens throughout every phase — not just at the end. The lessons learned phase is not optional — it feeds back into the Preparation phase to strengthen future response.