NIST Incident Lifecycle Visualizer

Explore the four phases of the NIST SP 800-61 incident response lifecycle. Click each phase to see key activities, tools, and outputs. Use the timeline slider to simulate progression through an incident.

How to Use

  • Click a phase on the chart to view detailed information
  • Use the timeline slider to simulate incident progression
  • Each phase shows key activities, recommended tools, and expected outputs

About NIST SP 800-61

NIST Special Publication 800-61 Rev. 2 provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response. Its four-phase lifecycle gives a structured approach to managing security incidents:

  1. Preparation - Building capability before incidents occur
  2. Detection & Analysis - Identifying and understanding incidents
  3. Containment, Eradication & Recovery - Responding to and resolving incidents
  4. Post-Incident Activity - Learning and improving from incidents

This interactive visualizer helps security teams understand how these phases relate to each other and what activities, tools, and outputs are associated with each phase.

Learning Objectives

After using this visualizer, you should be able to:

  • Identify the four phases of the NIST incident response lifecycle
  • Understand the key activities performed in each phase
  • Recognize appropriate tools for each phase
  • Describe the expected outputs from each phase
  • Visualize how an incident progresses through the lifecycle