Which of the following is the first phase in the NIST incident response lifecycle?

Understanding the order of the NIST incident response lifecycle phases. Preparation comes first because it builds the foundation for everything that follows. In this phase you establish policies and roles, form and train the incident response team, create and test runbooks, set up monitoring, logging, and detection tools, inventory critical assets, and plan communications. All of this readiness is what makes detection, analysis, containment, and recovery possible and effective when an real incident occurs. Without solid preparation, once an incident happens there’s no coordinated plan, making detection unreliable and response slower and more chaotic. The other options reflect stages that come after preparation: detecting and analyzing the incident, containing its spread, recovering and restoring operations, and reviewing what happened to improve defenses.