RS0001 | Preparation | Prepare for a security incident. |
RS0002 | Identification | Gather information about a threat that has triggered a security incident, its TTPs, and affected assets. |
RS0003 | Containment | Prevent a threat from achieving its objectives and/or spreading around an environment. |
RS0004 | Eradication | Remove a threat from an environment. |
RS0005 | Recovery | Recover from the incident and return all assets to normal operation. |
RS0006 | Lessons Learned | Discover how to improve the Incident Response process and implement the improvements. |