Which phase of an incident response plan focuses on reviewing and documenting what happened to improve future responses?

Prepare for the Trusted Agent Module 2 Exam. Engage with in-depth quizzes featuring flashcards and multiple-choice questions. Each question comes with hints and detailed explanations to enhance your learning. Equip yourself for exam success!

Multiple Choice

Which phase of an incident response plan focuses on reviewing and documenting what happened to improve future responses?

Explanation:
The phase focused on reviewing and documenting what happened to improve future responses is the Lessons Learned phase. This stage centers on looking back after the incident is contained and resolved to understand what occurred, why it happened, and how the response could be improved. It involves gathering evidence, validating timelines, conducting a root-cause analysis, and producing a post-incident report that distills findings into actionable changes. Those changes become updates to the incident response plan, new or revised playbooks, enhanced controls, better monitoring, and targeted training, all aimed at preventing recurrence and speeding future responses.

Other phases serve different purposes: preparation is about building readiness before incidents, containment aims to stop the incident from spreading, and eradication focuses on removing the attacker and artifacts. None of these center on learning from the incident and systematically applying those lessons to improve future responses the way the Lessons Learned phase does.
