Skip to content
Log in

PICERL

Definition

Acronym for the six SANS IR stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The model is cyclical: the final stage feeds back into the first.

Related terms

After-Action Report (AAR)
The formal document produced during Lessons Learned that records the incident timeline, decisions made, outcomes, and recommended improvements. The AAR drives updates...
Containment strategy
A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
Eradication
The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
Incident declaration
The formal decision, made during the Identification stage, that a detected event meets the organisation's criteria for a security incident. Declaration triggers...
NIST SP 800-61
The US National Institute of Standards and Technology's Computer Security Incident Handling Guide. It defines a four-phase IR lifecycle: Preparation; Detection and...

Explained in

  • The SANS PICERL ModelAcronym for the six SANS IR stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The model is cyclical: the final stag...

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account