Skip to content
Log in

SANS PICERL

Definition

A six-step incident response model developed through SANS Institute training: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. PICERL breaks NIST's combined response phase into discrete named steps, giving teams more granular progress tracking during active incidents.

Related terms

CREST
A UK-based not-for-profit professional body that publishes practitioner-focused incident response guidelines and operates accreditation schemes for IR service providers. CREST guidance emphasises...
Framework blending
The practice of combining elements of multiple IR frameworks: for example, using NIST as the strategic backbone, SANS phase names in operational...
ISO/IEC 27035
An international standard for information security incident management. Part 1 covers principles and concepts; Part 2 covers planning and preparation. It defines...
NIST SP 800-61
The US National Institute of Standards and Technology's Computer Security Incident Handling Guide. It defines a four-phase IR lifecycle: Preparation; Detection and...
Phase granularity
The number and specificity of discrete steps a framework defines within the IR lifecycle. Higher granularity, as in SANS PICERL's six steps...

Explained in

  • Comparing Incident Response FrameworksA six-step incident response model developed through SANS Institute training: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned....

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account