During which phase are incident response teams activated?

Prepare for the Security Incident Response (SIR) Test with flashcards and multiple choice questions. Each question provides hints and explanations to guide your study. Get ready to ace your exam!

The activation of incident response teams typically occurs during the Containment, Eradication, and Recovery phase. This phase is crucial as it focuses on managing the incident once it has been confirmed and analyzed. Teams are called upon to implement strategies to contain the threat, eliminate the root cause, and restore affected systems to normal operations. The activation is essential to ensure that the organization can promptly address and minimize damage from the security incident.

In contrast, other phases don’t involve the direct activation of incident response teams in the same way. During the Preparation phase, teams are trained, and plans are formulated, but they are not deployed yet. The Detection and Analysis phase involves identifying and assessing the incident but does not necessarily mean that teams are actively engaged in operational response. The Post-Incident Activity phase focuses on reviewing the incident and improving procedures based on lessons learned rather than immediate response actions. Thus, the role of the incident response team is most prominent and critical during the Containment, Eradication, and Recovery phase, making that option the correct choice.
