Post-incident analysis (lessons learned)

After the incident has been resolved or, at least, controlled, the organization should perform an after action review (AAR) to discuss the events that took place, the actions of all the stakeholders, and what could be learned from it. This process should include all four stages, from lessons not learned/solutions not implemented from past incidents, through to changes required in the planning phase, through to ways of speeding up detection, reaction, and remediation.

The post-incident analysis is less about how the incident happened (that should already be well understood in order to contain, eradicate, and recover) and more about how we prevent, react, and recover better, stronger, and faster next time.

During this phase, data should be collected to determine the cost of the incident, to measure the effectiveness of the CSIRT, and to highlight any possible weaknesses. A policy should also be generated about how, and for how long, evidence should be retained. There may be other industry-specific requirements for reporting, or investigations required for regulatory purposes; these should also be prepared for at this stage.
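As an added example (not from the original text), the following Python turns a constructed incident timeline and the action items from an earlier review into the numbers an AAR is built around: time in each phase (dwell, reaction, eradication, recovery), a rough incident cost, and the prior lessons that were never implemented. The timeline, action items, and cost model are all assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample timeline (not from any real incident); ISO-8601 UTC timestamps.
TIMELINE = {
    "first_activity": "2024-03-01T02:10:00",  # earliest attacker activity found in logs
    "detection":      "2024-03-02T09:45:00",  # alert confirmed as a true positive
    "containment":    "2024-03-02T14:20:00",  # affected hosts isolated
    "eradication":    "2024-03-03T18:00:00",  # persistence removed, credentials rotated
    "recovery":       "2024-03-04T11:30:00",  # services restored
}

# Constructed action items from a previous incident's review and their status.
PAST_ACTION_ITEMS = [
    {"id": "AI-1", "action": "Deploy EDR to all servers", "implemented": True},
    {"id": "AI-2", "action": "Alert on new local admin accounts", "implemented": False},
]

PHASES = ["first_activity", "detection", "containment", "eradication", "recovery"]


def phase_hours(timeline=TIMELINE):
    """Hours spent between consecutive phases: dwell time (to detection),
    reaction (to containment), eradication, and recovery. These are the
    values the AAR tries to drive down for the next incident."""
    t = {p: datetime.fromisoformat(timeline[p]) for p in PHASES}
    return {f"{a}->{b}": round((t[b] - t[a]).total_seconds() / 3600, 2)
            for a, b in zip(PHASES, PHASES[1:])}


def total_hours(timeline=TIMELINE):
    """End-to-end duration from first attacker activity to full recovery."""
    start = datetime.fromisoformat(timeline[PHASES[0]])
    end = datetime.fromisoformat(timeline[PHASES[-1]])
    return round((end - start).total_seconds() / 3600, 2)


def estimated_cost(timeline=TIMELINE, outage_cost_per_hour=500.0,
                   responder_hours=40.0, responder_rate=120.0):
    """Assumed simple cost model: outage cost for the window services were
    affected (detection to recovery) plus responder labour. Real cost data
    (lost revenue, legal, notification) would replace these constants."""
    h = phase_hours(timeline)
    outage = sum(v for k, v in h.items() if not k.startswith("first_activity"))
    return round(outage * outage_cost_per_hour + responder_hours * responder_rate, 2)


def lessons_not_learned(items=PAST_ACTION_ITEMS):
    """IDs of action items from earlier incidents that were never implemented;
    these belong at the top of the new review's findings."""
    return [i["id"] for i in items if not i["implemented"]]
```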
