In incident response planning, which activity ensures policies stay current with evolving threats?

The main concept being tested is the feedback loop that updates incident response policies based on what actually happens during incidents. After an incident, post-incident activity collects what worked well and what didn’t, documents lessons learned, and revises runbooks, escalation paths, and control requirements. This reflection is what ensures policies stay current as threat landscapes shift, enabling the organization to update detection rules, procedures, and defenses accordingly. Preparation focuses on readiness before incidents, containment on stopping the incident, and eradication on removing the threat; while important, those steps don’t by themselves drive policy updates to reflect evolving threats—that comes from the post-incident review and resulting policy changes.