Which activity is part of the Preparation phase in the NIST lifecycle?
A. Restoring systems from backups.
B. Documenting postmortem reports.
C. Identifying compromised accounts.
D. Conducting response drill scenarios.
The Answer Is: D
Explanation:
Preparation is the phase where organizations build readiness before incidents occur—people, process, and technology. Conducting response drill scenarios (D), such as tabletop exercises or simulation drills, is a core preparation activity because it validates playbooks, escalation paths, tooling access, and decision-making under time pressure. In Proofpoint-focused IR, drills commonly simulate credential phishing leading to account takeover, or BEC invoice fraud, requiring coordinated actions across TAP triage, Smart Search message tracing, TRAP post-delivery pulls, IAM containment (password reset/token revocation/MFA enforcement), and business verification procedures. The goal is to ensure responders can execute quickly and consistently, and to discover gaps such as missing log retention, unclear ownership for blocklists, or untested comms templates. Restoring from backups (A) is recovery, documenting postmortems (B) is post-incident activity, and identifying compromised accounts (C) is detection/analysis. In practice, preparation drills measurably reduce mean-time-to-contain by ensuring analysts already know where to find Proofpoint evidence (headers, verdicts, click telemetry) and how to trigger remediation workflows without delay.