As much as it's important to end the service disruption and enable the business to operate, it's also important to perform a post-mortem after resolving the cybersecurity incident. Cybersecurity is a continuous learning space and, only by learning from the past, can organizations can truly mature in their cybersecurity practice. In the post-incident activity phase, the team reviews the cybersecurity incident to deeply understand how the attack happened in the first place and what could have been done to prevent the attack happening, as well as how to improve the approach to incident response. The findings of the post-incident activity phase directly impact how phase 1 (preparation) is performed moving forward.