Which of the following is NOT typically considered part of incident response?

Incident response focuses on detecting and quickly addressing security incidents, preserving evidence, and restoring normal operations. It covers how an organization identifies an incident, investigates its scope, contains the threat, eradicates it, and recovers systems, along with post-incident analysis and communication to stakeholders. Disaster recovery at the primary site falls outside the typical scope of incident response. DR is about restoring IT services and business operations after a disruption, often after a broader disaster, and involves recovery plans, alternate sites, backup restoration, and continuity timelines (RTO/RPO). Those activities are part of business continuity and disaster recovery planning rather than the immediate incident-handling actions of detection, containment, investigation, remediation, and post-incident learning. While IR may trigger DR actions, the primary focus of incident response is the incident-specific response, not the broader recovery of operations at the primary site. That’s why the option describing disaster recovery at the primary site is the one not typically considered part of incident response.