Each of the following is a valid step in handling incidents except:

Prosecuting an incident is not typically considered a valid step in the standard incident handling process. The common incident handling steps usually include containment, recovery, and review, which focus on effectively managing and mitigating the impact of the security incident rather than the legal repercussions.

Containment involves stopping the incident from causing further damage, which is a critical immediate response. Recovery focuses on restoring affected systems and services to normal operations after an incident has occurred. The review step involves assessing the incident and the response to it, which is essential for improving future incident response efforts and identifying any weaknesses in security practices.

While prosecution may be a consequence of an incident involving criminal activity, it is not part of the day-to-day incident management process. Incident handlers typically work on technical and procedural aspects rather than legal actions, which are handled by law enforcement or legal departments later in the process.