Pillar · Incident Response

Incident Response: Prepare Before the Alarm

NIST-aligned playbooks, templates, and training for every phase of incident response. From preparation through lessons learned, build the capability to detect, contain, and recover from security incidents.

At a glance: 6 IR phases · 5 incident types · 6 templates · aligned to NIST SP 800-61r3

The Incident Response Lifecycle

Based on NIST SP 800-61r3 (2024). NIST groups Containment, Eradication, and Recovery into a single phase; we break them out because they have distinct objectives, different decision points, and often involve different teams. This aligns with the SANS 6-step model used in most operational IR training. Each phase is covered in detail below.
  1. Preparation: policies, tools, team, training
  2. Detection & Analysis: indicators, triage, classification
  3. Containment: short-term, long-term, evidence
  4. Eradication: root cause removal, hardening
  5. Recovery: restore, monitor, validate
  6. Post-Incident Activity: lessons learned, process improvement
Phase 1: Preparation
Preparation is the foundation of effective incident response. Without documented plans, trained personnel, and tested tools, every other phase falls apart under the pressure of a real incident.
  • Develop and maintain an IR plan that defines roles, escalation paths, and communication procedures. Review and update at least annually or after any significant incident.
  • Build your IR toolkit: forensic imaging software, network packet capture tools, chain-of-custody forms, evidence bags, and a jump bag for on-site response.
  • Establish relationships with law enforcement (FBI IC3, local field office), your legal counsel, cyber insurance carrier, and any third-party forensic firms before you need them.
  • Run tabletop exercises quarterly to validate your plan and build muscle memory. Include executives, legal, HR, and communications, not just the technical team.
Phase 2: Detection & Analysis
Detection is where most organizations struggle. The median dwell time for attackers in 2024 was 10 days (Mandiant M-Trends 2024). Faster detection means smaller blast radius.
  • Monitor multiple indicator sources: SIEM alerts, EDR detections, network flow anomalies, user reports, and threat intelligence feeds. No single source catches everything.
  • Triage and validate before escalating. Determine whether the event is a true positive, false positive, or benign activity. Document your reasoning.
  • Classify severity and scope using a predefined scale (SEV-1 through SEV-4). Severity drives the response speed, team composition, and communication requirements.
  • Begin documentation immediately. Create an incident ticket with timeline, affected systems, indicators of compromise (IOCs), and analyst notes. This becomes your legal record.
Phase 3: Containment
Containment balances two competing priorities: stopping the attacker's lateral movement and preserving forensic evidence. Move too fast and you lose evidence. Move too slow and the attacker expands their foothold.
  • Short-term containment: Isolate affected systems from the network immediately. Disable compromised accounts. Block known malicious IPs and domains at the firewall and DNS level.
  • Preserve evidence first: Before reimaging or wiping any system, capture a forensic disk image and volatile memory dump. Document the chain of custody.
  • Long-term containment: Apply temporary fixes (patch the vulnerability, reset all potentially affected credentials) while preparing for eradication. Set up enhanced monitoring on adjacent systems. Notify legal if the incident may trigger regulatory reporting, and inform business owners of any service disruptions caused by containment actions.
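As an added example (not code from the original page), the "preserve evidence first" step above can be backed by a small hash-verified chain-of-custody log: each handling action records who touched the item, when, and its SHA-256 at that moment, and a later verification confirms the image is unchanged before anyone relies on it. The JSON-lines log format, the action names, the handler names and the sample "memory image" are all constructed for this illustration. The same verify step is what the Recovery phase's "validate data integrity" check needs when restored files are compared against a hashed backup manifest.

```python
"""Evidence preservation with a hash-verified chain-of-custody log.

Added example, not part of the original page. The JSON-lines custody log,
the action names ("acquired", "transferred") and the sample evidence file
are assumptions made for this illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Tuple


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large disk or memory images fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody(log_path: str, evidence_path: str, handler: str, action: str, note: str = "") -> dict:
    """Append one custody entry: who handled which item, when, and its hash at that moment."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "handler": handler,
        "action": action,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(log_path: str, evidence_path: str) -> bool:
    """True only if the item's current hash matches the hash recorded at acquisition."""
    name = os.path.basename(evidence_path)
    with open(log_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    acquired = [e for e in entries if e["evidence"] == name and e["action"] == "acquired"]
    if not acquired:
        return False  # no acquisition record: the item has no provenance
    return sha256_file(evidence_path) == acquired[0]["sha256"]


def demo() -> Tuple[bool, bool]:
    """Run the flow against a constructed 'memory image' in a temporary directory.

    Returns (verification result before tampering, verification result after).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "host42-mem.raw")
        log = os.path.join(workdir, "custody.jsonl")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample memory image")
        record_custody(log, image, "analyst.a", "acquired", "volatile memory captured before isolation")
        record_custody(log, image, "analyst.b", "transferred", "handed to forensics for analysis")
        intact = verify_evidence(log, image)
        # Simulate the image being altered after acquisition.
        with open(image, "ab") as fh:
            fh.write(b"tampered")
        after_tamper = verify_evidence(log, image)
    return intact, after_tamper


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The custody log is append-only by design: a "transferred" entry re-hashes the item, so a mismatch between consecutive entries pinpoints which handoff the alteration happened in.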
Phase 4: Eradication
Eradication eliminates the root cause of the incident. This is where you remove the attacker's access, clean compromised systems, and close the vulnerability that allowed the initial compromise.
  • Identify and eliminate root cause: Determine the initial attack vector (phishing email, unpatched vulnerability, misconfigured service) and remediate it across all affected systems.
  • Remove attacker persistence: Check for backdoors, rogue accounts, scheduled tasks, modified startup scripts, and web shells. Attackers typically establish multiple persistence mechanisms.
  • Rebuild compromised systems from known-good media when possible. Patching a compromised system is less reliable than a clean rebuild with current baselines and hardened configurations.
  • Validate eradication through scanning, threat hunting, and enhanced monitoring. Confirm that the attacker's IOCs are no longer present and that the vulnerability has been remediated.
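The "remove attacker persistence" and "validate eradication" bullets above both amount to comparing the host against a known-good baseline. The following added example (not from the original page) diffs a baseline inventory of scheduled tasks, local accounts and startup entries against a post-eradication snapshot and reports every addition, removal or change; the snapshot format and all sample entries are constructed, and collecting the inventory from the host (via EDR or a host script) is outside the example.

```python
"""Eradication validation: diff a known-good baseline against the current host inventory.

Added example, not from the original page. The snapshot format (a dict of
categories, each mapping an item name to its attributes) and all sample
data are constructed for this illustration.
"""
from typing import Dict, List

Inventory = Dict[str, Dict[str, Dict[str, str]]]

# Constructed "known-good" baseline captured before the incident.
BASELINE: Inventory = {
    "scheduled_tasks": {
        "Backup Nightly": {"command": "C:\\ops\\backup.exe", "user": "SYSTEM"},
        "Log Rotate": {"command": "C:\\ops\\rotate.exe", "user": "SYSTEM"},
    },
    "local_accounts": {
        "Administrator": {"enabled": "false"},
        "svc_backup": {"enabled": "true"},
    },
    "startup_entries": {
        "Defender": {"path": "C:\\Program Files\\Defender\\msmpeng.exe"},
    },
}

# Constructed post-eradication snapshot: one unexpected task, one unexpected
# account, and one startup entry whose path no longer matches the baseline.
CURRENT: Inventory = {
    "scheduled_tasks": {
        "Backup Nightly": {"command": "C:\\ops\\backup.exe", "user": "SYSTEM"},
        "Log Rotate": {"command": "C:\\ops\\rotate.exe", "user": "SYSTEM"},
        "Updater": {"command": "C:\\Users\\Public\\upd.exe", "user": "SYSTEM"},
    },
    "local_accounts": {
        "Administrator": {"enabled": "false"},
        "svc_backup": {"enabled": "true"},
        "support$": {"enabled": "true"},
    },
    "startup_entries": {
        "Defender": {"path": "C:\\Users\\Public\\msmpeng.exe"},
    },
}


def diff_inventory(baseline: Inventory, current: Inventory) -> List[str]:
    """Return findings (added, removed, or changed items) across every category, sorted."""
    findings: List[str] = []
    for category in sorted(set(baseline) | set(current)):
        base_items = baseline.get(category, {})
        cur_items = current.get(category, {})
        for name in sorted(set(base_items) | set(cur_items)):
            if name not in base_items:
                findings.append(f"ADDED {category}: {name} {cur_items[name]}")
            elif name not in cur_items:
                findings.append(f"REMOVED {category}: {name}")
            elif base_items[name] != cur_items[name]:
                findings.append(f"CHANGED {category}: {name} {base_items[name]} -> {cur_items[name]}")
    return findings


def eradication_clean(baseline: Inventory, current: Inventory) -> bool:
    """Eradication is validated only when the host matches its baseline exactly."""
    return not diff_inventory(baseline, current)


if __name__ == "__main__":
    for finding in diff_inventory(BASELINE, CURRENT):
        print(finding)
    print("clean:", eradication_clean(BASELINE, CURRENT))
```

Removed items are reported too: an attacker can disable a defensive task or account as easily as add one, so a baseline diff has to be symmetric.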
Phase 5: Recovery
Recovery brings systems back to normal operations with confidence that the threat has been eliminated. Rushing recovery leads to reinfection. Staged, monitored restoration is the standard.
  • Restore systems in priority order based on business impact analysis. Critical business functions first, then supporting systems, then non-essential services.
  • Monitor restored systems closely for 30 to 90 days post-recovery. Watch for repeat indicators, unusual network traffic, or unexpected process execution that might signal the attacker's return.
  • Validate data integrity by comparing restored data against known-good backups. Confirm that backup integrity was not compromised during the incident timeline. Communicate recovery status to stakeholders, business units, and (if applicable) affected customers with a clear timeline for when full operations will resume.
Phase 6: Post-Incident Activity
Post-incident activity is the most underutilized phase. Organizations that skip lessons learned repeat the same mistakes. This phase turns incidents into improvements.
  • Conduct a lessons-learned meeting within 1 to 2 weeks of incident closure. Include all responders, management, and affected business units. Document what worked, what failed, and what needs to change.
  • Produce a formal incident report that covers the complete timeline, root cause analysis, containment and eradication actions, business impact, and recommended improvements.
  • Update IR plans, playbooks, and detection rules based on findings. If the SIEM missed the initial detection, build a new correlation rule. If the playbook had gaps, fill them.
  • Track remediation items to completion. Assign owners and deadlines for every improvement action. Review progress in the next quarterly tabletop exercise.

Build Your Incident Response Plan

Every IR plan needs these eight components. Organizations without a documented plan take an average of 292 days to identify and contain a breach, compared to 233 days for those with a plan and regular testing (IBM Cost of a Data Breach Report, 2024).
  • Purpose & Scope: Define what the plan covers, which systems and business units are in scope, and the plan's authority within the organization.
  • Roles & Responsibilities: Define the IR team structure: incident commander, technical lead, communications lead, legal liaison, and executive sponsor.
  • Classification & Severity Levels: Establish a severity scale (SEV-1 through SEV-4) with clear criteria for classification, response timelines, and team composition for each level.
  • Communication Plan: Document internal notification chains and external communication procedures for regulators, law enforcement, customers, and media.
  • Escalation Procedures: Define when to escalate to executive leadership, when to engage legal counsel, and when to activate third-party forensic support or cyber insurance.
  • Evidence Handling Procedures: Specify how to collect, preserve, and document digital evidence. Include chain-of-custody forms and forensic imaging procedures.
  • Recovery Procedures: Document restoration priorities based on BIA, backup validation procedures, and criteria for declaring systems restored to normal operations.
  • Post-Incident Review Process: Define the lessons-learned meeting timeline, report format, and process for tracking improvement actions to completion.
All eight components are included in the IR Plan Template (see the IR Template Toolkit below).

Response by Incident Type

Different incident types demand different response procedures. Each playbook below provides a step-by-step response sequence based on established frameworks and practitioner experience.
Ransomware (severity: Critical)
  1. Isolate affected systems immediately. Disconnect from the network but do not power off. Volatile memory contains forensic artifacts.
  2. FBI and CISA recommend against paying. Payment funds criminal operations and does not guarantee data recovery. However, the decision is ultimately the organization's. Verify your cyber insurance policy's coverage and restrictions. If you do pay, report the transaction to FinCEN and relevant authorities.
  3. Restore from verified backups. Confirm backup integrity and verify that backups were not encrypted or tampered with during the attack timeline.
  4. Report to CISA (cisa.gov/report) and relevant law enforcement. If critical infrastructure is affected, reporting may be mandatory under CIRCIA.
  5. Conduct root cause analysis. Determine the initial access vector (commonly phishing, exposed RDP, or unpatched vulnerabilities) and remediate across the environment.
Full Ransomware Playbook →
Data Breach (severity: Critical)
  1. Assess the scope: What data was exposed? How many records? What categories (PII, PHI, financial, credentials)? This determines your regulatory obligations.
  2. Preserve all evidence. Capture logs, access records, and forensic images before any remediation. Evidence integrity is critical for regulatory investigations.
  3. Notify affected parties per applicable regulations: HIPAA requires notification within 60 days, GDPR within 72 hours, and PCI DSS within 72 hours of discovery.
  4. Engage legal counsel and regulatory reporting. State breach notification laws vary, and some require notification within 30 days. Your legal team determines which laws apply.
Full Data Breach Playbook →
Phishing (severity: High)
  1. Quarantine the email from all mailboxes using your email security platform. Search for the sender address, subject line, and any URLs or attachment hashes across the organization.
  2. Reset credentials immediately for any user who clicked the link or submitted credentials. Force MFA re-enrollment if the attacker captured session tokens.
  3. Check for lateral movement. Review authentication logs for the compromised account. Look for unusual logins, mailbox rule changes, or access to file shares and cloud services.
  4. Conduct targeted awareness follow-up. Brief affected users on what happened and how to identify similar attacks. Use the incident as a training opportunity, not punishment.
Full Phishing Playbook →
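Step 3 above (check the compromised account's authentication logs for lateral movement) can be scripted as a baseline-and-compare review. The added example below (not the page's code, and not any vendor's API) builds the account's pre-compromise sign-in baseline from constructed, pipe-delimited log lines, then flags post-compromise sign-ins from unfamiliar IPs or countries, mailbox rule creation, and file-share access from unfamiliar IPs. The log format, event names, account names and the compromise timestamp are all assumptions; a real identity-provider or mailbox audit log needs its own parser.

```python
"""Post-phishing account review: flag anomalous sign-ins and mailbox-rule changes.

Added example, not part of the original page. The pipe-delimited log format,
the event names and every sample line are constructed for this illustration.
"""
from datetime import datetime
from typing import Dict, List

# Constructed sample events: timestamp|user|event|source_ip|country|detail
SAMPLE_LOG = """\
2024-05-01T08:02:11Z|j.doe|login_success|203.0.113.10|US|office
2024-05-02T08:05:43Z|j.doe|login_success|203.0.113.10|US|office
2024-05-03T17:20:09Z|j.doe|login_success|203.0.113.11|US|vpn
2024-05-04T03:14:55Z|j.doe|login_success|198.51.100.77|NL|unknown
2024-05-04T03:16:02Z|j.doe|mailbox_rule_created|198.51.100.77|NL|rule=forward-to-external
2024-05-04T03:18:30Z|j.doe|file_share_access|198.51.100.77|NL|share=finance
2024-05-04T09:00:00Z|a.smith|login_success|203.0.113.12|US|office
"""

FIELDS = ["ts", "user", "event", "ip", "country", "detail"]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed pipe-delimited lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than abort the whole review
        events.append(dict(zip(FIELDS, parts)))
    return events


def _parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z, as in the constructed log."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_account(events: List[Dict[str, str]], user: str, compromise_time: str) -> List[str]:
    """Build the user's pre-compromise baseline (IPs, countries), then flag post-compromise anomalies."""
    cutoff = _parse_ts(compromise_time)
    known_ips, known_countries = set(), set()
    findings: List[str] = []
    for e in events:
        if e["user"] != user:
            continue
        if _parse_ts(e["ts"]) < cutoff:
            # Everything before the phishing click is treated as the user's normal pattern.
            if e["event"] == "login_success":
                known_ips.add(e["ip"])
                known_countries.add(e["country"])
            continue
        if e["event"] == "login_success" and (e["ip"] not in known_ips or e["country"] not in known_countries):
            findings.append(f"{e['ts']} sign-in from new location {e['ip']} ({e['country']})")
        elif e["event"] == "mailbox_rule_created":
            findings.append(f"{e['ts']} mailbox rule change: {e['detail']}")
        elif e["event"] == "file_share_access" and e["ip"] not in known_ips:
            findings.append(f"{e['ts']} share access from unfamiliar IP: {e['detail']}")
    return findings


if __name__ == "__main__":
    # Constructed compromise time: the phishing click identified in step 2.
    for finding in review_account(parse_log(SAMPLE_LOG), "j.doe", "2024-05-04T00:00:00Z"):
        print(finding)
```

The baseline window matters: if the compromise time is set too late, the attacker's own sign-ins become part of "normal" and nothing is flagged, which is why the cutoff should be the earliest plausible click time rather than the time the report came in.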
Insider Threat (severity: High)
  1. Document observed behavior with specific dates, times, and systems involved. Do not confront the individual directly. Insider investigations require coordination with HR and Legal.
  2. Involve HR and Legal early. Insider threat investigations have employment law, privacy, and union agreement implications. Legal counsel guides what monitoring and evidence collection is permissible.
  3. Preserve evidence through DLP and UAM logs. User activity monitoring, data loss prevention alerts, email archives, and access logs form the evidentiary basis.
  4. Revoke access according to the coordinated plan. Timing of access revocation is a legal and HR decision. Premature action can compromise the investigation.
Full Insider Threat Playbook →
DDoS (severity: Medium-High)
  1. Activate DDoS mitigation through your CDN provider (Cloudflare, Akamai, AWS Shield) or ISP scrubbing service. Most providers have automated detection, but manual escalation may be needed for volumetric attacks.
  2. Contact your ISP for upstream filtering if the attack saturates your internet link. Provide attack traffic characteristics (source IPs, protocols, ports) to assist with filtering.
  3. Document attack vectors: type (volumetric, protocol, application-layer), peak bandwidth, duration, and source geography. This data informs future mitigation planning.
  4. Post-attack analysis: Review whether the DDoS was a smokescreen for another attack (data exfiltration, malware deployment). Check all systems for indicators of compromise during the attack window.
Full DDoS Playbook →

Tabletop Exercise Hub

A tabletop exercise is a discussion-based simulation where team members walk through an incident scenario without touching production systems. The goal is to identify gaps in plans, communication breakdowns, and unclear decision authority before a real incident forces the issue. NIST 800-61r3 recommends tabletop exercises as a core preparation activity.

Scenario 01: Ransomware at 2 AM on a Friday
Your SOC receives an alert at 2:15 AM Friday. File server encryption is detected across three departments. The attacker demands 15 BTC and claims to have exfiltrated customer data. Your IR team lead is on vacation.
Duration: 60-90 min · Participants: SOC + IR + Exec · Severity: SEV-1
  • Who makes the decision on whether to pay the ransom, and what information do they need?
  • How do you communicate with employees whose systems are down on Monday morning?
  • At what point do you engage your cyber insurance carrier and external forensics?
Scenario 02: Credential Harvest: 3 Weeks Undetected
An employee reports a suspicious email. Investigation reveals the same phishing campaign hit 40 users three weeks ago. Twelve clicked. Six entered credentials. The attacker has been reading executive email and accessing the CRM for 19 days.
Duration: 45-60 min · Participants: IR + Legal + HR · Severity: SEV-2
  • How do you determine the full scope of data the attacker accessed over 19 days?
  • Do you notify customers whose CRM records may have been viewed?
  • What changes do you make to prevent this dwell time in the future?
Scenario 03: Third-Party Vendor Breach
Your SaaS payroll vendor notifies you that their systems were breached. Employee SSNs, bank account numbers, and salary data for your entire workforce may have been exposed. The vendor is still assessing the scope.
Duration: 45-60 min · Participants: Legal + HR + Comms · Severity: SEV-1
  • What contractual obligations does your vendor agreement include for breach notification and support?
  • How do you communicate with employees whose personal data was exposed through no fault of their own?
  • What is your obligation to report to regulators when the breach occurred at a third party?

IR Template Toolkit

Practitioner-ready templates aligned to NIST 800-61r3. Each template is designed to be customized for your organization's size, industry, and regulatory environment.
  • IR Plan Template: Complete incident response plan with all eight components. Customizable for any organization size.
  • IR Checklist (by Phase): Phase-by-phase checklist for active incident response. Print-ready for your war room wall.
  • Tabletop Exercise Guide: Facilitator guide with 5 scenarios, discussion questions, scoring rubric, and after-action report template.
  • Ransomware Playbook: Step-by-step ransomware response procedure. Includes decision tree for payment, recovery, and reporting.
  • Post-Incident Review Template: Structured lessons-learned document with timeline, root cause, impact assessment, and improvement actions.
  • IR Communications Template: Pre-drafted internal and external communication templates for breach notification, media statements, and employee updates.
Each template is available for download.

Incident Response Articles

In-depth guides that go beyond the overview. Each article provides practical guidance with real-world context.
How to Build an Incident Response Plan (with Template)
A step-by-step guide to creating an IR plan that actually gets used. Covers team structure, severity classification, communication procedures, and the testing cadence that separates plans that work from plans that collect dust.
NIST 800-61r3 Walkthrough: What It Actually Means
NIST SP 800-61r3 (2024) restructured the IR guidance from revision 2. This walkthrough breaks down what changed, what the new recommendations mean for practitioners, and how to align your program to the current standard.
Tabletop Exercise Guide: Run Your First Scenario
How to plan, facilitate, and debrief a tabletop exercise, even if you've never run one before. Includes scenario templates, facilitator scripts, and a participant feedback form.
Ransomware Response Playbook
The complete ransomware response procedure from detection through recovery. Covers the payment decision framework, CISA reporting requirements under CIRCIA, backup validation, and negotiation considerations.

Certification Alignment

Incident response is tested across multiple industry certifications. The content on this page maps directly to the following exam domains.
  • CISSP (ISC2), Domain 7: Security Operations. Covers IR planning, detection, response, recovery, and forensic investigation. 13% of the CISSP exam.
  • GCIH (SANS / GIAC), Incident Handler. The gold standard for IR practitioners. Covers the full incident handling lifecycle, attack techniques, and hands-on response skills.
  • Security+ (CompTIA), IR Fundamentals. Domain 4: Security Operations covers incident response procedures, digital forensics basics, and data source analysis.
  • CEH (EC-Council), Ethical Hacking. Detection perspective: understanding how attackers operate helps defenders build better detection and response capabilities.
  • CySA+ (CompTIA), Security Analyst. Focused on detection and analysis: threat detection, SIEM operations, vulnerability management, and incident response procedures.

Stay Current: Security Intelligence Feed

Incident response doesn't happen in a vacuum. The Security News Hub delivers real-time threat intelligence so your IR team stays informed about active threats, new vulnerabilities, and emerging attack techniques.
Security Command Center
Live threat intelligence, CVE analysis, and CISA KEV tracking. The intelligence feed that keeps your IR team informed and your playbooks current.
Visit Security News Hub →

Sources

  • NIST SP 800-61r3 (2024)
  • NIST CSF 2.0: Respond + Recover
  • ISO 27001:2022
  • CISA Incident Response
  • SANS Incident Handler's Handbook
  • IBM Cost of a Data Breach 2024
  • Mandiant M-Trends 2024