Security incidents are often high-pressure situations. Pre-planning incident response steps can save many business costs and reputational damage—every second counts when there is a security breach. Ransomware can quickly spread and cause severe damage. Compromised accounts can also be used to privilege escalation, leading to attackers accessing more sensitive assets.

No matter how large your company is, it is essential to have an incident response team that can take immediate action in the event of an emergency.

What is an Incident Response plan?

An organizational process for responding to cyberattacks is called incident response. The incident response breach includes identifying the source of an attack, prioritizing its severity, investigating it, and mitigating it. Finally, operations are restored, and action is taken to prevent it from happening again.

An incident response plan is a document that outlines the steps to be followed in each phase. It should contain guidelines regarding roles and responsibilities, communication plans, as well as standard response protocols.

Why Should You Report a Cybersecurity Incident Response Immediately?

It is crucial to notify all parties immediately after security experts have confirmed a cybersecurity incident. Privacy laws like the GDPR and California’s CCPA mandate public notification and, in some instances, personal notification to data subjects in the event that there is a data breach.

Based on the severity of the breach and the executive management involved, legal, press, and executive management should all be involved. Many times, customers service, finance, and IT departments will need to act immediately in many cases. Depending on the nature and severity of the breach, the incident response plan should clearly identify who should be notified. The plan should contain contact information and instructions for communicating with all parties to save time after an attack.

Six Phases of Incident Response: The Incident Response Lifecycle


You will review your existing security policies and procedures during the first preparation phase. This includes a risk assessment that identifies vulnerabilities and prioritizes your assets. This information is used to prioritize responses to incident types. It can also be used to reconfigure systems to address vulnerabilities and to focus protection on high-priority assets.

This is the phase where you review and revise existing policies and procedures or create new ones if they are not. These procedures include a communication plan, assigning roles and responsibilities throughout an incident.

Identification of Potential Threats

Teams use the procedures and tools in the preparation stage to identify suspicious activity. Team members must work together to determine the source and nature of an attack, as well as the attacker’s goals, once an incident has been detected.

Any evidence collected during identification should be kept safe and preserved for further analysis. Responders should document all steps taken and all evidence collected. If an attacker is identified, this will help you prosecute more effectively.

Communication plans are usually initiated during this phase after an incident has been confirmed. These plans inform stakeholders, legal counsel, security personnel, and ultimately users about the incident and what actions are required.


Once an incident has been identified, containment measures are established and implemented. This stage is essential to minimize damage and to get to the next one as soon as possible. Often, containment is accomplished in sub-phases.

  • Short-term containment–immediate threats are isolated in place. You may segment off the network where an attacker is located. A server infected might be taken offline, and traffic may be redirected to a failover.
  • Long-term containment–additional access controls are applied to unaffected systems. In the meantime, systems and resources are prepared for recovery. 

Eliminating Threats

The full extent of an attack can be seen during and after containment. Once they have identified all the affected resources and systems, teams can remove attackers from systems and eliminate any malware. This process continues until the attackers are gone. This may mean that systems must be taken offline in order to recover assets.

Recovery and Restoration

Teams bring online updated replacement systems during this phase. Although ideally, systems can be restored without losing data, this is not always possible.

In this case, teams will need to determine the date of the last clean copy of data and then restore it. This recovery phase is usually extended because it includes monitoring systems used to monitor for attackers after an incident.

Feedback and Improvement

Your team will review the steps taken in response to a question. This is called the lessons learned phase. The lessons learned phase is where members discuss what went well and what didn’t. They can also make suggestions for improvements. This phase should also include the completion of any incomplete documentation.

Final Words

Organizations can use an incident response method to plan their response strategies in advance. There are many approaches to IR. Security professionals generally agree with NIST’s six steps for responding to an incident. These include preparation, detection, analysis, containment and recovery, eradication and recovery, as well as post-incident audits. Many organizations use combination assessment checklists, detailed incidents response plans, summaries, actionable incident playbooks, and policies that automate some processes. Although well-planned, an incident management system should be flexible enough to allow for continual improvement.