Key Terms
Incident Response (IR)
A structured methodology for preparing for, detecting, containing, eradicating, and recovering from cybersecurity incidents — minimising damage and recovery time.
NIST SP 800-61
The NIST Computer Security Incident Handling Guide, the most widely referenced IR framework; Revision 2 defines the four-phase IR lifecycle described below.
Containment
The IR phase focused on limiting the spread and impact of an active incident — isolating compromised systems before eradication begins to prevent further damage.
DFIR
Digital Forensics and Incident Response — the combined discipline of preserving digital evidence while simultaneously containing an active security incident.

What is incident response?

Incident response (IR) is the organised approach an organisation takes to prepare for, detect, contain, and recover from cybersecurity incidents. An "incident" encompasses anything from a confirmed ransomware infection and active data exfiltration to a suspected insider threat or a phishing campaign that has successfully harvested credentials.

Without an IR plan, organisations respond reactively and chaotically — different teams make conflicting decisions, evidence is inadvertently destroyed, regulators are notified late, and attackers have additional time to entrench themselves and exfiltrate more data. With a tested, drilled IR plan, response becomes coordinated, evidence-preserving, and time-efficient.

Regulatory frameworks make a working IR capability mandatory in many sectors. GDPR (Article 33) requires a personal data breach to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. The EU's NIS2 Directive requires an early warning within 24 hours and an incident notification within 72 hours, and the US SEC rules require listed companies to disclose a material cyber incident on Form 8-K within four business days of deciding it is material. None of those deadlines can be met with a plan written during the incident, so for organisations in scope an IR plan is a compliance requirement, not just a best practice.

The NIST incident response lifecycle

NIST SP 800-61 Revision 2 defines four phases that form a continuous cycle (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity), with each incident feeding lessons back into preparation for the next. Revision 3 (2024) reframes the same guidance around the NIST CSF 2.0 functions. In practice, most IR teams split the combined third phase and work through six distinct activities, the same split the SANS PICERL model uses:

  1. Preparation

    Establish IR policies and procedures, form and train the IR team, deploy detection tools (SIEM, EDR), prepare communication templates, and conduct tabletop exercises. The quality of preparation determines the quality of every subsequent phase. Organisations that skip preparation pay for it repeatedly.

  2. Detection & Analysis

    Identify indicators of compromise (IoCs), determine the scope and nature of the incident, establish a timeline, and assess severity. SIEM correlation, EDR telemetry, and log analysis converge in this phase. Reducing time to detect from weeks to hours, and scoping the incident fully before acting on it, are the goals.

  3. Containment

    Stop the spread. Isolate affected systems at the network level (EDR isolation or a quarantine VLAN rather than powering them off, which destroys volatile evidence), revoke compromised credentials and active sessions, and block attacker infrastructure at the firewall and DNS level. Short-term containment buys time and preserves evidence; long-term containment (temporary hardening, rebuilt systems kept apart from production) prepares for a clean, stable operating state.

  4. Eradication

    Remove the root cause: delete malware, close exploited vulnerabilities, remove unauthorised accounts, patch affected systems. Eradication before the incident has been fully scoped and contained risks re-infection from persistence mechanisms on hosts that were never identified.

  5. Recovery

    Restore systems from verified clean backups, monitor closely for signs of reinfection, and return to normal operations in a controlled, staged manner. Recovery is not complete until monitoring confirms the threat actor has been fully evicted from the environment.

  6. Post-Incident Activity

    Conduct a lessons-learned review, update IR procedures and playbooks, document the full timeline for regulatory reporting, and identify security improvements. This phase converts each incident into a permanent improvement in the organisation's detection and response capability.

The Dwell Time Problem

Dwell time is the gap between initial compromise and detection. Mandiant's M-Trends 2023 report put the global median at 16 days for intrusions investigated in 2022 (a median, not a mean; the following M-Trends 2024 report gave 10 days). Every day of undetected presence means more lateral movement, more data exfiltrated, and more persistence mechanisms planted, so time to detect is the metric IR programmes work hardest to drive down.
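The Detection & Analysis and Containment steps above, and the dwell-time measurement just described, in working form. This is an added example and not code from the page: the JSON event format, field names, IoC list and every sample event are constructed for illustration. It matches raw telemetry against IoCs, pivots from the hits to every account and host the intruder touched (including a host where no IoC fired), measures dwell time from the earliest attacker activity to the alert, and turns the scope into short-term containment actions.

```python
"""Scope a suspected intrusion from raw telemetry: match IoCs, build a timeline,
measure dwell time and derive short-term containment actions.
Added example, not code from the page: the JSON event format, field names, IoC
list and every sample event are constructed for illustration."""
import json
from datetime import datetime, timezone

# Constructed telemetry, one JSON object per line (auth, process and network events).
# Hashes are truncated placeholders; 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:12:04Z","host":"ws-017","type":"auth","user":"j.doe","src_ip":"10.0.5.23","result":"success"}
{"ts":"2024-03-01T08:15:40Z","host":"ws-017","type":"process","user":"j.doe","image":"outlook.exe","sha256":"aaaa...","parent":"explorer.exe"}
{"ts":"2024-03-01T08:16:02Z","host":"ws-017","type":"process","user":"j.doe","image":"invoice.pdf.exe","sha256":"d1f2...","parent":"outlook.exe"}
{"ts":"2024-03-01T08:16:09Z","host":"ws-017","type":"network","user":"j.doe","dst_ip":"203.0.113.45","dst_port":443}
{"ts":"2024-03-03T13:20:45Z","host":"ws-022","type":"auth","user":"j.doe","src_ip":"10.0.5.23","result":"success"}
{"ts":"2024-03-04T22:41:11Z","host":"srv-fs01","type":"auth","user":"j.doe","src_ip":"10.0.5.17","result":"success"}
{"ts":"2024-03-04T22:43:55Z","host":"srv-fs01","type":"process","user":"j.doe","image":"rclone.exe","sha256":"b7c3...","parent":"cmd.exe"}
{"ts":"2024-03-04T22:44:30Z","host":"srv-fs01","type":"network","user":"j.doe","dst_ip":"203.0.113.45","dst_port":443}
{"ts":"2024-03-05T09:02:17Z","host":"ws-031","type":"auth","user":"m.lee","src_ip":"10.0.6.8","result":"success"}
"""

# Constructed IoCs as a threat-intel feed or EDR alert would supply them:
# event field -> set of bad values that field is checked against.
IOCS = {
    "dst_ip": {"203.0.113.45"},  # attacker C2 / exfiltration endpoint
    "sha256": {"d1f2..."},       # phishing payload hash
    "image": {"rclone.exe"},     # exfiltration tool with no legitimate use in this environment
}
DETECTED_AT = datetime(2024, 3, 5, 10, 30, tzinfo=timezone.utc)  # constructed alert time

def parse_events(text):
    """Parse JSON lines into event dicts with UTC datetimes, oldest first."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def match_iocs(events, iocs):
    """Return the events touching a known IoC, each annotated with why it matched."""
    hits = []
    for ev in events:
        reasons = [f"{field}={ev[field]}" for field in iocs if ev.get(field) in iocs[field]]
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits

def scope_incident(events, hits):
    """Pivot from IoC hits to every account and host the incident touches.
    Any account seen in a hit is treated as compromised, and every host it
    successfully authenticated to joins the scope even with no IoC hit there:
    that is where persistence is most likely hiding."""
    accounts = {h["user"] for h in hits}
    hosts = {h["host"] for h in hits}
    for ev in events:
        if ev["type"] == "auth" and ev["result"] == "success" and ev["user"] in accounts:
            hosts.add(ev["host"])
    block_ips = {h["dst_ip"] for h in hits if "dst_ip" in h}
    return {"accounts": accounts, "hosts": hosts, "block_ips": block_ips}

def dwell_time(hits, detected_at):
    """Gap between the earliest attacker activity in the logs and detection."""
    return detected_at - hits[0]["ts"] if hits else None

def containment_plan(scope):
    """Turn the scoped incident into concrete short-term containment actions."""
    actions = []
    for host in sorted(scope["hosts"]):
        # isolate at the network layer rather than power off: memory and running state survive
        actions.append(f"isolate {host} via EDR (keep powered on, capture memory first)")
    for user in sorted(scope["accounts"]):
        actions.append(f"disable {user}, reset credentials, revoke sessions and tokens")
    for ip in sorted(scope["block_ips"]):
        actions.append(f"block {ip} at egress firewall and sinkhole it in DNS")
    return actions

def investigate(log_text, iocs, detected_at):
    """Run detection & analysis end to end; returns what the IR lead needs."""
    events = parse_events(log_text)
    hits = match_iocs(events, iocs)
    scope = scope_incident(events, hits)
    return {
        "timeline": [(h["ts"].isoformat(), h["host"], h["reasons"]) for h in hits],
        "scope": scope,
        "dwell": dwell_time(hits, detected_at),
        "actions": containment_plan(scope),
    }

if __name__ == "__main__":
    result = investigate(SAMPLE_LOG, IOCS, DETECTED_AT)
    for ts, host, reasons in result["timeline"]:
        print(ts, host, ", ".join(reasons))
    print("dwell time:", result["dwell"])
    print("\n".join("- " + a for a in result["actions"]))
```

Run against the constructed log, the timeline starts at the payload execution on ws-017 on 1 March, dwell time to the 5 March alert is just over four days, and ws-022 lands in scope purely because the compromised account logged in there, while m.lee's host on ws-031 stays out. The design point is the pivot step: containing only the hosts where an IoC fired is how persistence survives into eradication.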

Who makes up an IR team?

A mature IR capability brings together professionals from multiple disciplines. In large organisations this is a dedicated team; in smaller ones, it may be a handful of people wearing multiple hats:

  • IR Lead / Incident Commander: Coordinates the response, makes containment decisions, manages communication with legal, executive leadership, and regulators.
  • SOC Analysts (L2/L3): Lead the technical investigation — log analysis, SIEM correlation, threat hunting to scope the incident and identify the attack chain.
  • DFIR Specialists: Collect and preserve forensic evidence — memory dumps, disk images, network captures — maintaining chain of custody for potential legal proceedings.
  • Threat Intelligence: Provides attacker context — known TTPs, infrastructure, attribution — enabling more targeted and efficient containment actions.
  • Legal / Compliance: Manages regulatory notification obligations, breach disclosure requirements, law enforcement liaison, and litigation hold instructions.
  • External IR Retainer: Many organisations retain specialist firms (Mandiant, CrowdStrike, WithSecure) for major incidents that exceed internal team capacity or expertise.

Key IR tools

Effective incident response depends on having the right tooling deployed before an incident occurs. Deploying tools during an active incident wastes critical hours:

  • EDR/XDR: CrowdStrike Falcon, SentinelOne, Microsoft Defender XDR — real-time endpoint telemetry, behavioural detection, and remote isolation capability.
  • SIEM: Splunk, Microsoft Sentinel, IBM QRadar — centralise and correlate logs across the entire environment for rapid investigation and timeline reconstruction.
  • Digital Forensics: Autopsy (disk analysis), Volatility (memory forensics), FTK Imager — for preserving and examining evidence with maintained chain of custody.
  • Network Capture: Wireshark, Zeek (formerly Bro) — reconstruct network-level attack activity from packet captures taken during or after the incident.
  • Case Management: TheHive, JIRA — track investigation tasks, evidence, and timelines across the IR team and maintain audit trails for regulatory reporting.
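The evidence-preservation work the DFIR specialists and forensic tools above are responsible for, reduced to its core mechanics, as an added example that is not code from the page or from any of the tools named. It acquires a file into a case directory, verifies the copy against the source by SHA-256, and keeps a hash-chained custody log so that later modification of either the evidence or an earlier log entry is detectable. The case layout, record fields and the sample "memory image" are assumptions chosen for illustration.

```python
"""Acquire evidence into a case directory with a hash-chained custody log, then
show that tampering with the copy or with an earlier log record is detected.
Added example, not code from the page or from any named forensic tool; the
case layout, record fields and sample evidence are constructed for illustration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never load into memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def _record_hash(record):
    # canonical JSON so the same record always produces the same hash
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def load_custody(log_path):
    if not os.path.exists(log_path):
        return []
    with open(log_path) as f:
        return [json.loads(line) for line in f if line.strip()]

def append_custody(log_path, **fields):
    """Append a custody record whose prev_hash binds it to the record before it."""
    records = load_custody(log_path)
    prev = _record_hash(records[-1]) if records else "0" * 64
    rec = {"ts": datetime.now(timezone.utc).isoformat(), "prev_hash": prev, **fields}
    with open(log_path, "a") as f:
        f.write(json.dumps(rec, sort_keys=True) + "\n")
    return rec

def acquire(source, case_dir, handler, note):
    """Copy evidence into the case, prove the copy matches the source, log it."""
    os.makedirs(case_dir, exist_ok=True)
    item = os.path.basename(source)
    dest = os.path.join(case_dir, item)
    src_hash = sha256_file(source)
    shutil.copyfile(source, dest)
    copy_hash = sha256_file(dest)
    if copy_hash != src_hash:
        raise RuntimeError("acquired copy does not match source")
    append_custody(os.path.join(case_dir, "custody.jsonl"), action="acquire",
                   item=item, sha256=copy_hash, handler=handler, note=note)
    return dest, copy_hash

def verify(case_dir):
    """Re-hash every acquired item and walk the custody chain; return the problems found."""
    problems = []
    records = load_custody(os.path.join(case_dir, "custody.jsonl"))
    prev = "0" * 64
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev:
            problems.append(f"custody record {i} does not chain to its predecessor")
        prev = _record_hash(rec)
        if rec["action"] == "acquire":
            path = os.path.join(case_dir, rec["item"])
            if not os.path.exists(path):
                problems.append(f"{rec['item']} missing from case")
            elif sha256_file(path) != rec["sha256"]:
                problems.append(f"{rec['item']} hash mismatch: evidence altered")
    return problems

def demo():
    """Acquire a constructed memory image, verify, tamper twice, verify again."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "ws-017.mem")
        with open(source, "wb") as f:
            f.write(os.urandom(4096))  # constructed stand-in for a memory capture
        case = os.path.join(work, "case-0042")
        acquire(source, case, "analyst1", "memory capture before isolation")
        log = os.path.join(case, "custody.jsonl")
        append_custody(log, action="transfer", item="ws-017.mem", handler="analyst2", note="handed to lab")
        clean = verify(case)
        # tamper 1: flip one byte of the acquired image
        with open(os.path.join(case, "ws-017.mem"), "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        # tamper 2: rewrite the handler on the first custody record
        records = load_custody(log)
        records[0]["handler"] = "someone-else"
        with open(log, "w") as f:
            for r in records:
                f.write(json.dumps(r, sort_keys=True) + "\n")
        return clean, verify(case)
    finally:
        shutil.rmtree(work)
```

The chain only protects records that have a successor: editing the final entry changes nothing downstream, so in practice the newest record hash is also written somewhere the analyst cannot alter (a signed timestamp, a write-once store, or simply a second copy held by a different person). Tools such as FTK Imager do the acquisition and hashing part of this for disk and memory; the custody log is what the team has to maintain themselves.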
  • 16 days: median attacker dwell time before detection (Mandiant M-Trends 2023, reporting on 2022 intrusions)
  • $4.1M: average cost saving for organisations with a tested IR plan vs those without
  • 72 hrs: GDPR breach notification window (Article 33); IR planning is a compliance requirement

DFIR as a career path

Digital Forensics and Incident Response is one of the most specialised and best-paid disciplines in cybersecurity. DFIR professionals are called in during the worst moments organisations face, and their technical depth and composure under pressure command a significant premium.

The typical entry point is a SOC analyst role (L2+), where investigation skills are built through real-world casework. Specialist DFIR certifications include GCFE and GCIH from GIAC, and CHFI (Computer Hacking Forensic Investigator) from EC-Council. CompTIA Security+ SY0-701 covers IR fundamentals and is the standard baseline for any security operations role — the logical starting point before specialising into DFIR.

Train with VAPTIC
CompTIA Security+ SY0-701
21 modules · Live classes · Covers IR, SOC operations & digital forensics · CompTIA certified