Security incidents are not a matter of if but when. The difference between a minor disruption and a catastrophic breach often comes down to preparation. Organizations with tested incident response plans detect breaches 54 days faster and reduce costs by an average of $1.5 million compared to those without. This guide walks through building an incident response capability from scratch.
The Six Phases of Incident Response
The NIST incident response lifecycle provides a proven framework. Each phase builds on the previous one.
1. Preparation
Build the foundation before an incident occurs. This is the most important and most often neglected phase.
- Establish the incident response team and define roles
- Create and distribute the incident response plan
- Deploy detection and monitoring tools
- Establish out-of-band communication channels that still work if corporate email or chat is compromised
- Build relationships with external partners (legal, forensics, PR)
- Conduct regular tabletop exercises and simulations
2. Detection and Analysis
Identify that an incident has occurred, determine its scope, and classify its severity.
- Monitor alerts from the SIEM, EDR, and other security tools
- Establish incident classification criteria (P1-P4)
- Document initial indicators of compromise (IOCs)
- Determine affected systems, data, and users
- Preserve evidence following forensic best practices
- Activate the response team based on severity classification
3. Containment
Stop the incident from spreading while preserving evidence for investigation.
- Short-term containment: Isolate affected systems immediately
- Evidence preservation: Capture forensic images before changes
- Long-term containment: Apply temporary fixes to allow continued operations
- Evaluate scope expansion: Are other systems affected?
- Communicate containment status to stakeholders
4. Eradication
Remove the threat actor, malware, or vulnerability that caused the incident.
- Remove malware and unauthorized access
- Patch exploited vulnerabilities
- Reset compromised credentials
- Verify eradication across all affected systems
- Conduct root-cause analysis
5. Recovery
Restore systems to normal operations with confidence that the threat has been eliminated.
- Restore systems from clean backups or rebuild
- Validate system integrity before reconnecting to the network
- Monitor recovered systems closely for reinfection
- Gradually restore normal operations
- Confirm recovery with system owners and stakeholders
6. Lessons Learned
Conduct a post-incident review to improve future response capability.
- Hold a blameless post-mortem within 5 business days
- Document timeline, actions taken, and outcomes
- Identify what worked well and what needs improvement
- Update the incident response plan based on findings
- Track remediation actions to completion
The Incident Response Team
Define roles before an incident occurs. During a crisis, people need to know exactly what is expected of them.
- Incident Commander: overall incident management, decision-making authority, and coordination of stakeholder communication
- Technical Lead: technical investigation, containment, eradication, and recovery activities
- Communications Lead: internal and external communications, media relations, and customer notification
- Legal Counsel: regulatory notification requirements, privilege protection, and liability assessment
- Executive Sponsor: authority for major decisions (e.g., paying a ransom, shutting down systems)
- Documentation Lead: maintaining the incident timeline, evidence log, and decision records
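As an added example (not code from the original page or its author), the Python below builds the kind of tamper-evident incident log that the Documentation Lead maintains and that the Detection and Analysis and Lessons Learned phases depend on: each entry records who did what, when, and in which phase; any artifact collected (a disk image, a memory capture) is logged with its SHA-256 at capture time so a later copy can be checked against it; every entry is hash-chained to the previous one so an altered or deleted record breaks verification; and the first timestamp of each phase yields the detection-to-containment and containment-to-eradication durations for the post-mortem timeline. The incident id, handler names, timestamps and artifact bytes are constructed placeholders.

```python
# Added example: tamper-evident incident log with artifact hashes and phase timing.
# All identifiers, timestamps and artifact contents are constructed for illustration.
import hashlib
import json
from datetime import datetime
from typing import Dict, Optional, Tuple

GENESIS = "0" * 64  # prev_hash recorded by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Hash the entry as canonical JSON (sorted keys, no whitespace) so the
    # value is reproducible; the stored entry_hash itself is excluded.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, when: str, phase: str, handler: str, action: str,
               artifact: Optional[bytes] = None,
               artifact_name: Optional[str] = None) -> dict:
        """Append one chain-linked entry; `when` is an ISO-8601 timestamp with offset."""
        entry = {
            "incident_id": self.incident_id,
            "seq": len(self.entries),
            "timestamp": when,
            "phase": phase,
            "handler": handler,
            "action": action,
            "artifact_name": artifact_name,
            "artifact_sha256": sha256_hex(artifact) if artifact is not None else None,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, seq of first bad entry).
        A modified field, a broken prev_hash link or a deleted record all fail here."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

    def artifact_matches(self, seq: int, data: bytes) -> bool:
        """Check a copy of an artifact against the hash logged when it was captured."""
        return self.entries[seq]["artifact_sha256"] == sha256_hex(data)

    def phase_durations_hours(self) -> Dict[str, float]:
        """Hours from the first logged entry to the first entry of each phase."""
        if not self.entries:
            return {}
        t0 = datetime.fromisoformat(self.entries[0]["timestamp"])
        out: Dict[str, float] = {}
        for e in self.entries:
            if e["phase"] not in out:
                t = datetime.fromisoformat(e["timestamp"])
                out[e["phase"]] = (t - t0).total_seconds() / 3600
        return out


def build_sample_log() -> IncidentLog:
    """Constructed detection-to-eradication sequence for a placeholder incident."""
    log = IncidentLog("INC-EXAMPLE-001")  # placeholder id, not a real incident
    disk_image = b"constructed stand-in for a captured disk image"
    log.record("2024-01-15T09:00:00+00:00", "detection", "soc-analyst",
               "EDR alert triaged and classified P1")
    log.record("2024-01-15T09:30:00+00:00", "detection", "technical-lead",
               "Disk image captured before any change to the host",
               disk_image, "host01.img")
    log.record("2024-01-15T10:00:00+00:00", "containment", "technical-lead",
               "Host isolated from the network")
    log.record("2024-01-16T09:00:00+00:00", "eradication", "technical-lead",
               "Compromised credentials reset, exploited vulnerability patched")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("phase offsets (h):", sample.phase_durations_hours())
```

The chain proves that no record was silently edited or dropped after the fact, which is what legal counsel needs when the log is produced as evidence; it does not protect against someone with write access regenerating the whole log, so the head `entry_hash` should be copied periodically to a system the responders cannot edit (a ticket, a signed message to counsel). Hashing an artifact at capture time, before any containment change touches the host, is what makes a later forensic copy verifiable.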
Tabletop Exercises
A plan that has never been tested is a plan that will fail. Tabletop exercises are discussion-based simulations where the team walks through a hypothetical incident scenario. They are low-cost, high-value, and should be conducted at least twice per year.
Recommended Scenarios
- Ransomware attack encrypting critical systems
- Business email compromise with fraudulent wire transfer
- Insider threat exfiltrating customer data
- Third-party vendor breach exposing shared data
- Phishing campaign compromising executive credentials
- Cloud infrastructure misconfiguration exposing data publicly
How a vCISO Helps
A virtual CISO develops the complete incident response plan, establishes the team structure, facilitates tabletop exercises, and serves as the incident commander or advisor during real incidents. Their experience across multiple organizations means they have managed real incidents and know what works under pressure, not just in theory.