What is incident response?
Incident response is the structured process organizations use to identify, contain, and recover from cybersecurity incidents. A structured incident response program limits the damage, downtime, and cost of an attack by replacing improvised reactions with a repeatable, role-based sequence of actions.
The goal isn't just to stop an attack in progress, it's to build a system where every incident makes the next response faster, cheaper, and more precise. That loop of respond, review, and improve is what turns a reactive team into a mature security operation.
The process encompasses several key elements:
Preparation measures: Documented plans, playbooks, and testing procedures
Detection capabilities: Tools and technologies for threat identification
Response protocols: Organized procedures for containment and recovery
Continuous improvement: Reviews and refinements based on lessons learned
This discipline is part of the broader practice of incident management, which involves senior management, legal teams, HR, communications, and the wider IT department. This guide focuses on the response process itself, but touches on other aspects of incident management where a holistic approach matters.
An Actionable Incident Response Plan Template
A quickstart guide to creating a powerful incident response plan - designed specifically for organizations with cloud-based deployments.
What is a security incident?
Incident response teams need to act quickly when called into action. They cannot afford time-consuming misunderstandings that arise from incorrect terminology. That is why they need to understand exactly what constitutes a security incident and how it differs from similar terms.
A security event is the presence of unusual network behavior, such as a sudden spike in traffic or privilege escalation, that could indicate a breach. However, it does not necessarily mean you have a security issue. On further investigation, it may turn out to be perfectly legitimate activity.
A security incident is one or more correlated security events with confirmed potential negative impact, such as the loss of or unauthorized access to data, whether deliberate or accidental.
An attack is a premeditated breach of security with malicious intent.
An incident response team, also known as a computer security incident response team (CSIRT), cyber incident response team (CIRT), or computer emergency response team (CERT), is the cross-functional group responsible for managing these events from detection through resolution.
Types of security incidents
Security incidents fall into several categories based on attack methods and targets. Understanding these types helps teams prepare appropriate response strategies.
Denial-of-service (DoS): An attempt to flood a service with bogus requests, making it unavailable to legitimate users.
Application compromise: An application that has been hacked using techniques such as SQL injection, cross-site scripting (XSS), or cache poisoning, with the goal of corrupting, deleting, or exfiltrating data.
Ransomware: A type of malware that uses encryption to block access to your data. The attacker demands a ransom in exchange for the encryption keys.
Man-in-the-middle (MitM): An adversary covertly intercepts the data exchange between two parties and manipulates the communication between them.
Phishing and social engineering: Attackers use fraudulent emails, messages, or websites to trick users into providing sensitive information, downloading malware, or bypassing security protocols. Phishing remains one of the most common attack vectors because it targets human psychology rather than technical vulnerabilities. Spear phishing, pretexting, and business email compromise are more targeted variations.
Unauthorized access and stolen credentials: An attacker gains entry to systems using stolen, guessed, or brute-forced credentials, then escalates privileges to reach more sensitive data. According to industry reports, the abuse of valid accounts is one of the most common ways attackers breach systems today.
Insider threats: Current or former employees, contractors, or partners misuse their legitimate access, whether intentionally or through negligence, to compromise systems or exfiltrate data.
Supply chain attacks: The malicious code comes from a trusted vendor or dependency, making initial detection especially difficult.
Developing a deep understanding of these attack types helps you formulate response procedures and identify appropriate tooling requirements. Each of these maps to its own playbook, which is why a team's playbook library, not its plan alone, determines how fast and consistently it can respond.
Why is incident response a critical security function?
Organizations with mature incident response programs and security automation consistently contain breaches faster and at lower cost than those without. IBM's 2024 Cost of a Data Breach report found that organizations with high levels of IR planning and testing saved an average of $1.49 million per breach compared to those with neither. That gap isn't theoretical; it shows up in every major breach cost study, year after year.
But the dollar figure only tells part of the story. Speed is the variable that changes everything. The longer an attacker stays in your environment, the more data they access, the more systems they compromise, and the harder eradication becomes. A well-rehearsed incident response plan compresses the window between detection and containment, which directly reduces the blast radius of any attack.
Then there's the compliance reality. Regulations like GDPR, HIPAA, and PCI DSS don't just recommend incident response planning; they require it. Failing to report a breach within mandated timelines carries its own set of penalties, separate from the breach itself.
Who's responsible for incident response?
An incident response team (sometimes called a CSIRT or CERT) is rarely just security engineers. A typical team pulls in SOC analysts for triage, forensic investigators for evidence collection, IT operations for containment and recovery, and an incident commander who owns the overall response. In larger organizations, legal counsel, communications, and executive leadership also have defined roles, because a significant breach isn't just a technical problem.
That cross-functional makeup exists for a reason. Decisions during a live incident span technical, legal, and business domains. Isolating a production database might stop an attacker, but it also takes a revenue-generating application offline. The incident responder role has evolved to require both deep technical skills and the judgment to make those tradeoffs under pressure.
The incident response team owns the plan. It writes the playbooks every responder relies on during a live incident, when there's no time to improvise.
The incident response lifecycle: How does incident response work?
A well-structured incident response lifecycle is core to effective incident management, providing a step-by-step process for dealing with an attack. You'll see the lifecycle described as 4 stages, 5 steps, 6 steps, or even 7. These are variations on two established models. NIST SP 800-61 organizes incident response into four phases; SANS describes six steps. They cover the same ground at different granularity.
The lifecycle shifts in tempo as it moves. Containment is the urgent, time-pressured middle where every minute of delay puts more systems at risk, while the post-incident review is the slow, deliberate end where the team asks not just what happened, but how to make sure it never happens the same way twice.
Preparation
The worst time to start working on an incident response strategy is when an incident strikes. Preparation ensures you have everything in place ahead of time so you can respond without delay.
This phase includes forming the response team, maintaining an up-to-date asset inventory, capturing log data for timeline analysis, procuring tooling for rapid detection and containment, implementing an issue-tracking system for escalation, establishing contingency measures for business continuity, and running training and tabletop exercises to test your plan under realistic conditions. Tabletop exercises are particularly valuable because they expose gaps in communication, tooling, and decision-making before a real incident forces you to find them.
Detection
Detection starts with monitoring: SIEM alerts, EDR signals, cloud audit logs, and user reports all feed into the triage pipeline. The harder part comes next. A responder has to decide whether an alert is a real incident, how severe it is, and what systems are in the blast radius.
Good detection is about signal quality, not alert volume. A team drowning in false positives will miss the real incident buried in the noise.
Investigation and analysis
The investigation phase comprises a systematic series of steps to determine the root cause, the likely impact on your deployments, and appropriate corrective action. As with detection, it involves piecing together event data from different log sources to build a complete picture.
Preserving forensic evidence during this phase is essential. Document all steps taken and evidence found in detail. This supports both internal post-incident review and any legal or regulatory proceedings that may follow.
Containment
Containment stops active attacks from spreading while preserving evidence for investigation. This phase prevents further damage while teams prepare comprehensive remediation strategies.
Primary containment objectives are minimizing blast radius to prevent attackers from accessing additional systems, preserving business operations by maintaining critical services while isolating compromised resources, and securing evidence for forensic analysis.
Containment strategies vary by attack type. DoS attacks may require network filtering and IP blocking. Lateral movement calls for resource isolation using network segmentation. Endpoint compromise can be addressed through EDR tools for immediate workstation isolation. Cloud incidents may involve security group modifications or IAM policy changes through control plane APIs.
Eradication
Eradication is the phase where you completely remove the threat from your environment. The widespread exposure of secrets, affecting 61% of organizations, makes credential rotation and secret management critical during this phase.
Ways to rid your systems of a threat include removing malicious code, reinstalling applications, rotating secrets such as login credentials and API tokens, blocking points of entry, patching vulnerabilities, updating infrastructure-as-code templates, and restoring files to their pre-infection state.
It is also vital to scan both affected and unaffected systems following remediation to ensure no traces of the intrusion remain.
Post-incident review
Post-incident review transforms experience into improved security posture. This phase identifies weaknesses in processes, tools, and team performance to prevent future incidents.
Review focus areas include response effectiveness (how well teams executed containment and recovery), business impact (actual cost in downtime, data loss, and reputation damage), and process gaps (where documentation, communication, or coordination failed).
The review should also identify what security measures could have prevented the incident, whether there were tool gaps or configuration weaknesses, and whether the incident revealed regulatory violations. Effective reviews produce actionable improvements rather than blame assignment.
Watch 5-minute Wiz Defend demo
See how Wiz Defend operationalizes every phase of incident response with full cloud context and automated workflows
Incident response documentation: plans and playbooks
An incident response plan defines the strategy (scope, roles, and escalation paths), but the playbooks inside it are what tell an analyst exactly what to do when a phishing email turns into a credential compromise. Think of the documentation as a hierarchy: the plan sets the framework, playbooks provide step-by-step procedures for specific incident types, and the communication plan maps out who gets notified, when, and through which channels.
Incident response plan
The plan is the strategic document. It defines who is on the team, what authority they have, when to escalate, and how incidents are classified by severity. It doesn't tell you how to handle a ransomware attack specifically; that's the playbook's job.
A good plan is short enough to actually read during a crisis and reviewed at least annually. The ones that collect dust in a SharePoint folder don't count. For templates and structure, see the incident response plan guide.
Playbooks
Playbooks are where the plan meets reality. Each one covers a specific incident type: ransomware, credential compromise, data exfiltration, insider threat. They map directly to the lifecycle phases, telling the analyst what to check, what to isolate, who to notify, and what evidence to preserve at each step.
The teams that get this right build playbooks from real incidents, not hypothetical ones. The incident response playbooks guide covers how to build and maintain them.
Communication plan
The communication plan defines stakeholder notification flows: who inside the organization gets updated at each severity level, when customers or regulators must be told, and who speaks to the press. During a breach, unclear communication causes as much damage as the attack itself. This plan typically lives as a section within the broader incident response plan.
Incident response frameworks
Whichever framework you adopt becomes the backbone of your incident response plan. It sets the phase structure the plan and its playbooks are built around.
Three frameworks dominate the field. NIST SP 800-61 organizes incident response into four broad phases and is the most widely adopted in North America. The SANS Institute's Incident Handler's Handbook breaks the lifecycle into six more granular steps, which many practitioners find easier to map to playbook procedures. ISO 27035 takes a broader view, covering incident management governance and continuous improvement, and is more common in organizations that already follow ISO 27001.
The choice usually comes down to your existing compliance landscape and how granular you want your playbooks to be. All three cover the same ground. For a side-by-side comparison, see the incident response frameworks guide.
Incident response tools and technologies
In practice these tools form a chain rather than a list. The SIEM surfaces a suspicious pattern in log data, EDR confirms malicious activity on a specific endpoint and supplies the forensic detail, and SOAR kicks off the response playbook, often within minutes of the first alert.
SOAR is the engine that runs those playbooks programmatically. When a high-severity alert fires, it can execute the playbook automatically, enriching the alert, isolating the affected endpoint through EDR, and paging the on-call analyst before a human has even opened the ticket.
Here are the core incident response technologies that support effective detection and remediation.
| Technology | Description | Role in response lifecycle |
|---|---|---|
| Threat detection and response (TDR) | Tools that monitor environments for suspicious activity and provide remediation capabilities, including endpoint detection and response (EDR) and cloud detection and response (CDR). | Detection, investigation, containment, and eradication |
| Extended detection and response (XDR) | Platforms that unify detection across endpoints, network, cloud, and email into a single view, correlating data to reveal full attack chains and accelerate investigation. | Detection, investigation, containment, and eradication |
| Security information and event management (SIEM) | Aggregation platforms that enrich logs, alerts, and event data from disparate sources with contextual information, enhancing visibility for better detection and analysis. | Detection and investigation |
| Security orchestration, automation, and response (SOAR) | Orchestration platforms that integrate different security tools and allow you to create playbooks for predefined automated responses. | Detection, investigation, containment, and eradication |
| User and entity behavior analytics (UEBA) | Technologies that use machine learning to baseline normal user and entity behavior, then flag anomalies that could signal insider threats, account compromise, or lateral movement. | Detection and investigation |
| Intrusion detection and prevention system (IDPS) | Traditional defense systems that detect and block network-level threats before they reach endpoints. | Detection and investigation |
| Threat intelligence platform (TIP) | Platforms that collect and rationalize external information about known threats, helping teams quickly identify indicators and prioritize efforts. | Detection, investigation, containment, and eradication |
| Risk-based vulnerability management (RBVM) | Solutions that scan your environment for known vulnerabilities and help you prioritize remediation based on the risk each vulnerability poses. | Containment and eradication |
Measuring incident response: key metrics
Every post-incident review should produce at least one concrete change, whether a new detection rule, a revised escalation path, or an updated playbook, so the program gets measurably better after each incident instead of repeating the same mistakes.
Those reviews feed the program's metrics. Tracking mean time to detect (MTTD) and mean time to respond (MTTR) across incidents is how a team knows whether its preparation and tooling investments are actually working. MTTD measures the gap between when an attack starts and when your team spots it. MTTR measures the gap between detection and containment. Together, they give you the most direct measure of IR program health.
Here's what separates teams that improve from teams that plateau: they treat metrics as diagnostic tools, not scorecards. If your MTTD and MTTR are trending down quarter over quarter, your program is improving. If they're flat or creeping up, something in the preparation or tooling layer isn't delivering. The incident response metrics guide covers the full KPI framework.
Compliance and incident response
This documentation isn't just good practice. It's a legal requirement: regulations like GDPR give you 72 hours to report a personal-data breach, which is impossible without a maintained incident response plan and the records to back it up.
HIPAA, PCI DSS, and SEC disclosure rules all have their own incident reporting timelines and documentation requirements. The common thread is that regulators expect you to have a plan before the breach, not after. During an audit or investigation, they'll ask to see your plan, your playbooks, your post-incident reports, and your evidence of regular testing.
Teams that treat compliance as a byproduct of a mature IR program, rather than a separate checkbox exercise, spend far less time scrambling when regulators come knocking.
AI in incident response
AI now sits on both sides of incident response. It accelerates defender workflows through faster triage and summarization, while also enabling more sophisticated, faster-moving attacks.
On the defender side, AI-powered investigation tools correlate alerts across data sources, summarize attack timelines, and suggest containment actions in seconds. This matters most during detection and analysis, where an analyst might otherwise spend hours manually stitching together log entries from different systems. AI doesn't replace the analyst's judgment. It compresses the time to reach that judgment.
The attacker side is less encouraging. LLM-generated phishing campaigns are harder to detect, AI-assisted reconnaissance is faster and more thorough, and adversarial models can adapt evasion techniques in real time. The practical consequence: the response window is shrinking. When attacks move faster, detection and containment need to move faster too.
Book a Demo of Wiz Defend
Walk through how Wiz Defend helps your team detect threats faster, investigate with full cloud context, contain incidents with automated playbooks, and trace root cause back to code.
