Forensics & IR
Incident Response
Also known as: IR, Cyber incident response
Definition
The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
Examples
- Containing a confirmed business email compromise by revoking tokens, resetting credentials, and notifying impacted parties.
- Coordinating eradication and recovery of a ransomware-infected ERP system across IT, legal, and executive teams.
Related terms
Incident Response Plan
A documented, approved playbook that defines how an organisation prepares for, detects, contains, eradicates, recovers from, and learns from cyber incidents.
DFIR (Digital Forensics and Incident Response)
A combined discipline that fuses digital forensic investigation with incident response to detect, contain, eradicate, and learn from cyber incidents.
Tabletop Exercise
A discussion-based simulation in which stakeholders walk through a hypothetical cyber incident to test plans, roles, decisions, and communication.
SOAR
A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
Security Operations Center (SOC)
A centralized team and facility that continuously monitors, detects, investigates and responds to cybersecurity incidents across an organization's IT estate.