Vol. 1 · Ed. 2026
CyberGlossary
Entry № 585

Incident Response

Reviewed by Cybersecurity entrepreneur & security researcher

What is Incident Response?

Incident Response: The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.


Incident response (IR) is the structured response to events that compromise — or threaten to compromise — the confidentiality, integrity or availability of information assets. NIST SP 800-61 defines a six-phase lifecycle (preparation, detection and analysis, containment, eradication, recovery, post-incident activity) while SANS uses a similar PICERL model. Effective IR depends on tested playbooks, on-call rotations, communication trees, legal and PR engagement, and tools such as SIEM, SOAR, EDR, and forensic triage suites. The goal is to minimise damage and recovery time and to feed improvements back into prevention and detection.

Examples

  1. Containing a confirmed business email compromise by revoking tokens, resetting credentials, and notifying impacted parties.

  2. Coordinating eradication and recovery of a ransomware-infected ERP system across IT, legal, and executive teams.

Frequently asked questions

What is Incident Response?

The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned. It belongs to the Forensics & IR category of cybersecurity.

How do you defend against Incident Response?

Defences for Incident Response typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Incident Response?

Common alternative names include: IR, Cyber incident response.
