Post-Mortem
What is Post-Mortem?
Post-Mortem: A blameless review held after an incident to capture the timeline, contributing factors, and concrete actions that will prevent or detect the issue next time.
A security post-mortem is a structured retrospective that turns an incident into organizational learning. The team rebuilds the timeline from logs, tickets, and chat transcripts, identifies what went well and what failed, and traces contributing factors using techniques such as five-whys or causal mapping. The output is a written document with concrete, owned action items: missing detections, broken playbooks, tooling gaps, training needs, and process changes. To stay productive, post-mortems are blameless, focused on systems rather than individuals, time-boxed, and tracked to closure so improvements actually ship and the same failure does not recur.
● Examples
- 01: Reviewing a ransomware near-miss to find that MFA was missing on a legacy VPN account.
- 02: Documenting how a noisy alert was muted three weeks before a real attack used the same technique.
● Frequently asked questions
What is Post-Mortem?
A blameless review held after an incident to capture the timeline, contributing factors, and concrete actions that will prevent or detect the issue next time. It belongs to the Defense & Operations category of cybersecurity.
What does Post-Mortem mean?
A blameless review held after an incident to capture the timeline, contributing factors, and concrete actions that will prevent or detect the issue next time.
How does Post-Mortem work?
A security post-mortem is a structured retrospective that turns an incident into organizational learning. The team rebuilds the timeline from logs, tickets, and chat transcripts, identifies what went well and what failed, and traces contributing factors using techniques such as five-whys or causal mapping. The output is a written document with concrete, owned action items: missing detections, broken playbooks, tooling gaps, training needs, and process changes. To stay productive, post-mortems are blameless, focused on systems rather than individuals, time-boxed, and tracked to closure so improvements actually ship and the same failure does not recur.
How do you defend against Post-Mortem?
Defences for Post-Mortem typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Post-Mortem?
Common alternative names include: Blameless review, After-action review, Lessons learned.
● Related terms
- Incident Response (forensics-ir, № 524): The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- Incident Response Plan (forensics-ir, № 525): A documented, approved playbook that defines how an organisation prepares for, detects, contains, eradicates, recovers from, and learns from cyber incidents.
- Security Playbook (defense-ops, № 999): A documented, repeatable procedure that tells responders exactly what to do, in what order, for a specific type of security alert or incident.
- Tabletop Exercise (forensics-ir, № 1127): A discussion-based simulation in which stakeholders walk through a hypothetical cyber incident to test plans, roles, decisions, and communication.
- Mean Time to Contain (MTTC) (defense-ops, № 660): The average time between detecting a security incident and reaching a state where the threat can no longer spread, exfiltrate, or cause further damage.