Who this page is for
This page is for incident managers, SOC and IT leads, crisis team members, data protection and legal functions, and executives who need to understand how their organisation is prepared.
What incident response is
Incident response covers all organisational and technical steps an organisation uses to detect, contain, handle and learn from a security incident. It is more than technical forensics. Communication, decision paths and legal aspects matter just as much.
Preparation beats improvisation
There is no time to clarify basics during an incident. Pre-defined roles, escalation paths, communication templates and external providers save time and reduce damage.
Tabletop exercises very quickly surface that emergency contacts are outdated or that weekend decision paths do not actually work.
Common phases
A widely used model (NIST) distinguishes:
1. Preparation: plans, roles, tooling, exercises
2. Detection and analysis: alerts, triage, assessment
3. Containment: limit impact without destroying forensics
4. Eradication: remove root causes and persistence
5. Recovery: controlled restart
6. Lessons learned: structured review and improvements
Roles and responsibilities
Established roles include:
- Incident commander: coordinates
- Technical analysis: SOC, IT, external forensics where needed
- Communications: internal, customers, authorities, media
- Legal and data protection: duties, notifications, evidence
- Crisis team and executive management: business-impact decisions
- HR, when employees are affected
Each role needs a deputy.
Communication during incidents
Communication often determines reputational impact. Templates help: first internal information, status updates, customer communication, regulatory notification, public messaging.
Ground rule: do not speculate; keep confirmed facts clearly separated from suspicions.
Technical prerequisites
Effective response requires:
- Logs retained over meaningful timeframes
- EDR telemetry on endpoints and servers
- Clear, reliable visibility into identities and accounts
- Backups and a documented recovery plan
- Available forensic tools and partners
Common mistakes
Typical weak points:
- Cleaning up too fast without forensics
- Unclear escalation on weekends
- Purely reactive communication
- No tabletop exercises
- Backups whose restore is never tested
Practical scenario
An incident starts on a Friday evening with unusual EDR alerts. Because contacts and roles have been rehearsed, an incident commander takes over, the crisis team meets on Saturday morning, forensics is engaged and customers are informed clearly. Three days later, operations are restored and the lessons learned are turned into actions.
Checklist
- Incident response plan documented and approved
- Clear roles with deputies
- Escalation chain including legal and communications
- Forensics and EDR tools ready
- External providers on retainer
- Communication templates prepared
- Tabletop exercise at least once a year
- Backups and recovery tested
Frequently asked questions
What is the most important step?
Preparation. Improvising during an incident wastes time and creates mistakes.
When do you report?
As soon as the regulatory threshold is met. NIS2 and DORA set tight windows, so reporting paths must be rehearsed in advance.
Who decides during a crisis?
Executive management or a crisis team, based on preparation and assessment by IT, security and legal.
Related topics
A good incident response plan is short enough to be useful in a crisis and concrete enough to speed up decisions. This page describes a pragmatic structure and typical contents.
A security operations centre combines people, process and technology to detect cyber incidents early, handle them in a structured way and learn from them. This page covers tasks, models and common pitfalls.
A SIEM aggregates log and telemetry data, correlates it and provides the foundation for detection and incident response. This page covers function, important data sources and common mistakes.
Ransomware remains one of the most expensive cyber risks. It is typically the result of a chain of weaknesses rather than a single click. This page covers typical patterns, effective controls and an orderly first response.
Phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.
The NIS2 directive raises the cyber security bar in the EU noticeably. This page offers editorial orientation - not legal advice.
A compromised account is one of the most common incident types today. This page outlines causes, early signs and reasonable first actions.
Backups are a core defence against data loss and ransomware. This page explains the 3-2-1 rule, offline and immutable backups, restore tests and common mistakes.
Business email compromise targets money or data flows through manipulated business mail - often via compromised mailboxes or convincing correspondence. This page outlines scenarios and controls.