What is Incident Response?


Incident response is the structured process for detecting, containing, and recovering from cyberattacks. Learn the IR lifecycle, what separates good from bad response, and what executives must know.

The Incident Response Lifecycle

The NIST incident response framework (SP 800-61) defines four phases that provide the standard structure for IR programs: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The first three are described below.

Phase 1: Preparation

Preparation encompasses everything done before an incident occurs to enable effective response. This includes developing documented incident response plans, defining the incident response team and roles, establishing communication procedures and escalation paths, implementing the detection and monitoring capabilities that enable incident identification, and conducting tabletop exercises and simulations that validate the plan under realistic conditions. Organizations that invest in preparation demonstrate dramatically better outcomes in actual incidents — not because the plan is followed as a script, but because the team has thought through scenarios, established communication patterns, and identified resource gaps before they need them under pressure.

Phase 2: Detection and Analysis

An incident must be detected before it can be responded to. Detection capability — endpoint detection and response platforms, SIEM correlation, user and entity behavior analytics, and threat hunting — determines how quickly after compromise an attacker is identified. The longer an attacker operates undetected, the more access they acquire, the more damage they cause, and the more complex and expensive the remediation becomes. Analysis determines the nature and scope of the incident: which systems are affected, what the attacker has accessed, how initial access was achieved, and what the attacker's objectives appear to be. This analysis drives containment decisions.

Phase 3: Containment, Eradication, and Recovery

Containment stops the spread of an incident while preserving forensic evidence. Short-term containment might involve isolating an affected endpoint from the network. Long-term containment might involve disabling compromised accounts, blocking attacker infrastructure at the firewall, and deploying compensating controls while eradication is prepared. Eradication removes the attacker's presence from the environment — removing malware, closing unauthorized access paths, resetting compromised credentials, and patching the vulnerabilities used for initial access. Recovery restores systems to normal operation through validated backups, rebuilt systems, or restored configurations.

What Separates Good Incident Response from Bad

Speed of Detection

The single most important variable in incident response outcomes is dwell time — the period between initial compromise and detection. Organizations that detect intrusions within hours contain them to a fraction of the scope of organizations that detect them weeks or months later. Dwell time is primarily a function of detection investment: 24/7 monitoring, behavioral detection tuned to the environment, and threat hunting that actively looks for attacker presence rather than waiting for alerts.

Pre-Established Relationships

Organizations that experience their first significant incident with no prior IR firm relationship, no cyber insurance policy, and no retainer agreement spend the first 24-48 hours of a crisis identifying and negotiating with responders rather than responding. IR firm retainer agreements establish pre-negotiated rates, pre-authorized scope, and an established relationship that enables immediate engagement when an incident occurs. Cyber insurance policies with IR coverage provide access to approved IR firms with pre-authorized response funding. These arrangements are made before incidents, not during them.

Communication Clarity

Major incidents require clear communication protocols: who is notified when, through what channels, with what information, and with what decision authority. The absence of clear communication protocols in a ransomware scenario leads to situations where executives learn about the incident from employees rather than the security team, where conflicting information reaches the board, and where response decisions are delayed because decision authority is unclear. Incident communication plans should specify internal escalation paths, board notification procedures, regulatory notification timelines, and external communications strategy.

Incident Response for PE Portfolios

Portfolio-Level IR Planning

A PE sponsor managing a portfolio of mid-market companies faces a specific challenge: the probability that at least one portfolio company experiences a significant cyber incident in any given year is high, but the specific company and timing cannot be predicted. Portfolio-level IR planning establishes the IR relationships, insurance coverage, and response protocols that can be activated for any portfolio company when an incident occurs, rather than requiring each portfolio company to independently establish these relationships and capabilities.

The M&A Incident Discovery Problem

A significant percentage of M&A due diligence engagements discover evidence of active or historical compromise in the target environment that the target organization was not aware of. Indicators of compromise — attacker persistence mechanisms, unusual outbound connections, anomalous account activity — that have been present for months without detection are discovered in the due diligence review process. Organizations acquiring companies without IR-competent technical due diligence acquire historical breaches along with the business assets. The liability implications of undisclosed historical breaches, including exposure of any data involved, are material to deal terms.

Real-World Example: Maersk and NotPetya — Recovery Without Preparation

In June 2017, the NotPetya destructive malware spread through Maersk's global network within hours, taking down 45,000 PCs, 4,000 servers, and 2,500 applications across 130 countries. Maersk had no incident response plan calibrated for a scenario of this scope. Recovery required reinstalling the entire Microsoft Windows infrastructure from scratch — a process that took 10 days and required flying IT teams around the world to physically rebuild systems. The estimated cost was $300 million. The incident was survivable — Maersk recovered its infrastructure — but the absence of IR preparation turned a recoverable incident into a $300 million operational catastrophe. With prepared response procedures and tested backup recovery processes, recovery time and cost would have been a fraction of what was experienced.

$1.49M is the average cost difference between breaches at organizations that tested their incident response plans and those that did not. Organizations that rehearse response contain incidents faster, spend less, and recover more completely.

How Cloudskope Can Help

Cloudskope provides Digital Forensics and Incident Response (DFIR) services for mid-market enterprises and PE portfolio companies — from initial triage and evidence preservation through full environment recovery and post-incident reporting. We maintain pre-negotiated retainer agreements that enable immediate engagement when incidents occur. For PE sponsors, we provide portfolio-level IR planning and tabletop exercises that prepare portfolio companies for realistic incident scenarios.