Print this. Save it offline. Reference it during active incidents or use it for preparedness audits.<\/p>\n
Phase 1: Preparation (Complete Before Incidents Occur)<\/strong><\/h3>\nGaps in preparation surface at the worst possible moment. Clear roles, current documentation, tested tools, and rehearsed procedures need to be in place before the clock starts running.<\/p>\n
Team Readiness<\/strong><\/h4>\n\n- Incident response team roles assigned with documented responsibilities<\/li>\n
- Incident Manager designated with authority for containment decisions<\/li>\n
- Off-hours contact information current for all team members<\/li>\n
- Escalation paths documented (who calls whom, when)<\/li>\n
- External contacts established: legal counsel, forensics vendor, law enforcement liaison, cyber-insurance carrier<\/li>\n<\/ul>\n
Documentation<\/strong><\/h4>\n\n- Offline contact lists printed and accessible (phone numbers, not just emails)<\/li>\n
- Current network diagrams available without network access<\/li>\n
- System baselines documented for anomaly comparison<\/li>\n
- Client-specific runbooks created (MSPs) or business unit procedures documented (corporate IT)<\/li>\n
- Incident classification criteria defined (P1\/P2\/P3 severity levels)<\/li>\n<\/ul>\n
Technical Preparedness<\/strong><\/h4>\n\n- EDR deployed with behavioral analysis enabled<\/li>\n
- SIEM configured to correlate events across systems<\/li>\n
- File integrity monitoring active on critical systems<\/li>\n
- Backup verification tested within last 30 days<\/li>\n
- Forensic tools staged: packet capture, disk imaging, memory analysis capabilities<\/li>\n
- Clean system images current and tested<\/li>\n
- Isolated recovery environment available<\/li>\n<\/ul>\n
Testing<\/strong><\/h4>\n\n- Tabletop exercise completed within last quarter<\/li>\n
- Backup restoration tested with documented RTO results<\/li>\n
- Communication channels tested (including out-of-band options)<\/li>\n<\/ul>\n
Phase 2: Detection and Analysis (When an Alert Triggers)<\/strong><\/h3>\nEffective threat detection depends on correlating signals across your environment, not chasing individual alerts in isolation. The first 15 minutes after an alert set the trajectory for the entire response.<\/p>\n
Initial Assessment (First 15 Minutes)<\/strong><\/h4>\n\n- Alert validated (confirmed not a false positive)<\/li>\n
- Affected systems identified<\/li>\n
- Incident severity classified (P1\/P2\/P3)<\/li>\n
- Incident Manager notified (P1\/P2 incidents)<\/li>\n
- Timeline started with first indicator timestamp<\/li>\n<\/ul>\n
Scope Determination<\/strong><\/h4>\n\n- Lateral movement indicators checked<\/li>\n
- Additional compromised accounts identified<\/li>\n
- Data exfiltration indicators reviewed<\/li>\n
- Attack vector identified (phishing, exploit, credential compromise, insider threat)<\/li>\n<\/ul>\n
Evidence Collection (Before Containment)<\/strong><\/h4>\n\n- Memory dump captured from affected systems<\/li>\n
- Network traffic logs preserved<\/li>\n
- Authentication logs exported<\/li>\n
- Screenshots of indicators captured<\/li>\n
- Chain of custody documentation started<\/li>\n<\/ul>\n
Phase 3: Containment (Stop the Bleeding)<\/strong><\/h3>\nEvery minute between detection and containment is a minute the attacker uses to move laterally, escalate privileges, and encrypt additional systems. Isolate too aggressively and you lose forensic evidence; move too slowly and the blast radius expands.<\/p>\n
Immediate Actions<\/strong><\/h4>\n\n- Compromised endpoints isolated from network<\/li>\n
- Compromised accounts disabled<\/li>\n
- Malicious processes terminated<\/li>\n
- Command-and-control IPs\/domains blocked at firewall<\/li>\n
- MFA enforced on privileged accounts (if not already active)<\/li>\n<\/ul>\n
Communication<\/strong><\/h4>\n\n- Internal stakeholders notified per escalation matrix<\/li>\n
- Client notification sent (MSPs) or business leadership briefed (corporate IT)<\/li>\n
- Cyber-insurance carrier contacted (if applicable)<\/li>\n
- Legal counsel engaged (if data breach suspected)<\/li>\n<\/ul>\n
Containment Verification<\/strong><\/h4>\n\n- No new indicators appearing on contained systems<\/li>\n
- Attacker lateral movement stopped<\/li>\n
- Evidence preserved before system changes<\/li>\n<\/ul>\n
Phase 4: Eradication and Recovery<\/strong><\/h3>\nContainment stops the bleeding, but the attacker’s foothold remains until you remove it. Missed persistence mechanisms, unpatched entry points, or credentials that were compromised but never rotated are how single incidents become repeat incidents.<\/p>\n
Threat Removal<\/strong><\/h4>\n\n- Malware removed from all affected systems<\/li>\n
- Persistence mechanisms eliminated (scheduled tasks, registry keys, services)<\/li>\n
- Attacker backdoors identified and closed<\/li>\n
- Vulnerabilities exploited in attack patched<\/li>\n<\/ul>\n
Credential Reset<\/strong><\/h4>\n\n- Compromised account passwords reset<\/li>\n
- Service account credentials rotated<\/li>\n
- API keys and tokens regenerated (if applicable)<\/li>\n
- MFA re-enrolled for affected accounts<\/li>\n<\/ul>\n
System Recovery<\/strong><\/h4>\n\n- Systems rebuilt from clean images (preferred) or restored from verified backups<\/li>\n
- Backup integrity verified before restoration<\/li>\n
- Security controls reapplied to rebuilt systems<\/li>\n
- Systems monitored for reinfection indicators<\/li>\n<\/ul>\n
Recovery Verification<\/strong><\/h4>\n\n- Restored systems tested for functionality<\/li>\n
- Security scans clean on recovered systems<\/li>\n
- Business operations confirmed functional<\/li>\n<\/ul>\n
Phase 5: Post-Incident Activity<\/strong><\/h3>\nThe incident is contained and systems are recovered, but the work that prevents the next breach happens here. Teams that skip post-incident review keep making the same mistakes; teams that invest in it build compounding resilience.<\/p>\n
Documentation (Within 72 Hours)<\/strong><\/h4>\n\n- Complete incident timeline documented<\/li>\n
- Attack vector and root cause identified<\/li>\n
- All containment and recovery actions logged<\/li>\n
- Evidence properly archived with chain of custody<\/li>\n<\/ul>\n
Lessons Learned (Within 7 Days)<\/strong><\/h4>\n\n- Post-incident review meeting held with all responders<\/li>\n
- Detection gaps identified (what was missed, why)<\/li>\n
- Response delays analyzed (what slowed the team down)<\/li>\n
- Tool and process improvements documented<\/li>\n<\/ul>\n
Improvements<\/strong><\/h4>\n\n- Runbooks updated with lessons learned<\/li>\n
- Detection rules tuned based on incident indicators<\/li>\n
- Training gaps addressed<\/li>\n
- Security controls strengthened for identified weaknesses<\/li>\n<\/ul>\n
Compliance and Reporting<\/strong><\/h4>\n\n- Breach notification obligations assessed<\/li>\n
- Regulatory reporting completed (if required)<\/li>\n
- Insurance claim documentation prepared (if applicable)<\/li>\n
- Board\/executive summary prepared<\/li>\n<\/ul>\n
How to Use This Checklist<\/strong><\/h2>\nCombine the checklist above with some guidance on how to prioritize items, and when compliance concerns should be addressed.<\/p>\n
Severity Classification<\/strong><\/h3>\n <\/p>\n
- \n
- Incident response team roles assigned with documented responsibilities<\/li>\n
- Incident Manager designated with authority for containment decisions<\/li>\n
- Off-hours contact information current for all team members<\/li>\n
- Escalation paths documented (who calls whom, when)<\/li>\n
- External contacts established: legal counsel, forensics vendor, law enforcement liaison, cyber-insurance carrier<\/li>\n<\/ul>\n
Documentation<\/strong><\/h4>\n
- \n
- Offline contact lists printed and accessible (phone numbers, not just emails)<\/li>\n
- Current network diagrams available without network access<\/li>\n
- System baselines documented for anomaly comparison<\/li>\n
- Client-specific runbooks created (MSPs) or business unit procedures documented (corporate IT)<\/li>\n
- Incident classification criteria defined (P1\/P2\/P3 severity levels)<\/li>\n<\/ul>\n
Technical Preparedness<\/strong><\/h4>\n
- \n
- EDR deployed with behavioral analysis enabled<\/li>\n
- SIEM configured to correlate events across systems<\/li>\n
- File integrity monitoring active on critical systems<\/li>\n
- Backup verification tested within last 30 days<\/li>\n
- Forensic tools staged: packet capture, disk imaging, memory analysis capabilities<\/li>\n
- Clean system images current and tested<\/li>\n
- Isolated recovery environment available<\/li>\n<\/ul>\n
Testing<\/strong><\/h4>\n
- \n
- Tabletop exercise completed within last quarter<\/li>\n
- Backup restoration tested with documented RTO results<\/li>\n
- Communication channels tested (including out-of-band options)<\/li>\n<\/ul>\n
Phase 2: Detection and Analysis (When an Alert Triggers)<\/strong><\/h3>\n
Effective threat detection depends on correlating signals across your environment, not chasing individual alerts in isolation. The first 15 minutes after an alert set the trajectory for the entire response.<\/p>\n
Initial Assessment (First 15 Minutes)<\/strong><\/h4>\n
- \n
- Alert validated (confirmed not a false positive)<\/li>\n
- Affected systems identified<\/li>\n
- Incident severity classified (P1\/P2\/P3)<\/li>\n
- Incident Manager notified (P1\/P2 incidents)<\/li>\n
- Timeline started with first indicator timestamp<\/li>\n<\/ul>\n
Scope Determination<\/strong><\/h4>\n
- \n
- Lateral movement indicators checked<\/li>\n
- Additional compromised accounts identified<\/li>\n
- Data exfiltration indicators reviewed<\/li>\n
- Attack vector identified (phishing, exploit, credential compromise, insider threat)<\/li>\n<\/ul>\n
Evidence Collection (Before Containment)<\/strong><\/h4>\n
- \n
- Memory dump captured from affected systems<\/li>\n
- Network traffic logs preserved<\/li>\n
- Authentication logs exported<\/li>\n
- Screenshots of indicators captured<\/li>\n
- Chain of custody documentation started<\/li>\n<\/ul>\n
Phase 3: Containment (Stop the Bleeding)<\/strong><\/h3>\n
Every minute between detection and containment is a minute the attacker uses to move laterally, escalate privileges, and encrypt additional systems. Isolate too aggressively and you lose forensic evidence; move too slowly and the blast radius expands.<\/p>\n
Immediate Actions<\/strong><\/h4>\n
- \n
- Compromised endpoints isolated from network<\/li>\n
- Compromised accounts disabled<\/li>\n
- Malicious processes terminated<\/li>\n
- Command-and-control IPs\/domains blocked at firewall<\/li>\n
- MFA enforced on privileged accounts (if not already active)<\/li>\n<\/ul>\n
Communication<\/strong><\/h4>\n
- \n
- Internal stakeholders notified per escalation matrix<\/li>\n
- Client notification sent (MSPs) or business leadership briefed (corporate IT)<\/li>\n
- Cyber-insurance carrier contacted (if applicable)<\/li>\n
- Legal counsel engaged (if data breach suspected)<\/li>\n<\/ul>\n
Containment Verification<\/strong><\/h4>\n
- \n
- No new indicators appearing on contained systems<\/li>\n
- Attacker lateral movement stopped<\/li>\n
- Evidence preserved before system changes<\/li>\n<\/ul>\n
Phase 4: Eradication and Recovery<\/strong><\/h3>\n
Containment stops the bleeding, but the attacker’s foothold remains until you remove it. Missed persistence mechanisms, unpatched entry points, or credentials that were compromised but never rotated are how single incidents become repeat incidents.<\/p>\n
Threat Removal<\/strong><\/h4>\n
- \n
- Malware removed from all affected systems<\/li>\n
- Persistence mechanisms eliminated (scheduled tasks, registry keys, services)<\/li>\n
- Attacker backdoors identified and closed<\/li>\n
- Vulnerabilities exploited in attack patched<\/li>\n<\/ul>\n
Credential Reset<\/strong><\/h4>\n
- \n
- Compromised account passwords reset<\/li>\n
- Service account credentials rotated<\/li>\n
- API keys and tokens regenerated (if applicable)<\/li>\n
- MFA re-enrolled for affected accounts<\/li>\n<\/ul>\n
System Recovery<\/strong><\/h4>\n
- \n
- Systems rebuilt from clean images (preferred) or restored from verified backups<\/li>\n
- Backup integrity verified before restoration<\/li>\n
- Security controls reapplied to rebuilt systems<\/li>\n
- Systems monitored for reinfection indicators<\/li>\n<\/ul>\n
Recovery Verification<\/strong><\/h4>\n
- \n
- Restored systems tested for functionality<\/li>\n
- Security scans clean on recovered systems<\/li>\n
- Business operations confirmed functional<\/li>\n<\/ul>\n
Phase 5: Post-Incident Activity<\/strong><\/h3>\n
The incident is contained and systems are recovered, but the work that prevents the next breach happens here. Teams that skip post-incident review keep making the same mistakes; teams that invest in it build compounding resilience.<\/p>\n
Documentation (Within 72 Hours)<\/strong><\/h4>\n
- \n
- Complete incident timeline documented<\/li>\n
- Attack vector and root cause identified<\/li>\n
- All containment and recovery actions logged<\/li>\n
- Evidence properly archived with chain of custody<\/li>\n<\/ul>\n
Lessons Learned (Within 7 Days)<\/strong><\/h4>\n
- \n
- Post-incident review meeting held with all responders<\/li>\n
- Detection gaps identified (what was missed, why)<\/li>\n
- Response delays analyzed (what slowed the team down)<\/li>\n
- Tool and process improvements documented<\/li>\n<\/ul>\n
Improvements<\/strong><\/h4>\n
- \n
- Runbooks updated with lessons learned<\/li>\n
- Detection rules tuned based on incident indicators<\/li>\n
- Training gaps addressed<\/li>\n
- Security controls strengthened for identified weaknesses<\/li>\n<\/ul>\n
Compliance and Reporting<\/strong><\/h4>\n
- \n
- Breach notification obligations assessed<\/li>\n
- Regulatory reporting completed (if required)<\/li>\n
- Insurance claim documentation prepared (if applicable)<\/li>\n
- Board\/executive summary prepared<\/li>\n<\/ul>\n
How to Use This Checklist<\/strong><\/h2>\n
Combine the checklist above with some guidance on how to prioritize items, and when compliance concerns should be addressed.<\/p>\n
Severity Classification<\/strong><\/h3>\n
<\/p>\n
![\"create](\"https:\/\/www.n-able.com\/wp-content\/uploads\/2026\/02\/cybersecurity-incident-response-plan.jpg\")
<\/a><\/p>\n