Incident Response
High scrutiny and high blast radius; proof and governance matter.
Inside this journey
-
Customer Discovery
Rapidly capture incident timeline, impacted assets, decision-makers, and immediate constraints to prioritize response.
Discovery Questions
Start: Tell Us What Happened — in your words
- In a few sentences, how would you describe the incident as you understand it right now?
- When did you first notice anything unusual or receive the first alert?
- Who initially reported or detected the problem (role/team and channel)?
- What immediate symptoms are you seeing (e.g., encryption notice, service outages, unusual outbound traffic)? Please be specific.
- Is an internal team actively responding right now?
- Which executives or business owners are currently briefed (select all that apply)?
If This Were a Movie, Where's the Smoke?
- If an attacker still has a foothold, what single asset or system would you be most afraid they'd control next?
- Which systems or sites are already showing signs of compromise (list names, regions, or critical identifiers)?
- Which data types may be exposed or at risk (select all that apply)?
- Have you observed any indicators of exfiltration or large outbound transfers?
- Are there ransom or extortion messages, threats to publish data, or external claims tied to this incident?
- Roughly, what is the hourly estimated business impact if the affected systems remain impaired?
Who Holds the Keys — and Who Needs to Know?
- Who in your organization can immediately grant the access our team needs to deploy sensors and collect forensic data?
- Please list the primary decision-makers and the best phone/email for urgent escalation (name, role, preferred contact).
- Are there legal, regulatory, or contractual constraints that would limit what we can collect or where we can run tools?
- Is a cyber insurance carrier, panel firm, or outside counsel already engaged or expecting notification?
- Have you notified or do you intend to notify law enforcement at this time?
What Would a Containment Win Look Like — Fast?
- If we removed the attacker within the next 4 hours, what exact systems, processes, or data would you expect to be protected or restored to call it a success?
- Which systems absolutely must remain online during containment efforts (select all that apply)?
- Are there blackout windows, release freezes, or high-risk business periods in the next 72 hours we must avoid interrupting?
- Which containment actions are off-limits under any circumstance (e.g., disconnecting domain controllers, taking backups offline)?
- What is the maximum acceptable downtime for your top three critical systems (list system and acceptable downtime)?
What Evidence Do We Have — and What Might Disappear?
- If we delay collecting volatile data (memory, packet captures) by one shift, what evidence do you fear will be lost?
- Which telemetry sources are currently available and accessible to us (select all that apply)?
- If you selected EDR or SIEM, can you provide credentials or a read-only access path now?
- When were backups last performed, are they isolated/offline, and have they been validated recently?
- Has any system been restarted, reimaged, or patched since the incident began that might alter forensic evidence?
How Have You Tried to Fix This — and What Worked?
- What single mitigation action you took felt most effective at slowing or stopping the activity?
- Which of the following containment/remediation steps have already been attempted (select all that apply)?
- Who executed those steps (internal security, IT ops, third-party) and at what times?
- Did any attempted actions unintentionally reduce visibility or complicate evidence collection?
- On a scale, how confident are you that current measures fully removed the adversary?
- Have you preserved a timeline or incident log of actions taken, and can you share it with our team?
What Would Success Look Like for You — Beyond 'Back Online'?
- When this is fully resolved, what outcome would make leadership say this was handled perfectly?
- Which deliverables are critical for your acceptance of the engagement (select all that apply)?
- Who must sign off on the final deliverables (roles/names)?
- Do you anticipate needing support for external communications, regulator notifications, or customer disclosure?
- Are there KPIs or timelines (e.g., restore within X hours, report within Y days) by which the engagement will be judged?
Practical Constraints — What Could Slow Us Down?
- What single operational or policy limitation is most likely to push our response from hours to days?
- Do existing contracts, procurement rules, or corporate policies require additional approvals before we engage or deploy tools?
- Is there an active retainer or emergency access agreement that covers this work and surge capacity?
- Are there budget limitations or PO requirements that could delay our deployment?
- Are there other ongoing incidents or industry-wide waves that could strain responder availability and affect SLAs?
Next Steps — Who Owns What in the First 8 Hours?
- If we proceed now, who will be the single empowered point of contact for decisions in the first 8 hours?
- What is the preferred urgent communication channel for minute-by-minute updates?
- Are there time-zone constraints or specific hours when we are NOT permitted to act?
- Do we need an NDA, written access authorization, or a formal PO before we begin any collection or sensor deployment?
- Would you like us to schedule an immediate 60-minute incident kickoff to align scope, access, and next steps?
-
Solution Experience
Show how our pre-staged sensors, forensic playbooks, and threat-intelligence graph will identify attacker presence, exfiltration channels, and containment options in this incident.
Experience Meetings
- Current State & Consequence Alignment
- Forensic Sensor Evidence Walkthrough
- Threat‑Intelligence Graph Mapping
- Containment Playbook Options & Tradeoffs Workshop
- Execution & Validation Checklist Alignment
- Confirm legal and evidence-preservation actions required before/after containment.
- Tie Graph Goals to Current/Business Risk
- Map attacker infrastructure to observed artifacts and identify specific containment cut-points.
- Provide prioritized list of nodes (network, host, cloud) to block with estimated effectiveness.
- Agree on confidence levels and residual risk after each potential block.
- Obtain explicit customer validation that the proposed cut-points align with their operational constraints.
- Freeze the list of prioritized block/containment targets and produce a one-page recommended cut plan.
- Update detection rules and firewall/IDS signatures for the IOCs identified in the graph.
- Deliver a short threat actor profile and observed TTPs tied to the customer's artifacts.
- Recap Proven Attacker Paths & Critical Assets
- Select a containment playbook with explicit owner and authorization path.
- Agree on the business-impact tolerance and rollback triggers for the chosen approach.
- Define acceptance tests that must pass to consider the attacker eradicated.
- Introductions and Objective
- Customer to authorize selected containment playbook and name an approval authority.
- Operations to prepare targeted playbook runbooks, including communications templates for execs and regulators.
- Forensics to document chain-of-custody steps to be executed immediately prior to containment.
- Confirm Chosen Containment Plan & Owner
- Obtain explicit go/no-go authorization with named approver and execution start time.
- Lock the validation checklist and acceptance tests that will be used to close the containment phase.
- Ensure evidence preservation and chain-of-custody actions are assigned and scheduled.
- Agree on communications cadence and escalation paths during execution.
- Operator team to begin containment execution per approved playbook at the agreed start time.
- Forensics to capture initial preservation artifacts and upload to the secure evidence repository.
- Schedule the first post‑execution validation checkpoint and the executive summary delivery.
- Produce and agree a single-sentence Current State that everyone can reference during the experience.
- Surface concrete consequences (business, legal, operational) to create urgency for containment decisions.
- Define a single-sentence measurable Future State that the Solution Experience must prove.
- Confirm telemetry and access needed for live sensor and graph demonstrations.
- Customer to deliver a 1-page incident timeline and list of impacted assets and decision-makers (by X hours).
- Seller to draft and circulate the agreed Current State, Consequence summary, and Future State one-liners.
- Technical owner to verify sensor access/read-only endpoints required for the walkthrough.
- Force customer validation that the evidence maps to their observed issues.
- Recap Current State & Future State
- Prove attacker presence (or absence) with time-stamped forensic artifacts.
- Identify initial indicators of exfil activity and which channels show data transfer.
- Confirm sensor coverage is sufficient for next steps or list gaps requiring immediate remediation.
- Export and circulate a signed IOC list (IPs, domains, file hashes, process names) from today's walkthrough.
- Tag and preserve involved endpoints and disk images for chain-of-custody.
- If gaps found, schedule immediate targeted captures or sensor redeployments.
- Playbook A: Surgical Endpoint Containment
- One‑Sentence Current State
- Live Graph Reconstruction
- Execution Timeline & SLA Windows
- Sensor Topology & Data Sources
- Evidence Preservation & Chain-of-Custody
- Quantify Consequence
- Playbook B: Network Segment Isolation (targeted)
- Identify Exfil Channels & Pivot Nodes
- Packet Capture Evidence
- Define One‑Sentence Future State
- Memory & Process Artifacts
- Playbook C: Aggressive Network Cut / Quarantine
- Confidence & Attribution Scoring
- Validation Checklist: 'Attacker Eradicated' Criteria
- Endpoint Telemetry Correlation
- Impact & Legal/Regulatory Considerations
- Forced Validation: Do these cut-points achieve the Future State?
- Communication & Escalation Cadence
- Evidence & Coverage Gaps
-
Solution Scope
Define investigation and containment boundaries, data collection requirements, SLA response windows, roles, and escalation paths.
Scope Configuration
- Deploy forensic sensor suite (packet, memory, endpoint)
- Start continuous full-packet capture
- Acquire live memory snapshots from endpoints
- Image disks with verified chain-of-custody
- Collect and centralize endpoint telemetry
- Isolate and quarantine compromised systems
- Block attacker C2 and exfiltration channels
- Revoke compromised credentials and access tokens
- Malware reverse engineering and IOC extraction
- Threat infrastructure mapping via intelligence graph
- Coordinate evidence transfer with law enforcement
- Deliver forensic investigation report and disclosure package
Scope Questions
Deploy forensic sensor suite (packet, memory, endpoint)
- Is pre-authorized deployment of sensors (agent or appliance) permitted under your current contracts/policies?
- Which environments should sensors be deployed to?
- Estimate the number of endpoints/hosts to target for initial sensor deployment
- What operating systems and device types require sensors?
- Are privileged installer accounts, MDM access, or orchestration credentials available for sensor installation?
- Are there any maintenance windows, change-control constraints, or blackout periods that would restrict immediate sensor deployment?
Start continuous full-packet capture
- Do you have network taps or SPAN ports available at key egress/ingress points for packet capture?
- What capture retention policy is required (how long must full packets be retained for analysis)?
- Are there any bandwidth, storage, or privacy constraints that would limit full-packet capture?
- Is decryption of TLS/encrypted traffic permitted for capture and analysis?
- Which network locations should be prioritized for continuous capture (e.g., internet egress, datacenter core, VPN concentrators)?
- What SLA is required for beginning packet capture after engagement start?
Acquire live memory snapshots from endpoints
- Which endpoint classes require live memory capture (servers, workstations, cloud instances)?
- Are live-forensics tools approved for your environment, or is additional authorization required?
- How quickly must memory snapshots be acquired to meet investigative objectives?
- Is persistent forensic agent pre-deployed (enabling remote memory capture) or will captures require manual on-host access?
- Are there any endpoints with sensitive data or regulated workloads that require special handling during memory acquisition?
- Specify any constraints on memory snapshot size, transfer method, or storage location (e.g., cannot transfer offsite)
Image disks with verified chain-of-custody
- Which systems require full disk imaging (priority list or categories)?
- Is legal or internal compliance approval required before imaging systems?
- Do you require a court-admissible chain-of-custody process and evidence packaging for images?
- Will imaging be performed onsite, via remote acquisition, or via cloud-provider snapshot?
- Are there encrypted disks or self-encrypting drives that will require key retrieval or vendor assistance?
- How soon must imaging begin to preserve volatile evidence and minimize data loss risk?
Collect and centralize endpoint telemetry
- Which telemetry sources should be centralized (EDR, Sysmon, Windows Event, logs, application logs)?
- Is there an existing SIEM or log-aggregation platform to centralize telemetry into?
- What retention and indexing requirements do you have for centralized telemetry during the investigation?
- Are there licensing or ingestion limits (events/day) that could prevent full telemetry centralization?
- Do you permit temporary elevation of telemetry collection (increased verbosity) for scope investigation?
- List any specific telemetry fields or applications that are critical for this investigation (e.g., mail server logs, VPN logs)
Isolate and quarantine compromised systems
- Do you authorize network-level isolation (switch port shutdown, VLAN change) and/or host-level quarantine (EDR block) for suspected systems?
- What is the acceptable impact threshold for isolation actions (e.g., tolerate downtime for critical systems?)
- Are there segmented environments or critical availability constraints (e.g., medical devices, OT) that restrict isolation methods?
- Should quarantined systems remain available for remote evidence collection or be physically removed?
- Are rollback or failback plans required for any isolation action we might take?
- Who must be notified/approve before isolation actions (roles or contact points)?
Block attacker C2 and exfiltration channels
- Do you allow proactive blocking of identified IPs/domains at perimeter and endpoint levels?
- Which control points are available for blocking (firewall, proxy, endpoint policy, DNS, cloud security groups)?
- Are there concerns about false positives impacting business-critical traffic if broad blocks are applied?
- Do you require staged blocking (alert -> soft block -> hard block) or immediate hard blocks?
- Are egress filtering and data-loss prevention (DLP) systems integrated and available to assist with exfiltration detection/blocking?
- List any third-party services or partner connections where blocking could disrupt operations and require special handling
Revoke compromised credentials and access tokens
- Do you permit immediate revocation/rotation of user and service credentials implicated in the incident?
- Which identity systems must be updated (AD, Azure AD, IAM roles, API keys, cloud service accounts)?
- Are there privileged accounts or service tokens that cannot be rotated without maintenance windows?
- Do you require secret management or rotation automation as part of credential revocation?
- Should revocations be logged and reported for legal/compliance purposes (include audit trail)?
- Provide any exceptions or business-critical services where credential revocation must be avoided or scheduled
Malware reverse engineering and IOC extraction
- Do you require reverse engineering for binaries recovered from the environment to identify capabilities and persistence?
- Are samples permitted to be taken offsite or shared with third-party analysts for analysis?
- What turnaround time is required for IOC deliverables (hashes, YARA, network indicators)?
- Should extracted IOCs be automatically pushed to blockers/EDR/SIEM after validation?
- Are there specific analysis outputs required (behavioral summary, persistence mapping, deobfuscation steps)?
- Do you require malware provenance (e.g., linking to known threat actor groups) as part of the RE report?
Threat infrastructure mapping via intelligence graph
- Do you want our intelligence graph integrated with your telemetry to map attacker infrastructure in real time?
- Which external feeds or internal intel sources should be considered for correlation (provide list)?
- Do you require active disruption recommendations (e.g., sinkholing, takedown coordination) based on the mapped infrastructure?
- How granular should mapping be (C2 IPs/domains, ASNs, infrastructure graphs, attacker TTP chains)?
- Are there legal or disclosure constraints on sharing intelligence-derived indicators outside your organization?
- Do you want real-time alerting when intelligence graph identifies new infrastructure linked to this incident?
-
Mutual Commit
Finalize engagement terms, access authorizations, communication cadence with legal and execs, and assurances for surge capacity during attack waves.
Agreement Modules
- Non-Disclosure Agreement (NDA)
- Master Services Agreement (MSA)
- Statement of Work (SOW)
- Service Level Agreement (SLA)
- Access & Authorization Consent
- Evidence Preservation & Chain-of-Custody Protocol
- Data Processing Agreement (DPA)
- Law Enforcement & Regulatory Coordination Consent
- Communication & Executive Escalation Plan
- Surge Capacity & Prioritization Assurance
- Billing, Rates & Payment Terms
- Change Order & Scope Modification
- Termination, Suspension & Exit Plan
- Roles, Responsibilities & RACI
- Insurance, Indemnity & Liability Allocation
-
Deployment
Operationalize incident response with readiness checks, rapid sensor deployment, and validation of containment.
-
Pre-Deployment Readiness
Confirm accounts, network access, sensor targets, evidence preservation rules, and regulator/law-enforcement notification preferences before execution.
Readiness Questions
Tell Us What's Happening Right Now
- Can you briefly describe the incident as you first noticed it—who reported it, what was seen, and roughly when?
- Which specific alerts, logs, or symptoms first raised alarm (select all that apply)?
- Which systems, applications, or datasets do you believe are impacted right now (list hostnames, apps, buckets, or business units)?
- When did you first observe potential compromise?
- How is this incident affecting operations at the moment?
- Who inside the company is currently coordinating the response (names and roles)?
If This Is Worse Than You Think, What Keeps You Up?
- If an attacker is already persistent in your environment, what is the single worst operational or legal consequence you fear in the next 48 hours?
- How confident are you that your existing telemetry would detect lateral movement and cloud compromise?
- Have you experienced a similar breach before? If so, what long-term impacts (regulatory, customer churn, recovery cost) persisted after that event?
- Which regulatory or contractual notification deadlines are most pressing right now (select all that apply)?
- Who from your executive team or board is actively demanding updates or influencing decisions on this incident?
What's Stopping Rapid Containment?
- What specific access, credentials, or permissions do we not currently have that would prevent us from deploying sensors and taking containment actions immediately?
- Which of these accounts or consoles can you provide for immediate access?
- Are there network segments, cloud tenants, or data centers where sensor deployment is prohibited without executive or compliance approval?
- Do encryption, proprietary hardware, or managed network configurations prevent packet capture or deep inspection on key links?
- What internal policies (maintenance freeze, change windows, or critical business processes) would limit aggressive containment on affected systems?
Who Holds the Keys, and How Do They Want to Talk?
- If we recommend an urgent containment step, who has the true authority to approve it — and who has veto power?
- Please provide the names, roles, and preferred secure contact method (phone, secure chat, PGP/email) for each approval owner.
- What is your legal team's required involvement before we execute forensics or collect certain evidence?
- Which third parties must be coordinated with prior to or during our engagement (insurer, MSSP, cloud provider, managed SOC, etc.)?
- Describe the escalation thresholds and who should be looped in at each stage (e.g., executive, board, legal, PR).
Evidence, Privacy, and What We Can (and Can't) Touch
- Which data types or systems are explicitly off-limits for imaging or export under policy, contract, or regulation?
- Do you have an existing legal hold, preservation order, or regulatory inquiry in flight that changes how we handle evidence?
- Which of these sensitive data categories require special handling or redaction?
- Which chain-of-custody procedures or templates must we follow (or attach) for evidence to be admissible to your standards?
- Do you require internal witness or counsel presence for any on-site collection activities?
Where Should We Place Sensors and What Data Can We Collect?
- If you could guarantee one environment we could fully instrument within four hours, which would you choose and why?
- Which environments should be prioritized for our pre-staged sensors (select up to three)?
- Are there systems where memory capture, disk imaging, or packet collection is prohibited or requires elevated approval?
- Do export or cross-border data rules restrict moving captures or images off-premises?
- Do you have an up-to-date asset inventory/CMDB we can use to target sensors? If so, what's the source and last update date?
- Who approves sensor placement outside normal change windows (name and role)?
How Will Success Be Measured Under Pressure?
- If we had only 24 hours to demonstrate progress, what specific outcome would make you feel the engagement was a success?
- Which of these outcome metrics matter most to your stakeholders (select all that apply)?
- What SLA windows are you expecting for initial containment, forensic collection, and final report delivery?
- In a broad attack wave, what minimum on-call team composition would you accept (roles and headcount)?
- Are there fixed budget or contractual ceilings that would prevent surge or travel for our team?
Telling the Story: Notifications, Regulators, and Public Messaging
- If this incident were publicly disclosed tomorrow, what would be the biggest reputational or commercial impact to your organization?
- Do you have pre-approved notification templates for customers, regulators, or partners?
- Which authorities or agencies might we need to notify or coordinate with during the investigation (select all that apply)?
- Do you want us to coordinate directly with law enforcement, or should we route contact through your internal or external counsel?
- Who is authorized to sign off on public statements, and what legal clearance process must be followed before any external communication?
Practical Constraints: Logistics, Windows, and Travel
- What times or maintenance windows are absolutely off-limits for any sensor deployment or host-based collection?
- Are there recurring blackout periods we must avoid (payroll runs, month-end close, regulatory filings)?
- Can our team perform actions outside normal business hours and who must be notified for out-of-hours activity?
- If physical evidence collection is required, how quickly can on-site key-holders or facilities staff be made available?
- Is travel approval or site-access clearance required for our personnel to enter datacenters or offices?
Final Check: What Keeps You From Saying Yes Right Now?
- What concerns, internal approvals, or missing documentation would make you hesitate to grant immediate deployment rights?
- Which of these assurances would most reduce friction for your stakeholders (select up to three)?
- If we proposed a minimally invasive 4-hour starter plan (rapid sensor deploy, triage, and one executive update), what must it include for you to approve it right now?
- When would you like a short readiness call to finalize access, approvals, and the initial action plan?
-
Deployment Enablement
Deploy forensic sensors, collect memory/packet captures and endpoint telemetry, run containment playbooks, and coordinate live investigations.
-
Validation Checklist
Verify attacker eradication, confirm scope of exfiltration, validate system integrity, and document chain-of-custody and acceptance criteria.
Validation Questions
Tell Us What's Burning Right Now
- In 1–2 sentences, describe the incident as you understand it right now (what happened, where you first saw it, and the number one thing keeping you awake)
- When did you first notice unusual activity or receive an alert?
- What’s the highest-priority impact we should address first?
- Which systems, locations, or business units appear affected (list top 3)?
- Has any containment or mitigation already been performed? If yes, what and when?
- Who initiated this engagement and who is our primary point of contact?
Are We Sure the Attacker Is Gone?
- It’s easy to declare an incident contained—what would make you question that confidence right now?
- What concrete signs of persistence have you seen (pick all that apply)?
- When was the last confirmed adversary action logged (rough time/date or window)?
- Which telemetry sources are available for immediate analysis?
- Are there active alerts or automated responses we should prioritize for triage right now?
What Would Losing Control Actually Look Like?
- If the attacker quietly exfiltrated your most sensitive data tonight, what would break first—and how would you notice it?
- Which data types would cause the most legal, financial, or reputational harm if exposed?
- Which systems or repositories hold what you consider the organization’s 'crown jewels'?
- What contractual, regulatory, or insurer notification requirements could be triggered by data loss?
- What are your practical RTO (recovery time objective) and RPO (acceptable data loss) expectations for critical systems?
Who Actually Signs Off When Things Get Real?
- When containment requires business-impacting actions, who has final authority to approve those steps and what drives their decisions?
- Which stakeholders must be notified immediately? Please list name, role, and best contact method for up to 6 people.
- Which teams are already involved or must be looped in for decisions (select all that apply)?
- Do you have standing retainer agreements, pre-approved budgets, or emergency procurement paths we can use immediately?
- Who is authorized to provide forensic access or approve sensor deployment (name or role)?
What Evidence Will Make You Sleep at Night?
- What specific artifacts or documentation would convince you the threat has been removed and evidence is defensible in court or to regulators?
- Which chain-of-custody artifacts do you require as a minimum?
- Is evidence preservation currently required for an insurance claim, litigation hold, or regulator inquiry?
- How long must raw evidence and working copies be retained, and who owns custody decisions?
- Are there internal or third‑party policies that limit moving data offsite or copying logs/images?
How Will We Know We're Done?
- Declaring ‘eradicated’ is a big step—what measurable acceptance criteria would make you sign off on remediation and recovery?
- Which of the following items must be demonstrably satisfied before you consider the incident closed?
- Do you require an external or independent validation step (e.g., third‑party attestation, regulator acceptance)?
- What timeline do you expect for validation activities after containment (select the fastest realistic expectation)?
- What residual risk level are you willing to accept to transition from incident mode to normal operations?
What Could Stop Us From Reaching Closure?
- If this engagement fails to achieve eradication, what practical obstacles will be blamed—and are any of those obstacles already present?
- Which of these constraints worry you most right now?
- Are there specific vendors, cloud providers, or partners we cannot touch or will require separate approvals?
- Have you had previous IR engagements that failed or underperformed? If yes, what was the root cause?
- How would you prefer we escalate and communicate trade-offs or bad news during the engagement?
Can We Get What We Need Right Now?
- We can move within hours—what immediate permissions, credentials, or artifacts can you give us now to start validation and forensic collection?
- Which of the following access items can you authorize immediately?
- Do you already have pre-staged sensors, forensic tooling, or a retainer that speeds deployment?
- Who is the designated contact for evidence custody, and what is their preferred secure handoff method?
- Do you want us to notify or coordinate with law enforcement now, preserve that option, or avoid notification unless legally required?
-
-
Success
Review findings, remediation outcomes, disclosure obligations, and track open issues or follow-ups for continuous improvement.
Success Reviews
- Executive Incident Closure & Risk Brief
- Technical Findings & Validation Review
- Remediation Implementation & Validation Checkpoint
- Legal, Compliance & Disclosure Coordination
- Lessons Learned & Continuous Improvement Workshop
Issues & Enhancements
- Assemble privileged evidence bundle with documented chain‑of‑custody for legal counsel.
- Confirm remediation tasks are completed to agreed acceptance criteria.
- Resolve or escalate blockers and allocate required resources.
- Schedule final verification and signoff for technical closure.
- Complete outstanding patches/configurations and report verification evidence.
- Run and document full restore/recovery tests where applicable.
- Enable and tune detection rules derived from IOCs and confirm alerts cleared.
- Confirm SLA adjustments or surge support scheduling if required.
- Jurisdictional Notification Requirements
- Agree on who will notify which regulators/customers and by what deadlines.
- Ensure privileged materials and evidence are protected and documented for potential legal processes.
- Confirm insurer requirements are met and public/customer messaging is approved.
- Produce and file regulator notifications according to jurisdictional timelines.
- Introductions & Objectives
- Provide insurer with requested documentation and open claim contact.
- Finalize and publish approved customer and public communications.
- Root Cause & Contributing Factors
- Produce a prioritized, time‑bound remediation and improvement plan owned by specific stakeholders.
- Update IR playbooks, evidence handling procedures, and detection content based on findings.
- Schedule and scope a follow‑up tabletop/exercise to validate implemented changes.
- Publish updated incident response playbook and circulation list.
- Implement top priority detection/enforcement changes and verify via test.
- Assign owners and set deadlines for backlog items in the tracking tool.
- Schedule a tabletop exercise within 60–90 days to validate improvements.
- Ensure executives understand the incident impact, remediation status, and residual risk.
- Obtain formal approval for disclosure recommendations and public statements.
- Assign accountable owners and deadlines for unresolved remediation and communications.
- Produce an executive one‑page incident summary for board and regulators.
- Approve and send agreed regulator/customer notification drafts.
- Assign owners and deadlines for each residual risk mitigation task.
- Schedule follow‑up check to confirm remediation closures and communications.
- One‑Sentence Current State & Investigation Scope
- Validate the investigative findings and confirm the scope of systems and data impacted.
- Confirm evidence that attacker persistence has been removed or identify remaining indicators.
- Agree on technical acceptance criteria and next steps to remediate outstanding risks.
- Deliver final forensic report, IOCs, and chain‑of‑custody package to stakeholders.
- Publish IOC set to detection platforms and implement blocking rules.
- Schedule targeted re‑scans and validation windows to confirm eradication.
- Hand off long‑term monitoring and playbook updates to SOC with timeline.
- Remediation Status Dashboard
- Validation Test Results
- Process, People & Tooling Gaps
- Privileged Material & Evidence Handling
- Forensic Evidence Overview
- One‑Sentence Current State
- Outstanding Blockers & Resource Needs
- Timeline & Key Findings
- Prioritized Improvement Backlog
- Exfiltration Scope & Data Impact Validation
- Regulator & Law Enforcement Coordination
- Insurance Claims & Documentation
- Eradication & Containment Validation
- Owners, Timelines & Success Metrics
- Business Impact & Consequences
- SLA Compliance & Capacity Review
- Plan Exercise & Verification
- Schedule Final Verification & Closure Criteria
- Remediation Outcomes & Residual Risk
- Open Technical Risks & Acceptance Criteria
- Public Statement & Customer Notification Drafts