Creating an incident response program and team is the core of any strong cybersecurity program. According to one 2020 report, 7 million data records are compromised every day. With a better understanding of incident response, you can mature your security posture and reduce the risk of a data breach.

What is incident response (IR)?

At a very high level, incident response is the set of policies, processes, and procedures an organization has in place to detect, investigate, contain, remediate, and recover from a data security incident.

However, while this might be the quick-hit definition, the reality is that IR is a complex, interrelated set of activities. Security analysts need to detect abnormal activity in their environments and then investigate those anomalies to determine whether the activity is really a threat or just another false positive.

The Six Steps of Incident Response

Two primary approaches exist when discussing IR. The National Institute of Standards and Technology (NIST) “Computer Security Incident Handling Guide” takes a four-step approach, while the SANS Institute “Incident Handler’s Handbook” expands that to six steps. Ultimately, both describe the same process; NIST simply consolidates containment, eradication, and recovery into one long step, while SANS treats them as separate steps.

Preparation

During the preparation stage, you start by determining all your high-risk data, applications, users, devices, networks, and systems. In other words, you want to think like a cybercriminal and look for high-value targets.

You should also consider likely attack scenarios, including credential theft, Distributed Denial of Service (DDoS), and ransomware.

This aligns with an old military principle from Sun Tzu’s “The Art of War”: know yourself and know your adversary.

Identification or Detection

Often, this is the most difficult step. First, you need to make sure that your security team can detect abnormal activity in your environment. For example, to detect a credential theft attack, they need to have alerts indicating failed login attempts within a certain time frame.

This step is difficult because it also includes investigating the alerts. Threat researchers struggle with this for several reasons:

  • High number of false alerts: Alert definitions were set too broadly, triggering too many alerts.
  • Not enough data: Too little source data is available to effectively locate the cause of the alert.
  • Too many locations: Investment in many security tools means researchers need to look in a lot of places.
  • Not enough experience: Due to the cybersecurity skills gap, the threat researchers hired lack the experience to pivot from one data source to the next during an investigation.
  • Too many formats: Every data source uses its own format and query language, making it hard to normalize data and correlate events across sources.

The faster your threat researchers can investigate the security incident, the faster they can contain the threat to reduce the event’s impact.
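The failed-login alert described above, and the difficulty of correlating across data sources that use different formats, can be shown in a small detector. This is an added example, not code from the original post or from Query.AI: it normalizes two constructed log formats (an sshd-style syslog line and a JSON event from a hypothetical web application) into one schema, then counts failures per user and source address inside a sliding time window. The sample lines, the five-failures-in-five-minutes threshold, and the field names are all assumptions chosen for illustration.

```python
"""Normalize two auth log formats and flag bursts of failed logins per user/source."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real logs): sshd-style syslog lines.
SYSLOG_LINES = [
    "2024-03-01T10:00:01Z host1 sshd[101]: Failed password for alice from 203.0.113.7 port 5000 ssh2",
    "2024-03-01T10:00:05Z host1 sshd[101]: Failed password for alice from 203.0.113.7 port 5001 ssh2",
    "2024-03-01T10:00:09Z host1 sshd[101]: Failed password for alice from 203.0.113.7 port 5002 ssh2",
    "2024-03-01T10:00:14Z host1 sshd[101]: Accepted password for alice from 203.0.113.7 port 5003 ssh2",
    "2024-03-01T10:30:00Z host1 sshd[102]: Failed password for bob from 198.51.100.9 port 6000 ssh2",
]

# Constructed sample data: JSON events from a hypothetical web application.
JSON_LINES = [
    '{"ts": "2024-03-01T10:00:03Z", "user": "alice", "src": "203.0.113.7", "outcome": "failure"}',
    '{"ts": "2024-03-01T10:00:07Z", "user": "alice", "src": "203.0.113.7", "outcome": "failure"}',
    '{"ts": "2024-03-01T10:45:00Z", "user": "carol", "src": "192.0.2.5", "outcome": "success"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp both sample formats use."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_syslog(line):
    """Map an sshd line onto the common schema; return None for unrelated lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "user": m["user"], "src": m["src"],
            "success": m["result"] == "Accepted", "source": "sshd"}


def normalize_json(line):
    """Map a JSON web-app event onto the same common schema."""
    d = json.loads(line)
    return {"ts": parse_ts(d["ts"]), "user": d["user"], "src": d["src"],
            "success": d["outcome"] == "success", "source": "webapp"}


def normalize_all(syslog_lines, json_lines):
    """Merge both sources into one time-ordered event list."""
    events = [e for e in map(normalize_syslog, syslog_lines) if e]
    events += [normalize_json(line) for line in json_lines]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per (user, src) when failures inside the window reach the threshold.

    A later successful login from the same pair is recorded on the alert, because a
    burst of failures followed by a success is the pattern that most needs a look.
    """
    recent = defaultdict(list)   # (user, src) -> timestamps of failures still in the window
    sources = defaultdict(set)   # (user, src) -> which log sources contributed failures
    alerts = {}
    for e in events:
        key = (e["user"], e["src"])
        if e["success"]:
            if key in alerts:
                alerts[key]["followed_by_success"] = True
            continue
        q = recent[key]
        q.append(e["ts"])
        sources[key].add(e["source"])
        while q and e["ts"] - q[0] > window:   # slide the window forward
            q.pop(0)
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"user": e["user"], "src": e["src"], "failures": len(q),
                           "sources": sorted(sources[key]), "followed_by_success": False}
    return list(alerts.values())


def run_example():
    """Run the detector over the constructed sample data."""
    return detect_failed_login_bursts(normalize_all(SYSLOG_LINES, JSON_LINES))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Neither source on its own reaches the threshold in the sample (three sshd failures, two web-app failures), so the alert only appears once both are normalized into the same schema and correlated on user and source address; that is the practical cost of the “too many formats” problem listed above.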

Containment

If the investigation indicates a real threat, then your team needs to limit the impact by containing the threat. In other words, they need to remediate any security vulnerabilities, locate the threat actor, and find a way to prevent additional damage.

Containment activities come in two types:

  • Short term: a rapid response that can include isolating network segments, shutting down systems, or taking servers offline
  • Long term: preventing further movement within systems and networks like eliminating back doors, deleting accounts, or patching software

Eradication

Eradication is when the security team removes anything the attacker used to propagate the attack and restores affected systems.

This step can include activities like:

  • Deleting malware
  • Remediating vulnerabilities
  • Hardening systems
  • Removing files left in directories

Recovery

After removing remnants of the attack, the recovery phase tests the impacted systems, monitors for remaining threats, and validates that attackers won’t be able to compromise the systems the same way again.

Lessons Learned

After recovering from the incident, your team should be able to provide a report that discusses what worked and what didn’t. They should also be able to provide you with actionable steps for preventing a similar event. This is where the continuous monitoring and improvement concept comes in; learnings should always be incorporated into your security program so that you’re always improving your posture.

Query.AI: Faster Investigations for Reduced Time to Respond

Every incident response team struggles with access to data in this decentralized world. The speed at which you can investigate an incident and contain an attack has a significant impact on the amount of damage an incident will have on your organization.

Query.AI is a Unified Incident Response solution that simplifies security investigations across disparate platforms without data duplication. Our technology runs directly from the analyst’s browser and makes human investigations more efficient while reducing SIEM costs.

Query.AI provides capabilities to Access Data, Investigate, and Respond from a single unified platform. With Query.AI, your incident response team has real-time access to all the data necessary to investigate, contain, and eradicate an attacker, decreasing response times and increasing the fidelity of outcomes.