Incident-Response

An incident response plan defines how an organization prepares for, coordinates, and executes its response to security incidents.

Containment is the phase of incident response focused on limiting damage, stopping spread, and reducing ongoing exposure while the incident is investigated.

Eradication is the incident-response phase focused on removing malicious presence, closing the immediate cause, and preventing the same active issue from persisting.

Recovery is the incident-response phase focused on restoring systems and operations safely after containment and eradication work is sufficiently complete.

Indicators of compromise are observable signs that suggest a system or account may already have been compromised.

Indicators of attack are behavioral signs that suggest malicious activity or attacker techniques are being used, even when a clear compromise artifact is not yet known.

Root cause analysis is the process of determining the underlying reasons an incident happened instead of stopping only at the immediate symptoms.

A tabletop exercise is a structured discussion-based scenario used to practice how teams would respond to a security incident.

A post-incident review is the structured examination of what happened during an incident and what the organization should improve afterward.

Evidence preservation is the practice of protecting relevant incident data so it remains available, trustworthy, and useful for investigation.

Chain of custody is the documented record of how evidence was collected, transferred, handled, and stored over time.

Forensics is the disciplined collection, preservation, and analysis of evidence to understand what happened during a security event.

An incident-response playbook is a documented pattern for handling a specific kind of security event.

Lessons learned are the concrete improvements an organization captures after an incident or exercise.

A runbook is a step-by-step operational procedure used to carry out a repeatable security or response task in a consistent way.

Memory forensics is the analysis of volatile system memory to recover evidence about running processes, connections, credentials, and other activity that may not be preserved elsewhere.

Cloud forensics is the collection and analysis of evidence from cloud services, identities, workloads, and logs during a security investigation.