Incident Response

This section covers incident-response vocabulary: preparation, detection, containment, eradication, recovery, and review.

Use it when the term belongs to how an organization responds to a security event.

Core Articles

• Incident Response Plan
• Containment
• Eradication
• Recovery
• Indicators of Compromise
• Indicators of Attack
• Root Cause Analysis
• Tabletop Exercise
• Post-Incident Review
• Evidence Preservation
• Chain of Custody
• Forensics
• Memory Forensics
• Cloud Forensics
• Playbook
• Runbook
• Lessons Learned

Related Security Operations

Incident response depends heavily on Security Operations Center, Security Information and Event Management, Threat Hunting, and Audit Log because evidence and triage quality shape how quickly and accurately the organization can respond.

In this section

• Chain of Custody
  Chain of custody is the documented record of how evidence was collected, transferred, handled, and stored over time.
• Cloud Forensics
  Cloud forensics is the collection and analysis of evidence from cloud services, identities, workloads, and logs during a security investigation.
• Containment
  Containment is the phase of incident response focused on limiting damage, stopping spread, and reducing ongoing exposure while the incident is investigated.
• Eradication
  Eradication is the incident-response phase focused on removing malicious presence, closing the immediate cause, and preventing the same active issue from persisting.
• Evidence Preservation
  Evidence preservation is the practice of protecting relevant incident data so it remains available, trustworthy, and useful for investigation.
• Forensics
  Forensics is the disciplined collection, preservation, and analysis of evidence to understand what happened during a security event.
• Incident Response Plan
  An incident response plan defines how an organization prepares for, coordinates, and executes its response to security incidents.
• Indicators of Attack
  Indicators of attack are behavioral signs that suggest malicious activity or attacker techniques are being used, even when a clear compromise artifact is not yet known.
• Indicators of Compromise
  Indicators of compromise are observable signs that suggest a system or account may already have been compromised.
• Lessons Learned
  Lessons learned are the concrete improvements an organization captures after an incident or exercise.
• Memory Forensics
  Memory forensics is the analysis of volatile system memory to recover evidence about running processes, connections, credentials, and other activity that may not be preserved elsewhere.
• Playbook
  An incident-response playbook is a documented pattern for handling a specific kind of security event.
• Post-Incident Review
  A post-incident review is the structured examination of what happened during an incident and what the organization should improve afterward.
• Recovery
  Recovery is the incident-response phase focused on restoring systems and operations safely after containment and eradication work is sufficiently complete.
• Root Cause Analysis
  Root cause analysis is the process of determining the underlying reasons an incident happened instead of stopping only at the immediate symptoms.
• Runbook
  A runbook is a step-by-step operational procedure used to carry out a repeatable security or response task in a consistent way.
• Tabletop Exercise
  A tabletop exercise is a structured discussion-based scenario used to practice how teams would respond to a security incident.