When a breach occurs, every minute counts. Organizations with an incident response plan and team save an average of $2.03 million per breach. Here's your comprehensive template for building a response plan before you need it.
Key figures:
- 258 days: average time to contain a breach
- $2.03M: average savings with an IR plan
- 50%: share of organizations that don't have IR plans
Phase 1: Preparation
- Identify incident response team members and roles
- Document escalation procedures and contact information
- Establish relationships with legal counsel and forensics firms
- Create communication templates for various scenarios
- Implement credential monitoring for early breach detection
- Conduct regular tabletop exercises
Phase 2: Detection & Analysis
1. Confirm the Incident: Determine if an actual breach occurred vs. a false positive. Document initial findings.
2. Assess Scope: What systems are affected? What data was exposed? How many records?
3. Preserve Evidence: Capture logs, memory dumps, and system states before any remediation.
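Step 3 in practice, as an added example that is not part of this template: a small Python evidence manifest that records the SHA-256 hash, size and timestamp of every captured artifact, so the team can later show that nothing changed after collection. The incident id, collector name and the sample log line are constructed placeholders.

```python
# Added example: evidence manifest for Phase 2 step 3 (preserve evidence before remediation).
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample artifact standing in for a captured log (documentation-range IP).
SAMPLE_LOG = b"Jan 01 03:14:07 host sshd[1]: Accepted password for svc from 203.0.113.5\n"

def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a large memory dump never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir: Path, incident_id: str, collector: str) -> dict:
    """Record hash, size and mtime of every file under evidence_dir, plus collector and time."""
    artifacts = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        st = path.stat()
        artifacts.append({
            "path": str(path.relative_to(evidence_dir)),
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {"incident_id": incident_id, "collected_by": collector,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "artifacts": artifacts}

def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return artifacts whose current hash differs from the manifest, or that are missing."""
    changed = []
    for item in manifest["artifacts"]:
        path = evidence_dir / item["path"]
        if not path.is_file() or sha256_file(path) != item["sha256"]:
            changed.append(item["path"])
    return changed

def demo():
    """Constructed scenario: capture one log, take the manifest, then alter the log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth.log").write_bytes(SAMPLE_LOG)
        manifest = build_manifest(root, "INC-PLACEHOLDER-001", "analyst")
        clean = verify_manifest(root, manifest)  # [] while evidence is untouched
        (root / "auth.log").write_bytes(b"altered\n")
        return manifest, clean, verify_manifest(root, manifest)  # ..., [], ['auth.log']
```

Store the manifest somewhere other than the evidence directory itself (a ticket, a write-once share) so the record of what was collected cannot be altered along with the evidence.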
Phase 3: Containment & Eradication
- Isolate affected systems to prevent spread
- Reset credentials for compromised accounts
- Block attacker access (IPs, accounts, malware)
- Patch vulnerabilities that enabled the breach
- Remove any persistence mechanisms
Phase 4: Notification
Legal Requirements
Most jurisdictions require breach notification within specific timeframes (e.g., GDPR requires 72 hours). Consult legal counsel immediately to understand your obligations.
Internal Notifications
- Executive leadership
- Legal department
- HR (if employee data affected)
- Communications/PR
External Notifications
- Affected customers
- Regulatory authorities
- Law enforcement (if applicable)
- Cyber insurance carrier
Phase 5: Recovery & Lessons Learned
- Restore systems from clean backups
- Verify eradication was successful
- Monitor for signs of continued compromise
- Conduct post-incident review
- Update security controls based on findings
- Implement additional monitoring (like credential monitoring)