When every minute counts.
Active breach containment, digital forensics, and structured recovery — guided by a methodology that has been tested across more than 50 real-world incidents in government, finance, healthcare, and critical infrastructure.
What Is Incident Response
Incident response is the organized approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to handle the situation in a way that limits damage, reduces recovery time and cost, and provides the information needed to prevent similar incidents in the future. It is not simply "fixing the problem" — it is a disciplined process that balances urgency with thoroughness, preserving evidence while restoring operations.
The foundational framework for incident response comes from NIST Special Publication 800-61 (Computer Security Incident Handling Guide), which defines four phases that form a continuous lifecycle:
1. Preparation
This phase happens before any incident occurs. It encompasses building the IR team, establishing communication channels, deploying monitoring tools, creating playbooks, and — critically — testing all of it through exercises. Preparation also includes establishing relationships with external parties: legal counsel, law enforcement, forensic consultants, insurance providers, and public relations teams. Organizations that invest in preparation respond faster, make fewer mistakes under pressure, and recover more completely.
Preparation is where most organizations underinvest. It's easy to justify buying another security tool; it's harder to justify the ongoing time commitment of maintaining playbooks, running tabletop exercises, and ensuring your team can actually execute a coordinated response at 3 AM when half the staff is on vacation.
2. Detection and Analysis
Detection is the process of identifying that a security event has occurred — through alerts, anomalies, user reports, or external notification. Analysis is the harder part: determining whether the event is a true incident, understanding its scope and severity, and making initial classification decisions that drive the response strategy.
This phase is where signal-to-noise ratio matters enormously. A SOC that generates 10,000 alerts per day but cannot reliably distinguish a commodity phishing campaign from a targeted intrusion will consistently fail at the analysis step. Effective detection requires well-tuned rules, enriched context, and analysts who understand both the technical indicators and the business environment they're protecting.
Common detection sources include endpoint detection and response (EDR) tools, network monitoring systems, SIEM correlation rules, user behavior analytics, threat intelligence feeds, and — more often than security teams would like to admit — end-user reports ("something weird is happening on my computer").
3. Containment, Eradication, and Recovery
Once an incident is confirmed and analyzed, the response shifts to limiting its impact. Containment strategies vary based on the type of incident: isolating a compromised host from the network, blocking command-and-control domains, revoking compromised credentials, or — in severe cases — disconnecting entire network segments.
Containment involves a fundamental tension: the desire to stop the attacker immediately versus the need to preserve evidence and understand the full scope. Pulling the network cable on a compromised server stops the bleeding, but it also destroys volatile memory evidence and may alert the attacker that they've been detected — causing them to accelerate destructive actions on other systems you haven't identified yet.
Eradication removes the threat actor's presence: deleting malware, closing backdoors, patching exploited vulnerabilities, and resetting compromised accounts. Recovery restores affected systems to normal operation, often through rebuilding from known-good images rather than attempting to "clean" compromised systems.
4. Post-Incident Activity
The most undervalued phase. After the immediate crisis is resolved, the organization must conduct a thorough review: what happened, how was it detected, what worked in the response, what didn't, and what needs to change. This produces actionable lessons learned, updates to playbooks and detection rules, and — when done well — a measurable improvement in the organization's ability to handle the next incident.
Post-incident activity also includes regulatory reporting, insurance claims, and executive communication. The forensic report produced during this phase becomes a critical document for legal proceedings, regulatory compliance, and organizational learning.
Why Organizations Need IR Capabilities
The question is no longer whether your organization will face a significant security incident, but when — and whether you'll be ready when it happens.
Financial Impact
The cost of a data breach continues to climb. IBM's Cost of a Data Breach Report consistently shows that organizations without incident response teams and tested IR plans pay significantly more when breaches occur — often millions more. The largest cost drivers are business disruption, detection and escalation delays, and post-breach customer notification and remediation. Organizations with IR teams and regularly tested plans show breach costs that are substantially lower than those without, with average savings exceeding $2 million per incident.
Speed of detection and containment directly correlates with cost. Breaches that are contained within 200 days cost significantly less than those that persist longer. Every hour of undetected attacker presence increases the blast radius — more systems compromised, more data exfiltrated, more complex and expensive recovery.
Regulatory Requirements
The regulatory landscape for incident reporting has tightened dramatically. The EU's NIS2 Directive requires organizations in essential and important sectors to submit an early warning to their CSIRT within 24 hours of becoming aware of a significant incident, followed by a full incident notification within 72 hours. GDPR mandates notification to supervisory authorities within 72 hours for breaches involving personal data. DORA (the Digital Operational Resilience Act) imposes similar requirements on financial entities.
Meeting these timelines is impossible without a pre-established IR capability. You cannot build an incident response process in the middle of a crisis and simultaneously meet a 24-hour reporting deadline. The organizations that comply successfully are the ones that invested in preparation, tested their processes, and have the forensic capability to rapidly determine scope and impact.
Operational Disruption
Ransomware attacks routinely shut down operations for days or weeks. Hospitals divert patients. Manufacturers halt production lines. Financial institutions freeze transactions. The operational impact extends far beyond the directly affected systems — supply chains stall, contractual obligations are missed, and the organizational stress of operating in crisis mode degrades decision-making across every function.
Reputational Damage
How an organization handles an incident matters as much as the incident itself. Organizations that respond transparently, communicate promptly, and demonstrate control of the situation recover their reputation faster than those that appear confused, evasive, or unprepared. A well-executed incident response — even to a serious breach — can actually strengthen stakeholder confidence.
Our IR Methodology
ForgeWork's incident response methodology is built on NIST SP 800-61 and refined through years of operational experience. Here's how we handle an incident from first contact through final report delivery.
Triage
When we receive an incident notification, our first priority is understanding the situation. We conduct an initial assessment call with the client's designated point of contact to determine what is known, what systems are affected, and what actions have already been taken. We classify the incident by type and severity, assemble the appropriate response team, and establish a secure communication channel — typically an out-of-band channel that does not rely on the client's potentially compromised infrastructure.
During triage, we also assess evidence preservation status. If the client has already taken containment actions (powering off systems, restoring from backup), we document what was done and when, as this affects the forensic evidence available for investigation.
Containment
With an initial understanding of scope, we move to containment. The specific strategy depends on the incident type and the attacker's current activity level. For active ransomware deployments, speed is paramount — we work to isolate unaffected segments before encryption spreads. For stealthier intrusions, we may implement monitoring-focused containment that limits the attacker's lateral movement while preserving our ability to observe their activity and map the full scope of compromise.
Containment decisions are always made in consultation with the client's leadership, because they involve trade-offs between security and business continuity. Isolating the finance department's network segment might stop the attacker, but it also stops the finance department. We present options with clear risk assessments and let the client make informed decisions.
Investigation
Forensic analysis drives this phase. We collect and analyze evidence from endpoints (disk images, memory captures, EDR telemetry), network infrastructure (firewall logs, DNS queries, proxy logs, NetFlow data), identity systems (Active Directory logs, authentication events, privilege changes), and cloud environments (audit trails, API logs, configuration changes).
The goal is to reconstruct a complete attack timeline: initial access vector, persistence mechanisms, lateral movement path, privilege escalation, data staging and exfiltration, and — where applicable — the deployment mechanism for destructive payloads. We use DFIR Assist to accelerate evidence processing and correlation, but the analytical conclusions are always driven by experienced human investigators.
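The timeline reconstruction above depends on one unglamorous step: normalising timestamps from every evidence source to UTC before correlating them. The following added example (not ForgeWork's or DFIR Assist's code) merges constructed EDR, firewall and Active Directory records into one ordered timeline; it assumes the firewall and domain controller log in local time (UTC+1) with no zone marker, and the log layouts are invented for illustration.

```python
"""Merge evidence from several sources into one UTC-ordered attack timeline.

Added example: the records below are constructed, and the log layouts and
the UTC+1 local zone are assumptions for illustration only.
"""
from datetime import datetime, timedelta, timezone
import re

# Assumption: firewall and domain controller stamp events in local time
# (UTC+1) without an offset, a common cause of misordered timelines.
LOCAL_TZ = timezone(timedelta(hours=1))

# Constructed EDR telemetry: ISO 8601 in UTC with a trailing "Z".
EDR = [
    ("2024-03-04T09:17:42Z", "WS-014", "powershell.exe spawned by winword.exe"),
    ("2024-03-04T09:41:05Z", "WS-014", "new service installed: UpdaterSvc"),
]
# Constructed firewall log: local time, no zone marker.
FIREWALL = [
    "2024-03-04 10:19:03 src=10.0.4.14 dst=203.0.113.9 dport=443 action=allow",
    "2024-03-04 11:02:51 src=10.0.4.14 dst=10.0.1.5 dport=445 action=allow",
]
# Constructed AD authentication event: local time, account, logon type.
AD_AUTH = [
    "2024-03-04 11:03:10 EventID=4624 Account=svc-backup LogonType=3 Host=FS-01",
]

FW_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)")
AD_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) Account=(\S+) LogonType=(\d+) Host=(\S+)")


def to_utc(stamp, tz=None):
    """Parse a timestamp; a trailing Z means UTC, otherwise apply the given zone."""
    if stamp.endswith("Z"):
        return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def build_timeline():
    """Return (utc_datetime, source, host_or_ip, description) tuples in time order."""
    events = []
    for ts, host, desc in EDR:
        events.append((to_utc(ts), "edr", host, desc))
    for line in FIREWALL:
        m = FW_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            events.append((to_utc(ts, LOCAL_TZ), "firewall", src, f"connection to {dst}:{port}"))
    for line in AD_AUTH:
        m = AD_RE.match(line)
        if m:
            ts, eid, acct, ltype, host = m.groups()
            events.append((to_utc(ts, LOCAL_TZ), "ad", host, f"{eid} {acct} logon type {ltype}"))
    # Sorting on the normalised UTC value is what makes cross-source order trustworthy.
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for when, source, where, what in build_timeline():
        print(when.isoformat(), source.ljust(8), where.ljust(12), what)
```

Without the zone correction the outbound 443 connection would sort after the service installation, reversing the apparent order of command-and-control and persistence.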
Throughout the investigation, we provide regular status briefings to the client's incident commander, typically every 6–12 hours depending on the situation's pace.
Eradication & Recovery
Once we have confidence in the full scope of compromise, we plan and execute eradication — removing the attacker's access in a coordinated manner. This typically involves simultaneous actions: resetting compromised accounts, blocking attacker infrastructure, removing malware and backdoors, and patching exploited vulnerabilities. Coordinated execution is critical; a piecemeal approach gives the attacker time to re-establish access through alternate channels.
Recovery is phased, with critical business systems restored first. We work with the client's IT team to rebuild affected systems from trusted images, validate integrity of restored data, and implement additional monitoring to detect any signs of the attacker's return.
Lessons Learned & Reporting
We deliver a comprehensive forensic report that includes: executive summary, detailed attack timeline, indicators of compromise (IOCs), root cause analysis, and prioritized recommendations for preventing recurrence. We also facilitate a lessons-learned session with the client's technical and leadership teams, focusing on what worked, what didn't, and what specific changes should be made to people, process, and technology.
The report is structured to serve multiple audiences: executives who need to understand business impact, technical teams who need to implement improvements, legal counsel who may need to assess liability, and regulators who require specific incident details.
What to Expect During an Engagement
Transparency and clear communication define how we work with clients during an incident. Here's what you can expect:
Communication Cadence
We establish regular briefing cycles from the start — typically every 6 to 12 hours during active phases, shifting to daily updates as the situation stabilizes. Each briefing covers: current understanding of scope, actions taken since the last update, planned next steps, and any decisions needed from the client. We adapt the format and frequency to the client's needs; some organizations want a written summary, others prefer a 15-minute call.
Status Reports
Written status reports are provided at key milestones: initial assessment complete, containment achieved, investigation findings, eradication plan, and recovery status. These reports are designed for distribution to executive stakeholders and legal counsel, with appropriate classification markings.
Stakeholder Briefings
We support executive briefings that translate technical findings into business impact language. When boards of directors, regulators, or external counsel need to understand the situation, we help prepare materials and — when requested — participate directly in those briefings.
Deliverables
Every incident response engagement produces the following artifacts:
- Forensic Report: Detailed technical analysis of the incident, including attack timeline, evidence sources, and analytical conclusions.
- Executive Summary: Business-oriented summary of the incident, impact assessment, and recommended actions.
- Indicators of Compromise (IOCs): Machine-readable IOC package (STIX format when applicable) for integration into the client's security tools.
- Remediation Recommendations: Prioritized, actionable recommendations for preventing recurrence, organized by implementation timeframe (immediate, short-term, long-term).
- Lessons Learned Report: Facilitated review of the response process with specific improvement recommendations for the client's IR capability.
IR Retainer Model
An incident response retainer is a pre-arranged agreement that guarantees ForgeWork's availability and response speed when an incident occurs. Retainers exist because the worst time to negotiate a consulting contract is when your network is on fire.
What a Retainer Provides
- Guaranteed Response SLA: Retainer clients receive a sub-4-hour response time commitment, 24 hours a day, 7 days a week, 365 days a year. On-demand clients receive best-effort response, but we cannot guarantee availability or speed when we're already engaged on other incidents.
- Pre-scoped Access: During retainer onboarding, we work with your team to establish access procedures, VPN credentials, and documentation that allows us to begin work immediately — without spending the first critical hours navigating procurement and access requests.
- Environmental Familiarity: We maintain a current understanding of your network architecture, critical systems, key personnel, and regulatory obligations. This context accelerates every phase of response because we're not starting from zero.
- Regular Readiness Checks: Quarterly reviews ensure that contact information is current, access mechanisms work, and your team knows how to invoke the retainer. We also use these touchpoints to update our understanding of any environmental changes.
- Proactive Hours: Most retainers include a bank of proactive consulting hours that can be used for tabletop exercises, playbook reviews, detection rule development, or other activities that improve readiness. If you don't use them for a security event, they still deliver value.
Cost Advantages
Retainer rates are significantly lower than on-demand emergency rates. Beyond the per-hour savings, the real financial advantage is speed: a retainer engagement that starts within 2 hours of detection will almost always result in a smaller blast radius, less data loss, shorter business disruption, and lower total incident cost than an on-demand engagement that starts 12 or 24 hours later while contracts are being negotiated.
Is a retainer right for your organization?
IR retainers are most valuable for organizations that face regulatory incident reporting requirements, handle sensitive data, operate critical infrastructure, or simply recognize that a significant incident is a matter of when, not if. If your organization has cyber insurance, check your policy — many insurers offer premium discounts or require organizations to maintain an IR retainer.
Common Questions About Incident Response
We think we've been breached. What should we do right now?
First, don't panic — and don't start deleting things. Your immediate priorities are: (1) document what you're observing, including timestamps; (2) avoid actions that destroy evidence, such as reimaging systems or restoring from backup before forensic collection; (3) contact your IR provider or, if you don't have one, reach out to a reputable firm immediately; (4) activate your incident response plan if you have one. If the situation involves active data destruction (such as ransomware deployment in progress), containment speed takes priority over evidence preservation — isolate affected systems from the network.
How long does an incident response engagement typically last?
It depends entirely on the incident's complexity and scope. A contained business email compromise with a single affected account might be investigated and reported within a week. A widespread ransomware incident affecting hundreds of systems can require 4 to 8 weeks of active engagement, with additional time for monitoring and report finalization. We provide timeline estimates after the initial triage phase and update them as the investigation develops.
Do we need to involve law enforcement?
In many jurisdictions and under various regulations, there are mandatory reporting obligations that may include law enforcement notification. NIS2, GDPR, and sector-specific regulations each have their own requirements. Beyond legal obligations, law enforcement involvement can be beneficial — agencies like Europol's EC3 and national CERTs can provide threat intelligence, coordinate with international partners, and support takedown operations. ForgeWork can advise on reporting obligations and facilitate law enforcement coordination when appropriate.
What if we don't have an incident response plan?
Many organizations that contact us during an incident don't have a formal plan. We bring the methodology, structure, and experience to guide the response regardless. However, the absence of a plan does mean the response will be slower and more expensive than it would be for an organization that invested in preparation. After the incident, developing and testing an IR plan should be a top priority — and it's one of the areas where our proactive consulting services can help.
Can you help with regulatory notification?
We provide the technical findings and analysis that feed into regulatory notifications, and we can advise on the factual content of those reports. We don't provide legal advice — that's your legal counsel's role — but we work closely with legal teams to ensure the technical narrative is accurate, complete, and presented in a way that meets regulatory requirements. We have experience supporting notifications under NIS2, GDPR, DORA, and various sector-specific frameworks.
Related Resources
- Ransomware Response: The First 60 Minutes — A practical guide to the critical first hour after a ransomware detection.
- Why Your Incident Response Plan Matters — The case for investing in preparation before a crisis hits.
- Incident Response Checklist — A downloadable checklist for the first 24 hours of an incident.
- DFIR Assist — ForgeWork's forensic analysis acceleration platform.
Ready to strengthen your incident response capability?
Whether you need an IR retainer for guaranteed response availability, want to develop and test your incident response plan, or are dealing with an active incident right now — ForgeWork is ready to help.