Incident Response Plan Template: Complete Guide for Security Teams

Introduction

Every organization will experience a security incident. It's not a question of "if" but "when." How you respond to that incident can determine whether it's a minor inconvenience or a business-ending catastrophe.

A well-prepared incident response plan reduces damage, speeds recovery, and demonstrates compliance with regulations like SOC 2, GDPR, and HIPAA.

This guide provides a complete incident response plan template and framework you can adapt for your organization.

Why Incident Response Matters

The Numbers:

• Average time to identify a breach: 207 days
• Average time to contain a breach: 69 days
• Average cost of a breach: $4.45 million
• Companies with incident response teams save $2.66 million on average

Benefits of Prepared Response:

• Faster containment reduces costs by 50%+
• Proper documentation satisfies compliance
• Customer trust is maintained with transparent communication
• Legal liability is minimized with documented processes

---

The Incident Response Framework

Based on NIST and industry best practices, your incident response should follow six phases:

┌─────────────────────────────────────────────────────────────────────┐
│                    INCIDENT RESPONSE LIFECYCLE                      │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│   ┌─────────┐    ┌─────────┐    ┌─────────┐    ┌─────────┐         │
│   │PREPARE  │───▶│DETECT   │───▶│CONTAIN │───▶│ERADICATE│         │
│   └─────────┘    └─────────┘    └─────────┘    └─────────┘         │
│        ▲                                        │                    │
│        │                                        ▼                    │
│   ┌─────────┐    ┌─────────┐    ┌─────────┐    ┌─────────┐         │
│   │LESSONS  │◀───│RECOVER  │◀───│REMEDIATE│◀───│CONTAIN  │         │
│   └─────────┘    └─────────┘    └─────────┘    └─────────┘         │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

---

Phase 1: Preparation

Building Your IR Team

| Role | Responsibilities | |------|-----------------| | Incident Commander | Overall coordination, decision-making | | Technical Lead | Technical investigation and remediation | | Communications Lead | Internal/external communication | | Legal Counsel | Legal implications, regulatory notification | | Forensics Expert | Evidence collection, analysis | | HR Representative | Employee-related incidents |

## ON-CALL ROTATION EXAMPLE

primary_incident_commander:
  - name: "John Smith"
    phone: "+1-555-0101"
    email: "john@company.com"
    rotation: "Week 1"

secondary_incident_commander:
  - name: "Sarah Johnson"
    phone: "+1-555-0102"
    email: "sarah@company.com"
    rotation: "Week 2"

IR Plan Document Template

# INCIDENT RESPONSE PLAN

## Version: 1.0
## Last Updated: [DATE]
## Next Review: [DATE + 1 YEAR]

### 1. Purpose
This plan outlines the procedures for responding to security incidents at [COMPANY].

### 2. Scope
This plan applies to all employees, contractors, and systems owned or operated by [COMPANY].

### 3. Incident Classification

| Severity | Definition | Examples | Response Time |
|----------|-----------|----------|---------------|
| Critical | Active breach, data exfiltration | Active APT, ransomware | Immediate |
| High | Confirmed vulnerability exploitation | SQL injection, account takeover | 1 hour |
| Medium | Potential security issue | Phishing attempt, weak credentials | 4 hours |
| Low | Security concern | Failed login attempts, policy violation | 24 hours |

### 4. Communication Escalation

- Severity 1-2: CEO, Board notification within 1 hour
- Severity 3-4: CTO notification within 4 hours

### 5. External Contacts

- Law Enforcement: [LOCAL FBI FIELD OFFICE]
- Legal Counsel: [LAW FIRM]
- Insurance: [CYBER INSURANCE CARRIER]
- Forensics: [RETAINED FORENSICS FIRM]

Tools and Resources

Prepare these tools in advance:

## INCIDENT RESPONSE TOOLKIT

Communications:
  - Encrypted messaging: Signal, Wickr
  - Emergency conference line: [NUMBER]
  - Status page template: [LINK]

Investigation:
  - SIEM access: [URL]
  - Endpoint detection: [URL]
  - Network forensics: [TOOLS]

Documentation:
  - Incident tracker: [JIRA/PAGERDUTY]
  - Evidence chain of custody: [TEMPLATE]
  - Timeline template: [TEMPLATE]

Recovery:
  - Backup verification: [PROCESS]
  - Clean system images: [LOCATION]
  - Decryption keys: [SAFE LOCATION]

---

Phase 2: Detection & Analysis

Common Detection Methods

1. Automated Alerts

   • SIEM rules
   • IDS/IPS alerts
   • Endpoint detection
   • Cloud trail anomalies

2. Manual Discovery

   • Employee reports
   • Third-party notifications
   • Security researcher reports

Initial Triage Process

// Initial triage checklist
const initialTriage = (incidentReport) => {
  // Step 1: Validate the incident
  const isValid = validateIncident(incidentReport);
  if (!isValid) return { status: 'rejected', reason: 'False positive' };
  
  // Step 2: Classify severity
  const severity = classifySeverity(incidentReport);
  
  // Step 3: Identify affected systems
  const affectedSystems = identifySystems(incidentReport);
  
  // Step 4: Determine scope
  const scope = determineScope(affectedSystems);
  
  // Step 5: Assign team
  const team = assignTeam(severity, scope);
  
  return {
    status: 'confirmed',
    severity,
    affectedSystems,
    scope,
    team,
    ticketId: createTicket(incidentReport)
  };
};

Evidence Preservation

DO:

• Document everything with timestamps
• Use write-blockers for forensic imaging
• Preserve chain of custody
• Capture volatile data first (memory, network connections)

DON'T:

• Delete suspect files
• Reboot compromised systems
• Modify timestamps
• Panic and make hasty decisions

# Capture volatile data in order
# 1. Network connections
netstat -an > network_connections.txt
# 2. Process list
tasklist > process_list.txt
# 3. Open files
netfiles > open_files.txt
# 4. Clipboard
clipboard > clipboard.txt
# 5. Memory (use tools like LiME or WinPmem)

---

Phase 3: Containment

Short-Term Containment (Immediate)

Stop the bleeding quickly:

## IMMEDIATE CONTAINMENT CHECKLIST

Network:
  - [ ] Block malicious IPs at firewall
  - [ ] Block suspicious domains
  - [ ] Isolate affected systems from network
  - [ ] Enable enhanced logging

Accounts:
  - [ ] Disable compromised accounts
  - [ ] Force password reset for affected users
  - [ ] Revoke suspicious sessions/tokens
  - [ ] Enable MFA for all admin accounts

Applications:
  - [ ] Take affected applications offline
  - [ ] Block malicious user accounts
  - [ ] Preserve application logs
  - [ ] Disable API keys/access tokens

Long-Term Containment

Plan for sustained containment while eradicating:

• Create clean network segments for business continuity
• Implement additional monitoring
• Develop workarounds for compromised functionality
• Deploy additional detection rules

---

Phase 4: Eradication

Root Cause Analysis

## ROOT CAUSE ANALYSIS TEMPLATE

### What happened?
[Detailed description of the incident]

### How did it happen?
[Technical explanation of the attack vector]

### Why did it happen?
[Underlying cause - vulnerability, misconfiguration, human error]

### When was it discovered?
[Timeline of events]

### What was the impact?
[Data accessed, systems affected, business impact]

Eradication Steps

1. Remove Malware

   • Use anti-virus tools
   • Reimage affected systems
   • Verify with multiple tools

2. Patch Vulnerabilities

   • Apply security patches
   • Update configurations
   • Remove unnecessary services

3. Reset Credentials

   • Password resets for all affected accounts
   • Rotate API keys and secrets
   • Update encryption keys if compromised

4. Harden Systems

   • Implement additional controls
   • Update firewall rules
   • Enhance monitoring

---

Phase 5: Recovery

Restoration Process

## RECOVERY PROCEDURE

1. Verify System Cleanliness
   - Run comprehensive scans
   - Review all changes made during incident
   - Confirm no persistence mechanisms remain

2. Restore from Known Good Backups
   - Verify backup integrity before restoration
   - Test restoration process
   - Restore to clean state

3. Validate Functionality
   - Test all critical functions
   - Verify data integrity
   - Confirm monitoring is operational

4. Resume Services
   - Gradual reintroduction
   - Enhanced monitoring
   - Watch for re-infection indicators

5. Lift Enhanced Controls
   - Return to normal operations
   - Document lessons learned
   - Update procedures

Post-Recovery Monitoring

// Enhanced monitoring rules post-incident
const postIncidentRules = [
  // Monitor for persistence attempts
  {
    name: 'New scheduled tasks',
    condition: 'new_scheduled_task',
    alert: true
  },
  // Monitor for lateral movement
  {
    name: 'Unusual network connections',
    condition: 'new_internal_connections',
    alert: true
  },
  // Monitor for privilege escalation
  {
    name: 'Admin group changes',
    condition: 'group_membership_change',
    alert: true
  }
];

---

Phase 6: Lessons Learned

Post-Incident Review

Schedule review within 1-2 weeks of incident closure:

## POST-INCIDENT MEETING AGENDA

1. Timeline review (30 min)
   - Detection to containment
   - Containment to eradication
   - Eradication to recovery

2. What worked well (20 min)
   - Detection speed
   - Communication
   - Technical response

3. What needs improvement (30 min)
   - Process gaps
   - Tool limitations
   - Training needs

4. Action items (20 min)
   - Who will do what by when

5. Follow-up schedule (10 min)
   - 30-day check-in
   - 90-day review

Metrics to Track

| Metric | Target | |--------|--------| | Mean Time to Detect (MTTD) | < 24 hours | | Mean Time to Contain (MTTC) | < 4 hours | | Mean Time to Recover (MTTR) | < 24 hours | | False positive rate | < 20% | | Employee training completion | 100% |

---

Incident-Specific Playbooks

Ransomware Response

## RANSOMWARE PLAYBOOK

Detection:
  - Monitor for mass file encryption
  - Watch for ransom notes
  - Check for unusual processes

Immediate Actions (within 15 minutes):
  1. Isolate affected systems (disconnect from network)
  2. Identify ransomware variant
  3. Check for available decryptors (nomoreransom.org)
  4. Notify incident commander

Containment:
  1. Identify initial infection vector
  2. Block lateral movement
  3. Preserve evidence for forensics
  4. Enable enhanced monitoring

Recovery:
  1. Restore from clean backups
  2. Verify backup integrity
  3. Rebuild affected systems
  4. Gradually restore services

Data Breach Response

## DATA BREACH PLAYBOOK

Assessment:
  - What data was exposed?
  - How many individuals affected?
  - What is the risk to individuals?

Notification Decisions:
  - Regulatory notification required? (72 hours for GDPR)
  - Individual notification required?
  - Law enforcement notification required?

Communication:
  - Prepare statement for affected individuals
  - Prepare FAQ for customer support
  - Plan press/media response
  - Document all communications

Phishing Response

## PHISHING PLAYBOOK

Immediate Actions:
  1. Identify affected users
  2. Reset credentials for clicked links
  3. Block sender/domains
  4. Scan for compromise

Investigation:
  - Analyze email headers
  - Check for credential use
  - Look for lateral movement

Prevention:
  - Update email filters
  - Send company-wide alert
  - Provide additional training

---

Incident Documentation

Chain of Custody

## EVIDENCE CHAIN OF CUSTODY

| Evidence ID | Description | Collected By | Date/Time | Location | Integrity Hash |
|-------------|-------------|--------------|-----------|----------|----------------|
| EV-001 | Hard drive image | John Smith | 2026-01-15 14:30 | Lab | SHA256:abc123... |
| EV-002 | Network logs | Sarah Johnson | 2026-01-15 15:00 | AWS | SHA256:def456... |

Incident Timeline Template

| Timestamp | Action | Actor | System | Notes |
|-----------|--------|-------|--------|-------|
| 10:00 | Alert received | SIEM | production | Failed login spike |
| 10:15 | Initial triage | On-call | - | Medium severity |
| 10:30 | Investigation started | SOC team | - | Assigned to team A |
| 11:00 | Root cause identified | Team A | web-01 | Compromised API key |

---

Testing Your Plan

Types of Exercises

| Type | Frequency | Description | |------|-----------|-------------| | Tabletop | Quarterly | Walk through scenarios verbally | | Functional | Semi-annual | Test specific components | | Full-scale | Annual | Simulate complete incident |

Tabletop Exercise Template

## TABLETOP EXERCISE: RANSOMWARE SCENARIO

Scenario: Company discovers ransomware affecting 50+ systems

Questions:
1. Who is the incident commander?
2. What is our first action?
3. How do we communicate with employees?
4. Do we pay the ransom?
5. How do we restore operations?

Discussion:
- Capture lessons learned
- Identify plan gaps
- Assign improvement tasks

---

Conclusion

An incident response plan is not a document you create once and forget. It requires:

1. Regular updates - Review and update quarterly
2. Continuous training - Practice with tabletop exercises
3. Tool readiness - Ensure all tools are configured and accessible
4. Clear communication - Know who to contact and when

The time to prepare is before an incident happens. Organizations with well-tested IR plans save an average of $2.66 million per breach.

---

Need help building your incident response capability?

• Request a Security Assessment
• View Our Services
• Contact Our Team