
System Design

Incident Detection and Response

Spotting security incidents quickly and following a clear process to contain them.

6 min read · advanced

Speed is everything

Breaches are detected through monitoring, and the time to detect and respond determines the damage. A defined incident response process turns panic into a repeatable set of steps.

Detection

  • Aggregate signals from logs, metrics, and alerts into one place.
  • Correlate events to spot patterns a single signal would miss, such as many failed logins followed by a success.
  • Baseline normal behavior so anomalies stand out.
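The failed-logins-then-success pattern mentioned above, as an added example that is not part of the lesson: a small correlation rule run over constructed auth log lines, which fires only when the sequence occurs, not on any single failure or success. The log format, field names, threshold of 3 failures and 5-minute window are assumptions chosen for illustration.

```python
"""Correlation rule: N or more failed logins followed by a success
from the same user and source IP within a time window.
Added example, not the lesson's code; the format and limits are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <outcome> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:05 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:06 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:09 SUCCESS user=alice src=203.0.113.7
2024-05-01T10:05:00 FAIL user=bob src=198.51.100.2
2024-05-01T10:20:00 SUCCESS user=bob src=198.51.100.2
2024-05-01T11:00:00 SUCCESS user=carol src=192.0.2.9
"""


def parse_line(line):
    """Split one log line into (timestamp, outcome, user, source ip)."""
    ts, outcome, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), outcome,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def find_failed_then_success(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return alerts (user, src, failure_count, success_time) for every
    success preceded by at least `threshold` failures inside `window`."""
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        ts, outcome, user, src = parse_line(line)
        fails = recent_failures[(user, src)]
        # Slide the window: forget failures older than `window`.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if outcome == "FAIL":
            fails.append(ts)
        elif outcome == "SUCCESS":
            if len(fails) >= threshold:
                alerts.append((user, src, len(fails), ts))
            fails.clear()  # a completed login resets the sequence
    return alerts


if __name__ == "__main__":
    for user, src, count, when in find_failed_then_success(SAMPLE_LOG):
        print(f"ALERT {when.isoformat()} {user}@{src}: {count} failures then success")
```

On the sample, only alice's four failures in eight seconds followed by a success fire the rule; bob's single failure and carol's clean login do not.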

The response lifecycle

  • Identify confirms a real incident and its scope.
  • Contain stops the spread, for example isolating a host or revoking credentials.
  • Eradicate removes the attacker foothold and root cause.
  • Recover restores service and verifies it is clean.
  • Learn runs a blameless review to prevent recurrence.

Practice in advance

Run drills so the team knows roles and tools before a real incident. The first time you exercise the runbook should not be during a breach.

Key idea

Incident response follows identify, contain, eradicate, recover, and learn, backed by correlated detection and rehearsed drills so response is fast and calm.

Check yourself


1. Why correlate events rather than alert on single signals?

2. What is the goal of the contain step?

3. Why run incident response drills in advance?