The Risk
When a breach occurs, improvising wastes time and often makes things worse. Teams may tip off the attacker, destroy volatile evidence by rebooting or wiping hosts, or restore from a backup that was taken after the intrusion began and so carries the attacker's foothold with it. The danger is having no plan, no clear roles, and no practice, so the response is slow and chaotic exactly when speed matters.
A breach is not the moment to invent your process.
The Defense
A standard response follows clear phases.
- Prepare with a plan, defined roles, contacts, and backups you have tested.
- Detect and analyze to confirm an incident and understand its scope.
- Contain to stop the spread, for example isolating affected hosts at the network layer rather than powering them off, so memory and other volatile evidence are preserved.
- Eradicate the root cause, removing the foothold rather than only the symptom.
- Recover by restoring from a known-good state, one that predates the intrusion and whose integrity you have verified, and monitor for the attacker's return.
- Learn in a blameless review that feeds fixes back into prevention.
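The Recover step is where the "restore from a backup that is also compromised" mistake happens. The following is an added example, not code from the original page, showing two checks a responder applies before picking a restore point: the backup must be older than the earliest confirmed indicator of compromise (minus a safety margin, since the first indicator you found is rarely the first thing the attacker did), and its content hash must match the manifest recorded when the backup was made. The backup catalogue, the timeline, and all function and field names are this example's own assumptions.

```python
"""Selecting a known-good backup during the Recover phase.

Added example for this page; the catalogue, timestamps and names below are
constructed sample data, not from any real incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Backup:
    name: str
    taken_at: datetime       # when the backup was written (UTC)
    content: bytes           # stands in for the archive bytes on disk
    manifest_sha256: str     # hash recorded out-of-band at backup time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(b: Backup, first_ioc: datetime, margin: timedelta) -> str:
    """Return "ok" if the backup is safe to restore, else the reason it is not.

    Order matters: a backup taken after the attacker arrived is useless even
    if its hash is intact, so the timeline check runs first.
    """
    if b.taken_at > first_ioc - margin:
        return "taken_after_compromise_window"
    if sha256_hex(b.content) != b.manifest_sha256:
        return "hash_mismatch"
    return "ok"


def select_known_good(backups, first_ioc: datetime,
                      margin: timedelta = timedelta(hours=24)):
    """Newest backup that passes both checks, or None if nothing qualifies."""
    good = [b for b in backups if evaluate(b, first_ioc, margin) == "ok"]
    return max(good, key=lambda b: b.taken_at, default=None)


def audit(backups, first_ioc: datetime,
          margin: timedelta = timedelta(hours=24)) -> dict:
    """Name -> verdict for every backup, for the incident record."""
    return {b.name: evaluate(b, first_ioc, margin) for b in backups}


# Constructed timeline: earliest confirmed attacker activity (e.g. the first
# anomalous login found during Detect/Analyze).
FIRST_IOC = datetime(2024, 5, 13, 2, 15, tzinfo=timezone.utc)

# Constructed catalogue. The 05-12 backup is from before the IoC, but its
# on-disk bytes no longer match the manifest (simulated tampering).
_orig_0512 = b"archive bytes for nightly 2024-05-12"
SAMPLE_BACKUPS = [
    Backup("nightly-2024-05-14",
           datetime(2024, 5, 14, 1, 0, tzinfo=timezone.utc),
           b"archive bytes for nightly 2024-05-14",
           sha256_hex(b"archive bytes for nightly 2024-05-14")),
    Backup("nightly-2024-05-12",
           datetime(2024, 5, 12, 1, 0, tzinfo=timezone.utc),
           b"archive bytes for nightly 2024-05-12 MODIFIED",
           sha256_hex(_orig_0512)),
    Backup("nightly-2024-05-10",
           datetime(2024, 5, 10, 1, 0, tzinfo=timezone.utc),
           b"archive bytes for nightly 2024-05-10",
           sha256_hex(b"archive bytes for nightly 2024-05-10")),
]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_BACKUPS, FIRST_IOC).items():
        print(f"{name}: {verdict}")
    chosen = select_known_good(SAMPLE_BACKUPS, FIRST_IOC)
    print("restore from:", chosen.name if chosen else "no known-good backup")
```

The margin is a judgement call made during analysis, not a fixed constant: widen it if the attacker's dwell time is uncertain. If no backup passes, that is a real finding to record, not a reason to relax the checks.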
Key idea
Decide roles, steps, and tested backups before an incident, then move through contain, eradicate, and recover so a breach is handled calmly rather than improvised.