Incident-Response

An incident response plan defines how an organization prepares for, coordinates, and executes its response to security incidents.

Containment is the incident-response phase focused on limiting damage, slowing spread, and reducing immediate exposure while an incident is still being investigated.

Eradication is the incident-response phase focused on removing the active cause of an incident and closing the foothold it used.

Recovery is the incident-response phase focused on restoring systems and operations safely after containment and eradication work is sufficiently complete.

Indicators of compromise are observable signs that suggest a system or account may already have been compromised.

Indicators of attack are behavioral signs that suggest malicious activity or attacker techniques are being used, even when a clear compromise artifact is not yet known.

Root cause analysis is the process of determining the underlying reasons an incident happened instead of stopping only at the immediate symptoms.

A tabletop exercise is a structured discussion-based scenario used to practice how teams would respond to a security incident.

A post-incident review is the structured examination of what happened during an incident and what the organization should improve afterward.

Evidence preservation is the practice of protecting relevant incident data so it remains available, trustworthy, and useful for investigation.

Chain of custody is the documented record of how evidence was collected, transferred, handled, and stored over time.

Forensics is the disciplined collection, preservation, and analysis of evidence to understand what happened during a security event.

An incident-response playbook is a documented pattern for handling a specific kind of security event.

Lessons learned is the post-incident review that turns what happened into concrete improvements for controls, workflows, and decisions.

A runbook is a step-by-step operational procedure used to carry out a repeatable security or response task in a consistent way.

Memory forensics is the analysis of volatile system memory to recover evidence about running processes, connections, credentials, and other activity that may not be preserved elsewhere.

Cloud forensics is the collection and analysis of evidence from cloud services, identities, workloads, and logs during a security investigation.