Incident Response

Terms for incident handling, containment, eradication, recovery, evidence preservation, and post-incident review.

Incident Response

This section covers incident-response vocabulary: preparation, detection, containment, eradication, recovery, and review.

Use it when the term belongs to how an organization responds to a security event. It is especially useful for responders, security operations teams, and IT leaders coordinating response steps.

Incident response depends heavily on the Security Operations Center, Security Information and Event Management, Threat Hunting, and Audit Log entries, because the quality of evidence and triage determines how quickly and accurately the organization can respond.

In this section

  • Chain of Custody Record
    Chain of custody is the documented record of how evidence was collected, transferred, handled, and stored over time.
  • Cloud Forensics for Incident Evidence
    Cloud forensics is the collection and analysis of evidence from cloud services, identities, workloads, and logs during a security investigation.
  • Digital Forensics
    Forensics is the disciplined collection, preservation, and analysis of evidence to understand what happened during a security event.
  • Eradication in Incident Response
    Eradication is the incident-response phase focused on removing the active cause of an incident and closing the foothold it used.
  • Evidence Preservation for Incident Investigations
    Evidence preservation is the practice of protecting relevant incident data so it remains available, trustworthy, and useful for investigation.
  • Incident Containment
    Containment is the incident-response phase focused on limiting damage, slowing spread, and reducing immediate exposure while an incident is still being investigated.
  • Incident Response Plan Structure
    An incident response plan defines how an organization prepares for, coordinates, and executes its response to security incidents.
  • Incident Response Playbook
    An incident-response playbook is a documented pattern for handling a specific kind of security event.
  • Incident Response Runbook
    A runbook is a step-by-step operational procedure used to carry out a repeatable security or response task in a consistent way.
  • Indicators of Attack
    Indicators of attack are behavioral signs that suggest malicious activity or attacker techniques are being used, even when a clear compromise artifact is not yet known.
  • Indicators of Compromise
    Indicators of compromise are observable signs that suggest a system or account may already have been compromised.
  • Lessons Learned in Incident Response
    Lessons learned is the post-incident review that turns what happened into concrete improvements for controls, workflows, and decisions.
  • Memory Forensics for Incident Analysis
    Memory forensics is the analysis of volatile system memory to recover evidence about running processes, connections, credentials, and other activity that may not be preserved elsewhere.
  • Post-Incident Review Process
    A post-incident review is the structured examination of what happened during an incident and what the organization should improve afterward.
  • Recovery After Security Incidents
    Recovery is the incident-response phase focused on restoring systems and operations safely after containment and eradication work is sufficiently complete.
  • Root Cause Analysis for Security Incidents
    Root cause analysis is the process of determining the underlying reasons an incident happened instead of stopping only at the immediate symptoms.
  • Tabletop Exercise for Incident Readiness
    A tabletop exercise is a structured discussion-based scenario used to practice how teams would respond to a security incident.

Revised on Friday, April 24, 2026