Six Phases of Incident Response
A structured, documented process aligned to NIST SP 800-61 and NCSC guidance — ensuring a consistent, thorough response regardless of incident type or severity.
Preparation
The most important phase happens before any incident occurs. A documented incident response plan, tested playbooks, pre-approved containment actions, retainer agreements, and regular tabletop exercises ensure your organisation can respond decisively when — not if — an incident occurs.
- IR plan documentation and playbook development
- Tabletop exercises simulating ransomware, BEC, and data breach scenarios
- Retainer agreements with defined SLAs for rapid response
- Security tooling configuration for forensic data retention
Detection & Analysis
Rapid, accurate incident scoping determines the appropriate response scale. Attacker dwell time is reduced by swift identification of the initial access vector, compromised systems, data accessed, and current attacker position in the kill chain.
- Alert triage and initial incident classification
- Indicator of compromise (IOC) collection and enrichment
- Scope determination — which systems, users, and data are affected
- Severity classification and escalation to appropriate response level
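The scoping and severity steps above can be partly automated: match the IOCs collected during triage against log lines from several sources, collect the hosts and users involved, and derive an escalation level from what was touched. The following is an added example written for this page, not code from the service provider; the IOC values, log lines and the privileged-account prefixes are all constructed (the IP is from a documentation range, and the hash is the well-known SHA-256 of the empty input used as a placeholder).

```python
"""Scope an incident by matching known IOCs against proxy, EDR and mail-gateway
log lines, then classify severity from the affected hosts and users.
Added example with constructed data; not code from the page's author."""
import re

# Constructed IOCs (placeholders, not real attacker infrastructure)
IOCS = {
    "ip": {"203.0.113.45"},                                   # TEST-NET-3 documentation range
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "sender": {"invoice@example.net"},
}

# Constructed log lines: "<timestamp> <source> key=value ..." from three sources
SAMPLE_LOGS = """\
2024-05-01T09:12:03Z proxy host=WS-014 user=j.smith dst=203.0.113.45 bytes=48211
2024-05-01T09:14:55Z edr host=WS-014 user=j.smith file=update.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-05-01T09:20:10Z proxy host=WS-022 user=a.khan dst=198.51.100.7 bytes=1200
2024-05-01T10:02:41Z mail rcpt=a.khan@example.com sender=invoice@example.net subject="Overdue invoice"
2024-05-01T10:30:00Z proxy host=SRV-DC01 user=svc_backup dst=203.0.113.45 bytes=9000000
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PRIVILEGED_PREFIXES = ("svc_", "adm_")   # assumed naming convention for privileged accounts
SERVER_PREFIX = "SRV-"                   # assumed naming convention for servers


def parse_line(line):
    """Split a log line into timestamp, source and a dict of key=value fields."""
    stamp, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return stamp, source, fields


def scope_incident(log_text, iocs):
    """Return every IOC hit plus the distinct hosts and users it implicates."""
    hits, hosts, users = [], set(), set()
    for line in log_text.splitlines():
        stamp, source, f = parse_line(line)
        matched = None
        if f.get("dst") in iocs["ip"]:
            matched = "c2_ip"
        elif f.get("sha256") in iocs["sha256"]:
            matched = "malicious_hash"
        elif f.get("sender") in iocs["sender"]:
            matched = "phishing_sender"
        if matched:
            hits.append({"ts": stamp, "source": source, "ioc": matched, **f})
            if "host" in f:
                hosts.add(f["host"])
            # mail logs carry the recipient rather than a user field
            user = f.get("user") or f.get("rcpt", "").split("@")[0]
            if user:
                users.add(user)
    return {"hits": hits, "hosts": sorted(hosts), "users": sorted(users)}


def classify_severity(scope):
    """Escalation level: privileged accounts or servers involved -> critical,
    several hosts -> high, any hit -> medium, nothing -> low."""
    privileged = any(u.startswith(PRIVILEGED_PREFIXES) for u in scope["users"])
    servers = any(h.startswith(SERVER_PREFIX) for h in scope["hosts"])
    if privileged or servers:
        return "critical"
    if len(scope["hosts"]) > 1:
        return "high"
    if scope["hits"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = scope_incident(SAMPLE_LOGS, IOCS)
    for hit in result["hits"]:
        print(hit["ts"], hit["source"], hit["ioc"], hit.get("host") or hit.get("rcpt"))
    print("hosts:", result["hosts"], "users:", result["users"])
    print("severity:", classify_severity(result))
```

On the constructed data the C2 address is seen from a workstation and from a domain controller under a service account, so the incident is classified critical even though only four log lines matched; the point of the scoping step is that the escalation level follows from what was touched, not from the raw alert count.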
Containment
Preventing further spread is the immediate priority. Short-term containment isolates affected systems while preserving forensic evidence. Long-term containment may involve network segmentation, credential rotation, and additional monitoring while the root cause is investigated.
- Endpoint isolation — network quarantine of compromised systems
- Credential rotation for affected accounts and privileged access
- Firewall rule implementation to block attacker C2 communications
- Evidence preservation — forensic imaging before remediation begins
Eradication
Every malicious artefact, backdoor, and persistence mechanism must be identified and removed before recovery begins. Premature restoration from infected backups or missed persistence mechanisms leads to re-infection — the most expensive mistake in incident response.
- Malware removal and persistence mechanism elimination
- Identification and patching of exploited vulnerabilities
- Verification that all attacker footholds have been removed
- Clean backup identification — confirming restore points pre-date compromise
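Clean backup identification is a date comparison with two traps: a snapshot taken shortly before the earliest known attacker activity may still contain a foothold the logs did not capture, and a snapshot that failed its integrity check cannot be trusted whatever its date. The following added example (written for this page, not the provider's tooling) applies a safety margin before the first attacker activity and rejects unverified snapshots; the snapshot catalogue and the one-day default margin are constructed assumptions.

```python
"""Choose the newest verified restore point that pre-dates the compromise window.
Added example with constructed snapshot data; not code from the page's author."""
from datetime import datetime, timedelta


def ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed snapshot catalogue, as a backup platform export might list it
SNAPSHOTS = [
    {"id": "snap-101", "taken": "2024-04-20T02:00:00Z", "verified": True},
    {"id": "snap-102", "taken": "2024-04-27T02:00:00Z", "verified": True},
    {"id": "snap-103", "taken": "2024-04-30T02:00:00Z", "verified": False},  # integrity check failed
    {"id": "snap-104", "taken": "2024-05-02T02:00:00Z", "verified": True},   # taken after first access
]


def classify_snapshots(snapshots, first_attacker_activity, margin=timedelta(days=1)):
    """Label each snapshot as a candidate or give the reason it was rejected.
    The margin (assumed policy value) covers log gaps, clock skew and attacker
    activity that evaded logging, so the cutoff sits before the first known event."""
    cutoff = first_attacker_activity - margin
    status = {}
    for s in snapshots:
        if not s["verified"]:
            status[s["id"]] = "rejected: integrity check failed"
        elif ts(s["taken"]) >= cutoff:
            status[s["id"]] = "rejected: inside or after compromise window"
        else:
            status[s["id"]] = "candidate"
    return status


def select_clean_restore_point(snapshots, first_attacker_activity, margin=timedelta(days=1)):
    """Return the newest candidate snapshot, or None if no clean restore point exists."""
    status = classify_snapshots(snapshots, first_attacker_activity, margin)
    candidates = [s for s in snapshots if status[s["id"]] == "candidate"]
    if not candidates:
        return None
    return max(candidates, key=lambda s: ts(s["taken"]))


if __name__ == "__main__":
    first_access = ts("2024-05-01T09:12:03Z")   # constructed: from the forensic timeline
    for snap_id, verdict in classify_snapshots(SNAPSHOTS, first_access).items():
        print(snap_id, verdict)
    chosen = select_clean_restore_point(SNAPSHOTS, first_access)
    print("restore from:", chosen["id"] if chosen else "no clean restore point")
```

With the constructed data snap-103 is the most recent pre-compromise snapshot but is rejected because its integrity check failed, so snap-102 is selected. A `None` result is the case that matters operationally: it means rebuilding rather than restoring, and the margin should be widened rather than narrowed when the start of the compromise is uncertain.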
Recovery
Phased restoration from verified clean backups, with enhanced monitoring throughout the recovery window. Systems are restored in priority order, tested before return to production, and monitored for signs of re-infection. Business continuity is restored as rapidly as possible.
- Phased system restoration from verified clean backups
- Enhanced monitoring during the recovery window
- Testing of restored systems before return to production
- Business continuity handoff and stakeholder communications
Post-Incident Review
Every incident is a learning opportunity. A structured post-incident review identifies root causes, documents the timeline, assesses the effectiveness of the response, and produces actionable recommendations — preventing recurrence and strengthening defences for future incidents.
- Root cause analysis and attack timeline reconstruction
- Response effectiveness review — what worked, what didn't
- Control improvement recommendations with prioritisation
- Regulatory reporting — ICO notification, NCSC reporting where required
How We Respond to Different Incidents
Ransomware Infection
- Immediate isolation of encrypted systems to prevent further spread across the network
- Ransomware variant identification to determine if free decryptors exist before any ransom consideration
- Recovery from Rubrik or Veeam immutable backups — no ransom payment required
- Forensic investigation of initial access vector to prevent re-infection post-recovery
Data Breach & Exfiltration
- DLP log analysis and cloud storage audit to determine what data was accessed and exfiltrated
- Attacker dwell time calculation — understanding when the breach began, not just when it was discovered
- GDPR Article 33 notification assessment — 72-hour ICO reporting obligation determination
- Affected individual notification planning and regulatory correspondence support
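Dwell time and the 72-hour clock are both timeline arithmetic, but they start from different points: dwell time runs from the earliest attacker activity found in forensic analysis to the first defender detection, while the Article 33 window runs from the moment of awareness. The following added example (written for this page, not the provider's tooling) builds a timeline from constructed events and computes both; which event counts as "awareness" is a judgement for the organisation and its DPO, and here it is simply assumed to be the incident declaration.

```python
"""Reconstruct a breach timeline, compute attacker dwell time, and track the
72-hour ICO notification window.  Added example with constructed events;
not code from the page's author."""
from datetime import datetime, timedelta


def ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


NOTIFY_WINDOW = timedelta(hours=72)   # UK GDPR Article 33 notification window

# Constructed timeline.  'attacker' events come from forensic analysis and are
# typically found out of order; 'defender' events come from the SOC ticket.
EVENTS = [
    {"when": "2024-05-14T16:45:00Z", "actor": "defender", "what": "Incident declared", "milestone": "awareness"},
    {"when": "2024-04-02T11:20:00Z", "actor": "attacker", "what": "Phishing credential capture (first access)"},
    {"when": "2024-04-03T01:05:00Z", "actor": "attacker", "what": "VPN login from attacker infrastructure"},
    {"when": "2024-05-10T22:30:00Z", "actor": "attacker", "what": "Bulk download from SharePoint (exfiltration)"},
    {"when": "2024-05-14T09:00:00Z", "actor": "defender", "what": "DLP alert on outbound archive"},
]


def build_timeline(events):
    """Order events chronologically so the narrative can be read top to bottom."""
    return sorted(events, key=lambda e: ts(e["when"]))


def breach_began(events):
    """Earliest attacker activity found by the investigation."""
    return min(ts(e["when"]) for e in events if e["actor"] == "attacker")


def discovered(events):
    """First defender detection, whether or not it was recognised as a breach then."""
    return min(ts(e["when"]) for e in events if e["actor"] == "defender")


def dwell_time(events):
    return discovered(events) - breach_began(events)


def awareness_time(events):
    """Moment the organisation became aware of a personal data breach (assumed here
    to be the event tagged as the 'awareness' milestone)."""
    return next(ts(e["when"]) for e in events if e.get("milestone") == "awareness")


def ico_deadline(awareness):
    return awareness + NOTIFY_WINDOW


def notification_status(awareness, now):
    """Return ('due', time remaining) or ('overdue', time elapsed past the deadline)."""
    remaining = ico_deadline(awareness) - now
    if remaining < timedelta(0):
        return ("overdue", -remaining)
    return ("due", remaining)


if __name__ == "__main__":
    for e in build_timeline(EVENTS):
        print(e["when"], e["actor"].ljust(8), e["what"])
    print("dwell time:", dwell_time(EVENTS))
    aware = awareness_time(EVENTS)
    print("ICO deadline:", ico_deadline(aware).isoformat())
    print("status now:", notification_status(aware, ts("2024-05-16T10:00:00Z")))
```

On the constructed events the first access is on 2 April but the first detection is on 14 May, a dwell time of just under 42 days; that span, not the date of the DLP alert, bounds which data could have been accessed. The notification deadline is computed from the declaration on 14 May and lands on 17 May, so an `overdue` status from `notification_status` is the signal to escalate the regulatory workstream immediately.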
Business Email Compromise
- Mailbox audit to identify forwarding rules, compromised contacts, and sent messages
- Financial institution notification if fraudulent payments were initiated
- Microsoft 365 tenant hardening — MFA enforcement, legacy auth blocking, OAuth review
- NCSC guidance followed for reporting significant BEC incidents to Action Fraud
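The mailbox audit above is mostly about inbox rules: a compromised mailbox typically carries a rule that forwards mail to an external address, deletes it after forwarding, or files finance-related messages into a folder the owner never reads. The following added example (written for this page, not the provider's tooling) scores an exported rule set against those patterns; the export format is constructed to resemble what a script might serialise from Exchange Online inbox-rule properties, and the tenant domain, keyword list and folder list are assumptions to adapt per tenant.

```python
"""Audit exported mailbox inbox rules for patterns associated with business
email compromise.  Added example with constructed data; not code from the
page's author, and the rule export format is an assumption."""

INTERNAL_DOMAINS = {"example.com"}                       # assumed tenant domains
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}
HIDING_FOLDERS = {"RSS Subscriptions", "Deleted Items", "Junk Email",
                  "Conversation History", "Archive"}     # folders owners rarely check

# Constructed rule export, one entry per rule, property names modelled on
# Exchange Online inbox-rule properties.
RULES = [
    {"Mailbox": "j.smith@example.com", "Name": "Team digest", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": "Digests", "SubjectContainsWords": ["digest"]},
    {"Mailbox": "j.smith@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["j.smith.backup@mail-example.net"], "RedirectTo": [], "DeleteMessage": True,
     "MoveToFolder": None, "SubjectContainsWords": ["invoice", "payment"]},
    {"Mailbox": "a.khan@example.com", "Name": "Clean up", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": "RSS Subscriptions", "SubjectContainsWords": ["bank", "wire"]},
    {"Mailbox": "a.khan@example.com", "Name": "Archive old", "Enabled": False,
     "ForwardTo": ["a.khan@example.com"], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": None, "SubjectContainsWords": []},
]


def is_external(address):
    """True when the address's domain is not one of the tenant's own domains."""
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule):
    """Return the list of suspicious traits found in a single rule (empty if clean)."""
    findings = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    if any(is_external(t) for t in targets):
        findings.append("forwards or redirects mail outside the tenant")
    if targets and rule.get("DeleteMessage"):
        findings.append("deletes messages after forwarding, hiding the forward from the owner")
    subjects = {w.lower() for w in rule.get("SubjectContainsWords", [])}
    if subjects & FINANCE_WORDS and (rule.get("MoveToFolder") in HIDING_FOLDERS
                                     or rule.get("DeleteMessage")):
        findings.append("hides finance-related mail from the owner")
    if len(rule.get("Name", "").strip()) <= 1:
        findings.append("minimal rule name, a common trait of attacker-created rules")
    return findings


def audit_mailboxes(rules, include_disabled=False):
    """Group findings by mailbox; disabled rules are skipped unless requested,
    since an attacker can re-enable a rule later."""
    report = {}
    for r in rules:
        if not r.get("Enabled") and not include_disabled:
            continue
        findings = audit_rule(r)
        if findings:
            report.setdefault(r["Mailbox"], []).append({"rule": r["Name"], "findings": findings})
    return report


if __name__ == "__main__":
    for mailbox, entries in audit_mailboxes(RULES).items():
        print(mailbox)
        for entry in entries:
            print("  rule:", repr(entry["rule"]))
            for f in entry["findings"]:
                print("    -", f)
```

The rule named "." on the first mailbox trips every check, which is the classic BEC pattern; the second mailbox's "Clean up" rule has no forwarding at all and would be missed by an audit that only looks at forwarding targets, which is why the folder check is included. Once flagged, the rules themselves are evidence: export them before removing them.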
Insider Threat Incident
- Privileged session recording review to reconstruct all actions taken by the insider
- Data access log analysis — identifying what was copied, printed, or emailed externally
- HR and legal coordination — evidence preservation for disciplinary or criminal proceedings
- Access revocation and entitlement audit to prevent similar abuse by other accounts
Your GDPR Obligations When a Breach Occurs
UK GDPR and the Data Protection Act 2018 impose strict obligations on organisations that experience a personal data breach. The 72-hour clock starts from the moment of awareness.
Article 33 requires notification to the ICO within 72 hours of becoming aware of a personal data breach — unless the breach is unlikely to result in risk to individuals.
The notification must describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
Article 34 requires direct notification to affected individuals without undue delay when the breach is likely to result in high risk to their rights and freedoms.
Where a Data Protection Officer is appointed, they must be informed immediately. We help coordinate DPO engagement and ICO correspondence throughout the incident.
Do you have an incident response plan?
Most organisations discover they don't — in the middle of an incident. An IR retainer gives you pre-agreed response procedures, defined escalation paths, and the assurance that expert help is available the moment you need it.