Incident Response (IR): Plan & Process

JJ Cranford - April 17, 2023

What is Incident Response?

Incident response (IR) is the steps used to prepare for, detect, contain, and recover from a data breach.

What is an Incident Response Plan?

An incident response plan is a document that outlines an organization’s procedures, steps, and responsibilities of its incident response program.


Incident response planning often includes the following details:

  • how incident response supports the organization’s broader mission
  • the organization’s approach to incident response
  • activities required in each phase of incident response
  • roles and responsibilities for completing IR activities
  • communication pathways between the incident response team and the rest of the organization
  • metrics to capture the effectiveness of its IR capabilities

It’s important to note that an IR plan’s value doesn’t end when a cybersecurity incident is over; it continues to provide support for successful litigation, documentation to show auditors, and historical knowledge to feed into the risk assessment process and improve the incident response process itself.

Free Incident Response Tracking Tool

Download the same IR Tracker that the CrowdStrike Services team uses to manage incident investigations.

Download Now

What are the Incident Response Steps?

According to the National Institute of Standards and Technology (NIST), there are four key phases to IR:

  • Preparation: No organization can spin up an effective incident response on a moment’s notice. A plan must be in place to both prevent and respond to events.
  • Detection and analysis: The second phase of IR is to determine whether an incident occurred, its severity, and its type.
  • Containment and eradication: The purpose of the containment phase is to halt the effects of an incident before it can cause further damage. 
  • Post-incident recovery: A lessons learned meeting involving all relevant parties should be mandatory after a major incident and desirable after less severe incidents with the goal of improving security as a whole and incident handling in particular.

Learn More

Follow along as CrowdStrike breaks down each step of the incident response process into action items your team can follow.Incident Response Steps In-depth

Why is an Incident Response Plan Important?

Cyber incidents are not just technical problems – they’re business problems. The sooner they can be mitigated, the less damage they can cause.

Think of recent breaches that lingered in the headlines for weeks. Was the company notified far in advance but failed to address the issue? Did their public communications downplay the severity of the incident, only to be contradicted by further investigation? Were communications with affected individuals poorly organized, resulting in greater confusion? Were executives accused of mishandling the incident — either by not taking it seriously or by taking actions, such as selling off stock, that made the incident worse? These are telltale signs that the organization didn’t have a plan.

Because an incident response plan is not solely a technical matter, the IR plan must be designed to align with an organization’s priorities and its level of acceptable risk.

Incident response leaders need to understand their organizations’ short-term operational requirements and long-term strategic goals in order to minimize disruption and limit data loss during and after an incident.

The information gained through the incident response process can also feed back into the risk assessment process, as well as the incident response process itself, to ensure better handling of future incidents and a stronger security posture overall. When investors, shareholders, customers, the media, judges, and auditors ask about an incident, a business with an incident response plan can point to its records and prove that it acted responsibly and thoroughly to an attack.

Front Lines Report

Every year our services team battles a host of new adversaries. Download the Cyber Front Lines report for analysis and pragmatic steps recommended by our services experts.

Download Now

Most Organizations Lack a Plan

Although the need for incident response plans is clear, a surprisingly large majority of organizations either don’t have one, or have a plan that’s underdeveloped.

According to a survey by Ponemon, 77 percent of respondents say they lack a formal incident response plan applied consistently across their organization, and nearly half say their plan is informal or nonexistent. Among those that do have IR plans, only 32 percent describe their initiatives as “mature.” 

These figures are concerning, especially when you consider that fifty-seven percent or organizations say the length of time to resolve cyber incidents in their organizations is lengthening, and 65 percent say the severity of the attacks they’re experiencing is increasing.

Those two statements are tightly coupled: in cybersecurity, speed is the essential factor in limiting damage. The more time attackers can spend inside a target’s network, the more they can steal and destroy. An IR plan can limit the amount of time an attacker has by ensuring responders both understand the steps they must take and have the tools and authorities to do so.

Learn More

Want to know the toughest challenge of incident response? Read this blog post to find out:  “Confessions of a Responder: The Hardest Part of Incident Response Investigations” Read Blog

Incident Response Plan Templates and Examples

Below are a few example IR plan templates to give you a better idea of what an incident response plan can look like.

Learn More

Read our post on cloud incident response to learn the differences between a traditional incident response plan and one focused on responding to an incident in the cloud. Read: Cloud Incident Response (IR)

CrowdStrike’s Incident Response Service

Organizations often lack the in-house skills to develop or execute an effective plan on their own. If they are lucky enough to have a dedicated team, they are likely exhausted by floods of false positives from their automated detection systems or are too busy handling existing tasks to keep up with the latest threats.

CrowdStrike prides itself on being a leader in incident response and brings control, stability, and organization to what can become a chaotic event. CrowdStrike works closely with organizations to develop IR plans tailored to their team’s structure and capabilities.

Through this guidance, we help companies improve their incident response operations by standardizing and streamlining the process. We’ll also analyze an organization’s existing plans and capabilities, then work with their team to develop standard operating procedure “playbooks” to guide your activities during incident response. Lastly, our services team can help battle-test your playbooks with exercises like penetration testing, red team blue team exercises, and adversary emulation scenarios.

Learn how CrowdStrike can help you respond to incidents faster and more effectively:

CrowdStrike IR Services


JJ Cranford is a Senior Manager of Product Marketing at CrowdStrike primarily responsible for Incident Response and Advisory Services. JJ previously held roles at Cybereason, OpenText and Guidance Software where he drove go-to market strategy for XDR, EDR and DFIR product suites. JJ provides insight into market trends, industry challenges, and solutions in the areas of incident response, endpoint security, risk management, and ransomware defense.