A comprehensive study guide covering the five-phase IR lifecycle, incident definition, CSIRT team roles, playbooks and call lists, data criticality types, communication plans and out-of-band communications, response coordination stakeholders, reporting requirements and breach disclosure, business continuity planning (BCP/DRP), continuity site types, training and testing (tabletop exercises and penetration tests).
An incident is an act of violating an explicit or implied security policy — from stolen credentials and installed malware to data exfiltration and denial of service. The incident response lifecycle describes the structured approach to handling these events. There are two common models:
NIST SP 800-61
Four phases
Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity. The standard reference for incident response professionals in the field.
CompTIA model
Five phases ★ exam
Same as NIST but splits the third phase into two: Containment is separate from Eradication & Recovery. This five-phase model is what the CySA+ exam tests.
The five CompTIA IR phases — pipeline (signature element)
1
Preparation
Harden systems, write policies, train staff, set up communication channels
2
Detection & Analysis
Determine if incident occurred, triage, notify stakeholders
⟳ Note: IR is not always linear — after detection you may cycle between phases 2, 3, and 4 multiple times before reaching phase 5.
Exam tip: Know the five CompTIA phases by name and what happens in each. Common exam questions: "Which phase involves limiting spread?" (Containment). "Which phase analyses what went wrong?" (Post-Incident Activity). "Which phase involves removing malware?" (Eradication & Recovery). "It's not a matter of if you'll have an incident — it's a matter of when."
2
CSIRT — Incident Response Team Roles
The Computer Security Incident Response Team (CSIRT) is the single point of contact for security incidents. It may be part of the SOC or an independent team — and may be fully in-house, fully outsourced, or hybrid. CSIRT availability must be 24/7, which makes staffing expensive and prone to burnout. Smaller organisations typically outsource.
IR Manager / Team Lead
Oversees and prioritises actions during detection, analysis, and containment. Communicates status to executives and management. May interface with law enforcement and media. Requires strong soft skills in addition to technical depth.
Triage Analyst
Works on the network during the incident — configures and tunes IDS/IPS to filter false positives, performs ongoing monitoring to detect new or continuing intrusions. Focused on the present state of the network.
Forensic Analyst
Focused on detective work — recovering key artefacts and evidence, building a timeline of events that led to the incident. Determines what happened, how, and when. Primarily historical analysis.
Threat Researcher
Provides threat context — keeps current with threats in the organisation's industry, knows historical attack patterns. Part futurist (predicts adversary moves), part historian (knows past attack patterns). Helps the team stay ahead of attackers.
Cross-functional Support
Management, HR (insider threats), legal counsel, public relations, system/network/DBA administrators. These come from outside the security team but are essential for business decisions, employment law compliance, legal action, and media management.
Internal vs. external CSIRT: External/outsourced CSIRT teams can be more objective (especially for insider threat investigations — no personal bias). Internal teams know the environment better but are more expensive and susceptible to burnout. Many organisations use a hybrid: internal analysts for day-to-day triage and external specialists for complex incidents.
3
Documenting Procedures — Playbooks, Call Lists & Incident Forms
Preparation without documentation is not preparation. Written procedures ensure that during an actual incident — when stress is high and decisions must be fast — every analyst knows exactly what to do. Preparation phase documentation is created before any incident occurs.
Playbook
Standard operating procedure per scenario
A playbook defines exactly what to do in response to a specific type of incident — phishing, DDoS, ransomware, data exfiltration, etc. It walks a junior analyst through the complete process: preparation, detection, analysis, containment, eradication, recovery, and post-incident steps — using flowcharts. Free starting point: incidentresponse.com/playbook.
Call list
Pre-defined escalation contacts
A hierarchical list of incident response contacts showing who to notify, in what order, and via which communication method. Answers: who do I wake up at 3 AM? What phone number? Corporate email or personal? The call list prevents hesitation and ensures nothing gets missed during escalation.
Incident form
Real-time evidence log
Records all details about a reported incident: date/time/location, reporter and handler names, detection method (which alert or log triggered it?), incident type, scope, and running event log. Becomes the case file that follows the incident through all phases and is used for lessons-learned and potential legal proceedings.
Lessons learned integration: Previous incident findings must be incorporated into updated playbooks and training materials. Writing down lessons learned does nothing if nobody reads them or trains on them. The cycle is: incident → lessons learned → update playbook → train staff → test → repeat.
4
Data Criticality — Seven Types
Data criticality determines how you prioritise resources during an incident response. Not all data is equally valuable — a compromised credit card server requires a faster, more intensive response than a compromised email server. Knowing your data criticality hierarchy before an incident means you know which servers to check first.
PII
Personally Identifiable Information
Name, birthday, SSN, biometrics, place of birth. Enables identity theft and physical targeting. Most common breach type. Protected under GDPR, CCPA, and many other laws.
SPI
Sensitive Personal Information
Religious belief, political opinion, union membership, gender, sexual orientation, racial/ethnic origin, genetic data. Protected by GDPR as a specially-protected category. US has no single equivalent law.
PHI
Personal / Protected Health Information
Medical records, insurance records, lab results, fitness data. Protected by HIPAA in the US. High black-market value — enables insurance fraud, blackmail. Can't be cancelled like a credit card.
Financial
Financial Information
Bank accounts, investment accounts, payroll, tax returns, credit card data. Governed by PCI DSS (credit cards), SOX (public companies). Directly monetisable by attackers.
IP
Intellectual Property
Copyrights, patents, trademarks, trade secrets. The product of the organisation. Trade secrets are especially sensitive — unlike patents, they have no expiration date and don't require public disclosure.
Corporate
Corporate Information
Confidential business data — profit, salaries, market share, key customers, contracts. Can affect share prices if leaked prematurely. Useful to competitors and short-sellers.
HVA
High Value Assets
Information systems that process data critical to a mission-essential function. Not just the data — the system itself. All servers look alike in a rack; knowing which ones are HVAs tells you where to look first during an incident.
5
Communication Plans — Out-of-Band & Escalation
How you communicate during an incident is as critical as what you do. If an attacker has compromised your corporate email system and VoIP infrastructure, using those channels to coordinate your response tells the attacker exactly what you're doing — giving them time to cover tracks and move deeper into your network.
Out-of-band communication
Communication via a path separate from the primary network. Examples: cell phone calls instead of corporate VoIP, personal email instead of corporate email, end-to-end encrypted messaging apps (WhatsApp, Signal, Off the Record). Pre-establish an OOB channel before any incident occurs.
Contact list accuracy
Maintain an up-to-date roster with phone numbers, email addresses (personal and corporate), and preferred contact methods for every CSIRT member and key stakeholder. An out-of-date contact list fails at the worst possible moment.
Escalation thresholds
Pre-define exactly what severity level triggers a 3 AM call vs. waiting until morning vs. a daily report. Be specific about which incident types require which executives to be woken up. Contract personnel escalation may have financial cost implications.
Notification methods
High-priority = phone call + in-person, followed by email/report. Medium = email or voicemail. Low = daily/weekly report or intranet portal. Match the method to the urgency — and ensure everyone who needs to be notified knows which method applies to them.
Information control — preventing premature release: Restrict all incident information to the CSIRT until cleared for wider release. Any information going outside the CSIRT — to media, employees, partners, or the public — must go through public relations and appropriate approval chains. A junior analyst posting to personal social media during an active breach is a serious breach of protocol.
6
Reporting Requirements & Breach Disclosure
Many breach types trigger mandatory reporting obligations under law or regulation. Knowing your reporting requirements before an incident ensures your response includes the necessary notifications within required timeframes.
Five breach types — most to least severe
Most severe
Data exfiltration — External attacker breaks in and transfers data out. Triggers the most comprehensive reporting obligations. Example: credit card database stolen by external threat actor.
Severe
Insider data exfiltration — Employee or ex-employee uses legitimate privileges to transfer data. Example: employee copies files to USB and uploads to WikiLeaks. Intentional and harder to detect because credentials are valid.
Significant
Device theft or loss — Device containing data is lost or stolen. Example: smartphone with corporate email left in a taxi; laptop stolen from a car. Risk depends on whether the device was encrypted.
Moderate
Accidental breach — Unintentional public disclosure caused by human error or misconfiguration. Not malicious — someone made a mistake. Still triggers reporting obligations depending on the data type exposed.
Least severe
Integrity / availability breach — Data corruption or system destruction. Example: ransomware encrypting files (integrity) or DDoS taking a system offline (availability). Confidentiality not necessarily affected.
Key regulatory reporting requirements
HIPAA (US)
PHI breaches affecting >500 individuals require notification to: affected individuals, HHS Secretary, and media. Timeframe varies but small breaches can be reported annually; large breaches must be reported promptly.
GDPR (EU)
Personal data breach must be reported to supervisory authorities within 72 hours of awareness. Individuals must also be notified if the breach is likely to result in high risk. Applies to any organisation processing EU residents' data — regardless of where the org is located.
PCI DSS
Payment card data breaches require notification to card brands and acquiring bank. PCI DSS is a contractual requirement (not law) between merchants and their payment processor — but non-compliance results in fines and loss of card processing ability.
Breach disclosure content
What was breached
Clear description of what data was exposed or compromised — specific data types (names, SSNs, card numbers) without needlessly alarming details.
Point of contact
Who affected individuals should contact for questions, including phone/email, and how long it will be active.
Likely consequences
What risks arise from this specific breach — identity theft, fraud, credit impact. Be honest without being alarmist.
Mitigation measures
What the organisation has done and is doing — remediation, monitoring services offered, patches applied.
7
Response Coordination — Six Stakeholder Groups
An incident response involves more than the security team. Technical decisions have business, legal, and reputational consequences. Response coordination means knowing which stakeholders to involve and when — and understanding that not every technical decision is yours to make.
Internal
Senior Leadership
Executives and managers responsible for business operations. Make business decisions (e.g., "shut down the credit card system" = business decision, not technical). Must understand second and third-order business impacts of every technical action.
External
Regulatory Bodies
Government bodies overseeing compliance — HHS (HIPAA), state AGs (CCPA), financial regulators, PCI SSC. Notify according to breach type and applicable regulations. Pre-establish relationships and reporting procedures.
Internal
Legal Counsel
Mitigates risk of civil lawsuits. Provides guidance on what actions can and cannot be taken during response. Must be in the room — your response decisions may be examined in court. Controls whether law enforcement is engaged.
External
Law Enforcement
May assist with incident handling and pursue legal action against attackers. Decision to involve law enforcement belongs to senior executives with legal guidance — not the incident responder. Some breaches require mandatory law enforcement notification.
Internal
Human Resources
Required for insider threat investigations. Before questioning employees or accessing employee files, consult HR — to avoid breaching employment law or employee contracts. Also handles employment consequences for insiders.
External
Public Relations
Manages negative publicity from serious incidents. Incident responders should not speak to media directly. PR crafts a consistent on-brand message. Larger breaches always attract media interest — PR must be looped in early, especially before any external communications go out.
The Twitter example (2020): When high-profile accounts (Obama, Biden, Bezos, Musk) were compromised in a Bitcoin scam, Twitter immediately locked affected accounts, engaged the FBI, and identified the attacker within two weeks. This is the coordination model in action — technical containment (lock accounts) + external law enforcement engagement + legal oversight + PR management — all running simultaneously.
8
Business Continuity Planning — BCP, DRP & Site Types
A Business Continuity Plan (BCP) ensures the organisation can continue to operate during and after a disruptive event — whether a cyberattack, natural disaster, power failure, or civil unrest. A Disaster Recovery Plan (DRP) is a subset of the BCP focused specifically on recovering from disasters faster. BCP/DRP development is a senior management responsibility.
Seven BCP steps — NIST SP 800-34
Step 1
Develop a contingency planning policy
Step 2
Conduct a Business Impact Analysis (BIA)
Step 3
Identify preventive controls
Step 4
Create recovery strategies
Step 5
Develop the business continuity plan
Step 6
Test, train, and exercise the BCP
Step 7
Maintain and update the BCP
Four continuity site types — speed vs. cost
Hot Site
Minutes to switch
$$$$ — most expensive
Fully operational mirror — desks, chairs, phones, computers, network, data. Employees walk in and start working immediately. Requires constant synchronisation with primary site. Ideal via cloud infrastructure for servers; rarely used for full office operations.
Warm Site
Days to activate
$$$ — moderate
Building with power, network, phone lines, some furniture. No computers or phones installed. Can get operational in a few days once hardware is purchased and installed. Most common compromise between cost and speed.
Cold Site
Weeks to months
$$ — cheaper
Basic leased space — bathrooms, tables, chairs. No network, no power (or minimal), no phones, no computers. Lowest ongoing cost but longest recovery time (1–2 months to fully set up as a working office).
Mobile Site
Hours to days
Varies
Portable/independent units (trailers, tents) delivered to your location. Can be hot, warm, or cold. Example: US military DJC2 — a fully equipped command centre in tents, deployable anywhere in 72 hours, operational for 200 people within 24 hours.
9
Training & Testing — Tabletop Exercises & Penetration Tests
Knowing your procedures is not the same as knowing how to execute them under pressure. Training teaches what to do; testing verifies you can actually do it.
Training
Education — what to do
Role-specific: responders learn technical procedures (re-imaging, malware removal, configuration changes). Managers learn risk vs. reward and communication. End users learn how to report incidents and avoid phishing. Include soft skills and lessons-learned from previous incidents.
Testing
Practical exercise — can you do it
Simulate a significant incident to verify that everyone can actually execute their assigned roles. Testing is costly and complex — but an untested response plan is an unproven response plan. Testing validates both the plan and the people.
Two test types
Tabletop Exercise (TTX)
Discussion-based, low-cost
Experts gather around a table and walk through an incident scenario by discussion — what would you do? Each participant describes their actions. Can include red team vs. blue team role-playing where each side responds to the other's moves. Benefits: low cost, no network impact, good for identifying process gaps. Limitation: no hands-on keyboard experience — purely theoretical.
Penetration Test
Hands-on, high-cost
Red team attempts an actual intrusion using a scenario based on threat modelling — not just random attacks but a specific, realistic adversary approach. Requires a clearly defined methodology and rules of engagement agreed in advance. Much more expensive but provides real-world validation. Tools seen in pen tests: Metasploit, Cobalt Strike, Kali Linux, ParrotOS, Commando OS.
Pen test tools as IOCs: As a defender, if you see Metasploit, Cobalt Strike, Kali Linux, or similar penetration testing tools on your network — and no authorised penetration test is in progress — treat it as an incident IOC. These are open-source tools freely available to attackers as much as to testers.
Rules of engagement for pen tests: Always agree on scope, methodology, and explicit rules of engagement before a penetration test begins. What is off-limits? (DDoS? Production systems? Specific hours?) What is the test goal? Documented rules protect both the tester and the organisation and ensure the test models realistic adversary behaviour.
IR Manager (leads + communicates up). Triage Analyst (current network monitoring + IDS tuning). Forensic Analyst (historical timeline reconstruction). Threat Researcher (threat context). Cross-functional (HR, legal, PR, sysadmins). Available 24/7. Outsource if small org.
Documentation
Playbook = SOP per incident type (incidentresponse.com/playbook). Call list = escalation contacts in order. Incident form = running evidence log (date/time/type/scope/description). Lessons learned must feed back into updated playbooks + training.
Data criticality (7 types)
PII (identity). SPI (beliefs/orientation — GDPR). PHI (health — HIPAA). Financial (cards — PCI DSS). Intellectual Property (trade secrets, patents). Corporate (profits, salaries, market). High Value Assets (systems critical to mission). Know which servers = HVAs before an incident.
Communication plan
Out-of-band = separate channel from compromised network (Signal, WhatsApp, cell phones). Maintain current contact list. Pre-define escalation thresholds. High priority = phone + in-person → follow-up email. Low = daily/weekly report. Control information release via PR, not responders directly.
Senior leadership (business decisions). Regulatory bodies (compliance). Legal (mitigate lawsuits + control law enforcement contact). Law enforcement (external, senior decision + legal guidance). HR (insider threats + employment law). PR (media management — responders don't talk to press).
BCP / DRP
BCP = response to any disruptive event. DRP ⊂ BCP = disaster recovery subset. NIST 800-34 steps: policy → BIA → preventive controls → recovery strategies → develop plan → test/train → maintain. Senior management leads; committee from all departments.
Continuity sites
Hot = instantly operational, $$$. Warm = days, $$. Cold = weeks-months, $. Mobile = portable (tents/trailers), varies. Choose based on RTO (Recovery Time Objective). Servers best suited for hot (cloud). Offices often warm. Most orgs combine site types by business function.
Training vs. testing
Training = education (what to do). Testing = verification (can you do it). Tabletop (TTX) = discussion around a table, cheap, no hands-on. Pen test = actual intrusion attempt, expensive, requires rules of engagement. Pen test tools as IOCs: Metasploit, Cobalt Strike, Kali Linux, ParrotOS, Commando OS.