Incident Response Plan Starter
A practical starting point for small and mid-market organizations that need a credible incident response plan today. Aligned to NIST SP 800-61r2. Use it as a baseline, then tailor to your environment.
The six phases
1. Preparation: Roles named (commander, scribe, comms, legal, exec sponsor). Contact tree printed and stored offline. Tooling and access verified.
2. Detection and analysis: Triage source (SIEM, MDR, user report). Confirm scope, classify severity, open incident record, start the timeline.
3. Containment: Short-term containment (isolate hosts, block IOCs) then long-term (rotate creds, rebuild). Preserve evidence before wiping.
4. Eradication: Remove attacker persistence: accounts, scheduled tasks, web shells, golden tickets. Patch the root cause.
5. Recovery: Restore from known-good backups. Validate integrity. Re-enable monitoring on the recovered estate before re-opening to users.
6. Lessons learned: Post-incident review within 10 business days. Track corrective actions to closure. Update detections, playbooks, and the IR plan itself.
Core roles
| Role | Responsibility |
|---|---|
| Incident Commander | Owns decisions, scope, and escalation. Single point of accountability. |
| Technical Lead | Drives investigation, containment, and eradication actions. |
| Scribe | Maintains the timeline, decisions log, and evidence chain. |
| Communications Lead | Internal updates, executive briefings, customer comms drafts. |
| Legal / Privacy | Regulatory notification clocks, breach counsel, contractual obligations. |
| Executive Sponsor | Authorizes business-impacting actions (shutdowns, public statements). |
Severity matrix
| Severity | Definition | Response target |
|---|---|---|
| SEV-1 | Material business disruption or confirmed sensitive data loss. | IC engaged ≤ 15 min · exec brief ≤ 1 hr |
| SEV-2 | Significant degradation, contained but spreading risk. | IC engaged ≤ 1 hr · daily exec brief |
| SEV-3 | Limited scope, single system or user. | Handled in-team · weekly summary |
First-24-hour runbook
- 0:00 — Open incident record. Assign IC, Tech Lead, Scribe.
- 0:15 — Initial severity call. Notify exec sponsor and legal if ≥ SEV-2.
- 0:30 — Begin containment. Preserve volatile evidence first (memory, sessions).
- 1:00 — Stand up secure comms channel out-of-band from the affected estate.
- 2:00 — Engage IR retainer / MDR / breach counsel if SEV-1.
- 4:00 — First written executive brief: what we know, what we don't, what we're doing.
- 8:00 — Validate containment held. Begin eradication planning.
- 12:00 — Notification clock review with legal (GDPR 72h, sector regulators, contractual SLAs).
- 24:00 — Status update to all stakeholders. Decision: continue, escalate, or stand down.
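As an added example (not part of the Dephiant starter), a small helper the Scribe could run over the incident timeline to check it against the severity matrix response targets and the GDPR 72-hour notification clock from the runbook. Reading "daily exec brief" as 24 h and "weekly summary" as 7 d, the event names, and the sample timeline are assumptions of this example.

```python
from datetime import datetime, timedelta

# Response targets from the severity matrix. "daily" and "weekly" are read
# here as 24 h and 7 d; that reading is an assumption of this example.
TARGETS = {
    "SEV-1": {"ic_engaged": timedelta(minutes=15), "exec_brief": timedelta(hours=1)},
    "SEV-2": {"ic_engaged": timedelta(hours=1), "exec_brief": timedelta(hours=24)},
    "SEV-3": {"exec_brief": timedelta(days=7)},
}
# GDPR Art. 33: supervisory authority notified within 72 h of becoming aware.
GDPR_WINDOW = timedelta(hours=72)


def evaluate_timeline(severity, timeline, personal_data=False, as_of=None):
    """Compare a Scribe-kept timeline (event name -> datetime) with the
    severity targets. 'opened' is the incident record open time and is
    treated as the moment of awareness. Returns event -> met/missed/pending."""
    opened = timeline["opened"]
    now = as_of or max(timeline.values())  # latest recorded event if no clock given
    report = {}

    def judge(event, deadline):
        done_at = timeline.get(event)
        if done_at is None:
            return "pending" if now <= deadline else "missed"
        return "met" if done_at <= deadline else "missed"

    for event, limit in TARGETS[severity].items():
        report[event] = judge(event, opened + limit)
    if personal_data:
        # Only applies when personal data is involved; legal owns the final call.
        report["regulator_notified"] = judge("regulator_notified", opened + GDPR_WINDOW)
    return report


def sample_sev1_timeline():
    """Constructed SEV-1 timeline: IC engaged on time, exec brief 30 min late,
    regulator notified at hour 70 of the 72-hour window."""
    t0 = datetime(2024, 3, 4, 9, 0)
    return {
        "opened": t0,
        "ic_engaged": t0 + timedelta(minutes=10),
        "exec_brief": t0 + timedelta(minutes=90),
        "regulator_notified": t0 + timedelta(hours=70),
    }


if __name__ == "__main__":
    for event, status in evaluate_timeline("SEV-1", sample_sev1_timeline(), True).items():
        print(f"{event:20s} {status}")
```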
Want this tailored and tabletop-tested?
Dephiant builds organization-specific IR plans and runs facilitated tabletop exercises with your executive team, IT, and legal.