First response to cyber security incidents

Taking clear action in the first few hours of a crisis to minimise future risk

Gabriel Currie
3 min readFeb 21, 2019


Incident response is hard, and the hardest part can often be in the first few hours where chaos reigns supreme and nobody really knows what’s going on or what they should be doing.

Follow the seven steps for immediate incident response to provide clear direction, take appropriate action, and lay the foundations for an effective response: confirm, triage, document, escalate, plan, mobilise, and report. These are shown as a linear process, however the reality may of course be different, with concurrent or reordered tasks.

Seven steps for immediate incident response

Seven Steps for First Responders


Confirm that the incident report is not a false-positive (for example, through verification of logging or alerting system data), and confirm basic details about the incident such as:

  • How was the incident initially detected, when, and by who?
  • What systems and data have been impacted?
  • What security controls (eg. anti-virus software, network monitoring, file integrity monitoring) exist in the impacted environment?


Triage the incident to identify:


Document the known facts relating to the incident and actions taken to date, preferably in a pre-prepared template (for example, using this template from the IAPP).


Escalate internally as required (usually determined by the impact/priority), for example, to IT management, executives, or the board.


Plan for the response, and consider defining:

  • Response objectives (for example, is the objective to minimise cyber security risk, minimise legal risk, to protect customer data?)
  • Response strategy (for example, “whack a mole” or “watch and wait”) and plan, including workstreams and tasks, logistics, update cadence, and budgeting
  • Roles and responsibilities, possibly using a framework such as FEMA’s NIMS Incident Command System or Gold/Silver/Bronze
  • Watch out situations, i.e. those situations which represent an immediate and significant risk and require urgent action, for example, threat actor access to a production domain controller or Internet-facing web server
  • Communications strategy, both internal (communicating with the incident team, other internal stakeholders, and employees) and external (communicating with customers, suppliers, regulators, shareholders)
  • Risk appetite for the response, i.e. how much access will the threat actor be allowed to maintain while the team


Mobilise teams to enable an effective response, including digital forensics, crisis management, legal, communications, and any third-party providers.


Report the incident as needed to regulators, insurance brokers, and law enforcement or security services. This should be guided in part by the incident triage, which will identify any mandatory reporting obligations.



Gabriel Currie

Head of Cyber Security at the UK Government’s @Cabinet_Office