Incident Response — What to Do When Breached
Response plans, communication protocols, forensics, and recovery procedures for security incidents
17 min read. Tags: security, incident-response, breach, forensics, recovery
It's 2 AM on a Saturday. Your phone buzzes. Monitoring shows suspicious database queries, your API CPU just spiked to 100%, and a user reports an unknown login.
You've been breached.
What you do in the next 60 minutes determines whether this becomes a contained incident or a catastrophic failure. The difference between the two isn't technical skill — it's preparation.
The Incident Response Framework
Incident response follows a structured process. Every major framework (NIST, SANS, ISO 27001) uses some variation of these phases:
- Preparation — Before the incident
- Detection & Analysis — Identifying and understanding the incident
- Containment — Stopping the bleeding
- Eradication — Removing the threat
- Recovery — Returning to normal operations
- Post-
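As an added example, not code from the original lesson: a small Python correlator that merges the three signals from the 2 AM scenario above (suspicious database queries, an API CPU spike, a user-reported unknown login) into a single incident when they land inside one time window, which is what the Detection & Analysis phase looks like in practice. The sample alerts, the 30-minute window and the severity weights are constructed assumptions.

```python
"""Correlate independent alert sources into one incident record (constructed sample data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts, shaped like the Saturday 2 AM scenario: three independent
# sources fire within minutes of each other, plus one unrelated CPU spike hours later.
SAMPLE_ALERTS = [
    {"ts": "2024-06-01T02:03:10", "source": "db", "kind": "suspicious_query",
     "detail": "SELECT * FROM users returned 40k rows"},
    {"ts": "2024-06-01T02:04:45", "source": "metrics", "kind": "cpu_spike",
     "detail": "api-01 cpu=100%"},
    {"ts": "2024-06-01T02:11:30", "source": "user_report", "kind": "unknown_login",
     "detail": "alice: login from unknown device"},
    {"ts": "2024-06-01T09:30:00", "source": "metrics", "kind": "cpu_spike",
     "detail": "batch-02 cpu=100% during nightly job"},
]

WINDOW = timedelta(minutes=30)  # assumed: alerts this close together belong to one incident
# Assumed weights: a CPU spike alone is noisy; query and login anomalies are stronger.
WEIGHTS = {"suspicious_query": 3, "unknown_login": 3, "cpu_spike": 1}


@dataclass
class Incident:
    opened: datetime
    alerts: list = field(default_factory=list)

    def score(self) -> int:
        return sum(WEIGHTS.get(a["kind"], 1) for a in self.alerts)

    def sources(self) -> list:
        return sorted({a["source"] for a in self.alerts})

    def severity(self) -> str:
        # Several independent sources agreeing inside one window is the strongest signal.
        if len(self.sources()) >= 3 or self.score() >= 6:
            return "critical"
        if self.score() >= 3:
            return "high"
        return "low"


def correlate(alerts, window=WINDOW):
    """Group alerts into incidents: an alert joins the open incident if it arrives
    within `window` of that incident's first alert, otherwise it opens a new one."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        if incidents and ts - incidents[-1].opened <= window:
            incidents[-1].alerts.append(a)
        else:
            incidents.append(Incident(opened=ts, alerts=[a]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc.opened.isoformat(), inc.severity(), inc.sources(), len(inc.alerts))
```

The same correlator can be fed from a SIEM export or a monitoring webhook; the point is that the first triage question (is this one incident or three unrelated alerts?) is answered by data, not by whoever is awake at 2 AM.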
