RS

Respond

Take action regarding a detected cybersecurity incident. Contain the damage, communicate to stakeholders, analyze the cause, and mitigate the impact.

Move Now

An incident has been detected. What happens next determines whether it’s a paragraph in a report or a headline in the news. Respond is the function that turns detection into action, and the speed and quality of that action define your organization’s resilience.

Categories

  • RS.MA — Incident Management — Responses to detected cybersecurity incidents are managed
  • RS.AN — Incident Analysis — Investigations are conducted to ensure effective response and support forensics and recovery activities
  • RS.CO — Incident Response Reporting & Communication — Response activities are coordinated with internal and external stakeholders as required
  • RS.MI — Incident Mitigation — Activities are performed to prevent expansion of an event and to mitigate its effects

Key Concepts

Incident response is a process, not an improvisation. RS.MA requires documented playbooks that define who does what, in what order, with what authority. When the adrenaline is flowing is not the time to figure out the communication chain.

Forensics-ready from the start. RS.AN means preserving evidence while you respond. Log integrity, chain of custody, volatile data capture — if you might need to involve law enforcement or prove compliance, the evidence must survive the response.
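As an added illustration (not part of the CSF text or of this page's source), the sketch below shows one way to make a chain-of-custody record tamper-evident: each entry stores the SHA-256 of the evidence item and the hash of the previous entry. The function names, field names and sample evidence are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry

def _digest(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log: list, item: str, data: bytes, handler: str, action: str, ts: str) -> dict:
    """Append a custody entry bound to the evidence hash and the prior entry."""
    body = {
        "item": item, "sha256": hashlib.sha256(data).hexdigest(),
        "handler": handler, "action": action, "ts": ts,
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    log.append({**body, "entry_hash": _digest(body)})
    return log[-1]

def verify(log: list, evidence: dict) -> list:
    """Return a list of problems; an empty list means log and evidence agree."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: custody record altered")
        data = evidence.get(entry["item"])
        if data is None:
            problems.append(f"entry {i}: {entry['item']} missing")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"entry {i}: {entry['item']} content changed")
        prev = entry["entry_hash"]
    return problems

if __name__ == "__main__":
    # Constructed sample evidence and handlers, for illustration only.
    evidence = {"auth.log": b"Jan 01 00:00:01 host sshd[1]: Failed password for root\n"}
    log = []
    record(log, "auth.log", evidence["auth.log"], "analyst-a", "collected", "2024-01-01T00:05:00Z")
    record(log, "auth.log", evidence["auth.log"], "analyst-b", "received", "2024-01-01T09:00:00Z")
    print(verify(log, evidence))            # intact
    evidence["auth.log"] += b"edited\n"     # evidence modified after collection
    print(verify(log, evidence))
```

The chain only proves integrity if the latest `entry_hash` is also kept somewhere the responder cannot rewrite, such as the case ticket or a signed note.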

Communication is part of the response. RS.CO covers both internal communication (leadership, legal, affected teams) and external communication (regulators, customers, law enforcement, media). Saying the wrong thing or saying nothing at all can be as damaging as the incident itself.

Containment before eradication. RS.MI prioritizes stopping the spread — isolate affected systems, revoke compromised credentials, block attacker infrastructure — before you begin root cause analysis. Stop the bleeding first.