Guide
Incident response checklist and how-to
Use this practical playbook to run incidents with confidence. It includes step-by-step actions, communication tips, and a downloadable checklist your team can use during high-pressure moments.
Step-by-step actions
Prepare
Define roles and escalation trees, and keep offline copies of contact details, since an incident may take down the email, chat, or directory you would normally use to reach people. Run tabletop drills quarterly.
Identify
Confirm scope using logs, EDR, and cloud telemetry, and record the earliest observed attacker activity to anchor the timeline. Capture volatile memory before rebooting or powering off; a restart destroys it.
Contain
Isolate impacted hosts at the network level (EDR containment or VLAN quarantine) rather than powering them off, rotate exposed credentials and session tokens, and block malicious domains/IPs at DNS, proxy, and firewall. Ensure backups are offline, reachable only with separate credentials, and unmodified.
Eradicate
Remove persistence (scheduled tasks, services, startup items, new or modified accounts, cloud access keys and OAuth grants), patch the exploited services, and validate with IOC sweeps across endpoints and cloud resources.
Recover
Restore prioritized systems from backups taken before the earliest compromise timestamp, validate their integrity, and monitor for recurrence for at least 72 hours.
Learn
Document timelines, root causes, and improvement actions. Update controls, playbooks, and training.
Communications template
Use this quick structure for leadership updates:
- What happened: threat type, when detected, current status.
- Impact: systems affected, data exposure, business impact.
- Actions taken: containment steps, partners engaged, next milestones.
- Requests: approvals needed, downtime expectations, external notifications.
Validation checklist
- All compromised credentials rotated and MFA enforced.
- Backups tested and restored systems validated with fresh scans.
- IOCs swept across endpoints, SaaS, and cloud logs.
- Post-incident report drafted with owners and due dates.
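The IOC sweep called for in the Eradicate step and in the checklist item above, as an added example that is not part of the original guide. It takes indicators in the defanged form most threat-intel feeds use (hxxp, [.]), normalizes them, and runs them over constructed endpoint, EDR, and cloud log lines. The indicator values, hostnames, and log lines are made up for this example; only the matching logic matters. Note the two traps it handles: a URL indicator reduces to its host, and a domain only matches on a label boundary, so a watched domain does not fire on a benign hostname that merely ends with the same string.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list for this example, written the way a feed would deliver it.
# None of these are real findings; they only exercise the sweep.
IOCS = [
    "hxxps://update[.]example-c2[.]net/beacon",
    "Example-C2[.]NET",
    "203[.]0[.]113[.]45",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

# Constructed log lines: a DNS query, an EDR process event, a CloudTrail-style JSON record,
# and a benign DNS query whose hostname merely ends with a watched domain string.
SAMPLE_LOGS = [
    "dns client=10.0.4.17 query=update.example-c2.net type=A",
    "edr host=ws-0412 proc=powershell.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    '{"eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.45","userIdentity":{"userName":"deploy"}}',
    "dns client=10.0.4.18 query=notexample-c2.net type=A",
]

# Common defanging conventions and their live equivalents.
DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")]

# Tokens worth comparing against indicators: hostnames, IPv4 addresses, hashes, filenames.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-_]*")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str
    token: str


def refang(indicator: str) -> str:
    """Lowercase an indicator and undo the usual defanging so it compares against live logs."""
    s = indicator.strip().lower()
    for defanged, live in DEFANG:
        s = s.replace(defanged, live)
    return s


def classify(indicator: str) -> tuple[str, str]:
    """Return (kind, value) with kind in {'ip', 'sha256', 'domain'}; a URL reduces to its host."""
    v = refang(indicator)
    if "://" in v:
        v = v.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256", v
    return "domain", v.strip(".")


def domain_matches(token: str, domain: str) -> bool:
    """Exact match or subdomain match on a label boundary; 'notexample-c2.net' must not match 'example-c2.net'."""
    return token == domain or token.endswith("." + domain)


def sweep(lines, indicators) -> list[Hit]:
    """Run every indicator over every line; returns one Hit per (line, indicator, token) match."""
    iocs = {classify(i) for i in indicators}  # set dedupes different spellings of one indicator
    hits = []
    for line_no, line in enumerate(lines, 1):
        tokens = {t.lower().strip(".") for t in TOKEN_RE.findall(line)}
        for kind, value in sorted(iocs):
            for tok in tokens:
                if kind == "domain":
                    matched = domain_matches(tok, value)
                else:
                    matched = tok == value
                if matched:
                    hits.append(Hit(line_no, kind, value, tok))
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS, IOCS):
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator} matched token {h.token}")
```

Run it as-is to see the three true positives and the silent fourth line. In a real sweep the indicator list comes from the incident's own findings plus any vendor feed, and the line source is whatever log export or EDR search your tooling gives you; the normalization and boundary-matching rules stay the same.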
Run your next incident with Cyvex on bridge
We guide your team live, provide executive-ready updates, and close gaps after recovery.
