Incident response (IR) is the set of processes, roles and tools an organization activates when a security event threatens the confidentiality, integrity or availability of its systems. A mature IR program reduces financial and reputational impact, preserves evidence for forensic analysis and meets regulatory obligations — such as the notification to the ANPD required by the LGPD.

What defines a security incident

Not every security event is an incident. An event is any observable occurrence — a failed login, an external port scan — whereas an incident is an event that actually violates or threatens to violate security policies, acceptable-use agreements or standard security practices (NIST SP 800-61r2, 2012). Classic examples include: running ransomware, exfiltration of customer data, compromise of privileged credentials, website defacement and DDoS attacks that disrupt operations.

Severity classification — typically P1 (critical, immediate business impact) through P4 (low, no operational impact) — determines the speed and level of escalation of the response. Teams that do not classify incidents at the moment of detection waste the first critical minutes trying to decide whom to call.

The NIST SP 800-61 cycle: the four phases

NIST's Computer Security Incident Handling Guide organizes the response into four cyclical phases. The cyclical nature is intentional: each incident feeds the preparation for the next.

1. Preparation

The most neglected — and the most decisive — phase. It involves inventorying critical assets, drafting playbooks by threat type, establishing crisis communication channels, acquiring tools (SIEM, EDR, forensic solution) and running tabletop exercises. Organizations that invest in preparation reduce MTTD by up to 60%, according to the Verizon Data Breach Investigations Report. Preparation also includes relationships with external suppliers — cyber-specialized lawyers, crisis communication advisors and the IR retainer team itself.

2. Detection and analysis

Detection occurs through continuous monitoring (a SIEM correlating events from multiple sources), through a third-party alert (customer, partner, security researcher) or through accidental discovery. Analysis goes beyond confirming that something happened: it requires determining the scope (which systems, which data, which time window), the initial vector and the level of compromise. In this phase evidence is preserved — logs, volatile-memory captures, disk images — following a rigorous chain of custody for use in legal or regulatory proceedings.

3. Containment, eradication and recovery

Short-term containment (isolating an endpoint, blocking an IP, revoking a credential) must be done without destroying evidence. Long-term containment keeps compromised systems operating in a controlled manner while eradication is prepared — useful when immediate isolation would cause critical operational impact. Eradication removes malicious artifacts, closes exploited vulnerabilities and validates the cleanup with a post-eradication scan. Recovery restores systems from clean backups and monitors for reinfection during the first 72 hours.

4. Post-incident activity

The post-incident review (PIR or lessons learned) should occur within 5 business days of closure. The goal is not to assign blame, but to document the timeline, root cause, what worked, what failed and improvements with a defined owner and deadline. Organizations that skip the PIR repeat the same mistakes — and the same incidents.

The SANS PICERL model: operational granularity

The SANS Institute popularized the PICERL model, which divides the response into six steps: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned. Compared with NIST, PICERL explicitly separates identification (confirmation and classification of the incident) from containment, which is useful in highly complex environments where the initial analysis can take hours. The two structures are complementary: NIST guides program governance; PICERL guides the analyst during the crisis.

CSIRT roles and structure

An effective Computer Security Incident Response Team (CSIRT) distributes clear responsibilities to avoid decision paralysis during a crisis.

  • Incident commander (IC): coordinates all activities, makes escalation decisions and maintains the chronological record (war room log). This does not have to be the most technical analyst — it needs to be the best communicator under pressure.
  • Technical analysts: perform detection, forensics, containment and eradication. On small teams, one analyst may take on multiple roles; in P1 incidents, it is advisable to separate analysis, forensics and operational containment.
  • Legal: assesses notification obligations (LGPD, BACEN, CVM), advises on evidence preservation for litigation and manages communication with authorities.
  • Communications and public relations: prepares messages for customers, the press and regulators. The absence of this role in incidents with public exposure is one of the most frequent causes of amplified reputational damage.
  • Business manager: makes decisions involving trade-offs between security and operational continuity — such as deciding whether a critical system should be isolated immediately or monitored for longer.
  • Data protection officer (DPO): required by the LGPD; assesses whether personal data was exposed and coordinates notification to the ANPD and to data subjects.

Playbooks by incident type

A playbook is a step-by-step procedure for a specific type of incident. Quality playbooks reduce response time, decrease errors under pressure and allow less experienced analysts to conduct the initial response safely. The essential types are:

  • Ransomware and double extortion: immediate isolation, evidence preservation, backup assessment, decision on payment (legal + C-level), regulatory communication.
  • Credential compromise / ATO: identifying the scope of access, revoking sessions, forced reset, MFA review, investigation of lateral movement.
  • Data leak: identifying the volume and nature of the data, mapping affected data subjects, engaging the DPO, notifying the ANPD within 3 business days.
  • DDoS: activating mitigation (CDN/scrubbing center), assessing operational impact, communicating with the ISP, post-attack monitoring for variants.
  • BEC/EAC (business email compromise): blocking the compromised account, tracing financial transactions, contacting the bank within 1 hour for reversal, legal communication.
  • Unauthorized access to critical systems: analyzing access logs, identifying changes to configurations or data, assessing persistent backdoors.

Maturity metrics: MTTD and MTTR

Two metrics are universally adopted to measure the efficiency of an IR program:

Metric Definition Benchmark (IBM 2024) Mature target
MTTD Average time between the start of an incident and its detection 194 days (global) Under 30 days
MTTR Average time between detection and containment/resolution 64 days (global) Under 7 days (P1)

In addition to these, mature programs track incident volume by severity per month, the false-positive rate in the SIEM, playbook coverage (% of incident types with a documented playbook) and regulatory notification time.

Essential IR tools

No tool replaces process and people, but the absence of adequate technology severely limits the ability to respond at scale.

  • SIEM (Security Information and Event Management): aggregates and correlates logs from multiple sources in real time. Examples: Microsoft Sentinel, Splunk, IBM QRadar, Elastic SIEM. Its effectiveness depends on the quality of the correlation rules and the coverage of data sources.
  • EDR/XDR (Endpoint/Extended Detection and Response): deep endpoint visibility with the ability to isolate remotely, collect forensic data and respond automatically. Examples: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint.
  • SOAR (Security Orchestration, Automation and Response): automates repetitive workflows — alert enrichment, notifications, ticket creation — and integrates disparate tools into executable playbooks. It reduces MTTR by eliminating low-value manual tasks.
  • Forensic platforms: enable the acquisition and analysis of volatile memory (Volatility), disk images (FTK, Autopsy, Axiom) and network traffic (Wireshark, Zeek). Essential for attribution and for preserving evidence with a chain of custody.
  • Threat intelligence: IoC (indicator of compromise) feeds, platforms such as MISP or OpenCTI, and tactical intelligence on TTPs (MITRE ATT&CK) guide the investigation and reduce analysis time.
  • Incident management platform: records the timeline, task assignments, evidence and communications in a single auditable location. It can be a dedicated system (PagerDuty, TheHive) or integrated into the SOAR.

In-house IR versus external retainer

The decision between building an in-house IR team or hiring an external retainer depends on size, regulation and risk profile. In-house teams have context about the environment, immediate access to systems and sub-hour response capability — but they require ongoing investment in salaries, tools, training and retention. The Brazilian market has a chronic shortage of senior IR analysts, which makes this equation unfavorable for companies under 500 employees.

An IR retainer contracted with an SLA guarantees access to a multidisciplinary team of specialists — digital forensics, threat hunting, cyber legal, crisis communication — without the fixed cost of a dedicated team. The most efficient model for mid-sized companies is the hybrid one: an in-house security coordinator who knows the environment and maintains day-to-day operations, with an external retainer that can be activated 24x7 for P1 and P2 incidents.

Regulatory obligations in Brazil

Incident response in Brazil operates under a growing set of legal obligations that determine the deadlines and recipients of notifications:

  • LGPD / ANPD (Resolution CD/ANPD No. 15/2024): incidents involving personal data with relevant risk or harm to data subjects must be reported to the ANPD and to the data subjects within 3 business days of becoming aware of the incident. The report must include the nature of the data, the number of data subjects, the containment measures and the DPO's details.
  • Central Bank (BCB Resolution No. 85/2021 and Circular No. 3.909): financial institutions regulated by BACEN must report relevant incidents within 72 hours and adopt a Cybersecurity Policy with a documented and tested IR plan.
  • ANATEL: telecommunications providers follow specific regulations for incidents that affect the continuity or confidentiality of services.
  • ISO/IEC 27035: an international standard that structures the process of managing information security incidents, complementary to NIST SP 800-61 and adopted as a reference in ISO 27001 compliance audits.

Organizations that operate across multiple regulated sectors must map all applicable obligations in their IR plan — failure to meet notification deadlines, regardless of the technical quality of the response, constitutes a standalone violation.

References

  • NIST SP 800-61 Revision 2 — Computer Security Incident Handling Guide (2012), National Institute of Standards and Technology.
  • SANS Institute — Incident Handler's Handbook, Patrick Kral (2011).
  • ISO/IEC 27035-1:2023 — Information technology — Information security incident management.
  • IBM Security — Cost of a Data Breach Report 2024.
  • ANPD — Resolution CD/ANPD No. 15, of April 24, 2024.
  • MITRE ATT&CK Framework — Adversarial Tactics, Techniques, and Common Knowledge, version 15.

Frequently asked questions

What is the difference between the NIST SP 800-61 cycle and the SANS PICERL model?
NIST SP 800-61 organizes the response into four phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The SANS PICERL model breaks the third phase into smaller steps — Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned — offering greater operational granularity. In practice, the two approaches are complementary: NIST provides the governance structure, and PICERL guides the technical team during the crisis.
How quickly must a company notify the ANPD after an incident involving personal data?
The LGPD and Resolution CD/ANPD No. 15/2024 require the controller to notify the ANPD and the affected data subjects within 3 business days of becoming aware of the incident, where there is relevant risk or harm. The notification must describe the nature of the data, the number of affected data subjects, the containment measures taken and the name of the Data Protection Officer (DPO). Unjustified delays constitute a violation subject to administrative sanctions.
What are MTTD and MTTR, and why do these metrics matter?
MTTD (Mean Time to Detect) is the average time between the start of an incident and its detection; MTTR (Mean Time to Respond) is the average time between detection and containment or resolution. These metrics quantify the maturity of the response program: a high MTTD indicates monitoring failures or insufficient log coverage; a high MTTR points to playbook bottlenecks, lack of automation or a slow decision structure. Industry benchmarks (IBM Cost of a Data Breach 2024) record a global average MTTD of 194 days — organizations with mature SIEM and SOAR reduce that number to under 30 days.
When is it worth hiring an IR retainer instead of building an in-house team?
In-house teams offer environment context and immediate response, but they require ongoing investment in training, tools and talent retention — unfeasible for most SMEs. An IR retainer guarantees access to a multidisciplinary team of specialists available 24x7 under a contractual SLA, often at a lower cost than a single senior analyst. The hybrid model — an in-house coordinator plus an external retainer — is the most widely adopted by mid-sized companies in Brazil.
Which playbooks are mandatory in a minimum incident response program?
A minimum program should cover: (1) ransomware and double extortion; (2) credential compromise and account takeover (ATO); (3) data leak or exfiltration; (4) denial-of-service attack (DDoS); (5) business email compromise (BEC/EAC); (6) unauthorized access to critical systems. Each playbook should contain activation triggers, a decision tree, escalation contacts, evidence to preserve and closure criteria.
Do IR tools replace specialized consulting?
No. SIEM, EDR, SOAR and forensic platforms reduce detection time and automate repetitive tasks, but they do not replace human judgment in high-uncertainty situations — such as threat attribution, deciding whether to isolate critical production systems, or negotiating with ransomware actors. Poorly calibrated tools generate a volume of alerts without context (alert fatigue) and can create a false sense of security. Investment in technology must be matched by proportional investment in people and processes.

How Decripte handles incident response

Decripte offers 24x7 incident response and digital forensics for organizations of 1 to more than 100,000 employees. Our team combines IR analysts, forensics specialists, cyber legal and crisis communication — available within minutes via a retainer or a one-off contract. We work on immediate containment, root-cause analysis, evidence preservation with a chain of custody, regulatory notification (LGPD/ANPD, BCB) and post-incident review with an improvement plan. For companies that want to be ready before an incident happens, we offer the Incident Response plan with preparation, tabletop exercises and priority access to the team. Explore the Incident Response plan or get started for free with the Threat Plan.