When SolarWinds disclosed in December 2020 that threat actors had compromised their Orion software update mechanism — affecting up to 18,000 organizations including multiple U.S. government agencies — it became the most significant supply chain attack in modern history. The organizations that responded effectively didn't improvise. They followed tested cyber incident response steps that they'd drilled before the crisis hit. The ones that floundered? They were writing their playbook while the building burned.

I've worked through enough incidents to know the difference between a team that's prepared and one that isn't. This guide covers the exact cyber incident response steps that seasoned professionals follow — not theory, but what actually happens when the alerts start firing and executives start calling.

Why Most Incident Response Plans Fail Before They Start

Here's something the Verizon 2020 Data Breach Investigations Report made painfully clear: 72% of breaches involving large organizations took months or longer to discover. The problem isn't that organizations lack an incident response plan. Most have one buried somewhere on a SharePoint site. The problem is that nobody has read it since it was written, and it hasn't been tested against a realistic scenario.

I've seen organizations with 40-page incident response documents that couldn't answer basic questions during an actual breach: Who makes the call to isolate a network segment? When do we contact legal? Who talks to the press? These aren't theoretical concerns. They're the questions that paralyze teams at 2 AM on a Saturday when ransomware has encrypted half the file servers.

A plan that hasn't been exercised is just a document. And a document doesn't stop a data breach.

The 6 Cyber Incident Response Steps Professionals Actually Follow

The gold standard framework comes from NIST Special Publication 800-61, the Computer Security Incident Handling Guide. It breaks incident response into phases that build on each other. But I'm going to tell you what each phase looks like in practice — not just in a PDF.

Step 1: Preparation — The Step Everyone Skips

Preparation isn't sexy. Nobody gets promoted for building an incident response toolkit. But it's the single step that determines whether everything else succeeds or collapses.

Preparation means having:

  • A documented, reviewed, and tested incident response plan with clear roles and escalation paths
  • An incident response team with defined members from IT, security, legal, communications, and executive leadership
  • Pre-established relationships with external forensics firms, law enforcement contacts, and your cyber insurance carrier
  • A communication plan that covers internal notifications, regulatory obligations, and media response
  • Baseline configurations and network maps so you can identify what's abnormal
  • Employees trained to recognize and report social engineering, phishing, and suspicious activity

That last point is critical. Your employees are your earliest detection layer. Organizations that invest in cybersecurity awareness training detect incidents faster because their people know what to look for and aren't afraid to report it.

I've responded to incidents where the initial phishing email was reported by a user within minutes — and incidents where the same type of email sat unreported for three weeks. The difference wasn't technology. It was training.

Step 2: Detection and Analysis — Where the Clock Starts

Detection is the moment you shift from normal operations to incident mode. It can come from a SIEM alert, an endpoint detection tool, a user report, or an external notification from a partner, customer, or law enforcement agency like the FBI's Internet Crime Complaint Center (IC3).

The analysis phase is where I see the most mistakes. Teams rush to containment before they understand what they're dealing with. You need to answer several questions first:

  • What type of incident is this? Ransomware? Credential theft? Data exfiltration? An insider threat?
  • What systems are affected, and what's the blast radius?
  • Is the threat actor still active in the environment?
  • What's the timeline? When did initial compromise likely occur?
  • What data is at risk?

Document everything from this point forward. Timestamps, screenshots, log entries, who did what and when. This documentation will matter for legal proceedings, regulatory reporting, insurance claims, and your own post-incident review.

One critical mistake to avoid: rebooting compromised machines. Volatile memory contains evidence — running processes, network connections, loaded malware — that disappears the moment you power cycle. Image the drive. Capture memory. Then proceed.
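The "document everything" and evidence-capture points above are easier to defend later if the record itself is tamper-evident. The following is an added example, not code from the original article: a minimal hash-chained incident log in Python, where each entry records actor, action, timestamp and the SHA-256 of any captured image, and verification flags any edited, removed or reordered entry. The function names and the sample timeline are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # the first entry chains to this placeholder hash

def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys) keeps the hash reproducible on verification.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log: List[dict], actor: str, action: str,
                 evidence_sha256: Optional[str] = None,
                 when: Optional[str] = None) -> dict:
    """Append one timeline record chained to the previous entry's hash."""
    entry = {
        "seq": len(log) + 1,
        "time": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,                      # who did it
        "action": action,                    # what was done
        "evidence_sha256": evidence_sha256,  # hash of a captured image, if any
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)       # covers every field above
    log.append(entry)
    return entry

def verify_log(log: List[dict]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, first bad index).
    An edited field, a removed entry or a reordered entry breaks the chain."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["seq"] != i + 1 or entry["prev"] != prev
                or _entry_hash(body) != entry["hash"]):
            return False, i
        prev = entry["hash"]
    return True, -1

if __name__ == "__main__":
    # Constructed sample timeline for a ransomware alert (not a real incident).
    timeline: List[dict] = []
    append_entry(timeline, "analyst1", "SIEM alert: mass file renames on FS01")
    append_entry(timeline, "analyst1", "FS01 left running; memory captured",
                 evidence_sha256=hashlib.sha256(b"constructed memdump").hexdigest())
    append_entry(timeline, "ir-lead", "FS01 moved to quarantine VLAN")
    print("chain intact:", verify_log(timeline))
    timeline[1]["action"] = "FS01 rebooted"  # simulate a later edit
    print("after tampering:", verify_log(timeline))
```

In practice the log would be appended to write-once storage and the evidence hashes computed over the actual memory and disk images at capture time.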

Step 3: Containment — Stop the Bleeding Without Killing the Patient

Containment has two sub-phases: short-term and long-term. Short-term containment stops the immediate damage. Long-term containment keeps things stable while you prepare for eradication.

Short-term containment might include:

  • Isolating affected network segments
  • Disabling compromised user accounts
  • Blocking known malicious IPs and domains at the firewall
  • Taking affected servers offline or moving them to a quarantine VLAN

Long-term containment is about keeping business operations running while you work the problem. This might mean standing up clean systems from known-good backups, implementing additional monitoring on unaffected segments, or deploying temporary multi-factor authentication requirements on sensitive systems that didn't previously require them.

Here's a real-world lesson I keep learning: the urge to "just wipe everything and start over" is strong, especially from executives who want the problem gone. Resist it until you've completed forensic analysis. If you don't understand the initial access vector, you'll rebuild the same vulnerability right back into production.

Step 4: Eradication — Removing the Threat Actor Completely

Eradication means eliminating the root cause and every artifact the threat actor left behind. This is harder than it sounds, especially with sophisticated attackers who establish multiple persistence mechanisms.

Eradication typically involves:

  • Removing malware, backdoors, and unauthorized accounts
  • Patching the vulnerability that enabled initial access
  • Resetting credentials — not just for compromised accounts, but potentially for service accounts and privileged accounts that may have been exposed
  • Rebuilding compromised systems from known-clean images
  • Verifying that backup integrity hasn't been compromised

During the 2020 SolarWinds incident, CISA issued Emergency Directive 21-01 requiring federal agencies to disconnect or power down affected Orion products. That's an extreme eradication step, but it illustrates the principle: if you can't trust a system, remove it from the environment entirely.

In ransomware incidents, eradication often means determining whether the threat actor exfiltrated data before encrypting it — the double extortion model that groups like Maze and REvil popularized this year. Eradicating the ransomware itself is meaningless if stolen data is already being used for leverage.

Step 5: Recovery — Bringing Systems Back with Confidence

Recovery is the process of restoring systems to normal operations. The key word is confidence. You need to be confident that the threat has been eliminated, that restored systems are clean, and that you're monitoring closely enough to catch any resurgence.

Recovery steps include:

  • Restoring systems from verified clean backups
  • Gradually reconnecting isolated network segments with enhanced monitoring
  • Validating system integrity through vulnerability scanning and configuration review
  • Implementing additional security controls identified during analysis — this is your opportunity to close gaps
  • Monitoring restored systems intensively for 30-90 days post-recovery

Don't rush this phase. I've seen organizations declare recovery complete on a Friday afternoon, only to find the same threat actor back in the environment Monday morning through a persistence mechanism that was missed during eradication. Patience here prevents repeat incidents.

Step 6: Lessons Learned — The Step That Makes You Stronger

This is the most valuable step and the one most often skipped. Within two weeks of incident closure, bring together everyone involved for a blameless post-incident review.

Answer these questions honestly:

  • How did the threat actor gain initial access?
  • How long were they in the environment before detection?
  • What worked in our response? What didn't?
  • Were there security awareness gaps that contributed to the incident?
  • What tools, processes, or training would have changed the outcome?
  • Do we need to update our incident response plan based on what we learned?

Write it up. Share it with leadership. Use it to justify budget requests and process changes. An incident that doesn't produce improvements is a wasted crisis.

What Are the Key Cyber Incident Response Steps?

The six core cyber incident response steps are: Preparation, Detection and Analysis, Containment (short-term and long-term), Eradication, Recovery, and Lessons Learned. This framework comes from NIST SP 800-61 and represents the industry-standard approach used by security teams worldwide. Each phase builds on the previous one, and skipping any step — especially Preparation and Lessons Learned — dramatically increases the risk of a worse outcome or a repeat incident.

Where Security Awareness Fits Into Incident Response

Every phase of incident response is improved when your people are trained. In the Preparation phase, employees who've completed phishing awareness training are more likely to recognize a phishing simulation — and more importantly, a real attack. In the Detection phase, trained users report suspicious emails faster, shrinking the window between compromise and response.

The Cybersecurity and Infrastructure Security Agency (CISA) has consistently emphasized that human behavior is a critical layer in any security program. Phishing remains the top initial access vector according to the Verizon DBIR year after year. All the endpoint detection tools in the world won't help if an employee hands over credentials to a convincing phishing page.

Security awareness isn't a checkbox exercise. It's an operational control that directly impacts how quickly you detect incidents and how effectively you contain them.

The $4.88M Reason to Get This Right

IBM and Ponemon Institute's 2020 Cost of a Data Breach Report found the global average cost of a data breach was $3.86 million. But organizations with an incident response team and a tested incident response plan saved an average of $2 million per breach compared to those without.

That's not a rounding error. That's the difference between a painful but survivable event and an existential threat — especially for mid-size organizations.

The same report found that the average time to identify and contain a breach was 280 days. Organizations that identified breaches in under 200 days saved over $1 million on average. Speed matters. And speed comes from preparation, training, and tested processes — not from scrambling after the fact.

Building Your Incident Response Capability Now

If you don't have a tested incident response plan today, here's what I'd prioritize this week:

  • Designate your incident response team. Name specific people. Include IT, security, legal, HR, communications, and an executive sponsor. Don't just list titles — list names and phone numbers.
  • Draft a one-page escalation guide. Who gets called for what severity level? What constitutes a Severity 1 vs. a Severity 3? Keep it simple enough to use at 2 AM.
  • Run a tabletop exercise. Pick a realistic scenario — ransomware hitting your file servers, a compromised executive email account, a vendor breach affecting your data. Walk through each of the six cyber incident response steps. You'll find gaps immediately.
  • Enroll your team in cybersecurity awareness training. Your people need to recognize threats before they become incidents. This is the single highest-ROI investment in your security posture.
  • Establish relationships with external resources before you need them. Forensic firms, your cyber insurance carrier's breach hotline, your local FBI field office, and legal counsel with breach notification experience. You don't want to be Googling these during an active incident.

The threat landscape in 2020 has been relentless. Between the rapid shift to remote work, the explosion of ransomware, supply chain attacks like SolarWinds, and increasingly sophisticated social engineering campaigns, the question isn't whether your organization will face an incident. It's when. And when it happens, the quality of your response will be determined entirely by the work you do before the first alert fires.

Get your cyber incident response steps documented. Test them. Train your people. Then do it all again next quarter. That's what actually works.