The Breach That Exposed a Missing Playbook
In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack gave threat actors access to critical systems. The attackers called the help desk, impersonated an employee, and got in. What made the damage so severe wasn't just the initial compromise — it was the chaos that followed. Their cyber incident response steps either didn't exist in a usable form or fell apart under pressure.
I've worked incidents where the technical team knew exactly what to do and incidents where everyone froze. The difference almost always comes down to whether someone documented, practiced, and pressure-tested a real response plan before the crisis hit.
This post walks you through the cyber incident response steps that seasoned professionals actually follow during a breach — not the sanitized textbook version, but the practical sequence that keeps a bad day from becoming an extinction event.
What Are Cyber Incident Response Steps?
Cyber incident response steps are the structured phases an organization follows when detecting, containing, and recovering from a security incident. The most widely adopted framework comes from NIST's Computer Security Incident Handling Guide (SP 800-61), which breaks the process into four core phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity.
Every organization — whether you have 20 employees or 20,000 — needs these steps documented, accessible, and rehearsed. The framework scales. Your excuses don't.
Step 1: Preparation — The Phase Everyone Skips
Here's what actually happens at most organizations: they buy security tools, assume the vendor handles incidents, and never build a response plan. Then ransomware hits on a Friday night and nobody knows who to call.
What Preparation Really Looks Like
- Identify your incident response team. Names, roles, phone numbers, backup contacts. Print it out. Servers might be encrypted when you need it.
- Define what counts as an incident. A phishing email someone reported? A confirmed credential theft? A ransomware note on a shared drive? Your team needs clear escalation criteria.
- Train your people. Technical staff need tabletop exercises. Everyone else needs cybersecurity awareness training so they can recognize and report threats before they escalate.
- Establish communication channels. If your email is compromised, how does the team coordinate? Out-of-band communication — a separate messaging platform, a phone tree — is non-negotiable.
- Pre-engage legal and forensics. Negotiating retainer agreements during an active breach is like shopping for insurance while your house burns.
Preparation is where 80% of incident response success is determined. I've seen well-prepared 50-person companies outperform Fortune 500 firms that treated their IR plan as a compliance checkbox.
Step 2: Detection and Analysis — Finding the Fire
The Verizon 2024 Data Breach Investigations Report found that the median time for a user to fall for a phishing email is less than 60 seconds. Detection speed matters because every minute a threat actor operates undetected, your exposure multiplies.
Practical Detection Priorities
- Monitor for indicators of compromise (IOCs). Unusual login locations, impossible travel alerts, spikes in data exfiltration, new admin accounts appearing — these are your early warning signals.
- Correlate alerts, don't just collect them. A single failed login is noise. Fifty failed logins followed by a successful one from a new device at 3 AM is a story.
- Empower employees to report. Your staff are sensors. Organizations that run regular phishing awareness training for their teams detect phishing simulations and real attacks faster because employees know what to look for and aren't afraid to speak up.
- Document everything from the start. Timestamps, affected systems, screenshots, log snippets. This evidence chain feeds every phase that follows, including legal and regulatory obligations.
Analysis means answering three questions fast: What happened? What's affected? Is it still happening?
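The "fifty failed logins followed by a successful one from a new device at 3 AM" pattern, as a small correlation rule over constructed sample events (added example, not code from the original post; the log format, the `KNOWN_SOURCES` baseline and the threshold of 5 are assumptions for the demo):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) sshd (FAILED|ACCEPTED) user=(\S+) src=(\S+)$")

# Constructed sample events (not from any real system): eight failures in under
# a minute, then a success from an address this user has never used, at 03:00 UTC.
SAMPLE_LOG = "\n".join(
    [f"2024-03-02T02:58:{s:02d}Z sshd FAILED user=jdoe src=203.0.113.7"
     for s in range(10, 50, 5)]
    + ["2024-03-02T03:00:12Z sshd ACCEPTED user=jdoe src=203.0.113.7",
       # normal daytime login from a known address, and one typo then success: noise
       "2024-03-02T09:15:00Z sshd ACCEPTED user=jdoe src=198.51.100.10",
       "2024-03-02T09:16:00Z sshd FAILED user=asmith src=198.51.100.22",
       "2024-03-02T09:16:30Z sshd ACCEPTED user=asmith src=198.51.100.22"])

# Constructed baseline of source addresses each user normally logs in from.
KNOWN_SOURCES = {"jdoe": {"198.51.100.10"}, "asmith": {"198.51.100.22"}}

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def correlate(log_text, known_sources, threshold=5, window=timedelta(minutes=10)):
    """Alert when a user has >= threshold failures inside `window` and then a
    success; severity rises if the source is new for that user or off-hours."""
    recent_failures = defaultdict(deque)  # user -> timestamps of failures in window
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, src = ev
        q = recent_failures[user]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if outcome == "FAILED":
            q.append(ts)
            continue
        if len(q) >= threshold:           # success after a burst: that's the story
            new_source = src not in known_sources.get(user, set())
            off_hours = ts.hour < 6
            alerts.append({"user": user, "src": src, "failures": len(q),
                           "new_source": new_source, "off_hours": off_hours,
                           "severity": "high" if new_source and off_hours else "medium"})
        q.clear()                         # a success ends the burst either way
    return alerts
```

Single failures and a daytime login from a known address produce nothing; only the burst-then-success from an unfamiliar source at 03:00 is raised, and it is raised once.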
Step 3: Containment — Stop the Bleeding
Containment is where adrenaline meets discipline. The instinct is to shut everything down. That instinct is often wrong.
Short-Term Containment
Isolate affected systems from the network without powering them off. Killing a machine destroys volatile memory — the forensic goldmine that tells you exactly what the threat actor did. Segment the network. Block malicious IPs. Disable compromised accounts. If credential theft is confirmed, force password resets for affected users and enforce multi-factor authentication immediately.
Long-Term Containment
Once you've stopped the active bleeding, build a clean environment to operate from. Patch the vulnerability that was exploited. Apply zero trust principles: verify every user, device, and connection before granting access to rebuilt systems. This is not the time for convenience — it's the time for control.
A critical mistake I see repeatedly: containing the incident but leaving the attacker's persistence mechanisms in place. Backdoors, scheduled tasks, rogue SSH keys — if you don't hunt for these, you'll be back here in a week.
Step 4: Eradication — Remove the Root Cause
Containment is a tourniquet. Eradication is surgery. You need to identify and eliminate every artifact the attacker left behind.
- Remove malware, backdoors, and unauthorized accounts from all affected systems.
- Identify the root cause. Was it an unpatched server? A phishing email that led to credential theft? A misconfigured cloud storage bucket?
- Scan your environment broadly, not just the systems you know were compromised. Threat actors move laterally. If they were in one server, assume they explored others.
- Rebuild compromised systems from known-good images. Cleaning an infected system is a gamble. Rebuilding is a guarantee.
Skip this step or rush it, and you're just setting up a sequel to the same breach.
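The persistence hunt called for in Step 3 (backdoors, scheduled tasks, rogue SSH keys) and the unauthorized-account sweep in Step 4 both reduce to the same check: diff the host's current state against a known-good baseline captured during preparation. Added example, not code from the original post; the snapshots below are constructed and the key strings are placeholders:

```python
# Constructed snapshots (not real keys, hosts or jobs): a known-good baseline
# recorded during preparation, and the state of a contained host after the incident.
BASELINE = {
    "authorized_keys": {
        "/home/deploy/.ssh/authorized_keys": "ssh-ed25519 AAAAC3_PLACEHOLDER_KEY deploy@laptop\n",
    },
    "crontab": "0 2 * * * /usr/local/bin/backup.sh\n",
    "accounts": "root:x:0:0::/root:/bin/bash\ndeploy:x:1001:1001::/home/deploy:/bin/bash\n",
}
CURRENT = {
    "authorized_keys": {
        "/home/deploy/.ssh/authorized_keys":
            "ssh-ed25519 AAAAC3_PLACEHOLDER_KEY deploy@laptop\n"
            "ssh-rsa AAAAB3_PLACEHOLDER_UNKNOWN\n",                  # key nobody issued
        "/root/.ssh/authorized_keys": "ssh-rsa AAAAB3_PLACEHOLDER_UNKNOWN\n",  # new file
    },
    "crontab": "0 2 * * * /usr/local/bin/backup.sh\n"
               "*/5 * * * * /tmp/.x/update.sh\n",                    # new scheduled task
    "accounts": "root:x:0:0::/root:/bin/bash\ndeploy:x:1001:1001::/home/deploy:/bin/bash\n"
                "support2:x:1002:1002::/home/support2:/bin/bash\n",  # account nobody created
}

def entries(text):
    """Non-comment lines with whitespace normalised, so reordering or padding cannot hide a change."""
    return {" ".join(l.split()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def usernames(passwd_text):
    return {line.split(":")[0] for line in entries(passwd_text)}

def hunt_persistence(baseline, current):
    """Return (kind, location, value) for every artefact present now but absent from the baseline."""
    findings = []
    for path, text in current["authorized_keys"].items():
        known = entries(baseline["authorized_keys"].get(path, ""))  # unknown file -> everything is new
        for key in sorted(entries(text) - known):
            findings.append(("ssh_key", path, key))
    for job in sorted(entries(current["crontab"]) - entries(baseline["crontab"])):
        findings.append(("cron", "crontab", job))
    for user in sorted(usernames(current["accounts"]) - usernames(baseline["accounts"])):
        findings.append(("account", "/etc/passwd", user))
    return findings
```

Run the same diff across every host in scope, not only the one that raised the alert, which is the "scan broadly" point above; a clean diff is evidence for rebuilding from a known-good image, not a reason to skip it.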
Step 5: Recovery — Getting Back to Business
Recovery is restoring systems to normal operations while watching like a hawk for any sign the threat actor is still present.
A Measured Return to Operations
Bring systems back online in phases. Start with the most critical business functions. Monitor restored systems with heightened alertness — increased logging, tighter alert thresholds, and active threat hunting for at least 30 to 90 days post-incident.
Validate backups before you restore them. I've seen organizations recover from ransomware using backups that were also compromised — the attacker had been in the environment for months and the backup cycle had faithfully preserved their malware.
Coordinate with your communications team. Customers, regulators, partners, and employees may all need to be notified depending on the scope of the data breach and applicable laws.
Step 6: Post-Incident Activity — The Phase That Pays Dividends
This is the most undervalued step in the entire cyber incident response process. Most teams are so exhausted after recovery that they skip the debrief. That's how organizations get breached the same way twice.
Run a Blameless Post-Mortem
- What happened, in precise technical and chronological detail?
- What worked in your response? What failed?
- Where were the gaps in detection, communication, or authority?
- What specific changes to tools, processes, or training will prevent recurrence?
Document the lessons formally. Update your incident response plan. Feed findings back into your security awareness program. If the breach started with a phishing email — and according to CISA, phishing remains the most common initial access vector for ransomware — then your phishing simulation cadence and training content need to evolve.
The Mistake That Ties All Six Steps Together
The single biggest mistake I see across organizations of every size is treating incident response as an IT problem. It's not. It's a business problem that requires coordination between IT, legal, HR, communications, and executive leadership.
Your CEO doesn't need to understand packet captures. But they need to know their role during an incident, who makes the call on paying a ransom demand, and when to notify law enforcement. These decisions can't be made in the moment — they have to be decided in advance during the preparation phase.
Build Your Foundation Before the Next Incident
Every set of cyber incident response steps is only as strong as the people executing them. The most sophisticated playbook in the world fails if an employee clicks a credential harvesting link and nobody reports it for three days.
Start with your people. Build a culture where security awareness is continuous, not annual. Equip your workforce with practical cybersecurity awareness training and run ongoing phishing simulations that reflect the social engineering tactics threat actors actually use in 2026.
Your incident response plan is a living document. Test it. Break it. Fix it. Then test it again. Because the next breach isn't a matter of if — it's a matter of when, and how ready your team will be when it arrives.