
Incident Response
The discipline of detecting, containing, eradicating, and recovering from a cybersecurity breach.
Last refreshed: 24 June 2026
What does a 393-day average dwell time mean for your IR programme?
Timeline for Incident Response
Mentioned in: Splunk lands its first-ever KEV entry
Cybersecurity: Threats and DefencesMentioned in: IR staff pleaded guilty to using ALPHV
Cybersecurity: Threats and DefencesWhat is incident response in cybersecurity?
How long does it take to detect hackers inside a company network?
What is the difference between NIST and SANS incident response frameworks?
Background
Incident Response (IR) is the structured discipline for managing a cybersecurity breach from initial detection through to recovery and lessons-learned. The canonical lifecycle comes from two competing frameworks that have converged in practice: NIST SP 800-61 (Preparation, Detection and Analysis, Containment, Eradication, Recovery) and the SANS/PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Enterprise organisations typically retain an external IR firm on retainer, complementing internal SOC capability for major incidents that exceed internal capacity.
The headline performance metric for IR programmes is dwell time: the gap between attacker first-access and defender detection. Mandiant's M-Trends 2026 report set a 393-day average dwell time benchmark for the UNC5221 BRICKSTORM campaign, a figure substantially higher than the global median and explained partly by the campaign's exploitation of log-source coverage gaps in enterprise SIEMs. Recovery Denial is an accelerating ransomware tactic in which attackers deliberately target backup and disaster-recovery infrastructure before detonating ransomware, extending the IR window and inflating recovery costs.
The Goldberg-Martin case (2026) introduced a distinct IR risk category: insider abuse. Ryan Goldberg, an IR professional at Sygnia, and Kevin Martin, a ransomware negotiator at DigitalMint, pleaded guilty to using ALPHV/BlackCat ransomware against victims they were engaged to assist. The case prompted a sector-wide review of access controls and personnel screening at IR vendors. For buyers procuring IR services, it added a due-diligence requirement for personnel-control verification alongside technical competence assessment.