Skip to content
You can now search across every topic, entity and event.What's new
Incident Response
Concept

Incident Response

The discipline of detecting, containing, eradicating, and recovering from a cybersecurity breach.

Last refreshed: 24 June 2026

Key Question

What does a 393-day average dwell time mean for your IR programme?

Timeline for Incident Response

#818 Jun

Mentioned in: Splunk lands its first-ever KEV entry

Cybersecurity: Threats and Defences
#112 Mar

Mentioned in: IR staff pleaded guilty to using ALPHV

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
What is incident response in cybersecurity?
Incident Response (IR) is the structured process of detecting, containing and recovering from cybersecurity breaches. It involves forensic investigation, malware removal, credential rotation, and system restoration, typically performed by specialist firms or in-house security teams.
How long does it take to detect hackers inside a company network?
Mandiant's M-Trends 2026 report documented a 393-day average dwell time for UNC5221 BRICKSTORM intrusions, meaning Chinese state-linked attackers remained inside enterprise networks for over a year on average before detection.Source: Mandiant M-Trends 2026
What is the difference between NIST and SANS incident response frameworks?
NIST SP 800-61 defines four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. The SANS/PICERL model splits these into six named phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). In practice they are nearly identical; PICERL is more commonly used in IR playbooks because each phase has a clear action-verb name, making it easier to track status during an active incident.Source: NIST SP 800-61 / SANS Institute

Background

Incident Response (IR) is the structured discipline for managing a cybersecurity breach from initial detection through to recovery and lessons-learned. The canonical lifecycle comes from two competing frameworks that have converged in practice: NIST SP 800-61 (Preparation, Detection and Analysis, Containment, Eradication, Recovery) and the SANS/PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Enterprise organisations typically retain an external IR firm on retainer, complementing internal SOC capability for major incidents that exceed internal capacity.

The headline performance metric for IR programmes is dwell time: the gap between attacker first-access and defender detection. Mandiant's M-Trends 2026 report set a 393-day average dwell time benchmark for the UNC5221 BRICKSTORM campaign, a figure substantially higher than the global median and explained partly by the campaign's exploitation of log-source coverage gaps in enterprise SIEMs. Recovery Denial is an accelerating ransomware tactic in which attackers deliberately target backup and disaster-recovery infrastructure before detonating ransomware, extending the IR window and inflating recovery costs.

The Goldberg-Martin case (2026) introduced a distinct IR risk category: insider abuse. Ryan Goldberg, an IR professional at Sygnia, and Kevin Martin, a ransomware negotiator at DigitalMint, pleaded guilty to using ALPHV/BlackCat ransomware against victims they were engaged to assist. The case prompted a sector-wide review of access controls and personnel screening at IR vendors. For buyers procuring IR services, it added a due-diligence requirement for personnel-control verification alongside technical competence assessment.

More questions
How long do attackers typically stay inside a network before being detected?
Global median dwell time has fallen from over 200 days in the early 2010s to around 16 days globally (Mandiant M-Trends 2025). However, sophisticated campaigns with deliberate anti-detection measures remain much longer: Mandiant documented a 393-day average dwell time for UNC5221's BRICKSTORM campaign (M-Trends 2026), partly because the attacker operated through VMware virtualisation logs that were not captured in victims' SIEMs.Source: Mandiant M-Trends 2026
What is Recovery Denial and how does it affect ransomware incident response?
Recovery Denial is a ransomware tactic in which attackers identify and destroy or encrypt backup and disaster-recovery (DR) infrastructure before detonating the main ransomware payload. Without viable backups, victim organisations face a binary choice between paying the ransom and rebuilding from scratch. It significantly extends the IR window, inflates recovery costs, and tests whether offline or immutable backups are in place. IR programmes must now validate backup Integrity and isolation as a pre-incident readiness check.Source: Mandiant M-Trends 2026 / CISA ransomware guidance
How should companies vet an incident response vendor after the Goldberg-Martin case?
The Goldberg-Martin case (2026), in which an IR professional and a ransomware negotiator pleaded guilty to using ALPHV/BlackCat against victims they were engaged to assist, expanded vendor due diligence beyond technical competence. Buyers should now assess: background-check rigour for personnel with privileged access, access-control policies governing victim environment credentials, audit logging of IR firm activity inside client networks, and contractual liability clauses for insider-abuse scenarios.Source: DOJ / Goldberg-Martin prosecution
Why do IR retainers exist and what do they include?
An IR retainer is a pre-agreed contract with an external IR firm, purchased before any incident occurs. It guarantees response time SLAs, pre-loads the vendor with network diagrams and credential escrow so they can act immediately at breach, and is typically cheaper than engaging an IR firm reactively during a live incident (when emergency fees apply). Retainers usually include a set number of pro-active readiness hours (tabletop exercises, playbook reviews) that offset some of the retainer cost.Source: Industry standard practice