An incident response plan tells your team exactly what to do when something goes wrong. Without one, the average data breach costs small businesses $120,000 and takes 280 days to contain.

The four phases of incident response

NIST SP 800-61 defines four phases: preparation, detection and analysis, containment and eradication, and recovery.

1. Preparation

You need a documented plan, a response team with defined roles, and the tools required to execute. At minimum: a contact list, offline backups, a clean laptop for forensics, and legal counsel.

Role Responsibility Backup
Incident Commander Coordinates response, makes decisions IT lead or owner
Technical Lead Contains the threat, preserves evidence IT staff or MSP contact
Communications Lead Internal and external messaging Office manager
Legal Contact Legal and regulatory obligations Outside counsel

2. Detection and analysis

Common indicators: antivirus alerts, unusual network traffic, locked user accounts, ransom notes. When something looks wrong, assume it is and escalate.

3. Containment and eradication

Isolate affected systems. Disable compromised accounts. Block malicious IPs. Remove malware, patch vulnerabilities, rotate credentials.

4. Recovery

Restore from clean backups. Verify data integrity. Monitor for recurrence. Communicate with customers and regulators as required.

Testing your plan

Run a tabletop exercise every six months. Walk through a scenario with your team and identify gaps. Common gaps include unclear decision authority and backup systems that do not restore.

NIST Incident Response PhasesPhaseKey ActivitiesPriority1. PreparationPlan, team, tools, backupsCritical2. Detection & AnalysisMonitor, alert, escalateCritical3. Containment & EradicationIsolate, remove, patchUrgent4. RecoveryRestore, verify, monitorEssentialNIST SP 800-61 defines these four phases. Preparation is most neglected but most critical.
NIST Incident Response Phases
NIST Incident Response FrameworkPreparationPlan, team, toolsBackups, trainingPRIORITY: CRITICALDetection & AnalysisMonitor, detectAlert, escalatePRIORITY: CRITICALContainment& EradicationIsolate, removePatch, remediatePRIORITY: URGENTRecoveryRestore systemsVerify, monitorPRIORITY: ESSENTIAL‘A simple plan that gets tested is betterthan a complex plan that gathers dust.’NIST SP 800-61 Rev. 3
The NIST Incident Response Framework (SP 800-61 Rev. 3) defines four phases. Preparation is the most neglected but most critical.

Verdict

Start with a single page that defines roles, a 9-step response flow, and a contact list. Test it twice a year. A simple plan that gets tested is infinitely better than a complex plan that gathers dust.

Related articles

This article was reviewed and updated on July 7, 2026. Information may change after publication. Always verify details with the vendor.