█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Incident Response/What is Incident Response?
30 minBeginner

What is Incident Response?

After this lesson, you will be able to: Define what counts as a security incident and explain why preparation matters more than reaction.

Every organization will have a security incident eventually, it's just a question of when. Incident Response is the discipline of being ready before that day arrives.

Prerequisites:Intro to Cybersecurity

Event vs incident

An event is anything observable on a system (a login, a file write, a network connection). An incident is an event (or chain of events) that violates security policy or threatens CIA. Most events are noise. The art of IR is finding the signal, and acting on it fast.

The NIST IR lifecycle

Preparation, build the team, plan, and tools before you need them. Detection & Analysis, recognize an incident and understand its scope. Containment, stop the bleeding. Eradication, remove the attacker and the malware. Recovery, restore systems and verify they're clean. Post-Incident, write the report, update controls, learn.

Preparation
team, plan, tools
→
Detection & Analysis
recognize and scope
→
Containment
stop the bleeding
→
Eradication
remove the attacker
→
Recovery
restore and verify clean
→
Post-Incident
report and learn
↩loops back to Preparation
The NIST IR lifecycle. Post-Incident feeds directly back into Preparation, so every incident makes the next response faster.

💡 The hardest part is recognition

Most incidents go undetected for days or weeks (median dwell time in 2024 reports is ~10 days). Detection is where most defense investment should go, you can't respond to what you don't see.

Why preparation beats heroism

Without a plan, IR turns into improv: who calls the lawyer? who isolates the host? who talks to the press? A pre-built runbook with named owners, tested in a tabletop exercise, turns a terrifying 3am page into a methodical execution.

Quick Check

An employee clicks a phishing link. Event or incident?

Choose the right framing.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
Back to Incident Response
Preparation and Planning→