Incident Response Plan Template 2026: A Step-by-Step IR Playbook
Why You Need a Tested IR Plan
The $2.66 Million Statistic: IBM's 2025 Cost of a Data Breach Report found that organizations with an incident response team and a regularly tested IR plan experienced breaches that cost $2.66 million less on average ($3.26M vs. $5.92M).
| Factor | Cost Impact | Source |
|---|---|---|
| Having an IR team + tested plan | -$2.66M (saves) | IBM 2025 |
| DevSecOps practices | -$1.68M | IBM 2025 |
| Extensive use of AI/automation | -$2.22M | IBM 2025 |
| Not having an IR plan | +$3.35M (costs more) | IBM 2025 |
| Mean time to identify (with IR plan) | 168 days | IBM 2025 |
| Mean time to identify (without) | 259 days | IBM 2025 |
The 6-Phase IR Framework
Based on NIST SP 800-61r3 (Computer Security Incident Handling Guide):
Phase 1: Preparation
| Element | Details |
|---|---|
| IR Team Roster | Names, roles, contact info (including personal phones) |
| Escalation Matrix | Who to call at what severity level |
| Communication Templates | Pre-written messages for customers, media, regulators |
| Tool Kit | Forensic tools, evidence bags, write blockers, clean laptops |
| Legal Ready | External counsel on retainer, breach notification templates |
| Insurance | Cyber insurance policy details and claims process |
| War Room | Dedicated physical/virtual space for incident coordination |
Phase 2: Detection & Analysis
Severity Classification:
| Severity | Definition | Example | Response Time |
|---|---|---|---|
| SEV-1 (Critical) | Active breach, data exfiltration, ransomware | Customer data actively being stolen | < 15 minutes |
| SEV-2 (High) | Confirmed compromise, no active exfiltration | Unauthorized access to production server | < 1 hour |
| SEV-3 (Medium) | Suspicious activity, unconfirmed | Anomalous login patterns | < 4 hours |
| SEV-4 (Low) | Policy violation, minor security event | Finding from a penetration test | Next business day |
Phase 3: Containment
Short-Term Containment (Stop the Bleeding):
- Isolate affected systems from the network (don't power off: volatile memory holds evidence)
- Block attacker IPs at the firewall/WAF
- Disable compromised accounts
- Revoke compromised API keys and tokens
- Activate pre-defined containment playbooks
Long-Term Containment (Stabilize):
- Apply emergency patches
- Rebuild compromised systems from clean images
- Reset all potentially compromised credentials
- Deploy additional monitoring on affected segments
- Establish an out-of-band communication channel for the IR team (not on potentially compromised infrastructure)
Phase 4: Eradication
- Remove all traces of attacker access (backdoors, persistence mechanisms)
- Scan environment for indicators of compromise (IoCs)
- Verify attackers are fully evicted before restoration
- Update all security tools with new IoCs
Phase 5: Recovery
- Restore systems from verified clean backups
- Monitor restored systems intensively for 30 days
- Gradually return to normal operations
- Verify data integrity
- Re-enable user access in stages
Phase 6: Post-Incident Review
Blameless Post-Mortem Template:
| Section | Content |
|---|---|
| Incident summary | What happened, when, impact |
| Timeline | Minute-by-minute chronology |
| Root cause | Technical and process root causes |
| What went well | Effective responses and detections |
| What could improve | Gaps, delays, communication failures |
| Action items | Specific improvements with owners and deadlines |
| Metrics | Time to detect, time to contain, time to recover |
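To show how the Phase 2 response-time targets and the Phase 6 metrics row fit together, here is an added example (not code from the original article) that computes time to detect, respond, contain and recover from a constructed incident timeline and checks the first response against the severity table. The milestone labels, the sample timestamps and the 24-hour modelling of "next business day" are assumptions of this example.

```python
from datetime import datetime, timedelta

# Response-time targets from the severity table. "Next business day" for SEV-4
# is modelled as 24 hours here; that is an assumption of this example.
RESPONSE_SLA = {
    "SEV-1": timedelta(minutes=15),
    "SEV-2": timedelta(hours=1),
    "SEV-3": timedelta(hours=4),
    "SEV-4": timedelta(hours=24),
}

# Constructed sample timeline for a SEV-2 incident (UTC, ISO-8601).
SAMPLE_TIMELINE = [
    ("2026-03-02T01:10:00", "compromise"),  # estimated initial access, from forensics
    ("2026-03-02T09:40:00", "detected"),    # SIEM alert fired
    ("2026-03-02T10:05:00", "responded"),   # IR team acknowledged and began triage
    ("2026-03-02T12:30:00", "contained"),   # host isolated, credentials reset
    ("2026-03-04T16:00:00", "recovered"),   # rebuilt from clean image, service restored
]

def milestone_time(timeline, milestone):
    """Return the datetime of the first timeline entry labelled `milestone`."""
    for stamp, label in timeline:
        if label == milestone:
            return datetime.fromisoformat(stamp)
    raise ValueError(f"timeline has no '{milestone}' milestone")

def incident_metrics(timeline):
    """Post-mortem metrics in hours: time to detect, respond, contain and recover."""
    names = ("compromise", "detected", "responded", "contained", "recovered")
    t = {m: milestone_time(timeline, m) for m in names}
    def hours(a, b):
        return round((t[b] - t[a]).total_seconds() / 3600, 2)
    return {
        "time_to_detect_h": hours("compromise", "detected"),
        "time_to_respond_h": hours("detected", "responded"),
        "time_to_contain_h": hours("detected", "contained"),
        "time_to_recover_h": hours("contained", "recovered"),
    }

def sla_met(timeline, severity):
    """True if first response came within the response-time target for `severity`."""
    elapsed = milestone_time(timeline, "responded") - milestone_time(timeline, "detected")
    return elapsed <= RESPONSE_SLA[severity]

if __name__ == "__main__":
    for name, value in incident_metrics(SAMPLE_TIMELINE).items():
        print(f"{name:20} {value}")
    print("SEV-2 response target met:", sla_met(SAMPLE_TIMELINE, "SEV-2"))
```

The same timeline would fail the SEV-1 target (25 minutes to first response against a 15-minute target), which is exactly the kind of gap the "What could improve" row should capture.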
Communication Templates
Internal Notification (SEV-1)
SUBJECT: [CONFIDENTIAL] Security Incident - SEV-1 - [Date/Time]
SITUATION: A potential security incident has been detected involving
[brief description]. The IR team has been activated.
IMPACT: [Affected systems/data]. [Number of users potentially affected].
CURRENT STATUS: Containment in progress. [What's being done right now].
ACTIONS REQUIRED:
- Do NOT discuss this incident outside the IR team
- Do NOT contact the media
- Direct all inquiries to [IR Lead name]
NEXT UPDATE: [Time] or sooner if situation changes.
IR Lead: [Name] - [Phone]
Customer Notification
Subject: Important Security Notice from [Company]
Dear [Customer],
We are writing to inform you of a security incident that may have
affected your information.
What happened: [Brief, factual description]
When: [Date discovered, estimated date of incident]
What information was involved: [Specific data types]
What we're doing: [Actions taken and ongoing]
What you can do: [Password reset link, monitoring suggestions]
We sincerely apologize for this incident. We are committed to
protecting your data and have taken steps including [specific measures]
to prevent future incidents.
For questions: [Dedicated support line] | [Support email]
Legal and Regulatory Notification Requirements
| Regulation | Notification Deadline | Who Is Notified |
|---|---|---|
| GDPR | 72 hours | Data Protection Authority + affected individuals |
| CCPA/CPRA | "Without unreasonable delay" | California AG + affected consumers |
| HIPAA | 60 days | HHS + affected individuals + media (if > 500 individuals affected) |
| PCI DSS | Immediately | Card brands (Visa, MC) + acquiring bank |
| SEC (public companies) | 4 business days | SEC filing (8-K) |
| State breach notification laws | Varies (30-90 days) | State AG + affected residents |
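A deadline tracker built from the table above, added here as an example (not part of the original article): it turns the fixed notification windows into concrete timestamps, handles the business-day window separately, and flags which clocks have already run out. It starts every clock from one timestamp, which is a simplification: the triggering event differs by regulation (for the SEC 8-K it is the determination that the incident is material, not discovery), and the business-day arithmetic ignores public holidays; both are assumptions of this example, as are the constructed dates.

```python
from datetime import datetime, timedelta

# Notification windows from the table above. Regulations with no fixed clock
# ("without unreasonable delay") map to None and must be tracked manually.
NOTIFICATION_RULES = {
    "GDPR": ("hours", 72),
    "HIPAA": ("days", 60),
    "SEC 8-K": ("business_days", 4),
    "PCI DSS": ("immediate", 0),
    "CCPA/CPRA": (None, None),
}

def add_business_days(start, n):
    """Advance start by n weekdays (Mon-Fri). Public holidays are ignored (assumption)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current

def notification_deadlines(clock_start_iso, applicable):
    """Map each applicable regulation to an ISO-8601 deadline, or None if no fixed clock."""
    start = datetime.fromisoformat(clock_start_iso)
    deadlines = {}
    for reg in applicable:
        unit, n = NOTIFICATION_RULES[reg]
        if unit == "hours":
            deadlines[reg] = (start + timedelta(hours=n)).isoformat()
        elif unit == "days":
            deadlines[reg] = (start + timedelta(days=n)).isoformat()
        elif unit == "business_days":
            deadlines[reg] = add_business_days(start, n).isoformat()
        elif unit == "immediate":
            deadlines[reg] = start.isoformat()
        else:
            deadlines[reg] = None
    return deadlines

def overdue(deadlines, now_iso):
    """Regulations whose fixed deadline has already passed at now_iso (sorted)."""
    now = datetime.fromisoformat(now_iso)
    return sorted(reg for reg, d in deadlines.items()
                  if d is not None and now > datetime.fromisoformat(d))

if __name__ == "__main__":
    # Constructed example: incident discovered Thursday 2026-03-05 14:00 UTC.
    dl = notification_deadlines("2026-03-05T14:00:00", list(NOTIFICATION_RULES))
    for reg, d in dl.items():
        print(f"{reg:10} {d or 'no fixed clock: document the decision date'}")
    print("overdue as of 2026-03-09 09:00:", overdue(dl, "2026-03-09T09:00:00"))
```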
IR Tabletop Exercise
Run quarterly tabletop exercises using these scenarios:
- Ransomware attack — All systems encrypted, ransom demanded
- Insider data theft — Employee downloaded customer database before resignation
- Supply chain compromise — Vendor SDK compromised, customer data potentially exposed
- Cloud breach — Misconfigured S3 bucket found by researcher, unknown exposure duration
- Account takeover wave — Credential stuffing attack compromising thousands of user accounts
Further Reading
- NIST SP 800-61r3 — Incident handling guide
- Ransomware Defense Playbook — Ransomware-specific IR
- IBM (2025), "Cost of a Data Breach Report" — IR plan ROI statistics
- GDPR & CCPA Compliance — Breach notification requirements
Published by SecureCodeReviews