Read Dynamic Incident Response one chapter at a time, or jump directly to the topic you need. You can also read the complete book as a single page or download the PDF.
Front Matter
- Foreword: John Strand introduces the book and reflects on the evolution of incident response as a discipline.
- Preface: Joshua Wright on the motivation behind the Dynamic Approach to Incident Response (DAIR) and the contributors who shaped the book.
Part 1: Elements of Incident Response
- Case Study: Supply Chain Calamity: A fictional case study that follows an organization through a supply chain attack, illustrating the challenges and decisions that arise during a real incident.
- Introduction: The scope and nature of modern incidents, why incident response matters, and the challenge of building effective response programs.
- Getting Started: Foundational concepts for incident response, including terminology, team roles, and the relationship between incidents and the broader security program.
- Incident Response Models and Their Shortcomings: An examination of established IR frameworks, including NIST SP 800-61, SANS, and other models that have shaped the discipline, and where traditional linear models fall short against modern threats.
Part 2: A Dynamic Approach to Incident Response
- A Dynamic Approach to Incident Response: Introducing the Dynamic Approach to Incident Response (DAIR) framework, built on Boyd's OODA loop. This is the core model for the rest of the book.
- Prepare: Building organizational readiness: policies, team structure, communication plans, playbooks, training, and proactive defenses.
- Detect: Detection methodologies, including signature-based, behavioral, and AI-driven approaches. Detection data sources, threat hunting, and Sigma rules.
- Verify and Triage: Validating potential incidents, assessing severity, classifying events, and working with decision makers to determine response priorities.
- Response Actions Loop: The iterative cycle at the heart of DAIR: how scoping, containment, eradication, and recovery repeat as new evidence emerges.
- Scope: Determining the full extent of compromise through IOC hunting, lateral movement analysis, and enterprise-wide investigation techniques.
- Contain: Containment strategies and technical implementation: network isolation, host containment, credential revocation, and evidence preservation.
- Eradicate: Investigation techniques, persistence mechanism removal, root cause analysis, and digital forensics, including memory analysis, log investigation, and malware analysis.
- Recover: Pre-restoration verification, system validation, coordinated production restoration, enhanced monitoring, and recovery strategies.
- Debrief: Post-incident documentation, lessons learned, root cause analysis, incident reporting, and driving organizational improvement.
Part 3: Special Considerations in Incident Response
- Accelerating Incident Response with AI: Practical AI applications for log analysis, threat detection, playbook generation, report writing, and agentic investigation workflows using large language models.
- Incident Response for Ransomware: Comprehensive ransomware response: containment, negotiation considerations, recovery planning, decryption options, and lessons from real-world attacks.
- Incident Response for Cloud Systems: Cloud-specific IR techniques for AWS, Azure, and GCP. Evidence preservation, log analysis, IAM investigation, and container security.
- Incident Response for Operational Technology: OT/ICS incident response: Purdue model segmentation, safety instrumented systems, bridging the IT-OT gap, and critical infrastructure considerations.
- Integrating DAIR with NIST CSF 2.0: Mapping DAIR activities to all six NIST CSF 2.0 functions and building compliance artifacts from incident response operations.
- Afterword: Final reflections on the practice of incident response and a look ahead.