1. Preface
It’s a strange thing about writing a book that the preface, the part that sits at the very beginning, is almost always the last thing written. The author can’t introduce the work until it is finished, and the work’s shape is clear. Even with planning and an outline, the writing process is not linear. It loops back to revisit assumptions, redefine goals, and pursue new objectives.
Incident response has long been taught as a linear process: preparation, identification, containment, eradication, recovery, and lessons learned. Over many years of teaching and working cases, I watched responders follow the prescribed steps, only to find that the incident was not over when they thought it was. Attackers returned after containment, the scope was underestimated, and eradication efforts missed persistence mechanisms that quietly restored access. The linear models were not wrong, but they were not enough to support modern incident response needs.
Conventional models were built for an era when incidents were simpler and less frequent. The most recent revision of the National Institute of Standards and Technology (NIST) SP 800-61 shifted to align with the broader Cybersecurity Framework, but in doing so, moved away from practical guidance for responders doing the work. I believe what the field needs is an adaptive, iterative approach to incident response. It should include explicit verification, triage, and scoping steps to give organizations the insight they need to minimize impact and damage from incidents.
This book addresses that need with a new model: the Dynamic Approach to Incident Response (DAIR). These pages do not attempt to replace the excellent resources that address specific investigative techniques, such as memory forensics, malware analysis, or threat hunting. Instead, they occupy the space between tool-focused guides and executive strategy, providing a framework for technical analysts to respond to incidents more effectively.
I did not write this book alone. Ryan Chapman brings deep expertise in ransomware and cyber extortion response. Megan Roddie-Fonseca contributes specialized knowledge in cloud incident response. Dean Parsons adds a critical perspective on control systems and operational technology. I am thankful for their partnership and support in this work. Their contributions extend the approach presented here into the specialized domains where modern responders operate.
My goal is to make this book as widely useful as possible. To that end, I am publishing it under a Creative Commons license (CC BY-SA 4.0). It is freely available for anyone to read, share, and adapt for commercial or non-commercial use, provided that you give appropriate credit, provide a link to the license, and indicate if changes were made. You can find this book online at dynamicincidentresponse.com.
What follows is a practical, iterative incident response framework built on real-world experience. Like this preface, an effective response starts wherever the situation demands, not where a checklist says it should.
What Is in This Book?
We wrote this book to provide a comprehensive guide for responding to cybersecurity incidents. It covers the essential concepts, methodologies, and tools needed to effectively manage and mitigate the impact of breaches and attacks in modern organizations. The book is structured to guide readers through the entire incident response lifecycle, applying practical techniques learned through real-world scenarios.
The book is organized into three parts:
Part 1: Elements of Incident Response

- Case Study: Supply Chain Calamity opens the book with a fictional scenario following a cloud solutions architect as a supply chain compromise unfolds, grounding the concepts that follow in a realistic incident narrative.
- Introduction traces the history of incident response models from early cybersecurity incidents through the development of CERT and NIST frameworks, and examines the changing demands on modern incident response teams.
- Getting Started establishes foundational terminology and concepts for incident response that we will use throughout the book.
- Incident Response Models and Their Limitations reviews the PICERL model, NIST SP 800-61, and their variations, then identifies limitations in these models, including their emphasis on linear progression, insufficient scoping guidance, and lack of incident verification requirements.

Part 2: A Dynamic Approach to Incident Response

- A Dynamic Approach to Incident Response introduces the Dynamic Approach to Incident Response (DAIR) model, explaining its waypoints, outcomes, and the response actions loop that distinguishes it from traditional linear models.
- Prepare Activity covers organizational and team readiness, including policy development, playbook creation, tabletop exercises, security monitoring, and the integration of cyber threat intelligence.
- Detect Activity explores detection methodologies, including signature-based, behavioral, and AI-assisted approaches, along with the technical, human, and cloud-native data sources that feed detection efforts.
- Verify and Triage Activities addresses how to validate events of interest, enrich indicators through pivoting and cyber threat intelligence, perform initial risk classification, and present findings to decision makers.
- Response Actions Loop describes the iterative cycle of scope, contain, eradicate, and recover activities, including iteration triggers and criteria for determining when to exit the loop.
- Scope Activity examines methodologies for determining the breadth of compromise, including progressive scoping, timeline reconstruction, indicator-based hunting, and techniques for addressing visibility gaps.
- Contain Activity presents containment strategies across network, host, identity, and cloud environments, covering both passive and active approaches with guidance on coordinated containment timing.
- Eradicate Activity addresses removing attacker persistence, conducting root-cause analysis, performing investigations across endpoints, networks, logs, and cloud platforms, and remediating the vulnerabilities that enabled the compromise.
- Recover Activity covers phased system restoration, pre-restoration verification, enhanced monitoring configuration, and the coordination required to bring systems back into production with confidence.
- Debrief Activity guides the transition from active response to organizational learning through after-action reviews, incident reporting, metrics capture, and driving improvement recommendations to completion.

Part 3: Special Considerations in Incident Response

- Accelerating Incident Response with AI explores practical applications of generative AI in incident response, from prompt engineering and log analysis through Model Context Protocol (MCP) integration and agentic workflows, with guidance on verification, trust, and organizational policy.
- Incident Response for Ransomware applies the DAIR model to ransomware and multi-vector extortion campaigns, covering ransomware-specific preparation, verification indicators, data exfiltration detection, decryption assessment, backup strategies, and post-incident debrief.
- Incident Response for Cloud Systems addresses the distinct challenges of incident response in cloud environments, including identity-first containment, ephemeral resource investigation, and cloud-native recovery techniques.
- Incident Response for Operational Technology examines incident response in operational technology environments, where safety, physical processes, and specialized protocols introduce constraints not present in traditional IT incidents.
- Integrating DAIR with NIST CSF 2.0 demonstrates how DAIR activities map to NIST CSF 2.0 functions, showing how compliance artifacts emerge naturally from effective response operations and how to satisfy audit requirements through documented DAIR activities.
Each chapter concludes with Step-by-Step sections that translate concepts into actionable checklists readers can apply immediately.
Who Is This Book For?
This book is intended to serve as a resource for cybersecurity professionals working in incident response roles, including incident responders, security analysts, IT professionals, and anyone interested in learning about effective incident management. While the book addresses advanced topics, its content is accessible to readers with varying levels of cybersecurity and incident response experience. Readers should have a basic understanding of networking, operating systems, and cybersecurity concepts to fully benefit from this book’s material.
This book is not intended to be a comprehensive guide to all aspects of cybersecurity or incident response investigation. Instead, it focuses on practical techniques and methodologies applicable to real-world scenarios. Readers who influence their organization’s incident response practices will likely find the most value in this book.
How to Read This Book
Start with Case Study: Supply Chain Calamity, the opening case study. It’s a fun narrative that follows a cloud architect through a supply chain compromise, and it sets the stage for why incident response matters.
If you’re just getting started in incident response, continue with Introduction, Getting Started, and Incident Response Models and Their Limitations. They cover the history, foundational concepts, and existing models that the rest of the book builds on.
If you’re not sure what problems this book is trying to solve, read Shortcomings in Existing Models. That section outlines the specific gaps in how organizations have traditionally approached incident response and motivates the framework introduced in Part 2.
Part 2 is the heart of the book. Start with A Dynamic Approach to Incident Response for an overview of the DAIR model, then explore the chapters that address your most pressing questions. If you’re implementing DAIR in your own organization, work through each chapter carefully and take notes on what applies to your environment.
Part 3 covers specific domains and industry trends. Maybe you’re trying to figure out how AI is reshaping incident response (Accelerating Incident Response with AI), or your organization needs to align incident response with compliance requirements in an operational technology environment (Incident Response for Operational Technology). Jump to whatever is most relevant to your situation.
Otherwise, flip around until something catches your attention. I hope you bookmark, highlight, underline, and annotate as you make your way through this book, and pick up useful tactics to minimize the impact of the next incident you have to work on.
A Note on the Narratives
Throughout this book, you’ll encounter first-person narratives and fictional case studies that illustrate incident response concepts in action. These stories are inspired by the Stealing the Network series by Ryan Russell, Johnny Long, and a community of contributors whose chapters blended real security assessment experiences into compelling, educational fiction. I loved reading those books when they came out in the mid-2000s, and I later learned that most of the chapters were drawn from practical experiences, tweaked, merged, and reshaped to protect the identities of the organizations involved.
The narratives in this book follow a similar approach. Incident responders are frequently constrained by non-disclosure agreements that prevent us from sharing the details of cases we’ve worked on. Fictional narratives give us an opportunity to draw on firsthand experience by blending elements of past incidents while preserving customers' anonymity and compliance with those agreements.
I hope the narratives are relatable to modern cybersecurity issues and serve as a practical way to reinforce each chapter’s learning objectives.
Conventions Used in This Book
Table 1 illustrates the typography conventions used throughout this book.
| Convention | Description |
|---|---|
| Italic | Indicates new terms and items of emphasis |
| Monospace | Used for terminal output and within paragraphs to refer to tools or other technical elements such as variables, function names, statements, keywords, etc. |
| \| | The vertical bar is used to indicate steps necessary for navigating through menus (Edit \| Paste). |
| [...] | The bracketed ellipsis is used to denote content that has been removed from the report in the output of a tool for space considerations. |
| Note | This signifies a general note or consideration. |
| Tip | This signifies a tip or suggestion. |
| Important | This signifies important information to pay special attention to. |
Links in the text serve as either internal or external references. Internal references point to other sections within this book and appear as section titles, such as Getting Started. External references point to resources outside the book and appear as labeled links, such as MITRE ATT&CK.
Listing blocks are used to denote output from tools used during our analysis. Content that is bold represents commands that are entered to run or interact with a command-line tool. Important outputs are noted with a numeric circle callout, with details following the listing. An example is shown in Listing 1.
```
$ tool_name -argument1 -argument2
Basic output from the tool
Important output from the tool (1)
Do you wish to continue? yes
[...] (2)
```

(1) Denoting an element or a line of importance

(2) A bracketed ellipsis indicating removed content for space considerations
Contact the Author
I welcome questions, comments, and feedback on this book. You can reach me through any of the following channels:
- Email: josh@wr1ght.net
- LinkedIn: www.linkedin.com/in/joswr1ght/
- GitHub: github.com/joswr1ght
Acknowledgments
My colleague Mike Murr had the idea that we needed to break out of the linear incident response model and developed the early concept for what would become the Dynamic Approach to Incident Response. His work inspired me, and I am thankful for his many contributions to incident response.
Many other brilliant and generous people contributed to this work. Special thanks to:
- Steve Anson
- Tim Conway
- Russell Eubanks
- Chris Haller
- Katherine Hedley
- Shane Hirsch
- Robert Hutzley
- Rob T. Lee
- Kate Marshall
- Ed Skoudis
- Adam Telford
- Lenny Zeltser
About the Authors
Joshua Wright is a SANS Faculty Fellow and author of SEC504: Hacker Tools, Techniques, and Incident Handling, one of the most widely taken courses in the SANS curriculum. For more than two decades, he has trained thousands of professionals worldwide in incident response techniques and developed the hands-on exercises that prepare students for the GIAC Certified Incident Handler (GCIH) certification. Joshua serves as Dean of Students at the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense, where he mentors the next generation of security professionals. As Senior Technical Director at Counter Hack, he leads cybersecurity engagements for customers across diverse industries, bringing real-world experience directly into his teaching and research.
Ryan Chapman is a SANS Certified Instructor and a team lead at a managed threat-hunting and incident-response firm, bringing over fourteen years of experience in digital forensics and incident response. He is the author of FOR528: Ransomware and Cyber Extortion and a co-author of FOR610: Reverse Engineering Malware. Ryan’s career spans incident response consulting, security operations, and cyber incident response teams, where he has guided organizations from initial detection through remediation. His expertise in ransomware analysis, threat hunting, and malware reverse engineering informs his practical approach to teaching responders how to handle complex intrusions.
Ryan contributed Incident Response for Ransomware to this book.
Megan Roddie-Fonseca is a SANS Certified Instructor and Senior Security Engineer at Datadog, where she focuses on cloud security, digital forensics, and incident response. She is the author of FOR509: Enterprise Cloud Forensics and Incident Response, which prepares students for the GIAC Cloud Forensics Responder certification. Megan co-authored Practical Threat Detection Engineering, a hands-on guide to developing and validating detection capabilities. She holds two master’s degrees and serves as CFO of Mental Health Hackers, advocating for neurodiversity in cybersecurity careers. Her work bridges technical depth with accessible instruction, helping responders navigate complex cloud investigations.
Megan contributed Incident Response for Cloud Systems to this book.
Dean Parsons is a SANS Principal Instructor and CEO of ICS Defense Force, where he builds operational technology security programs and leads incident response operations for critical infrastructure organizations worldwide. He is the author of ICS515: ICS Visibility, Detection, and Response and co-author of ICS418: ICS Security Essentials for Leaders. Dean co-authored The ICS Cybersecurity Field Manual and produces the SANS ICS Rapid Response and SANS ICS Security Brief video series. His teaching translates real-world experience protecting energy, water, and electric sector environments into practical guidance for defending industrial control systems.
Dean contributed Incident Response for Operational Technology to this book.
About the Technical Reviewer
Steve Armstrong-Godwin's career began more than twenty-five years ago when he joined the UK Royal Air Force (RAF), bringing with him a love of IT and a desire to protect others. When the opportunity to move into information security presented itself, Steve jumped at the chance, eventually leading the RAF’s penetration and TEMPEST testing teams and having some memorable work experiences along the way.
There’s nothing quite like securing wireless networks under attack while in a warzone with full body armour, loaded weapons, and hacking gear in 50+ degree centigrade heat.
Steve has more than fourteen years of experience in incident response and management, handling cyber incidents worldwide. He currently serves as the Lead of Security Incident Response and Threat Management at Danske Bank, where he brings his extensive operational background to defending one of Scandinavia’s largest financial institutions.
Steve is a SANS Principal Instructor and the author of the LDR553: Cyber Incident Management course. His students regularly praise his engaging teaching style, contagious energy, and ability to make complex incident management concepts relatable through real-world scenarios.
Statement on AI Use
I believe we have a right to know when the content we are consuming is generated by AI. Further, I think it’s reasonable for readers to ask if the book they are thinking about reading is worth their investment versus being a shallow piece of content generated by AI tools. In this section, I disclose how I used AI tools in the research, coding, image creation, and writing of this book.
Research
At several points, I used AI tools, including Claude, Claude Code, and ChatGPT, to conduct research for this book. Many of the stories and experiences came from my own work, but I also used AI tools to research topics and gather supportive or contradictory information to ensure I showcased a broader perspective than just my own experiences.
> I’m interested in the tradeoffs for the use of commercial vs. open source cybersecurity tools, specifically to identify the factors that organizations should consider when deciding when to use one or the other. What works best for organizations of different sizes or employee skill levels? What factors should companies consider? Is there a decision tree that companies should consider when thinking about pursuing a commercial versus an open source cybersecurity tool?
I carefully reviewed the output from ChatGPT Deep Research and other AI tools, along with my own experiences and knowledge, to ensure the information was accurate and relevant to the topics in this book.
Code
Claude Code was my go-to tool for much of the custom code developed in the examples used in this book.
This includes the stealer code Pyrix uses in Case Study: Supply Chain Calamity, various sample scripts (including the AWS Lambda function in [aws_lambda_deny_and_log_function]), and the timeline of incident response models ([timeline-of-incident-response-models]).
Claude Code also helped with all the build tools used to produce the book itself (I will be forever thankful not to have to remember Makefile syntax).
I also used Claude Code to help build an index for this book, using a three-step process:
1. Use Claude Opus 4.6 to generate a concordance of keywords by section for each chapter.
2. Manually review the concordance to add or remove keywords and phrases as needed.
3. Run a Python script to insert the index markup into the AsciiDoc source files for hidden and non-hidden index entries.
All code generated by Claude Code was carefully reviewed, tested, and modified as needed to ensure it met my requirements for accuracy, security, and quality. I reviewed all content generated by Python code used to produce this book (including the index) for accuracy.
Images
In a few cases, I used AI tools (mostly Gemini’s Nano Banana Pro model) to help with images and illustrations. Most of the images I manually created using PowerPoint, flowchart tools such as Mermaid and Diagrams.net, Apple Freeform sketches, Affinity Designer 2 for vector drawing, and other photo editing tools. For the more illustrative images, I made an initial sketch and then used Gemini to create a more polished version, as shown in Figure 2.
The output images were imperfect, requiring multiple edits after downloading them from Gemini, but I think they produced a better final result than I could have achieved on my own without investing a lot more time learning Adobe Illustrator.
Narrative Writing
I have been writing technical content for nearly thirty years, but creative writing has never been my strength. I know that creative writing narratives are powerful for explaining complex topics and for exposing readers to different perspectives for learning. I knew I wanted to include narratives (the opening narrative, Chapter 1: Supply Chain Calamity, and supporting narratives after each chapter in Part 3: Special Considerations in Incident Response), but I struggled to write them in a way that felt authentic and engaging.
I used Claude Code as a tool to help in the development of these narratives:
- Brainstorming story ideas and plot points.
- Integrating learning objectives into the narratives.
- Drafting and refining the narrative text.
I believe the end result is content that is more engaging and effective for learning, and likely much better than I could have written from scratch.
I scrutinized each chapter and narrative for accuracy, tone, and style, ensuring they met my standards. I expanded content and included chunking elements (listings, tables, images, admonitions, etc.) where it aligned with my vision for the learning objectives in this book.
Technical Writing
This is the big one. I wrote the vast majority of the words in this book, though sometimes it’s hard to distinguish what words would have been written without AI assistance.
Some days, the words just didn’t come easily, and I used Claude Code to help me get unstuck:
> Help me with the last paragraph in @existingmodels.adoc ; I feel like it has a weak ending and doesn’t do enough to emphasize the problems illustrated with the response effort in the chapter. Show me several options.
In several cases, I used Claude Code to help me after writing an initial pass of the chapter to identify opportunities to improve the writing:
> Let’s work on the @integration.adoc chapter. Suggest ideas for content chunking: admonitions, figures, illustrations, tables, etc.
I used Claude Code to review much of the content I wrote for quality and appropriateness with an overarching goal of making the content more engaging and easier to read, especially in moments where I doubted my own writing skills:
> I’d like you to analyze the contents of the supply chain calamity chapter to determine if it is awkward or inappropriate in relationship to the rest of the book.
Despite using AI as a tool to help with writing, I feel as though the words in this book are my own. Even when AI generated a paragraph or a subsection of content for me, I reviewed it carefully, edited it heavily, and ensured that it aligned with my own voice and style.
I believe that AI tools are powerful aids for writers, and I see them as a way to augment my own skills rather than replace them. Because I could accelerate some of the writing tasks using AI tools, I was able to focus more time on the creative elements of what would make this book more engaging and effective for learning. I hope, dear reader, that you find the end result to be a book that is worth your time.