Step-by-Step Incident Response Checklists
These checklists distill each phase of the incident response lifecycle into actionable steps, based on the Dynamic Approach to Incident Response (DAIR) framework. Available in PDF and Markdown formats for use during active incidents, tabletop exercises, or team training.
Prepare
Building IR capabilities, team structure, communication plans, and tooling before an incident occurs.
Detect
Establishing detection sources, threat hunting, writing Sigma rules and SIEM correlation searches, and refining detection capabilities.
Verify and Triage
Validating a potential incident, assessing risk, and determining response priorities.
Response Actions Loop
Managing the iterative cycle of scoping, containment, eradication, and recovery.
Scope
Determining the full extent of compromise through IOC hunting, lateral movement analysis, and enterprise-wide investigation.
Contain
Stopping attacker activity through network isolation, host containment, credential revocation, and evidence preservation.
Eradicate
Investigating attacker presence, removing persistence mechanisms, conducting root cause analysis, and remediating vulnerabilities.
Recovery
Pre-restoration verification, system validation, coordinated production restoration, and enhanced post-incident monitoring.