Overview

This checklist follows the PICERL phase model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) — the structure of NIST SP 800-61 Rev 2 and the SANS incident-handling curriculum. NIST SP 800-61 Revision 3 (April 2025) restructured the publication to integrate incident response throughout the NIST Cybersecurity Framework 2.0 risk-management lifecycle (Govern, Identify, Protect, Detect, Respond, Recover) rather than as discrete phases. Both models are valid; the phase-based view below is most useful during an active incident as a literal checklist, while the CSF 2.0 mapping below it is the orientation auditors and board-level reviewers will expect.

Use this checklist during active incidents to ensure no critical steps are missed.

NIST CSF 2.0 quick mapping (per SP 800-61 r3)

CSF 2.0 Function	Where the work happens in this checklist
Govern (GV)	Phase 1: IR plan documented, roles assigned, legal counsel identified
Identify (ID)	Phase 1: forensic toolkit, logging infrastructure, asset inventory
Protect (PR)	Phase 1: communication templates, backup integrity
Detect (DE)	Phase 2: alert validation, triage, scoping
Respond (RS)	Phases 2-4: investigation, containment, eradication
Recover (RC)	Phases 5-6: restore, verify, lessons learned

Important: Document everything. Every action taken, every decision made, and every timeline entry matters for post-incident review and potential legal proceedings.

Phase 1: Preparation (Before Incidents)

Incident response plan documented and approved — Current version accessible to all team members
IR team roles and contact info current — Include after-hours escalation paths
Communication templates prepared — Pre-written notifications for stakeholders, customers, legal
Forensic toolkit ready — Jump bag with write blockers, bootable USB, imaging tools
Logging infrastructure verified — SIEM ingesting from all critical systems
Backup integrity confirmed — Recent restore test completed successfully
Legal counsel identified — Know when to engage legal (breach notification laws)
Third-party contacts listed — ISP, cloud provider, cyber insurance, law enforcement

Phase 2: Detection & Analysis

Initial Triage

Alert received and acknowledged — Record source, time, and initial indicators

Timestamp: _______________
Alert Source: _______________
Initial IOCs: _______________
Severity Assessment: [ ] Critical [ ] High [ ] Medium [ ] Low

Validate the alert — Confirm this is a true positive, not a false alarm
Assign incident ID and severity — Use your classification matrix
Notify IR team lead — Escalate based on severity threshold
Begin incident timeline — Chronological log of all events and actions

Investigation

Identify affected systems — Scope the blast radius

Affected Hosts: _______________
Affected Services: _______________
Affected Users: _______________

Collect volatile evidence first — Memory dumps before shutdown

# Linux memory capture
sudo dd if=/dev/mem of=/forensics/memory.dump bs=1M
# Network connections
ss -tulpn > /forensics/netstat.txt
# Running processes
ps auxef > /forensics/processes.txt

Preserve log data — Copy logs before rotation
Identify attack vector — How did the attacker get in?
Determine data exposure — What data was accessed/exfiltrated?
Check for lateral movement — Are other systems compromised?
Map observed activity to MITRE ATT&CK — For each IOC and adversary action, record the corresponding ATT&CK tactic and technique ID (e.g., T1078 Valid Accounts, T1059.001 PowerShell). The technique IDs accelerate detection-rule reuse and let analysts pattern-match against known threat-actor playbooks.
Establish chain-of-custody for forensic evidence — Every disk image, memory dump, and log export gets a hash (SHA-256), a collector name, a timestamp, and a destination storage location. If prosecution is possible, this record is what makes evidence admissible.
```
# SHA-256 a forensic image and log it
sha256sum /forensics/disk.img | tee -a /forensics/chain-of-custody.log
```
Switch to out-of-band communications — If the suspected blast radius includes corporate email, Teams/Slack, or your IdP, assume those channels are compromised. Use a pre-arranged Signal group, personal phone numbers, or a bridge line. Do not discuss specifics in primary chat.

Phase 3: Containment

Short-Term Containment

Isolate affected systems — Network segmentation, not shutdown

# Block at firewall level
iptables -A INPUT -s <attacker-ip> -j DROP
# Or isolate VLAN

Disable compromised accounts — Revoke access immediately
Block malicious IPs/domains — Update firewall and DNS blackhole

Capture forensic images — Before making changes

dd if=/dev/sda of=/forensics/disk.img bs=4M status=progress

Long-Term Containment

Apply temporary fixes — Patch vulnerability, update rules
Increase monitoring — Enhanced logging on affected and adjacent systems
Rotate credentials — All credentials on affected systems
Verify containment effective — Confirm no new IOCs appearing

Phase 4: Eradication

Remove malware/backdoors — Clean all affected systems
Patch exploited vulnerability — Close the attack vector
Remove unauthorized accounts — Check for persistence mechanisms
Scan all systems for IOCs — Ensure no other systems compromised
Update detection signatures — Add new IOCs to SIEM/EDR
Verify clean state — Rescan after eradication

Phase 5: Recovery

Restore from clean backups — Use verified pre-incident backups
Rebuild if necessary — Fresh OS install for severely compromised systems
Gradually restore services — Monitor closely during each phase
Verify system integrity — Compare against known-good baselines
Confirm business operations normal — All services functioning correctly
Maintain heightened monitoring — 30-day elevated watch period

Phase 6: Post-Incident

Conduct lessons learned meeting — Within 1 week of resolution
Update incident response plan — Incorporate improvements
Submit final incident report — Include timeline, impact, root cause, recommendations
Update detection rules — Prevent recurrence
Brief stakeholders — Executive summary of incident and improvements
Fulfill notification obligations — See the regulatory timelines below; missing a statutory deadline can cost more than the incident itself.

Regulatory notification timelines

Confirm the current deadlines with your counsel before relying on this list — privacy law revises faster than checklists.

Jurisdiction / Regime	Trigger	Deadline	Notify
PIPEDA (Canada)	Real risk of significant harm from a breach of security safeguards	"As soon as feasible" — generally 72 h	OPC + affected individuals
GDPR (EU)	Personal data breach	72 h from awareness	Lead supervisory authority; data subjects if high risk
CIRCIA (US, critical infrastructure)	Substantial cyber incident; ransomware payment	72 h (incident); 24 h (payment)	CISA
HIPAA Breach Notification	Unsecured PHI breach	60 days from discovery (individuals); annual or 60-day for HHS depending on scope	HHS, individuals, sometimes media
PCI DSS	Cardholder data compromise	"Immediately" per acquirer/brand contract	Acquirer + card brands
State / provincial laws	Varies (CA CCPA, NY SHIELD, IIROC, FINTRAC)	Varies — often 30-60 days, some 72 h	Per statute
SEC (US public companies)	Material cybersecurity incident	4 business days after determining materiality	SEC Form 8-K Item 1.05

Schedule the next tabletop exercise — A real incident is the best forcing function for plan changes. Book a tabletop within 90 days that uses this incident as the scenario; invite legal, comms, and an executive sponsor.

Severity Classification Matrix

Severity	Description	Response Time	Examples
Critical	Active data breach, ransomware	Immediate	Data exfiltration, active attacker
High	Confirmed compromise, no data loss yet	1 hour	Malware on server, unauthorized access
Medium	Suspicious activity, potential threat	4 hours	Anomalous login, policy violation
Low	Informational, minor policy violation	24 hours	Failed login attempts, scan detected

Key Contacts Template

Role	Name	Phone	Email
IR Lead
Security Analyst
IT Operations
Legal Counsel
Communications
Executive Sponsor
Cyber Insurance
Law Enforcement

Overview

Use this checklist during active incidents to ensure no critical steps are missed.

NIST CSF 2.0 quick mapping (per SP 800-61 r3)

CSF 2.0 Function	Where the work happens in this checklist
Govern (GV)	Phase 1: IR plan documented, roles assigned, legal counsel identified
Identify (ID)	Phase 1: forensic toolkit, logging infrastructure, asset inventory
Protect (PR)	Phase 1: communication templates, backup integrity
Detect (DE)	Phase 2: alert validation, triage, scoping
Respond (RS)	Phases 2-4: investigation, containment, eradication
Recover (RC)	Phases 5-6: restore, verify, lessons learned

Important: Document everything. Every action taken, every decision made, and every timeline entry matters for post-incident review and potential legal proceedings.

Phase 1: Preparation (Before Incidents)

Incident response plan documented and approved — Current version accessible to all team members
IR team roles and contact info current — Include after-hours escalation paths
Communication templates prepared — Pre-written notifications for stakeholders, customers, legal
Forensic toolkit ready — Jump bag with write blockers, bootable USB, imaging tools
Logging infrastructure verified — SIEM ingesting from all critical systems
Backup integrity confirmed — Recent restore test completed successfully
Legal counsel identified — Know when to engage legal (breach notification laws)
Third-party contacts listed — ISP, cloud provider, cyber insurance, law enforcement

Phase 2: Detection & Analysis

Initial Triage

Alert received and acknowledged — Record source, time, and initial indicators

Timestamp: _______________
Alert Source: _______________
Initial IOCs: _______________
Severity Assessment: [ ] Critical [ ] High [ ] Medium [ ] Low

Validate the alert — Confirm this is a true positive, not a false alarm
Assign incident ID and severity — Use your classification matrix
Notify IR team lead — Escalate based on severity threshold
Begin incident timeline — Chronological log of all events and actions

Investigation

Identify affected systems — Scope the blast radius

Affected Hosts: _______________
Affected Services: _______________
Affected Users: _______________

Collect volatile evidence first — Memory dumps before shutdown

# Linux memory capture
sudo dd if=/dev/mem of=/forensics/memory.dump bs=1M
# Network connections
ss -tulpn > /forensics/netstat.txt
# Running processes
ps auxef > /forensics/processes.txt

Preserve log data — Copy logs before rotation
Identify attack vector — How did the attacker get in?
Determine data exposure — What data was accessed/exfiltrated?
Check for lateral movement — Are other systems compromised?
Map observed activity to MITRE ATT&CK — For each IOC and adversary action, record the corresponding ATT&CK tactic and technique ID (e.g., T1078 Valid Accounts, T1059.001 PowerShell). The technique IDs accelerate detection-rule reuse and let analysts pattern-match against known threat-actor playbooks.
Establish chain-of-custody for forensic evidence — Every disk image, memory dump, and log export gets a hash (SHA-256), a collector name, a timestamp, and a destination storage location. If prosecution is possible, this record is what makes evidence admissible.
```
# SHA-256 a forensic image and log it
sha256sum /forensics/disk.img | tee -a /forensics/chain-of-custody.log
```
Switch to out-of-band communications — If the suspected blast radius includes corporate email, Teams/Slack, or your IdP, assume those channels are compromised. Use a pre-arranged Signal group, personal phone numbers, or a bridge line. Do not discuss specifics in primary chat.

Phase 3: Containment

Short-Term Containment

Isolate affected systems — Network segmentation, not shutdown

# Block at firewall level
iptables -A INPUT -s <attacker-ip> -j DROP
# Or isolate VLAN

Disable compromised accounts — Revoke access immediately
Block malicious IPs/domains — Update firewall and DNS blackhole

Capture forensic images — Before making changes

dd if=/dev/sda of=/forensics/disk.img bs=4M status=progress

Long-Term Containment

Apply temporary fixes — Patch vulnerability, update rules
Increase monitoring — Enhanced logging on affected and adjacent systems
Rotate credentials — All credentials on affected systems
Verify containment effective — Confirm no new IOCs appearing

Phase 4: Eradication

Remove malware/backdoors — Clean all affected systems
Patch exploited vulnerability — Close the attack vector
Remove unauthorized accounts — Check for persistence mechanisms
Scan all systems for IOCs — Ensure no other systems compromised
Update detection signatures — Add new IOCs to SIEM/EDR
Verify clean state — Rescan after eradication

Phase 5: Recovery

Restore from clean backups — Use verified pre-incident backups
Rebuild if necessary — Fresh OS install for severely compromised systems
Gradually restore services — Monitor closely during each phase
Verify system integrity — Compare against known-good baselines
Confirm business operations normal — All services functioning correctly
Maintain heightened monitoring — 30-day elevated watch period

Phase 6: Post-Incident

Conduct lessons learned meeting — Within 1 week of resolution
Update incident response plan — Incorporate improvements
Submit final incident report — Include timeline, impact, root cause, recommendations
Update detection rules — Prevent recurrence
Brief stakeholders — Executive summary of incident and improvements
Fulfill notification obligations — See the regulatory timelines below; missing a statutory deadline can cost more than the incident itself.

Regulatory notification timelines

Confirm the current deadlines with your counsel before relying on this list — privacy law revises faster than checklists.

Jurisdiction / Regime	Trigger	Deadline	Notify
PIPEDA (Canada)	Real risk of significant harm from a breach of security safeguards	"As soon as feasible" — generally 72 h	OPC + affected individuals
GDPR (EU)	Personal data breach	72 h from awareness	Lead supervisory authority; data subjects if high risk
CIRCIA (US, critical infrastructure)	Substantial cyber incident; ransomware payment	72 h (incident); 24 h (payment)	CISA
HIPAA Breach Notification	Unsecured PHI breach	60 days from discovery (individuals); annual or 60-day for HHS depending on scope	HHS, individuals, sometimes media
PCI DSS	Cardholder data compromise	"Immediately" per acquirer/brand contract	Acquirer + card brands
State / provincial laws	Varies (CA CCPA, NY SHIELD, IIROC, FINTRAC)	Varies — often 30-60 days, some 72 h	Per statute
SEC (US public companies)	Material cybersecurity incident	4 business days after determining materiality	SEC Form 8-K Item 1.05

Schedule the next tabletop exercise — A real incident is the best forcing function for plan changes. Book a tabletop within 90 days that uses this incident as the scenario; invite legal, comms, and an executive sponsor.

Severity Classification Matrix

Severity	Description	Response Time	Examples
Critical	Active data breach, ransomware	Immediate	Data exfiltration, active attacker
High	Confirmed compromise, no data loss yet	1 hour	Malware on server, unauthorized access
Medium	Suspicious activity, potential threat	4 hours	Anomalous login, policy violation
Low	Informational, minor policy violation	24 hours	Failed login attempts, scan detected

Key Contacts Template

Role	Name	Phone	Email
IR Lead
Security Analyst
IT Operations
Legal Counsel
Communications
Executive Sponsor
Cyber Insurance
Law Enforcement

Incident Response Checklist

Overview

NIST CSF 2.0 quick mapping (per SP 800-61 r3)

Phase 1: Preparation (Before Incidents)

Phase 2: Detection & Analysis

Initial Triage

Investigation

Phase 3: Containment

Short-Term Containment

Long-Term Containment

Phase 4: Eradication

Phase 5: Recovery

Phase 6: Post-Incident

Regulatory notification timelines

Severity Classification Matrix

Key Contacts Template

Incident Response Checklist

Overview

NIST CSF 2.0 quick mapping (per SP 800-61 r3)

Phase 1: Preparation (Before Incidents)

Phase 2: Detection & Analysis

Initial Triage

Investigation

Phase 3: Containment

Short-Term Containment

Long-Term Containment

Phase 4: Eradication

Phase 5: Recovery

Phase 6: Post-Incident

Regulatory notification timelines

Severity Classification Matrix

Key Contacts Template