A template for your incident response plan

Thursday, 6 August, 2020

Welcome aboard

Cyber security incidents can be high-pressure situations with serious consequences for both businesses and individuals alike. That stress can compromise decision making (especially when tired!) and a good cyber incident response plan helps organisations to get their response right.

Recently while working with a client on improving their blue team and incident response capability they mentioned that they hadn’t been able to find an example of a good cyber incident response plan.

That came as a bit of a surprise, but they weren’t wrong. There are ‘how-tos,’ some thinly veiled vendor pitches, and plenty of other marketing materials. Some of it is old. Lots talk at a high level about the ‘phases’ of response. Many more are just ‘plans for a plan.’

There were a few notable exceptions - for example, the NCSC incident management collection has some good pointers - though we struck out looking for an example of ‘what good looks like’ that anyone can pick up and use as a base.

Given how critical responding to security incidents is we were surprised to not find a decent template to start from. So we set about researching, distilling and compiling all the best practice, augmented from our experience responding to some of the highest-profile cyber events in recent years.

Today we’re open-sourcing that work for any organisation, business or charity, to pick up and use as a base for their own cyber incident response plan (for free!)



It’s built around an ‘OODA loop’ where feedback from an observe, orientate, decide, act cycle helps you to remain agile and adjust to unfolding situations.

Analysis of Competing Hypotheses (ACH)

We also encourage you to use the analysis of competing hypotheses, an intelligence technique, to help keep things objective and rational while emotions are heightened.


It even includes incident response checklist for each step so you can make sure that you haven’t forgotten anything.

What you need to do

First up you’ll need to spend some time on…

  1. Who your key contacts are, and who deputises for them
  2. Tailoring the severity levels and escalation criteria
  3. Choosing the categories that you’ll assign to incidents

There are a few other bits highlighted yellow (on the GDocs and PDF versions) where you need to add details specific to your organisation. Those things will be unique to your organisation and where you should invest your time initially. The underlying process is complete and ready to go.

Once you’ve done that it’s time to communicate your plan. Arrange a session to discuss the process and responsibilities with all involved. Then schedule some exercises to test everyone’s understanding. This can be a desktop exercise or a technical simulation. NCSC’s Exercise-in-a-Box can help you to run either of these yourself, or you can seek support from an independent facilitator.


You can download the free, open-source incident response plan from cydea.Tools.

From there you can view the project on GitHub, access and copy a GDocs version, or download a PDF copy.

Remember if you’ve got any questions then get in touch or let us know how you’re getting on by tweeting @cydeaTools.

Thank you

Before publishing this work we’re thankful to have had input from Exercise3, Phil Huggins, and a few others that work at other leading cyber consultancies and government agencies.

Happy defending!

Photo by Nick Fewings on Unsplash