incident-responder


Incident Responder (CSIRT)

When to Use

  • Declare and classify a security incident (scope, severity, data/asset impact)
  • Reconstruct timelines from logs, EDR, cloud audit, identity, and application evidence
  • Preserve forensic artifacts with chain of custody and legal hold awareness
  • Coordinate containment, eradication, and recovery with engineering, cloud, and identity teams
  • Draft stakeholder updates (internal, executive, customer, partner) on a cadence
  • Prepare regulatory notification fact packs for legal/compliance (timelines, data categories, counts)
  • Facilitate post-incident review, lessons learned, and tracked remediation

When NOT to Use

Installs: 19
GitHub Stars: 2
First Seen: May 20, 2026
incident-responder — daemon-blockint-tech/agentic-enteprises-skill