100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Security Incident Response Cheat Sheet

Security Incident Response Cheat Sheet

Covers the standard incident response lifecycle, containment strategies, and evidence handling for effectively managing security incidents.

2 PagesIntermediateFeb 8, 2026

Incident Response Lifecycle (NIST SP 800-61)

The standard phases of handling a security incident.

  • 1. Preparation- Build IR plan, playbooks, tooling, and trained team before an incident occurs
  • 2. Detection & analysis- Identify indicators, confirm the incident, determine scope and severity
  • 3. Containment- Limit damage: short-term (isolate host) and long-term (patch, rotate creds)
  • 4. Eradication- Remove the root cause: malware, backdoors, compromised accounts
  • 5. Recovery- Restore systems to normal operation, monitor closely for recurrence
  • 6. Post-incident (lessons learned)- Document timeline, root cause, and improvements to prevent recurrence

Quick Triage Commands (Linux Host)

Commands to gather volatile evidence early in an investigation.

bash
# Active network connections and listening portsss -tulnp# Running processes with full command linesps auxww# Recently modified files (last 24 hours)find / -mtime -1 -type f 2>/dev/null# Logged-in users and login historywlast -20# Scheduled tasks (common persistence mechanism)crontab -lls -la /etc/cron.d/

Containment Strategies

Common approaches to stop an incident from spreading.

  • Network isolation- Move affected host to a quarantine VLAN instead of full power-off, to preserve volatile evidence
  • Disable compromised accounts- Force password reset and revoke active sessions/tokens
  • Block indicators of compromise- Deny known malicious IPs/domains/hashes at firewall, proxy, and EDR
  • Preserve evidence first- Capture memory/disk images before remediation actions overwrite evidence

Key IR Team Roles

Typical responsibilities during an active incident.

  • Incident commander- Coordinates the response, makes final decisions, manages communication
  • Security analyst- Performs technical investigation, log analysis, and containment actions
  • Legal/compliance- Advises on breach notification obligations and regulatory requirements
  • Communications/PR- Manages internal and external messaging about the incident
Pro Tip

Never power off a compromised machine as your first action — it destroys volatile evidence in memory (running processes, network connections, encryption keys); isolate it from the network first, then image memory before shutdown.

Was this cheat sheet helpful?

Explore Topics

#SecurityIncidentResponse#SecurityIncidentResponseCheatSheet#Cybersecurity#Intermediate#Incident#Response#Lifecycle#NIST#Security#CheatSheet#SkillVeris