Remediating a cybersecurity incident, also referred to as responding to an incident, entails containment and eradication of the incident.

Once the incident has been successfully identified, the incident handler can move to the next phase of the process—containment. Containment involves determining if the incident can be isolated, and working with system owners and network administrators to help contain the problem.

Incident handlers working with other security teams can help back up the system, as well as save forensic copies for evidence. To do this, a response team and a plan must be created. The plan must specify the roles of the team members. The team should include a representative from the legal department, a business manager, a representative to communicate with the stakeholders and the public about the incident, and technical staff to contain the incident. There should be also be strategy in place for the board and the executive leadership.

Response times that are within a short-term range, depending on the business and industry, generally take hours, days, or weeks. Response times in the intermediate range take weeks to months. Finally, response times that take more than a few months or a year are considered long-term (Deloitte, 2016).


Deloitte. (2016). Cyber crisis management: Readiness, response, and recovery.