Skip to main content

Learning from a Security Incident: A Post-Mortem Checklist

by Tim Bandos on Wednesday December 28, 2022

Contact Us
Free Demo

Our Field Guide to Incident Response series concludes with a post-incident checklist you can use to make sure you’re learning from every incident and improving your defenses against future attacks.

Never let a good incident go to waste! Once you’ve made it through the containment and neutralization phase, there are still post-incident tasks to complete to make sure that you are learning from the incident and implementing measures to prevent similar incidents from happening again. Following a checklist for this post-incident activity will help you take a structured approach to understanding key details such as how the adversary got into your environment and what the attack motivation was. More importantly, these post-mortem activities will help determine the right preventative measures to stop similar incidents from happening in the future. At the highest level, the checklist should include:

  1. Complete an incident report: Documenting and disseminating the incident will help to improve the incident response plan and augment additional security measures to avoid such security incidents in the future.
  2. Monitor post-incident: Closely monitor for activities post-incident since threat actors will re-appear again. We recommend a security log hawk analyzing SIEM data for any sign of indicators tripping that may have been associated with the prior incident.
  3. Update Threat Intelligence: Update the organization’s threat intelligence feeds.
  4. Identify preventative measures: Identify new security initiatives to prevent future incidents.
  5. Gain cross-functional buy-in: Coordination across the organization is critical in order to implement new security initiatives.

Developing and tracking scorecards will also help you assess your incident response posture and identify new security initiatives that should be put in place. Develop scorecards to assess areas such as vulnerability assessments/remediation, SIEM event collection, continuous visibility, security configurations, etc. A scorecard that appears to have been dipped in red paint, indicating serious control gaps, will undoubtedly get the attention that it deserves. Here are some sample scorecard metrics I have used in the past:

Security Assessment

  • Percentage of Unpatched Vulnerabilities
  • Percentage of Fixed Vulnerabilities from Prior Month
  • Number of Network Leaks Found
  • Metrics on Security Tools Fully Deployed & Operational
  • Metrics on Security Detections/Blocks by Tool

Threat Intelligence

  • Percentage of High Fidelity IOCs configured for alerting
  • Number of alerts received from IOCs
  • APT campaigns discovered from IOCs configured for alerting

Incident Analysis

  • Percentage of Alerts triaged
  • Number of incident tickets opened and closed
  • Days from incident detection to closure
  • Actual average incident cycle time to target
  • Average Dwell Time (Initial Infection to Detection/Quarantine)

Security Operations

  • Percentage of Systems reporting into SIEM
  • Percentage of SIEM operational uptime


  • Enhanced Security Initiatives Implemented as a result of Incidents
  • These include projects identified as gaps in security posture for detecting / preventing threats

In addition, keep track of all cybersecurity controls the organization has in place and continuously monitor level of compliance to each of those controls. Example controls would be:

  • Application Software Security
  • Secure Technical Configurations
  • Disaster Recovery
  • Administrator Privileges
  • Monitoring & Analysis of Logs
  • Account Monitoring & Control
  • Incident Response
  • Data Protection
  • Malware Protection
  • Continuous Vulnerability Assessments
  • Inventory of Authorized & Unauthorized Software
  • Inventory of Authorized & Unauthorized Devices
  • Security Awareness
  • Network Defense

This concludes our Field Guide to Incident Response series – I hope you learned something and are more ready for your next security incident as a result. For more incident response guidance:

Download the Incident Responder's Field Guide

Read more in our Field Guide to Incident Response Series

  1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
  2. The Do’s and Don’ts of Incident Response
  3. Building Your Incident Response Team: Key Roles and Responsibilities
  4. Creating an Incident Response Classification Framework
  5. The Five Steps of Incident Response
  6. 3 Tips to Make Incident Response More Effective
  7. Using Existing Tools to Facilitate Incident Response
  8. Learning From a Security Incident: A Post-Mortem Checklist

Tags:  Incident Response

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.