5 critical gaps in incident response planning — and how to fix them

Ryan Fried
Principal Consultant, Mandiant Consulting
José Toledo
Principal Consultant, Mandiant Consulting
While no organization is ever perfectly prepared for a cybersecurity crisis, there’s a big difference between a calculated response — and a frantic fumble.
A lack of preparedness can lead to internal confusion and a lack of organizational clarity when a crisis hits. If you have to guess who has the authority to isolate a server while an attacker moves laterally inside your network, your response will be hampered by indecision and procedural delays — and when it comes to responding to an incident, there’s very little time to sort out those questions.
Median dwell time for ransomware-related intrusions was six days overall, five days for adversary-notified events, and five days for compromises discovered by external entities, according to our M-Trends 2025 report.
The path to resilience is operational discipline. At Mandiant, we’ve taken expertise learned from thousands of investigations and built it into our Incident Response Preparedness Service (IRPS) and our recently released Guide to IR planning. These resources are designed to help you move from reactive to proactive by addressing the operational gaps that often hinder a successful recovery.
To help organizations avoid those frantic fumbles and build smarter, more resilient calculated responses, here are our top five recommendations for bridging common preparedness gaps that we often find when evaluating IR readiness.
1. Treat log health like a vital sign: Regularly check ingestion
Think of log health like a home security camera: It’s useless if the "record" button stopped working months ago. Log ingestion must be treated as a vital sign so you aren't surprised during a crisis.
We have seen cases where investigators needed VPN logs only to find that the connection to the SIEM had broken months prior. We recommend setting up automated health reports rather than relying on manual dashboard checks, and ensuring you’re collecting the data that matters most.
For example, ensure that PowerShell Module and Script Block logging are enabled and actually reaching your SIEM, as these are often among the first things an attacker tries to "unhook." The robust log capabilities of tools like Google Security Operations can help a lot here.
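The automated health report described above can be as simple as comparing each source's last-seen timestamp against the silence it is allowed, and checking that the specific event types you depend on actually arrived. The following is an added example and not code from the original post or from any Mandiant tool; the source names, thresholds and event records are constructed sample data, and the check flags a VPN source that went quiet months ago and a PowerShell source that delivers Module logging (event ID 4103) but never Script Block logging (event ID 4104).

```python
"""Log-ingestion health check (added example; constructed data, not from the post).

Each expected log source has a maximum tolerable gap since its last event and,
optionally, a set of Windows event IDs that must appear within a recent window.
Sources that are silent too long, or that stopped delivering a required event
type, are reported so the gap is found by a scheduled job rather than mid-incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Expectation:
    """What healthy ingestion looks like for one log source."""
    max_gap: timedelta                                 # longest acceptable silence
    required_event_ids: FrozenSet[int] = frozenset()   # event types that must keep arriving


# Constructed expectations. 4103 = PowerShell Module logging, 4104 = Script Block logging.
EXPECTATIONS: Dict[str, Expectation] = {
    "vpn-gateway": Expectation(max_gap=timedelta(minutes=15)),
    "win-powershell": Expectation(max_gap=timedelta(hours=1),
                                  required_event_ids=frozenset({4103, 4104})),
    "edr": Expectation(max_gap=timedelta(minutes=5)),
}

# Constructed sample of what the SIEM actually received: (source, timestamp, event_id).
SAMPLE_EVENTS: List[Tuple[str, str, Optional[int]]] = [
    ("vpn-gateway", "2025-01-10T08:00:00Z", None),      # connection broke months ago
    ("win-powershell", "2025-04-01T11:30:00Z", 4103),
    ("win-powershell", "2025-04-01T11:40:00Z", 4103),   # 4104 never shows up
    ("edr", "2025-04-01T11:58:00Z", 1),
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_ingestion(events, expectations, now: datetime,
                    window: timedelta = timedelta(days=1)) -> Dict[str, List[str]]:
    """Return {source: [findings]} for every expected source that is unhealthy.

    A source is flagged when it has never been seen, when its newest event is
    older than max_gap, or when a required event ID is absent from the last
    `window` before `now`.
    """
    last_seen: Dict[str, datetime] = {}
    recent_ids: Dict[str, set] = {name: set() for name in expectations}
    for source, ts, event_id in events:
        if source not in expectations:
            continue  # unknown sources are out of scope for this check
        t = parse_ts(ts)
        last_seen[source] = max(t, last_seen.get(source, t))
        if event_id is not None and now - t <= window:
            recent_ids[source].add(event_id)

    findings: Dict[str, List[str]] = {}
    for name, exp in expectations.items():
        problems: List[str] = []
        seen = last_seen.get(name)
        if seen is None:
            problems.append("no events ever received")
        elif now - seen > exp.max_gap:
            problems.append(f"silent for {now - seen} (limit {exp.max_gap})")
        missing = exp.required_event_ids - recent_ids[name]
        if missing:
            problems.append(f"required event IDs missing in last {window}: {sorted(missing)}")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    now = parse_ts("2025-04-01T12:00:00Z")
    for source, problems in check_ingestion(SAMPLE_EVENTS, EXPECTATIONS, now).items():
        print(f"[UNHEALTHY] {source}: " + "; ".join(problems))
```

Run it on a schedule and route the output to an alerting channel; the point of the required-event check is that a source can look alive by volume while the one event type you will need during an investigation has quietly stopped flowing.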
2. Establish a kill switch: Containment escalation and a RACI matrix
Time is the enemy during a breach. Moving quickly can contain an incident, but security teams often hesitate because they don't want to accidentally take a critical business system offline.
We recommend that you develop a containment-escalation matrix, a RACI (Responsible, Accountable, Consulted, and Informed) model for your response. By defining individual responsibilities — such as who is accountable for the final decision to flip the kill switch — and getting these roles pre-approved by leadership, you eliminate confusion when every second counts.
3. Move your secrets off-grid: Out-of-band communication
In a network compromise, communicating using corporate email is like discussing a surprise party while the guest of honor is standing right behind you. Attackers who have compromised your accounts can monitor your investigation in real time.
We recommend that you establish a dedicated, tested, out-of-band (OOB) communication channel approved for incidents only, such as a pre-configured war room link on a platform independent of your primary communication channel.
When selecting an OOB solution, ensure it meets both functional requirements — such as support for encrypted voice, real-time chat, secure file sharing, and the ability to send broadcast communications to the entire response team — and strict security requirements. These should include end-to-end encryption and mandatory multi-factor authentication (MFA) that is decoupled from your potentially compromised corporate identity provider.
This approach ensures your tactical discussions remain private and creates a clear, secure lane for stakeholders like Legal and Executives to operate.
4. Practice your fire drills: Written forensic processes
Many organizations choose to partner with third parties, such as Mandiant, to lead their forensic investigations. If that is your model, ensure your third-party integration goes beyond a signed contract to include practical onboarding playbooks and pre-approved procedures for emergency account creation. Doing so can help ensure external responders can begin their work without administrative delays.
However, if you maintain internal forensic processes, we recommend practicing those procedures repeatedly. Operating systems and forensic tools change so frequently that a tool used today may be blocked by a security update months later.
We recommend practicing forensic acquisition at least every six months across workstations, servers, and cloud assets. This training should include testing your chain of custody and evidence preservation workflows. Determining where to store memory images before they are needed ensures that regardless of the analyst working the incident, the proper procedures are followed and the evidence remains admissible and sound.
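One concrete artifact to rehearse in those drills is the evidence record itself: a manifest that ties an acquired image to its hash, its pre-agreed storage location and an append-only custody log that can be verified later. The following is an added example and not code from the original post or from any Mandiant tool; the image bytes, host name, storage path and analyst names are constructed, and the hash-linked custody log is one design choice for making the record tamper-evident, not a standard the post prescribes.

```python
"""Evidence manifest with hash-chained chain of custody (added example; constructed data).

The image hash is recorded at acquisition. Every custody event includes the hash
of the previous event (the first points at the image hash), so editing or
dropping an entry breaks verification of the whole log.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    action: str       # "acquired", "transferred", "verified", ...
    actor: str
    timestamp: str    # ISO 8601 UTC
    note: str
    prev_hash: str    # hash of the previous event, or of the image for the first event
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


@dataclass
class EvidenceManifest:
    item_id: str
    source_host: str
    kind: str                 # e.g. "memory image"
    storage_path: str         # decided before the incident, per the post
    acquisition_tool: str
    image_sha256: str
    custody: List[CustodyEvent] = field(default_factory=list)

    def append(self, action: str, actor: str, timestamp: str, note: str) -> CustodyEvent:
        """Add a custody event linked to the previous one."""
        prev = self.custody[-1].entry_hash if self.custody else self.image_sha256
        ev = CustodyEvent(action, actor, timestamp, note, prev)
        ev.entry_hash = ev.compute_hash()
        self.custody.append(ev)
        return ev

    def verify_image(self, image_bytes: bytes) -> bool:
        """True if the stored image still matches the hash taken at acquisition."""
        return sha256_hex(image_bytes) == self.image_sha256

    def verify_chain(self) -> bool:
        """True if no custody event was altered, removed or reordered."""
        prev = self.image_sha256
        for ev in self.custody:
            if ev.prev_hash != prev or ev.compute_hash() != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True


def build_sample_manifest() -> Tuple[EvidenceManifest, bytes]:
    """Constructed drill: acquire a (fake) memory image, record it, hand it off."""
    image = b"CONSTRUCTED-MEMORY-IMAGE" * 1024          # stands in for a real capture
    manifest = EvidenceManifest(
        item_id="EVID-0001",
        source_host="ws-example-01",
        kind="memory image",
        storage_path="/evidence/EVID-0001.raw",         # placeholder storage location
        acquisition_tool="<acquisition tool placeholder>",
        image_sha256=sha256_hex(image),
    )
    manifest.append("acquired", "analyst-a", "2025-04-01T12:05:00Z",
                    "Captured from live host during scheduled drill")
    manifest.append("transferred", "analyst-b", "2025-04-01T13:00:00Z",
                    "Copied to evidence share; hash re-verified on receipt")
    return manifest, image


if __name__ == "__main__":
    m, img = build_sample_manifest()
    print("image intact:", m.verify_image(img))
    print("custody log intact:", m.verify_chain())
    print(json.dumps(asdict(m), indent=2))
```

Practicing with a record like this every six months exposes exactly the drift the post warns about: a tool that no longer runs, a storage path nobody has rights to anymore, or a handoff step that only one analyst knew how to perform.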
5. Socialize and exercise the plan: Cross-functional maturity
The ultimate mark of incident response maturity is the ability to maintain a repeatable, predictable process under pressure. This requires more than a document on a shelf; it requires rehearsing the plan with cross-functional stakeholders in legal, public relations, and executive leadership. Regular tabletop exercises (TTXs) are a smart way to stress-test your plan, ensuring everyone understands their role and identifying friction points before a real incident occurs.
What to do next
Incident response strategies and tactics grow and evolve over time, and there is a wealth of information available on what works best today. Mandiant experts are offering a deeper look at how organizations can respond to changes in the threat landscape by updating their incident response plans in our new Beyond Cyberattacks: Evolution of Incident Response in 2026 webinar.
You can also contact Mandiant to learn more about our Incident Response Preparedness Service (IRPS), and to schedule a standalone Incident Response Plan Review.