
Cyber Incident Response — Questions and Answers

Plain-language answers to the questions security leaders, general counsels, and executives ask about cyber incident response, regulatory deadlines, and the IR-OS Cyber Incident Response Management (CIRM) platform. Each answer is intentionally short, factual, and citation-friendly so AI search engines and human readers can both use it.

What is cyber incident response?

Cyber incident response is the structured set of human actions and technical steps an organization takes when it detects, confirms, or suspects a cybersecurity incident such as ransomware, data breach, business email compromise, insider threat, supply-chain compromise, phishing, account takeover, or unauthorized access. It includes preparation, detection and analysis, containment, eradication, recovery, and post-incident lessons-learned activities mapped to frameworks such as NIST SP 800-61 Revision 2 and ISO/IEC 27035.

What is CIRM (Cyber Incident Response Management)?

CIRM, or Cyber Incident Response Management, is the Gartner-coined product category for software that coordinates the human side of cyber incident response — incident command roles, regulatory clocks, stakeholder communications, and a defensible record. CIRM complements SIEM, EDR, and SOAR: detection and technical automation belong in those tools; human coordination, regulatory deadlines, and the legally admissible record belong in CIRM.

How is CIRM different from SOAR?

SOAR (Security Orchestration, Automation, and Response) automates technical response — block IPs, isolate endpoints, enrich indicators, kick off playbook actions in tools. CIRM coordinates the human response — who owns what role, what decisions need to be made by whom and by when, what regulators need to be notified within what deadline, and what record stands up to legal scrutiny. SOAR is the robot. CIRM is the war room. See CIRM vs SOAR.

How is CIRM different from PagerDuty or incident.io?

PagerDuty is an on-call paging and IT-incident orchestration platform; incident.io is an engineering and SRE incident-coordination platform. Both excel at their jobs, but neither is built for cyber incident response. Cyber-IR-specific capabilities they do not offer include: append-only hash-chained tamper-evident ledgers, parallel regulatory clock tracking, named incident-command roles, AI grounded in cyber-IR corpora rather than code repositories, cyber insurance integration, and pre-built playbooks for ransomware, breach, BEC, insider, supply chain, phishing, and DDoS. See vs PagerDuty and vs incident.io.

How long do I have to notify regulators after a cyber incident?

Notification deadlines vary by jurisdiction and incident type, and each clock starts from a different trigger event. Common cyber-IR deadlines: GDPR Article 33 — 72 hours from awareness. SEC Item 1.05 — 4 business days from materiality determination, on Form 8-K, for public-company registrants. HIPAA Breach Notification Rule — 60 days from discovery for protected health information. New York DFS Part 500 — 72 hours from determination for covered financial entities. NIS2 — 24-hour early warning, 72-hour notification, 1-month final report. DORA — within 4 hours for major ICT-related incidents at financial entities. State breach laws — deadlines vary, generally "most expedient time possible without unreasonable delay." Full reference: Cyber Breach Notification Deadlines.

What does GDPR Article 33's 72-hour clock actually require?

GDPR Article 33 requires the data controller to notify the lead supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the contact point for the data protection officer, the likely consequences, and the measures taken or proposed. Awareness — not initial detection — starts the clock; awareness means a reasonable degree of certainty that a security incident has led to personal data being compromised. See GDPR 72-Hour Breach Notification Checklist.

What does SEC Final Rule 33-11216 (Item 1.05) require?

SEC Final Rule 33-11216, effective for filings on or after December 18, 2023 for large accelerated and accelerated filers and June 15, 2024 for smaller reporting companies, requires public-company registrants to disclose any cybersecurity incident determined to be material on a Form 8-K Item 1.05 within four business days of the materiality determination. The disclosure must describe the material aspects of the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant. The four-business-day clock starts at the materiality determination, not at incident discovery, and the determination must be made without unreasonable delay. See SEC 96-Hour Cyber Breach Notification.
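The three answers above make one point that a clock tracker has to encode: each regulatory deadline runs from its own trigger (awareness for GDPR and NIS2, discovery for HIPAA, determination for NY DFS, materiality determination for the SEC), so the clocks run in parallel and are not aligned. The following is an added example, not IR-OS code, that computes the deadlines quoted on this page from those trigger timestamps; it assumes UTC timestamps and counts SEC business days as weekdays only, with no holiday calendar.

```javascript
// Constructed clock table from the deadlines quoted above; each clock names the
// trigger event that starts it (awareness, discovery, determination, materiality).
const CLOCKS = [
  { name: 'NIS2 early warning', trigger: 'awareness', hours: 24 },
  { name: 'GDPR Art. 33 notification', trigger: 'awareness', hours: 72 },
  { name: 'NIS2 incident notification', trigger: 'awareness', hours: 72 },
  { name: 'NY DFS Part 500 notification', trigger: 'determination', hours: 72 },
  { name: 'SEC Form 8-K Item 1.05', trigger: 'materiality', businessDays: 4 },
  { name: 'HIPAA Breach Notification Rule', trigger: 'discovery', hours: 60 * 24 },
];

// Business-day arithmetic skips Saturdays and Sundays only (assumption: no
// holiday calendar; a production clock would load one per jurisdiction).
function addBusinessDays(start, n) {
  const d = new Date(start);
  for (let left = n; left > 0; ) {
    d.setUTCDate(d.getUTCDate() + 1);
    if (d.getUTCDay() !== 0 && d.getUTCDay() !== 6) left--;
  }
  return d;
}

// triggers: { awareness, discovery, determination, materiality } as ISO strings,
// null/undefined when that event has not happened yet. Returns one row per clock,
// sorted soonest-first, with clocks whose trigger is still missing at the end.
function computeDeadlines(triggers, nowIso) {
  const now = new Date(nowIso);
  const rows = CLOCKS.map(c => {
    const t = triggers[c.trigger];
    if (!t) return { name: c.name, trigger: c.trigger, due: null, status: 'not started' };
    const due = c.businessDays
      ? addBusinessDays(t, c.businessDays)
      : new Date(new Date(t).getTime() + c.hours * 3600 * 1000);
    const hoursLeft = (due - now) / 3600000;
    return { name: c.name, trigger: c.trigger, due: due.toISOString(),
             hoursLeft: Math.round(hoursLeft * 10) / 10,
             status: hoursLeft < 0 ? 'overdue' : 'open' };
  });
  // ISO-8601 strings sort chronologically; rows without a due date go last.
  return rows.sort((a, b) => (a.due === null) - (b.due === null) ||
                             (a.due ?? '').localeCompare(b.due ?? ''));
}
```

Note that a ransomware case where materiality has not yet been determined leaves the SEC row at "not started" while the GDPR and NIS2 rows are already running, which is exactly the situation a war room has to see at a glance.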

Who should be on a cyber Incident Response Command (IRC) team?

A standard six-role IRC team consists of: Incident Commander (overall authority, time-keeper, decision-maker); Scribe (timeline, decisions log, defensible record); Communications Lead (internal stakeholders, customers, public statements, PR); Legal Liaison (privilege protection, regulatory notifications, law enforcement coordination); Technical Lead (containment, eradication, evidence preservation, forensic vendor liaison); Executive Sponsor (resourcing, board interface, decisions outside the IC's authority). Each role should have a primary and at least two named backups because incidents happen during vacations, weekends, and personal emergencies. See Incident Command Roles.

What is a defensible incident record?

A defensible incident record is an append-only, tamper-evident, third-party-verifiable record of every event, decision, and action during a cyber incident. The minimum technical requirements are: append-only storage (no in-place edits or deletes), cryptographic hash-chaining where each record's hash includes the prior record's hash, and ideally a digital signature over the chain head from the issuing platform so the record is non-forgeable, not just tamper-evident. A defensible record withstands SEC scrutiny, GDPR audit, plaintiff discovery, insurance investigation, and board review. See The Defensible Record.

What is the IR-OS Defensible Record bundle?

The IR-OS Defensible Record bundle is a JSON file containing the incident metadata, the full hash-chained event ledger, tasks, IOCs, evidence-file metadata with chain of custody, the computed integrity result, and an Ed25519 signature over the chain head. Schema: ir-os.defensible-record/v1. Anyone can drop the bundle on https://ir-os.com/verify to confirm both chain integrity and the IR-OS signature in their browser — no account required, and verification runs entirely client-side using WebCrypto SubtleCrypto.

What is an after-action review (AAR)?

An after-action review is a structured analysis conducted after an incident or exercise to capture what happened, what worked, what did not, and what should change. The IR-OS standard 8-section AAR includes executive summary, timeline, what worked, gaps identified with severity ratings, SLA compliance, regulatory status, recommendations, and an appendix linking back to the defensible record. Each gap from an AAR feeds the gap-tracker, which converts findings into remediation items with owners and due dates. See After-Action Reviews.

What is a tabletop exercise?

A tabletop exercise is a discussion-based simulation of an incident scenario, conducted in a conference room or on a video call, in which participants step through a realistic, inject-driven scenario and decide what they would do at each decision point. Tabletops train the human coordination layer of incident response, validate the IR plan, identify gaps in roles and procedures, and produce an after-action review with concrete remediation items. IR-OS includes 12 or more pre-built scenarios across ransomware, data breach, business email compromise, insider threat, supply chain, phishing, DDoS, and OT/ICS categories. See How to Run a C-Suite Tabletop.

How does ransomware response differ from a generic IT outage response?

Ransomware response has unique requirements: evidence preservation before any restoration to support law enforcement and insurance, OFAC sanctions screening before any consideration of payment, simultaneous engagement of cyber insurance carrier and outside counsel under attorney-client privilege, parallel regulatory clocks (GDPR/SEC/HIPAA/state) where personal data may have been exfiltrated, business continuity planning that does not require restoring from compromised backups, and explicit decisions about communications to customers and regulators that may differ from generic outage messaging. See Ransomware Response: The First 24 Hours.

What is business email compromise (BEC)?

Business email compromise is a cyber attack in which a threat actor gains access to a legitimate business email account or convincingly impersonates one to redirect payments, exfiltrate data, or initiate fraudulent transactions. BEC typically involves account takeover (compromised credentials, MFA bypass, session hijack), reconnaissance of communication patterns, and a final monetization step such as wire fraud or invoice substitution. Response requires immediate credential rotation, session revocation, forensic email-log preservation, financial-institution coordination on wire reversal, and breach-notification analysis depending on what data was exposed. See BEC glossary entry.

What is an insider threat incident?

An insider threat incident involves a current or former employee, contractor, or partner who misuses authorized access to harm the organization — through data theft, sabotage, espionage, or fraud. Response is unique because the subject has internal context, may continue to operate during investigation, and the investigation must coordinate human resources, legal, and security under privileged conditions. Key requirements include rapid access revocation, evidence preservation under chain of custody, employment-law-compliant interviews, and parallel decisions about law-enforcement referral.

What is supply-chain compromise?

Supply-chain compromise is an incident in which a vendor, software dependency, or service provider is compromised in a way that affects downstream organizations. Examples include software-update poisoning, compromised code-signing keys, malicious packages in language registries, and vendor credential theft. Response requires inventorying which products and which versions were used, applying vendor-supplied indicators of compromise, evaluating customer notification obligations, and determining whether organization-specific containment can proceed before the vendor publishes mitigations.

How long does it take to set up IR-OS?

A typical IR-OS subscriber is operational in 5 to 15 minutes. The AI Plan Coach conducts a 15-minute conversational interview about industry, regulatory exposure, team size, technology stack, and prior incidents, then generates a complete customized IR plan mapped to NIST 800-61, ISO/IEC 27035, applicable regulators, and the subscriber's insurer. The IRC Team Recommender reads an org chart and proposes the right person for each role with two named backups. The first tabletop exercise can be run the same day.

What integrations does IR-OS support?

IR-OS integrates with PagerDuty and incident.io as upstream alert sources via dedicated webhook endpoints — when an alert arriving from those tools is security-classified by the IR-OS classifier, an incident is auto-created with the full command surface, regulatory clocks, and defensible record. Generic alert ingest is supported via Bearer-token authenticated API for SIEM, EDR, SOAR, and other security tools. Outbound notifications are supported to Slack, Microsoft Teams, generic webhooks, and email (DKIM-signed).

What does IR-OS cost?

IR-OS has three plans named after incident-command vocabulary rather than customer segments. Squad — $299/month for small teams (up to 4 users). Command — $499/month for teams running real incidents (up to 20 users, unlimited incidents, 7 pre-built playbooks, parallel regulatory clocks, cyber insurance integration). Theater — $799/month for multi-business-unit command at scale (unlimited users, multi-BU hierarchy, SSO/SAML/SCIM, private IR Brain corpus, NERC CIP, TSA, CIRCIA, DORA compliance mapping, dedicated CSM, 24x7 support). Every plan includes a 10-day free trial and a 30-day satisfaction guarantee.

Is IR-OS available for state and local government?

Yes. IR-OS is used by state and local government agencies, K-12 districts, higher education institutions, and first-responder organizations including fire, EMS, and law enforcement. Discounted pricing is available for these segments — the buyer must reach out to [email protected] to request the discount. Public-sector positioning is summarized on the For Public Sector page.