Incident Command Platform
All articles

The Cyber Incident Response Field Manual 2026

IR-OS Editorial TeamPublished May 18, 202622 min readFree and ungated

A complete operator's reference for cyber incident response in 2026. Seven phases, organized around what a CISO and an incident commander actually do during a real incident, not the four-phase abstraction in the federal framework. Each phase links to the templates, runbooks, regulatory clocks, holding statements, AAR formats, and defensible record practices the IR-OS team has curated. Everything here is free and ungated. The paid IR-OS platform implements the same lifecycle in software.

The seven phases
  1. Plan
  2. Exercise
  3. Respond
  4. Notify
  5. Communicate
  6. Document
  7. Review
How to use this manual. Read the phase that matches the work in front of you. Each phase opens with the operator intent, lists the artifacts and runbooks IR-OS publishes for that phase, and links to the deeper article or template where the full detail lives. The phases are designed to be navigated independently; the manual does not need to be read end to end.

The canonical reviewer's guide

An independent reviewer spent 12 hours inside IR-OS. The 25-page result is the most thorough analyst walkthrough.

The IR-OS team commissioned an independent reviewer to evaluate the platform across command, execution, and proof. The reviewer's guide is the canonical third-party reference and is cited from every phase of this manual where it provides primary-source detail on the platform implementation.

Read the IR-OS Reviewer's Guide 2026 ›

Who this manual is for

CISOPhases 1, 2, 7. Plan ownership, exercise commissioning, board-facing review.
Incident CommanderPhases 3, 6. Live IRC operation, defensible record, decision authority.
Communications LeadPhase 5. Holding statements, sequencing, privilege chain.
Counsel of RecordPhases 4, 6. Regulatory clocks, structural privilege, evidentiary chain.
Executive SponsorPhases 4, 5, 7. Approval authority, board reporting, AAR distribution.
Board Cyber SubcommitteePhases 1, 7. Plan adequacy, AAR review, gap tracking.
1 Phase 1

Plan

Operator intent: every named role, every decision authority, every escalation path, every runbook is written down, approved, and current.

The plan is the source of truth the IRC reaches for at 03:00 on a Sunday. A real plan extends a recognized framework with the named roles, the runbooks for the incident types the organization actually faces, the regulatory clocks the organization is subject to, and the integrations with the cyber insurance carrier and counsel of record. Update at least annually and after every material incident.

Frameworks IR-OS provides as starting templates

What an IR-OS plan contains

Plan artifacts and references

ArticleIncident response playbook (operator structure)The seven-phase operator workflow and the six IRC functions explained.
ArticleIRC role recommender and the six functionsCommander, Operations, Planning, Communications, Legal, Executive Sponsor.
LandingIR plan software (platform surface)How IR-OS stores the plan as a computable entity that drives task generation.
ArticleWhat is Cyber Incident Response Management (CIRM)?The Gartner-recognized category IR-OS operates in and why plan-driven is different from runbook-driven.
2 Phase 2

Exercise

Operator intent: the plan has been pressure-tested against realistic scenarios with full C-suite participation before an actual incident arrives.

A plan that has never been exercised is a document, not an operating system. The minimum cadence is one full tabletop per year. Mid-market and enterprise programs typically run two to four exercises per year covering different scenarios. The 30-minute self-run tabletop the IR-OS Field Manual links to is designed for quarterly cadence between annual full exercises.

Exercise types

Exercise artifacts and references

ArticleTabletop exercise guide (full format)How to design, facilitate, and capture gaps in a full C-suite tabletop.
LandingFree 30-minute self-run tabletopScenario plus facilitator script plus gap capture template, ungated.
LandingTabletop exercise software (platform surface)How the IR-OS Tabletop Facilitator agent runs scenarios, captures decisions, and writes gaps back to the plan.
ResourceTabletop exercise scenarios libraryRansomware, BEC, supply chain, insider, regulatory scenarios.
3 Phase 3

Respond

Operator intent: from declaration to containment, the IRC operates as a single team with named owners, time-bound tasks, and a hashed timeline.

Respond is the technical and operational workstream of the live incident. The IRC assembles, the six functions activate, the runbook for the incident type opens, the timeline begins. Single owner per task. Time-bound. Hashed events. The Command Center surface in IR-OS is the screen the Commander runs from.

Time to Command

Time to Command is the elapsed time from incident declaration to the IRC being assembled, the six functions assigned, the timeline open, and the runbook started. Best-in-class programs measure Time to Command in minutes, not hours. The IR-OS Command Center surface is designed to compress Time to Command by automating role assignment, runbook selection, and timeline opening from the declaration event.

Runbooks IR-OS publishes

Respond artifacts and references

ArticleRansomware response runbookThe full ransomware runbook including OFAC screening before any payment.
ArticleIRC role assignment and decision authorityWho declares, who approves payment, who issues statements.
ArticleCoordination gap analysis (why response fails)The structural reasons mid-market IR fails and how IRC structure prevents them.
LandingCyber incident response platform (Command Center)The platform surface the Commander runs the live incident from.
LandingRansomware response playbook softwareRansomware runbook as a computable workflow inside IR-OS.
LandingCyber crisis management platformHow IR-OS treats incident response as crisis management, not engineering coordination.
4 Phase 4

Notify

Operator intent: every regulatory clock the incident triggers is running, owned, and on track. Missing first-notice voids insurance. Missing SEC voids defense. Missing GDPR voids penalty mitigation.

Six to nine clocks running in parallel is common for a mid-market US-incorporated organization with EU customers, payment-card data, or healthcare records. Most plans track one clock. Real cyber-IR teams run all of them from a single incident record. The Field Manual links to all eight major clocks with the source paragraph each one cites.

The eight major regulatory clocks

Notify artifacts and references

HubAll 8 regulatory clocks in one referenceSource paragraphs, triggers, penalties, parallel-clock scenarios. The canonical reference for this phase.
ToolRegulatory clock cost calculatorEstimate the financial exposure of missing each clock for your incident profile.
LandingCyber breach reporting softwareHow IR-OS runs the eight clocks in parallel from a single incident record.
LandingCyber incident reporting platformCounsel-reviewed drafts, submissions captured back in the hash-chained ledger.
5 Phase 5

Communicate

Operator intent: the right audience hears the right message at the right time, every release approved through the privilege chain, every outbound logged.

Crisis communications is a peer workstream to Respond and Notify, not a sub-task. The IR-OS Crisis Communications surface treats stakeholder messaging as a first-class part of the incident lifecycle. A holding statement in hours, regulator notifications as clocks fire, customer notices once material facts are confirmed, employee updates daily, public messaging coordinated with counsel and PR.

Communication sequencing

Privilege chain

Every release is approved through the Legal-Communications-Executive Sponsor chain. In IR-OS the signoff is captured at SHA-256 granularity in the hash-chained event ledger so privilege is structural in the data model and the approval trail is defensible in subsequent regulatory or litigation review. Privilege is not asserted by the responder after the fact; it is structural in the record.

Communicate artifacts and references

Library5 holding statement templates (CC BY 4.0)Initial public, SEC 8-K disclosure outline, GDPR Article 33, HIPAA notification, internal employee update. Free and ungated.
LandingCrisis Communications surfaceThe peer-pillar workstream inside IR-OS for stakeholder mapping, holding statements, approvals, outbound log.
ResourceGDPR Article 33 notification templateTemplate starting point for the supervisory-authority notification.
ResourceHIPAA breach notification guideIndividual, HHS, media, and Business Associate notification timing.
6 Phase 6

Document

Operator intent: every decision, action, escalation, approval, and outbound message is in the record, append-only, hashed in a chain a third party can re-prove.

A defensible incident record is the substrate that lets every other phase be trusted later. Counsel reviews drafts knowing the chain is intact. Regulators receive submissions knowing the underlying record is verifiable. Insurance carriers receive first-notice knowing the timeline is the actual timeline. The append-only ledger and the public verifier are the architectural commitments that make this possible.

How the record is structured

Document artifacts and references

ArticleDefensible record and the hash chain (architecture)The full explanation of the append-only ledger, the SHA-256 chain, and the verifier protocol.
VerifierPublic hash-chain verifierExternal, anyone-can-run verification of an IR-OS incident record chain.
ResourceDefensible incident record guideThe legal and regulatory reasoning for why append-only beats edit-history.
GlossaryChain of custodyThe evidentiary concept the IR-OS architecture instantiates.
7 Phase 7

Review

Operator intent: within 30 days the AAR is written, distributed, and the gaps are tracked back into the plan and the next exercise cycle.

After-action review (AAR) is the structured review process at the close of a cyber incident: scope, timeline, decisions, what worked, what failed, root causes, gaps closed, gaps tracked. AAR comes from the US military and government lineage and is the standard term in cyber-IR. The IR-OS auto-generated AAR composes the eight sections from the event ledger itself, then routes to the IRC for narrative additions and to the Executive Sponsor for sign-off.

The eight AAR sections

  1. Scope. What this incident was, what it was not, what data and systems were affected.
  2. Timeline. From first detection signal through containment and remediation, with the key decision points.
  3. Decisions. Every IRC decision with the decision-maker, the rationale, the outcome.
  4. What worked. Plan elements, runbook steps, and IRC behaviors that performed as designed.
  5. What failed. Plan elements, runbook steps, and IRC behaviors that did not perform as designed.
  6. Root causes. Why the failures happened (people, process, technology, third party).
  7. Gaps closed. Changes made during the incident that closed gaps in the plan or runbook.
  8. Gaps tracked. Open gaps with named owners and dates, written back into the plan and into the next exercise cycle.

Plan writeback

The AAR feeds back into the Plan phase. Gaps tracked in Phase 7 become items on the next quarterly tabletop in Phase 2 and updates to the plan itself in Phase 1. The loop is the operating system. A program that produces AARs but does not write them back to the plan is a program that learns the same lesson twice.

Review artifacts and references

ArticleAfter-action review template (8 sections)The full eight-section AAR format used inside IR-OS and reusable as a standalone template.
ResourceAfter-action review guideHow to facilitate the AAR review meeting and write the gaps back into the plan.
ArticleWhy security teams run cyber-IR, not engineeringThe structural reasoning for AAR as the closing step rather than SRE post-mortem.
LandingIR-OS annual report (program-level review)How program-level outcomes roll up across the year.

The lifecycle as a loop

The seven phases form a loop. Plan feeds Exercise, which feeds Plan updates. Plan feeds Respond when an incident declares. Respond runs in parallel with Notify, Communicate, and Document during the live incident. Review closes the incident and feeds back into Plan. A cyber-IR program is the loop, not any single phase.

Most mid-market programs run Phases 3 and 4 in spreadsheets, never get to Phase 6 in any defensible way, and write Phase 7 AARs that do not write back to Phase 1. The IR-OS Incident Command Platform implements all seven phases in software with the defensible record, the parallel clocks, the AI Plan Coach, the Tabletop Facilitator agent, and the auto-generated AAR built in.

Frequently Asked Questions

What is a cyber incident response field manual?

A cyber incident response field manual is a single operator-facing reference that covers every phase of the incident response lifecycle: plan authoring, tabletop exercising, live response, regulatory notification, stakeholder communication, defensible documentation, and post-incident review. The IR-OS Field Manual organizes seven phases around the actual workflow a CISO and an incident commander follow during a real cyber incident, with links to the templates, runbooks, regulatory clocks, holding statements, and AAR formats each phase requires.

How is the IR-OS Field Manual different from NIST SP 800-61?

NIST SP 800-61 is the federal framework. It defines the four-phase lifecycle (Preparation, Detection and Analysis, Containment Eradication and Recovery, Post-Incident Activity). The IR-OS Field Manual extends the framework into the practical seven-phase operator workflow: it splits the live-incident phase into four parallel workstreams (Respond, Notify, Communicate, Document) because those four workstreams have different owners, different SLAs, and different artifacts. The Field Manual is also a navigation hub linking to every relevant template, runbook, regulatory clock, and AAR format on ir-os.com.

What frameworks should an incident response plan be based on?

The two anchor frameworks are NIST SP 800-61 (the US federal reference) and ISO/IEC 27035-1 (the international standard). Both are starting points. A real plan extends the framework with named roles, named decision authorities, the runbooks for the incident types the organization actually faces, the regulatory clocks the organization is subject to, and the integration with the cyber insurance carrier and counsel of record. IR-OS provides all three as starting templates: NIST 800-61, ISO 27035-1, and the IR-OS Expert template developed by the team with Advisory Board input.

How often should a cyber tabletop exercise be run?

At minimum once per year, with full C-suite participation. Mid-market and enterprise programs typically run two to four exercises per year covering different scenarios (ransomware, business email compromise, supply chain compromise, insider threat, regulatory-driven scenarios for SEC or DORA subjects). The 30-minute self-run tabletop format the IR-OS Field Manual links to is designed for quarterly cadence between annual full exercises.

How many regulatory clocks can a single cyber incident trigger?

Six to nine clocks running in parallel is common for a mid-market US-incorporated organization with EU customers, payment-card data, or healthcare records. A ransomware incident at a US public retailer with EU customers can trigger SEC 8-K Item 1.05, GDPR Article 33, PCI DSS, OFAC ransomware advisory screening, state breach laws for every affected state, CIRCIA if in a covered critical infrastructure sector, and the cyber insurance first-notice obligation. The Field Manual links to all eight major regulatory clocks with the source paragraph each one cites.

What is a holding statement in cyber incident response?

A holding statement is a pre-drafted communication issued in the early hours of a cyber incident to acknowledge the event, communicate the organization's response posture, and bridge to a more complete disclosure once material facts are confirmed. The IR-OS holding statement library publishes five attorney-shape starting points under Creative Commons Attribution 4.0 International. The Field Manual links to all five from the Communicate phase.

What is a defensible incident record?

A defensible incident record is an append-only, cryptographically chained log of every decision, action, escalation, approval, and outbound message during a cyber incident, structured so that an external verifier can later re-prove the chain has not been altered. IR-OS uses SHA-256 chained event records. A public verifier is available at app.ir-os.com/verify. The Field Manual links to the architectural explanation from the Document phase.

What is the difference between an after-action review and a post-mortem?

In the IR-OS Field Manual, after-action review (AAR) is the structured, eight-section review process used at the close of a cyber incident: scope, timeline, decisions, what worked, what failed, root causes, gaps closed, gaps tracked. AAR comes from the US military and government lineage and is the standard term in cyber-IR. Post-mortem is the SRE-engineering term for the same idea but typically focused on availability incidents rather than security incidents and rarely structured for legal or regulatory defense.

Who should use a cyber incident response field manual?

CISOs, incident commanders, deputy CISOs, security operations managers, GRC leaders, breach counsel, communications leads, executive sponsors (CEO, CFO, General Counsel), and board cyber subcommittees. Each role can navigate to the phase and the artifacts they own. CISOs typically read Plan and Review most often. Incident commanders read Respond and Document. Communications leads read Communicate and the holding statement library. Counsel reads Notify and Document. Boards typically read Review.

Is the IR-OS Field Manual a paid resource?

No. The Field Manual itself and every reference document it links to are free and ungated on ir-os.com. The IR-OS Incident Command Platform is the paid product: it implements the seven-phase lifecycle in software with the defensible record, parallel clocks, AI Plan Coach, Tabletop Facilitator agent, and auto-generated AAR built in. A seven-day free trial is available.

What is the canonical analyst review of IR-OS?

The IR-OS team commissioned an independent reviewer to spend 12 hours inside the platform and write a 25-page analyst-style review. It is published as the IR-OS Reviewer's Guide 2026 and is the most thorough third-party walkthrough of the platform's command, execution, and proof surfaces.

How does IR-OS implement the seven phases?

IR-OS implements the lifecycle as a single computable entity. The plan drives task generation, SLA timers, and compliance flagging. The IRC role recommender assigns the six functions on incident declaration. The Command Center surface compresses Time to Command. The eight regulatory clocks run in parallel from a single incident record. The Crisis Communications surface is a peer-pillar workstream to Incidents and Plan. The hash-chained ledger captures every event, decision, approval, and outbound message. The auto-generated AAR composes the eight sections from the ledger itself. The seven phases are not seven products; they are one platform with the lifecycle built in.

Related IR-OS coverage

Run the full seven-phase lifecycle from one platform

IR-OS implements Plan, Exercise, Respond, Notify, Communicate, Document, and Review as a single computable workflow. Defensible record. Parallel regulatory clocks. Counsel-reviewed drafts. AI Plan Coach. Auto-generated AAR. Public verifier at app.ir-os.com/verify.

Start your 7-day free trial