AAR — After Action Review/Report
An After Action Review (AAR) is a structured post-incident document that captures the complete incident timeline, the decisions made, the actions taken, what worked well, what failed, root causes, and specific recommendations for improvement. The AAR is the primary deliverable from the Post-Incident Activity phase of the NIST 800-61 incident response lifecycle.
Why AARs Matter
Without a formal after-action process, organizations repeat the same mistakes across incidents. The AAR transforms a painful event into institutional knowledge by documenting exactly what happened, why it happened, and what needs to change. AARs also serve critical compliance and legal functions: regulators, auditors, cyber insurance carriers, and legal counsel all reference post-incident documentation to assess the organization's response adequacy.
The AAR is not a blame document. Its purpose is organizational learning, not individual accountability. Teams that treat AARs as blame exercises quickly stop producing honest ones, which defeats the entire purpose.
AAR Structure
- Incident summary: Type, severity, scope, and business impact
- Timeline: Chronological record of events from detection through recovery, with timestamps
- What worked: Processes, tools, and decisions that performed as intended
- What failed: Gaps, delays, miscommunications, and tool failures
- Root cause analysis: The underlying factors that enabled the incident and response failures
- Recommendations: Specific, actionable improvements with assigned owners and deadlines
- Metrics: Mean time to detect (MTTD), mean time to contain (MTTC), mean time to recover (MTTR), and other relevant measurements
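As an added illustration (example code written for this page, not IR-OS code or anything from the original), the following Python assembles the sections above into one structured AAR record from a timestamped timeline and derives the response metrics from it. The phase names, the sample incident, and the metric definitions are assumptions: per incident they are times to detect, contain and recover, and MTTD/MTTC/MTTR are their means across a set of incidents.

```python
"""Build an AAR record from an incident timeline and compute response metrics.

Added example with constructed data; not IR-OS code and not from any real incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class TimelineEvent:
    ts: datetime
    phase: str          # assumed phase labels: compromise, detection, containment, recovery
    description: str


@dataclass
class Recommendation:
    action: str
    owner: str          # every recommendation carries a named owner ...
    due: datetime       # ... and a concrete deadline, so follow-up can be tracked
    completed: bool = False


# Constructed sample timeline for a hypothetical phishing incident.
SAMPLE_TIMELINE = [
    TimelineEvent(datetime(2024, 3, 4, 9, 12, tzinfo=UTC), "compromise",
                  "User opens malicious attachment; credential theft begins"),
    TimelineEvent(datetime(2024, 3, 4, 11, 40, tzinfo=UTC), "detection",
                  "EDR alert on credential dumping; SOC opens ticket"),
    TimelineEvent(datetime(2024, 3, 4, 13, 5, tzinfo=UTC), "containment",
                  "Host isolated; user password and sessions reset"),
    TimelineEvent(datetime(2024, 3, 5, 10, 0, tzinfo=UTC), "recovery",
                  "Host reimaged and returned to service"),
]


def first_event(events, phase) -> Optional[datetime]:
    """Earliest timestamp for a phase, or None if that phase never occurred."""
    times = [e.ts for e in events if e.phase == phase]
    return min(times) if times else None


def incident_metrics(events) -> dict:
    """Per-incident response times in hours (assumed definitions, adjust to your programme):
    ttd = first detection - initial compromise, ttc = first containment - first detection,
    ttr = first recovery - first detection. A value is None if an endpoint is missing."""
    compromise = first_event(events, "compromise")
    detection = first_event(events, "detection")
    containment = first_event(events, "containment")
    recovery = first_event(events, "recovery")

    def hours(start, end):
        return None if start is None or end is None else (end - start) / timedelta(hours=1)

    return {"ttd_h": hours(compromise, detection),
            "ttc_h": hours(detection, containment),
            "ttr_h": hours(detection, recovery)}


def mean_metrics(per_incident) -> dict:
    """MTTD/MTTC/MTTR: mean of each metric over the incidents that have it."""
    out = {}
    for key, mkey in (("ttd_h", "mttd_h"), ("ttc_h", "mttc_h"), ("ttr_h", "mttr_h")):
        values = [m[key] for m in per_incident if m[key] is not None]
        out[mkey] = mean(values) if values else None
    return out


def recommendation_status(recs, now: datetime) -> dict:
    """Split recommendations into done / open / overdue for the follow-up tracking step."""
    return {"done": [r for r in recs if r.completed],
            "open": [r for r in recs if not r.completed and r.due >= now],
            "overdue": [r for r in recs if not r.completed and r.due < now]}


def build_aar(summary, events, worked, failed, root_causes, recs, now) -> dict:
    """Assemble the AAR sections into one record; the timeline is sorted by timestamp."""
    ordered = sorted(events, key=lambda e: e.ts)
    return {"summary": summary,
            "timeline": [(e.ts.isoformat(), e.phase, e.description) for e in ordered],
            "what_worked": list(worked), "what_failed": list(failed),
            "root_causes": list(root_causes),
            "recommendations": recommendation_status(recs, now),
            "metrics": incident_metrics(ordered)}


def render_aar(aar) -> str:
    """Plain-text rendering of the record for the review meeting."""
    fmt = lambda v: "n/a" if v is None else f"{v:.2f}"
    lines = ["AFTER ACTION REVIEW", f"Summary: {aar['summary']}", "", "Timeline:"]
    lines += [f"  {ts}  [{phase}] {desc}" for ts, phase, desc in aar["timeline"]]
    for title, key in (("What worked", "what_worked"), ("What failed", "what_failed"),
                       ("Root causes", "root_causes")):
        lines += ["", f"{title}:"] + [f"  - {item}" for item in aar[key]]
    lines += ["", "Recommendations:"]
    for status, recs in aar["recommendations"].items():
        lines += [f"  [{status}] {r.action} (owner: {r.owner}, due {r.due.date()})" for r in recs]
    m = aar["metrics"]
    lines += ["", f"Metrics (h): TTD={fmt(m['ttd_h'])} TTC={fmt(m['ttc_h'])} TTR={fmt(m['ttr_h'])}"]
    return "\n".join(lines)


if __name__ == "__main__":
    now = datetime(2024, 3, 20, tzinfo=UTC)
    recs = [Recommendation("Block macro-enabled attachments at the gateway", "email-team",
                           datetime(2024, 3, 15, tzinfo=UTC)),
            Recommendation("Add credential-dumping detections to SOC runbook", "soc-lead",
                           datetime(2024, 4, 1, tzinfo=UTC))]
    print(render_aar(build_aar("Phishing-led credential theft on one workstation (constructed)",
                               SAMPLE_TIMELINE, ["EDR alert fired and was triaged within the hour"],
                               ["Attachment reached the user despite mail filtering"],
                               ["No attachment sandboxing on inbound mail"], recs, now)))
```

Metrics are left as None rather than zero when a phase is absent from the timeline (for example an incident that was never formally contained), so that a missing endpoint cannot silently improve the mean.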
Conducting an Effective AAR
Schedule the AAR meeting within one to two weeks of incident closure while memories are fresh. Include all participants from the response, not just the security team -- legal, communications, executives, and any external parties who were involved. Use the defensible record from the incident as the foundation rather than relying on individual recollections. Focus on systemic improvements rather than individual performance. Assign every recommendation to a specific owner with a concrete deadline, and track completion in the weeks that follow.