After-Action Review Template for Cybersecurity Incidents
An after-action review (AAR) in cybersecurity is a structured debrief conducted after an incident or exercise that documents what was planned, what actually happened, why the two differed, and what corrective actions will be taken. The format originates from the US Army's Center for Army Lessons Learned and has been adapted for cyber incident response because it forces specificity -- every finding must have an owner and a deadline, not just an observation. Organizations that skip the AAR or conduct it as an informal conversation lose the single best opportunity to improve their response capability before the next incident.
This guide presents the 8-section AAR template used across hundreds of tabletop exercises and real incidents. Each section serves a distinct purpose in the post-incident learning cycle. For the condensed version built into IR-OS, see the after-action review template article.
What are the eight sections of an effective cybersecurity AAR?
The template is deliberately structured to move from facts (what happened) through analysis (why) to action (what changes). Skipping sections or reordering them undermines the methodology because each section builds on the one before it.
| Section | Purpose | Typical Length | Primary Contributor |
|---|---|---|---|
| 1. Incident Summary | One-page executive overview of the event | 1 page | Incident Commander |
| 2. Timeline Reconstruction | Minute-by-minute record of actions, decisions, and communications | 2-5 pages | Scribe |
| 3. Root Cause Analysis | Technical and process root causes, contributing factors | 1-2 pages | Technical Lead |
| 4. What Worked | Controls, processes, and decisions that performed as intended | 1 page | All role holders |
| 5. What Did Not Work | Failures, gaps, and breakdowns in process, tooling, or communication | 1-2 pages | All role holders |
| 6. Notification and Compliance Review | Assessment of regulatory notification accuracy and timeliness | 1 page | Legal Liaison |
| 7. Corrective Actions | Specific changes with assigned owner, deadline, and success metric | 1-2 pages | IC + all role holders |
| 8. Executive Summary and Board Brief | Board-ready summary with risk impact and investment recommendations | 1 page | Executive Sponsor + IC |
How do you reconstruct an accurate incident timeline?
The timeline is the foundation of the entire AAR. Every subsequent section -- root cause, what worked, what failed -- depends on having an accurate, granular record of what happened and when. Timeline reconstruction is the Scribe's primary deliverable, but it requires input from every role holder.
The process works as follows:
- Start with the Scribe's log -- The real-time notes taken during the incident form the backbone. In IR-OS, this is the hash-chained event ledger that produces a tamper-evident timeline automatically. Outside IR-OS, this is typically a shared document or chat channel that must be reconstructed manually.
- Cross-reference system logs -- Correlate the Scribe's log with SIEM alerts, EDR detections, firewall logs, email timestamps, and communication platform records to fill gaps and correct inaccuracies.
- Interview role holders -- Each person who held a named role provides their recollection of key decision points, especially where the written record is incomplete.
- Normalize timestamps -- Ensure all entries use the same timezone and clock source. Inconsistent timestamps are the most common source of timeline disputes.
If you cannot reconstruct what happened with confidence, you cannot determine why it happened. The timeline is not optional paperwork -- it is the analytical foundation of the entire review.
What makes a root cause analysis actually useful?
Most root cause analyses in cybersecurity stop at the technical cause: the attacker exploited a vulnerability, or a user clicked a phishing link. A useful root cause analysis goes at least three levels deeper to identify the systemic conditions that allowed the technical cause to succeed.
The "Five Whys" technique, while simple, is effective when applied rigorously:
- Why did the attacker gain access? -- A VPN account lacked MFA.
- Why did the account lack MFA? -- The account was a service account excluded from the MFA rollout.
- Why was it excluded? -- The MFA project tracked user accounts but did not inventory service accounts.
- Why were service accounts not inventoried? -- No process existed for maintaining a service account inventory.
- Why was there no inventory process? -- Service account governance was not assigned to any team.
The root cause is not "attacker exploited a VPN account." The root cause is "no ownership of service account governance." The corrective action targets the root cause, not the symptom. NIST SP 800-61 recommends this layered approach to root cause identification, and the NIST Computer Security Incident Handling Guide provides additional frameworks for structured analysis.
How should corrective actions be structured to ensure follow-through?
The corrective actions section is where most AARs fail. Organizations produce well-written findings and then assign vague actions with no deadlines, no owners, and no success metrics. Six months later, the same gaps appear in the next incident.
Every corrective action must include five elements:
- Finding reference -- Which specific finding from sections 4 or 5 does this action address?
- Action description -- A specific, measurable action (not "improve MFA" but "enroll all service accounts in MFA by June 30").
- Owner -- A named individual, not a team or department.
- Deadline -- A calendar date, not "Q3" or "next quarter."
- Success metric -- How will completion be verified? What evidence demonstrates the action was effective?
What common mistakes make after-action reviews ineffective?
After facilitating hundreds of AARs across tabletop exercises and real incidents, the same failure patterns appear repeatedly:
- Conducting the AAR too late -- Memory degrades rapidly. An AAR conducted four weeks after incident closure produces significantly less accurate findings than one conducted within five to ten business days.
- Turning it into a blame session -- The AAR must focus on process and system failures, not individual mistakes. When participants fear personal consequences, they withhold information that is essential for accurate root cause analysis.
- Skipping "what worked" -- Organizations fixate on failures and ignore successes. Documenting what worked is equally important because it identifies controls and processes worth preserving and investing in.
- Vague corrective actions -- "Improve detection capabilities" is not a corrective action. It is a wish. Corrective actions must be specific enough that completion can be objectively verified.
- No follow-up mechanism -- Without a tracking system and a governance process that reviews corrective action progress, the AAR becomes shelf-ware.
- Excluding external participants -- The breach coach, forensics firm lead, and insurance coordinator all hold information that internal participants do not. Their perspective is essential for a complete picture.
The US Army's AAR methodology, which is the foundation of this template, emphasizes that the review must be conducted in a climate of professional candor. The US Army Center for Lessons Learned publications provide extensive guidance on facilitation techniques that maintain this standard.
Should the AAR be conducted under attorney-client privilege?
For any incident involving litigation risk, regulatory investigation, or insurance claims, the answer is almost always yes. An AAR that candidly documents failures, near-misses, and process breakdowns is exactly the kind of document that plaintiffs' attorneys and regulators will seek in discovery.
To establish and maintain privilege:
- Have legal counsel initiate the AAR process and direct its scope
- Mark every document as "Privileged and Confidential -- Prepared at the Direction of Counsel"
- Limit distribution to participants and those with a need-to-know
- Do not circulate the AAR broadly or post it on internal wikis
- Create a separate, non-privileged summary for operational teams that contains corrective actions without the candid findings
Consult with your legal team before distributing any AAR documents. The IR-OS defensible record is designed to maintain evidentiary integrity that supports privilege assertions.
Generate your AAR automatically from the incident record
IR-OS produces a structured after-action review from the hash-chained event ledger, pre-populated with timeline, role-specific findings, and corrective action templates.
Start free