Why most plans fail

The classic incident response plan is a binder written for an auditor, not a responder. When a real incident hits at 2 a.m., nobody opens a 40-page PDF. They need to know three things instantly: who to call, what to do first, and how to not make it worse.

The six phases (NIST 800-61)

  1. Preparation — tooling, contacts, and access ready before anything happens.
  2. Detection & analysis — confirm it's real and scope the blast radius.
  3. Containment — stop the bleeding (isolate, not annihilate).
  4. Eradication — remove the root cause.
  5. Recovery — restore and verify clean.
  6. Lessons learned — the step everyone skips and shouldn't.

The one-page runbook

For each likely scenario (ransomware, account takeover, data exposure), keep a single page:

  • Trigger: how you know it's happening.
  • First five minutes: the exact first actions, in order.
  • Roles: incident commander, communications lead, scribe.
  • Escalation: names, phone numbers, and the threshold to call legal/leadership.

Decide containment trade-offs in advance

The hardest call mid-incident is "do we pull the server offline and lose forensic data, or keep it up and risk spread?" Decide your default posture before the adrenaline hits.

Practice or it isn't real

Run a tabletop exercise quarterly. Thirty minutes of "what would we do if..." surfaces more gaps than any document review. The plan you've rehearsed is worth ten you've only written.