Incident Lifecycle

The Incident Response Lifecycle defines the phases for managing a security incident from preparation through to post-incident review. It provides a consistent, repeatable process to ensure incidents are contained, eradicated, and recovered from effectively, while also capturing lessons to improve future response capability.


1. Preparation

Preparation establishes the readiness of both ThreatDefence and the Customer to respond effectively to incidents.

Customer Responsibilities:

  • Deploy the required ThreatDefence tools to provide visibility across the environment.

  • Ensure all contact details (phone numbers, email addresses, roles) are accurate and up to date.

  • Ensure nominated personnel are familiar with their responsibilities during an escalation.

  • Provide ThreatDefence with explicit authorization to perform endpoint and/or user isolation if required.


2. Detection and Analysis

ThreatDefence continuously analyzes telemetry from multiple sources. Detections can originate from anomalous behavior, suspicious activity, endpoint detections, threat hunting findings, automated alerts, and customer-reported issues.

Triage Process:

  • Automated Analysis: AI Assistant applies correlation, pattern recognition, and reasoning to reduce noise.

  • Contextual Review: SOC analysts validate detections, checking whether the activity is expected or suspicious.

  • Correlation: Detections are compared against related telemetry and threat intelligence to determine scope.

  • Severity Confirmation: Initial severity may be adjusted. Critical detections are escalated immediately.

  • Decision: SOC determines whether the detection should be closed, noted, or escalated.

Possible Outcomes:

  • Alert Closure – benign activity, false positive, or expected behavior.

  • SOC Notification – informational, low-severity notification sent to the customer.

  • Incident Declaration – malicious or credible threat requiring immediate response.


3. Incident Declaration and Escalation

An Incident Declaration is made when activity is assessed as a credible threat requiring immediate response.

  • If confirmed as malicious, a major incident is declared, and all stakeholders from ThreatDefence and the Customer are notified per the escalation matrix.

  • ThreatDefence declares an incident if there is reasonable suspicion of compromise.

  • Customers can also trigger Incident Response directly by contacting the SOC phone line or requesting escalation during an investigation.


4. Threat Containment

The SOC team acts to minimize impact and stop the threat.

ThreatDefence Actions:

  • Isolate affected endpoints (via agent).

  • Disable compromised accounts in Entra ID (Microsoft 365).

Customer IT Actions (with SOC guidance):

  • Rotate credentials for affected accounts.

  • Block identified indicators of compromise (files, processes, registry keys).

  • Shut down affected systems to prevent further spread.

  • Block or restrict specific network traffic.


5. Eradication and Recovery

Once contained, the SOC and Customer teams focus on removing malicious artifacts and restoring systems.

  • Root Cause Analysis: Confirm the attack vector and identify persistence mechanisms.

  • Artifact Removal: Eliminate malware, scripts, or unauthorized accounts.

  • Credential Actions: Reset or disable compromised accounts.

  • System Rebuilds: Re-image affected systems if required.

Recovery Phase:

  • Verify endpoints and services are clean.

  • Validate security controls are functioning.

  • Reconnect systems to the production network under SOC supervision.


6. Post-Incident Activities

After resolution, a structured post-incident review may be conducted to capture lessons and strengthen processes.

Lessons Learned:

  • Review attack vector, detection timelines, and response effectiveness.

  • Identify weaknesses in processes, tools, or communications.

  • Ensure all parties contribute to a complete picture of the incident.

Improvements:

  • Provide recommendations to improve endpoint protection, policies, or access controls.

  • Update incident response playbooks with findings.

  • Strengthen security posture to improve efficiency in future incidents.


The Incident Response Lifecycle ensures that both ThreatDefence and Customers have a repeatable, well-defined process for managing incidents, minimizing risk, and continuously improving operational resilience.
