An official website of the United States government US flag signifying that this is a United States federal government website

Security Incident Response checklist

Security Incident Response checklist

This is a short, actionable checklist for the Incident Commander (IC) to follow during incident response. It’s a companion to the IR guide, where you can find the full details of each step.

You’re the first team member to notice a non-team-member’s report of a possible security incident regarding, or you’ve noticed an unreported possible security incident yourself. Congratulations, you’re now the Incident Commander (IC)! Follow these steps:



  • Confirm the incident — was it a real incident?
    • If it’s expected behavior, go to False Alarm.
    • If it’s unexpected behavior, it is a real incident even if it may not be’s responsibility.
  • Assess the severity, using the rubric in the IR guide.
  • Update the GitHub issue:
    • Status → “confirmed”
    • Severity → high/medium/low
    • List of responders
  • Assess whether to also activate the contingency plan.
  • Send an initial situation report (“sitrep”) (example sitrep) to:
    • Post in #incident-response
    • Email to and
    • Email/Slack other stakeholders, if applicable


  • You may not be able to “walk backwards” from the observed behavior to the root cause.
    • Consider the things that must be true for the behavior to occur, and test those hypothesis against the information that is available to you.
  • Keep the ticket/docs updated as people work, tracking:
    • Leads, and who’s following them
    • Remediation items, and who’s working on them, including customer notification (if appropriate to the situation)
  • Send out sitreps on a regular cadence (high: hourly; medium: 2x daily; low: daily).
  • Go into work shifts if the incident lasts longer then 3 hours.
  • Hand off IC if the incident lasts longer than 3 hours.

Once the incident is resolved:

  • Update the ticket, set status → “resolved”.
  • Send a final sitrep to stakeholders.
  • Schedule a retrospective.
  • Thank everyone involved for their service!

Special situations

Extra checklists for special situations that don’t always occur during incidents:

False Alarm

Follow this checklist if an event turns out not to be a security incident:

  • Update the GitHub issue, setting status to false alarm.
  • Close the GitHub issue.
  • Notify of the false alarm.
  • If any sitreps have been sent out, send a final sitrep to all previous recipients, noting the false alarm.

Handing off IC

Follow this checklist if you need to hand over IC duties:

  • Old IC: brief New IC on the situation.
  • New IC: confirm that you’re taking over.
  • New IC: update GitHub issue, noting that you’re now the IC.
  • New IC: send out a sitrep, noting that you’re taking over IC.
  • Old IC: stick around for 15-20 minutes to ensure a smooth handoff, then log off!