Preparation, Playbooks, and Escalation
Key Takeaways
- Preparation defines roles, contacts, tools, authority, and procedures before an incident occurs.
- Playbooks provide repeatable steps for common incident types such as phishing, malware, lost devices, and account compromise.
- Escalation sends the right issue to the right people at the right time.
- Severity levels help teams decide urgency, communication, and management involvement.
- A beginner responder should follow the playbook, document actions, and ask for escalation when impact or authority exceeds their role.
Preparation Before the Incident
Incident response succeeds or fails before the first alert. Preparation means the organization has already decided who responds, how they communicate, what tools they use, what evidence they preserve, and who has authority to take disruptive actions. A beginner analyst may not write the whole plan, but they must understand why the plan exists and how to follow it.
Preparation includes contact lists, on-call schedules, logging coverage, asset inventories, backup procedures, legal and privacy contacts, and basic response tools. It also includes training. A plan that nobody has practiced is only a document. Tabletop exercises help teams walk through a scenario, such as a compromised payroll account, without waiting for a real emergency.
Playbooks
A playbook is a step-by-step guide for a common incident type. It does not replace judgment, but it gives responders a known starting point. For example, a phishing playbook might say to preserve the original email, identify recipients, block malicious URLs, search for similar messages, reset credentials if the user entered them, and warn affected users through approved channels.
| Playbook | Common first questions |
|---|---|
| Phishing | Who received it, who clicked, were credentials entered? |
| Malware | Which hosts are affected, is it spreading, what process or file is suspicious? |
| Lost device | Was it encrypted, can it be remotely locked, what data was stored? |
| Account compromise | What logins occurred, are sessions active, were mailbox or MFA settings changed? |
| Data exposure | What data, who accessed it, what notification rules may apply? |
Escalation
Escalation is not failure. It is how a team routes decisions to people with the correct authority and skill. A help desk technician may be allowed to disable an account but not to approve taking a revenue system offline. A security analyst may gather logs but may need legal approval before contacting law enforcement. A communications manager may handle public statements because inaccurate messages can increase harm.
Escalation usually depends on severity. A low-severity event might be a blocked malware file on one endpoint with no evidence of execution. A high-severity event might be active ransomware spreading across file servers. A severity rating may weigh business impact, data sensitivity, number of systems, attacker activity, regulatory obligations, and public visibility.
Scenario: Suspicious Email to Finance
A finance clerk reports an email that appears to come from the CFO requesting an urgent wire transfer. The message includes an attachment and an external reply-to address. A prepared team follows the phishing playbook. The analyst preserves headers, checks whether other users received the message, searches email security logs, blocks the sender or domain if appropriate, and asks finance whether any transfer occurred.
Escalation happens if money moved, credentials were entered, sensitive data was sent, executives are impersonated, or many users received the message. The analyst should not independently email the whole company with dramatic wording. The approved communication path matters because users need accurate instructions, not rumors.
What Beginners Should Do
An entry-level responder should know the boundary of their role. Follow the playbook. Record what you observed, when you observed it, and what action you took. Preserve evidence before making changes when practical. Escalate when the incident affects sensitive data, critical systems, many users, legal obligations, physical safety, or actions outside your authority.
For exam scenarios, look for the answer that uses a prepared process. Good preparation turns a stressful event into a manageable workflow: identify, document, contain, coordinate, and communicate through the correct channels.
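As an added example (not code from the original page), the following Python script walks the phishing playbook's first questions for the finance scenario above, applies the escalation triggers listed in that scenario, and records each action against the role boundaries described in the Escalation and What Beginners Should Do sections. The internal domain, the executive name list, the role/authority table, the recipient threshold and the severity tiers are all assumptions made for illustration, and the email is a constructed sample rather than a real message.

```python
"""Phishing-playbook triage and escalation helper (added example, not from the page).
Every constant below is an assumption made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumed internal mail domain
EXECUTIVE_DISPLAY_NAMES = {"jane doe"}   # assumed executive names, kept by the team
MANY_RECIPIENTS_THRESHOLD = 10           # assumed cutoff for "many users"
ROLE_AUTHORITY = {                       # assumed: which roles may take which actions
    "help_desk": {"disable_account", "block_sender"},
    "security_analyst": {"disable_account", "block_sender", "isolate_host"},
    "incident_commander": {"disable_account", "block_sender", "isolate_host",
                           "take_system_offline", "contact_law_enforcement"},
}

# Constructed sample: executive display name, external sender, a different external
# Reply-To, an urgent subject, and an attachment.
SAMPLE_RAW_EMAIL = """From: "Jane Doe" <jane.doe@example-payments.net>
Reply-To: accounts@mail-relay.example.org
To: clerk@example.com
Subject: URGENT wire transfer today
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please process the attached wire before noon.
--B
Content-Type: application/pdf; name="wire.pdf"
Content-Disposition: attachment; filename="wire.pdf"

%PDF-1.4 placeholder
--B--
"""


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_email):
    """Answer the playbook's first questions about one message from its headers."""
    msg = message_from_string(raw_email)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    return {
        "executive_display_name": display_name.strip().lower() in EXECUTIVE_DISPLAY_NAMES,
        "sender_external": from_domain != INTERNAL_DOMAIN,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "has_attachment": any(p.get_content_disposition() == "attachment"
                              for p in msg.walk()),
        "urgent_subject": "urgent" in msg.get("Subject", "").lower(),
    }


@dataclass
class IncidentFacts:
    """What the analyst has established so far; defaults mean 'not observed'."""
    money_moved: bool = False
    credentials_entered: bool = False
    sensitive_data_sent: bool = False
    executive_impersonated: bool = False
    recipient_count: int = 1


def assess_escalation(facts):
    """Return (severity, triggers). Any trigger means escalate; the tiers are assumed."""
    checks = [
        (facts.money_moved, "money moved"),
        (facts.credentials_entered, "credentials entered"),
        (facts.sensitive_data_sent, "sensitive data sent"),
        (facts.executive_impersonated, "executive impersonated"),
        (facts.recipient_count >= MANY_RECIPIENTS_THRESHOLD, "many recipients"),
    ]
    triggers = [label for hit, label in checks if hit]
    if facts.money_moved or facts.credentials_entered or facts.sensitive_data_sent:
        severity = "high"     # loss or exposure has already occurred
    elif triggers:
        severity = "medium"   # no loss yet, but beyond one analyst's remit
    else:
        severity = "low"
    return severity, triggers


def log_action(log, role, action, note=""):
    """Timestamped record of each action; out-of-authority actions are refused."""
    allowed = action in ROLE_AUTHORITY.get(role, set())
    log.append({"time": datetime.now(timezone.utc).isoformat(), "role": role,
                "action": action, "performed": allowed,
                "note": note if allowed else "outside role authority; escalate"})
    return allowed


if __name__ == "__main__":
    ind = phishing_indicators(SAMPLE_RAW_EMAIL)
    facts = IncidentFacts(executive_impersonated=ind["executive_display_name"]
                          and ind["sender_external"])
    log = []
    log_action(log, "help_desk", "block_sender", "blocked sender domain per playbook")
    log_action(log, "help_desk", "take_system_offline")
    print(ind, assess_escalation(facts), log, sep="\n")
```

Run as a script, it prints the indicator dictionary, a medium severity with the single trigger "executive impersonated", and a two-entry action log. The refused `take_system_offline` entry is the point of the log: a responder's record should show an out-of-authority request as a reason to escalate, not as an action taken.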
What is the main purpose of an incident response playbook?
A help desk technician finds evidence that ransomware is spreading across multiple file servers. What should happen next?
Which preparation activity best helps a team practice decision-making before a real incident?