Incident Response Plan Template 2026: A Step-by-Step IR Playbook

Why You Need a Tested IR Plan

The $2.66 Million Statistic: IBM's 2025 Cost of a Data Breach Report found that organizations with an incident response team AND regularly tested IR plan experienced breaches that cost $2.66 million less on average ($3.26M vs $5.92M).

Factor	Cost Impact	Source
Having an IR team + tested plan	-$2.66M (saves)	IBM 2025
DevSecOps practices	-$1.68M	IBM 2025
Extensive use of AI/automation	-$2.22M	IBM 2025
Not having an IR plan	+$3.35M (costs more)	IBM 2025
Mean time to identify (with IR plan)	168 days	IBM 2025
Mean time to identify (without)	259 days	IBM 2025

The 6-Phase IR Framework

Based on NIST SP 800-61r3 (Computer Security Incident Handling Guide):

Phase 1: Preparation

Element	Details
IR Team Roster	Names, roles, contact info (including personal phones)
Escalation Matrix	Who to call at what severity level
Communication Templates	Pre-written messages for customers, media, regulators
Tool Kit	Forensic tools, evidence bags, write blockers, clean laptops
Legal Ready	External counsel on retainer, breach notification templates
Insurance	Cyber insurance policy details and claims process
War Room	Dedicated physical/virtual space for incident coordination

Phase 2: Detection & Analysis

Severity Classification:

Severity	Definition	Example	Response Time
SEV-1 (Critical)	Active breach, data exfiltration, ransomware	Customer data actively being stolen	< 15 minutes
SEV-2 (High)	Confirmed compromise, no active exfiltration	Unauthorized access to production server	< 1 hour
SEV-3 (Medium)	Suspicious activity, unconfirmed	Anomalous login patterns	< 4 hours
SEV-4 (Low)	Policy violation, minor security event	Failed penetration test finding	Next business day

Phase 3: Containment

Short-Term Containment (Stop the Bleeding):

Isolate affected systems from network (don't power off)
Block attacker IPs at firewall/WAF
Disable compromised accounts
Revoke compromised API keys and tokens
Activate pre-defined containment playbooks

Long-Term Containment (Stabilize):

Apply emergency patches
Rebuild compromised systems from clean images
Reset all potentially compromised credentials
Deploy additional monitoring on affected segments
Establish clean communication channel for IR team

Phase 4: Eradication

Remove all traces of attacker access (backdoors, persistence mechanisms)
Scan environment for indicators of compromise (IoCs)
Verify attackers are fully evicted before restoration
Update all security tools with new IoCs

Phase 5: Recovery

Restore systems from verified clean backups
Monitor restored systems intensively for 30 days
Gradually return to normal operations
Verify data integrity
Re-enable user access in stages

Phase 6: Post-Incident Review

Blameless Post-Mortem Template:

Section	Content
Incident summary	What happened, when, impact
Timeline	Minute-by-minute chronology
Root cause	Technical and process root causes
What went well	Effective responses and detections
What could improve	Gaps, delays, communication failures
Action items	Specific improvements with owners and deadlines
Metrics	Time to detect, time to contain, time to recover

Communication Templates

Internal Notification (SEV-1)

SUBJECT: [CONFIDENTIAL] Security Incident - SEV-1 - [Date/Time]

SITUATION: A potential security incident has been detected involving 
[brief description]. The IR team has been activated.

IMPACT: [Affected systems/data]. [Number of users potentially affected].

CURRENT STATUS: Containment in progress. [What's being done right now].

ACTIONS REQUIRED:
- Do NOT discuss this incident outside the IR team
- Do NOT contact the media
- Direct all inquiries to [IR Lead name]

NEXT UPDATE: [Time] or sooner if situation changes.

IR Lead: [Name] - [Phone]

Customer Notification

Subject: Important Security Notice from [Company]

Dear [Customer],

We are writing to inform you of a security incident that may have 
affected your information. 

What happened: [Brief, factual description]
When: [Date discovered, estimated date of incident]
What information was involved: [Specific data types]
What we're doing: [Actions taken and ongoing]
What you can do: [Password reset link, monitoring suggestions]

We sincerely apologize for this incident. We are committed to 
protecting your data and have taken steps including [specific measures]
to prevent future incidents.

For questions: [Dedicated support line] | [Support email]

Legal and Regulatory Notification Requirements

Regulation	Notification Deadline	Who Is Notified
GDPR	72 hours	Data Protection Authority + affected individuals
CCPA/CPRA	"Without unreasonable delay"	California AG + affected consumers
HIPAA	60 days	HHS + affected individuals + media (if > 500)
PCI DSS	Immediately	Card brands (Visa, MC) + acquiring bank
SEC (public companies)	4 business days	SEC filing (8-K)
State breach notification laws	Varies (30-90 days)	State AG + affected residents

IR Tabletop Exercise

Run quarterly tabletop exercises using these scenarios:

Ransomware attack — All systems encrypted, ransom demanded
Insider data theft — Employee downloaded customer database before resignation
Supply chain compromise — Vendor SDK compromised, customer data potentially exposed
Cloud breach — Misconfigured S3 bucket found by researcher, unknown exposure duration
Account takeover wave — Credential stuffing attack compromising thousands of user accounts