
What Happens During a Cyber Incident (Step-by-Step)

Learn what happens during a cyber incident and how incident response works step by step. Understand how to detect, contain, and recover from cyber attacks.

Introduction

Most organizations do not have a cyber incident problem. They have a response problem. The damage caused by an incident often comes down to how quickly it is detected, how fast it is contained, and whether anyone takes ownership early enough to stop it from spreading.

Step 1: Detection

Every incident starts with a signal. That signal might be a suspicious login, a phishing report, malware detected on an endpoint, a user reporting unusual account activity, or alerts from identity, endpoint, or cloud security tools. The faster this is validated, the faster the response can begin.

Step 2: Triage and Investigation

Once suspicious activity is identified, the next step is triage: establishing what happened, when it started, which user or system is involved, whether the attacker still has access, and whether the activity is isolated or spreading. During this phase, responders review sign-in logs, endpoint activity, inbox rules, MFA changes, token usage, and device behavior. Preserve this evidence early. Export the relevant sign-in and audit logs before containment changes the picture, because Microsoft Entra retains them for only 30 days (7 days on the free tier) unless they are forwarded to a SIEM or a Log Analytics workspace.
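The triage questions above (when did it start, which user, which IPs, is the attacker likely still in) can be answered mechanically from the sign-in log and the inbox-rule audit trail. The following is an added example, not code from the original post: it runs four simple checks over constructed records whose fields follow the Entra sign-in log schema (createdDateTime, userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode) and the Graph messageRule shape for inbox rules, with the rule creation time taken from the audit log. The baseline of "countries this user normally signs in from" is assumed to come from a longer lookback and is passed in as a dictionary; the thresholds (one-hour travel window, three bad passwords, 24-hour "possibly live" window) are assumptions you would tune.

```python
from datetime import datetime, timedelta, timezone

INVALID_CREDENTIAL = 50126   # Entra sign-in errorCode: invalid username or password
SUCCESS = 0


def ts(s):
    """Parse the ISO-8601 timestamps Entra emits (trailing 'Z')."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def external_recipients(rule, tenant_domains):
    """Addresses an inbox rule forwards or redirects to outside the tenant."""
    hits = []
    for action in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for rcpt in rule.get("actions", {}).get(action, []):
            addr = rcpt["emailAddress"]["address"].lower()
            if addr.rsplit("@", 1)[-1] not in tenant_domains:
                hits.append(addr)
    return hits


def triage(signins, rule_events, baseline, tenant_domains, now,
           travel_window=timedelta(hours=1), failures_before_success=3,
           live_window=timedelta(hours=24)):
    """Return {upn: {findings, attacker_ips, first_suspicious, sessions_possibly_live}}
    for users that have at least one finding."""
    report = {}

    def add(user, kind, when, detail, ip=None):
        entry = report.setdefault(user, {"findings": [], "attacker_ips": set(),
                                         "first_suspicious": when,
                                         "sessions_possibly_live": False})
        entry["findings"].append({"kind": kind, "at": when.isoformat(), "detail": detail})
        entry["first_suspicious"] = min(entry["first_suspicious"], when)
        if ip:
            entry["attacker_ips"].add(ip)
            if now - when < live_window:      # recent enough that tokens may still be valid
                entry["sessions_possibly_live"] = True

    by_user = {}
    for s in sorted(signins, key=lambda s: s["createdDateTime"]):
        by_user.setdefault(s["userPrincipalName"], []).append(s)

    for user, events in by_user.items():
        known = set(baseline.get(user, ()))
        bad_pw = {}        # ip -> invalid-credential failures seen so far
        last_ok = None     # (time, country) of the previous successful sign-in
        for e in events:
            when, ip = ts(e["createdDateTime"]), e["ipAddress"]
            country = e["location"]["countryOrRegion"]
            code = e["status"]["errorCode"]
            if code == INVALID_CREDENTIAL:
                bad_pw[ip] = bad_pw.get(ip, 0) + 1
                continue
            if code != SUCCESS:
                continue
            if country not in known:
                add(user, "new_country", when, f"success from {country} via {ip}", ip)
            if bad_pw.get(ip, 0) >= failures_before_success:
                add(user, "success_after_failures", when,
                    f"{bad_pw[ip]} bad passwords then success from {ip}", ip)
            if last_ok and last_ok[1] != country and when - last_ok[0] < travel_window:
                add(user, "impossible_travel", when,
                    f"{last_ok[1]} -> {country} within {when - last_ok[0]}", ip)
            last_ok = (when, country)

    for r in rule_events:
        ext = external_recipients(r, tenant_domains)
        deletes = bool(r.get("actions", {}).get("delete"))
        if ext or deletes:
            add(r["userPrincipalName"], "suspicious_inbox_rule", ts(r["createdDateTime"]),
                f"rule {r['displayName']!r} forwards to {ext}, deletes={deletes}")

    for entry in report.values():                 # make the output JSON-friendly
        entry["attacker_ips"] = sorted(entry["attacker_ips"])
        entry["first_suspicious"] = entry["first_suspicious"].isoformat()
    return report


# Constructed sample data: one user under attack, one user behaving normally.
NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
def _ev(t, upn, ip, country, code):
    return {"createdDateTime": t, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}
SIGNINS = [
    _ev("2024-05-02T08:00:00Z", "alice@contoso.com", "203.0.113.10", "US", 0),
    _ev("2024-05-02T08:05:00Z", "alice@contoso.com", "198.51.100.7", "NL", 50126),
    _ev("2024-05-02T08:06:00Z", "alice@contoso.com", "198.51.100.7", "NL", 50126),
    _ev("2024-05-02T08:07:00Z", "alice@contoso.com", "198.51.100.7", "NL", 50126),
    _ev("2024-05-02T08:09:00Z", "alice@contoso.com", "198.51.100.7", "NL", 0),
    _ev("2024-05-02T08:30:00Z", "bob@contoso.com", "203.0.113.11", "US", 0),
]
RULE_EVENTS = [{"userPrincipalName": "alice@contoso.com", "createdDateTime": "2024-05-02T08:12:00Z",
                "displayName": ".", "actions": {"forwardTo": [{"emailAddress": {"address": "drop@example.net"}}],
                                                "delete": True}}]
BASELINE = {"alice@contoso.com": ["US"], "bob@contoso.com": ["US"]}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNINS, RULE_EVENTS, BASELINE, {"contoso.com"}, NOW), indent=2))
```

The output for the sample gives the triage answers directly: the first suspicious event is the 08:09 success from 198.51.100.7 after three bad passwords, it is both a new country and impossible travel relative to the 08:00 US sign-in, the inbox rule created three minutes later is the attacker hiding what they read, and because the sign-in is under 24 hours old the sessions are treated as possibly live, which is the signal to move to containment rather than keep investigating.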

Step 3: Containment

Containment is where response becomes action. If an attacker is active, responders move immediately to limit or remove access. This may include disabling a compromised account, revoking active sessions, isolating an endpoint, blocking malicious IP addresses, removing forwarding rules, and restricting access through Conditional Access or policy changes. Note what each control actually does: disabling the account and revoking sessions invalidate refresh tokens and browser sessions, but access tokens already issued keep working until they expire (by default up to an hour) unless the client and service support Continuous Access Evaluation, so account disable, session revocation, and endpoint isolation should happen together rather than one at a time.

Containment is time-sensitive. Delays allow attackers to establish persistence, move laterally, or exfiltrate data. This is often the difference between a contained incident and a full breach.

Step 4: Eradication

Once the threat is contained, responders focus on removing the attacker's foothold. This may involve deleting malicious inbox rules, removing unauthorized devices, revoking attacker-granted permissions (including OAuth application consents), rotating credentials, removing any MFA methods the attacker registered, and removing other persistence mechanisms. The goal is to ensure the attacker cannot regain access through the same path.
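Containment and eradication for a compromised Microsoft 365 account are one ordered procedure, and the order matters: the account is disabled and sessions are revoked before inbox rules are touched, so the attacker cannot recreate a rule while it is being removed. The following is an added example, not the page's or Microsoft's own code. It issues the Microsoft Graph calls for that sequence (PATCH /users/{id} with accountEnabled false, POST /users/{id}/revokeSignInSessions, then GET and DELETE on /users/{id}/mailFolders/inbox/messageRules) and returns an ordered action log for the incident record. It assumes a bearer token has already been acquired with the permissions those endpoints require (for example User.ReadWrite.All, User.RevokeSessions.All and MailboxSettings.ReadWrite); the FakeGraph class and SAMPLE_RULES are constructed stand-ins so the runbook runs offline.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_caller(token):
    """Return call(method, path, body=None) -> dict over HTTPS, standard library only.
    Assumes `token` is an already-acquired bearer token with sufficient permissions."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            GRAPH + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return call


def rule_is_hostile(rule, tenant_domains):
    """True for rules that leak mail outside the tenant or hide it by deleting."""
    actions = rule.get("actions", {})
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for rcpt in actions.get(key, []):
            domain = rcpt["emailAddress"]["address"].lower().rsplit("@", 1)[-1]
            if domain not in tenant_domains:
                return True
    return bool(actions.get("delete"))


def contain_and_eradicate(call, user_id, tenant_domains):
    """Containment first, eradication second. Returns the ordered actions taken."""
    log = []
    # 1. Containment: stop new sign-ins. user_id may be the object id or the UPN.
    call("PATCH", f"/users/{user_id}", {"accountEnabled": False})
    log.append(("disable_account", user_id))
    # 2. Containment: invalidate refresh tokens and browser sessions. Already-issued
    #    access tokens stay valid until expiry unless Continuous Access Evaluation
    #    applies, which is why this runs immediately after the disable, not later.
    call("POST", f"/users/{user_id}/revokeSignInSessions")
    log.append(("revoke_sessions", user_id))
    # 3. Eradication: remove inbox rules that forward externally or delete mail,
    #    keeping the user's legitimate rules and recording each decision.
    rules = call("GET", f"/users/{user_id}/mailFolders/inbox/messageRules").get("value", [])
    for rule in rules:
        label = (rule["id"], rule.get("displayName", ""))
        if rule_is_hostile(rule, tenant_domains):
            call("DELETE", f"/users/{user_id}/mailFolders/inbox/messageRules/{rule['id']}")
            log.append(("delete_inbox_rule",) + label)
        else:
            log.append(("kept_inbox_rule",) + label)
    return log


class FakeGraph:
    """Constructed stand-in for Graph so the runbook can be exercised offline."""
    def __init__(self, rules):
        self.rules, self.requests = rules, []

    def __call__(self, method, path, body=None):
        self.requests.append((method, path, body))
        if method == "GET" and path.endswith("/messageRules"):
            return {"value": self.rules}
        return {}


# Constructed rules: one legitimate, one typical attacker rule (forward + delete).
SAMPLE_RULES = [
    {"id": "rule-1", "displayName": "Newsletters",
     "actions": {"moveToFolder": "AAMk-newsletters"}},
    {"id": "rule-2", "displayName": ".",
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@example.net"}}],
                 "delete": True}},
]

if __name__ == "__main__":
    fake = FakeGraph(SAMPLE_RULES)          # swap for graph_caller(token) in production
    for action in contain_and_eradicate(fake, "alice@contoso.com", {"contoso.com"}):
        print(action)
```

Against a live tenant, replace FakeGraph with graph_caller(token). The action log is what goes into the incident record: it shows exactly which rule was removed and which was deliberately left in place, which is the kind of detail the post-incident review needs.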

Step 5: Recovery

After the environment is stabilized, recovery begins. This phase focuses on restoring normal operations safely, including re-enabling accounts, reconnecting isolated devices, validating systems before returning them to production, and monitoring for re-entry attempts. Recovery should never be rushed. If the environment is brought back too early, attackers may still have a path in.

Step 6: Root Cause Analysis

Containment and recovery are not enough if no one identifies how the incident happened in the first place. Root cause analysis answers questions like: Did the attacker get in through phishing? Was MFA bypassed? Was there a weak Conditional Access policy? Did a privileged account have too much access? Was a session token stolen?

Step 7: Hardening and Remediation

Once the root cause is clear, the environment must be hardened. This may include tightening Conditional Access policies, enforcing stronger MFA controls, reducing privileged access, locking down email forwarding, improving monitoring rules, and training users based on what actually happened. Without remediation, the same weaknesses remain open.
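The root-cause question "was there a weak Conditional Access policy?" and the hardening that follows can be checked against the policy objects themselves. The following is an added example, not the page's own code, that audits a list of policies in the shape Microsoft Graph returns for conditionalAccessPolicy (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls) for three common gaps: no enforced policy requiring MFA for all users on all apps, no enforced block of legacy authentication, and exclusions wider than the break-glass accounts. The WEAK and HARDENED policy sets are constructed; the break-glass user id "bg-1" and the group id "grp-contractors" are placeholders.

```python
import copy


def audit_conditional_access(policies, break_glass_ids):
    """Return a list of (gap_code, detail) for a tenant's Conditional Access policies."""
    gaps = []
    enforced = [p for p in policies if p.get("state") == "enabled"]
    report_only = [p for p in policies if p.get("state") == "enabledForReportingButNotEnforced"]

    def users_of(p):
        return p.get("conditions", {}).get("users", {})

    def covers_everyone(p):
        apps = p.get("conditions", {}).get("applications", {})
        return users_of(p).get("includeUsers") == ["All"] and apps.get("includeApplications") == ["All"]

    def grants(p, control):
        return control in p.get("grantControls", {}).get("builtInControls", [])

    # Gap 1: tenant-wide MFA exists only in report-only mode, or not at all.
    if not any(covers_everyone(p) and grants(p, "mfa") for p in enforced):
        pending = [p["displayName"] for p in report_only if covers_everyone(p) and grants(p, "mfa")]
        gaps.append(("no_tenant_wide_mfa",
                     f"only report-only: {pending}" if pending
                     else "no policy requires MFA for all users and all apps"))

    # Gap 2: legacy protocols (no MFA possible) are not blocked for everyone.
    def blocks_legacy(p):
        types = set(p.get("conditions", {}).get("clientAppTypes", []))
        return ({"exchangeActiveSync", "other"} <= types and grants(p, "block")
                and users_of(p).get("includeUsers") == ["All"])

    if not any(blocks_legacy(p) for p in enforced):
        gaps.append(("legacy_auth_not_blocked",
                     "no enabled policy blocks exchangeActiveSync/other client apps for all users"))

    # Gap 3: exclusions beyond the documented break-glass accounts.
    for p in policies:
        extra_users = sorted(set(users_of(p).get("excludeUsers", [])) - set(break_glass_ids))
        groups = users_of(p).get("excludeGroups", [])
        if extra_users or groups:
            gaps.append(("broad_exclusion",
                         f"{p['displayName']}: excludes users {extra_users}, groups {groups}"))
    return gaps


# Constructed "before" state: MFA policy never enforced and scoped around a whole
# contractor group, legacy-auth block switched off.
WEAK = [
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-1"],
                              "excludeGroups": ["grp-contractors"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed "after" state: same two policies, enforced, with only break-glass excluded.
HARDENED = copy.deepcopy(WEAK)
for _p in HARDENED:
    _p["state"] = "enabled"
HARDENED[0]["conditions"]["users"].pop("excludeGroups")

if __name__ == "__main__":
    for name, policies in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_conditional_access(policies, {"bg-1"}))
```

Report-only is treated as a gap on purpose: it is the state tenants most often get stuck in, and during an incident it is indistinguishable from having no policy. The break-glass exclusion is expected and allowed; anything beyond it is listed so it can be justified or removed.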

Step 8: Post-Incident Review

Every incident should end with a review that documents what happened, what was impacted, how the attacker gained access, what actions were taken, what gaps were identified, and what changes were made afterward. Organizations that treat every incident as a chance to improve become harder to compromise over time.

Final Thoughts

A cyber incident is not just a technical problem. It is a time-sensitive operational problem. The organizations that recover best are the ones that can detect quickly, respond decisively, and take ownership before the incident grows.

Need help securing your environment?

Book a free 30-minute consultation. We will assess your Microsoft 365 environment and tell you where the gaps are.
