Framework Category
Incident Analysis
Incident Analysis focuses on investigating and understanding cybersecurity incidents by identifying root causes, estimating impact, and categorizing events according to response plans.
It ensures proper handling of disclosed vulnerabilities, maintains detailed records with integrity, and supports informed response through structured analysis.
Implementation Questions
RS.AN-01
Notifications from detection systems are investigated
RS.AN-03
Analysis is performed to establish what has taken place during an incident and the root cause of the incident
Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
Reconstructing what happened and when is the concern here, specifically whether you have a documented process to rebuild the chronological sequence of an incident across all affected assets. A defensible timeline depends on normalising timestamps from every source (host clocks, proxy and firewall logs, cloud audit trails) to a single time zone before ordering them, since clock skew and mixed local-time formats are a common cause of misjudging which system was touched first. Proper incident timeline reconstruction helps identify which systems were compromised first, how the attack propagated through your environment, and what data or resources may have been accessed or modified during each phase of the incident.
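As an added example (not part of the original page or any ResponseHub tooling), the script below merges records from three constructed log sources that stamp time differently: a Windows Security export in local wall-clock time with no offset, a proxy log in epoch seconds, and a Linux syslog in ISO 8601 with an explicit offset. Hostnames, addresses and event text are invented for the example. Every record is normalised to UTC before sorting, naive timestamps are rejected rather than silently assumed, and the first-seen time per host is derived to identify the likely initial point of compromise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    ts: datetime  # always timezone-aware and normalized to UTC
    source: str
    host: str
    summary: str


# Constructed sample records (not real telemetry).
# Windows Security log export from a New York workstation: local wall-clock
# time with no offset, so the site's UTC offset at the time of the events
# must be recorded alongside the export (UTC-5, standard time in early March).
WIN_SITE_OFFSET = timezone(timedelta(hours=-5))
WIN_RECORDS = [
    ("2024-03-04 09:15:02", "WS-0123", "4688 process created: outlook.exe -> powershell.exe"),
    ("2024-03-04 09:21:47", "WS-0123", "4648 logon with explicit credentials to FS-01 as svc_backup"),
]
# Web proxy log: epoch seconds, which are UTC by definition.
PROXY_RECORDS = [
    (1709561740, "WS-0123", "GET http://203.0.113.10/update.ps1 (text/x-powershell)"),
]
# Linux syslog from a Frankfurt file server: ISO 8601 with explicit +01:00 offset.
LINUX_RECORDS = [
    ("2024-03-04T15:23:10+01:00", "FS-01", "sshd: accepted password for svc_backup from 10.20.30.123"),
    ("2024-03-04T15:24:01+01:00", "FS-01", "cron: new job installed in /etc/cron.d/backup-sync"),
]


def to_utc(ts: datetime) -> datetime:
    """Normalize to UTC; refuse naive timestamps instead of guessing their zone."""
    if ts.tzinfo is None:
        raise ValueError(f"naive timestamp {ts!r}: source offset must be known")
    return ts.astimezone(timezone.utc)


def parse_windows(rec):
    local = datetime.strptime(rec[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=WIN_SITE_OFFSET)
    return Event(to_utc(local), "windows-security", rec[1], rec[2])


def parse_proxy(rec):
    return Event(datetime.fromtimestamp(rec[0], tz=timezone.utc), "proxy", rec[1], rec[2])


def parse_syslog(rec):
    return Event(to_utc(datetime.fromisoformat(rec[0])), "syslog", rec[1], rec[2])


def build_timeline():
    """Parse every source, then order the merged events by their UTC time."""
    events = [parse_windows(r) for r in WIN_RECORDS]
    events += [parse_proxy(r) for r in PROXY_RECORDS]
    events += [parse_syslog(r) for r in LINUX_RECORDS]
    return sorted(events, key=lambda e: e.ts)


def first_seen(events):
    """Earliest UTC appearance of each host; the minimum is the likely patient zero."""
    seen = {}
    for e in events:  # events are sorted, so the first hit per host wins
        seen.setdefault(e.host, e.ts)
    return seen


def render(events):
    return [f"{e.ts.strftime('%Y-%m-%dT%H:%M:%SZ')}  {e.host:<8} {e.source:<17} {e.summary}"
            for e in events]


if __name__ == "__main__":
    tl = build_timeline()
    print("\n".join(render(tl)))
    for host, ts in sorted(first_seen(tl).items(), key=lambda kv: kv[1]):
        print(f"first seen {host}: {ts.isoformat()}")
```

Read naively in local time, the Frankfurt syslog entries (15:23) look later than the Windows events (09:21) by six hours; after normalisation the gap is under two minutes, which is what makes the lateral movement to FS-01 visible. The explicit refusal of naive timestamps is deliberate: a missing offset should be resolved by the analyst, not defaulted.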
Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
Characterising the incident is the focus here, namely whether your process identifies and analyzes the vulnerabilities that were exploited, the threats involved, and the threat actors behind them. A comprehensive incident analysis helps prevent similar incidents in the future by addressing the specific weaknesses that were abused and by understanding the attacker's tactics, tooling, and motivations.
Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
Root cause analysis goes beyond addressing the immediate symptoms of a security incident to identify the fundamental, systemic issues that allowed the incident to occur.
Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?
Cyber deception technologies (such as honeypots, honeyfiles, or decoy systems) can provide valuable insights into attacker methodologies, tools, and objectives by monitoring how adversaries interact with fake assets. Because no legitimate user or process has a reason to touch a decoy, any interaction is a high-fidelity alert, so these technologies act as early warning systems and can reveal attacker patterns that might otherwise go undetected in your actual production environment. Decoys should be isolated so that a compromised decoy cannot become a stepping stone into real systems.
RS.AN-04
Incidents are categorized consistent with response plans
RS.AN-05
Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
RS.AN-06
Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
Does your organization require incident responders and other relevant personnel to maintain immutable records of all actions taken during incident response activities?
Maintaining immutable records of incident response actions creates an audit trail that cannot be altered after the fact, ensuring accountability and providing crucial forensic evidence. In practice this means an append-only journal held outside the systems under investigation, with each entry timestamped and protected by integrity controls (for example write-once storage or a hash chain whose head is anchored in a ticket or a signed timestamp), so that a later edit or deletion is detectable. These records should capture all actions taken by incident responders, system administrators, and cybersecurity engineers during an incident, including system changes, communication logs, and investigative steps.
Does your organization require incident leads to document security incidents in detail and maintain the integrity of all incident documentation and information sources?
Defensible incident records are the focus here, covering whether incident leads are required to document events in detail and preserve the integrity of all documentation and sources. That includes recording a cryptographic hash of each collected artifact (disk image, memory capture, log export) at the time it is acquired, and noting who collected it, from where, and when, so that chain of custody can be demonstrated if the record is later challenged.
RS.AN-07
Incident data and metadata are collected, and their integrity and provenance are preserved
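The following is an added example illustrating the integrity requirement in RS.AN-06 and RS.AN-07 above; it is not code from the original page or from ResponseHub. It implements an append-only investigation journal in which every entry commits to the SHA-256 hash of the previous entry and, where relevant, to the hash of a collected artifact. Editing, deleting, or reordering any past entry breaks the chain from that point on, and `verify()` reports the first sequence number that fails. Actor names, actions and artifact contents are invented for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def hash_artifact(data: bytes) -> str:
    """SHA-256 of a collected artifact (disk image, log export, memory dump)."""
    return hashlib.sha256(data).hexdigest()


def _digest(entry: dict) -> str:
    """Hash of the entry's canonical JSON form, excluding its own hash field."""
    canon = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class InvestigationLog:
    """Append-only journal of responder actions, hash-chained entry to entry."""

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, evidence_sha256: str = None,
               ts: datetime = None) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_sha256": evidence_sha256,  # provenance link to an artifact
            "prev": prev,                        # commitment to the prior entry
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash to anchor externally (ticket comment, signed timestamp, WORM store)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries):
    """Return (True, None) if the chain is intact, else (False, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def copy_entries(entries):
    """Deep copy via JSON round-trip, used to simulate an after-the-fact edit."""
    return json.loads(json.dumps(entries))


if __name__ == "__main__":
    # Constructed demonstration; the artifact bytes and actions are invented.
    log = InvestigationLog()
    capture = b"constructed memory capture of WS-0123"
    t0 = datetime(2024, 3, 4, 14, 30, tzinfo=timezone.utc)
    log.record("analyst.a", "isolated WS-0123 via EDR network containment", ts=t0)
    log.record("analyst.a", "acquired memory capture of WS-0123",
               evidence_sha256=hash_artifact(capture), ts=t0.replace(minute=41))
    log.record("lead.b", "reset svc_backup credentials", ts=t0.replace(minute=55))
    print("chain intact:", verify(log.entries), "head:", log.head())

    tampered = copy_entries(log.entries)
    tampered[0]["action"] = "no action taken"
    print("after edit:", verify(tampered))          # fails at seq 0
    tampered[0]["hash"] = _digest(tampered[0])      # attacker re-hashes the edited entry
    print("after re-hash:", verify(tampered))       # still fails, now at seq 1
```

A hash chain on its own only proves internal consistency; an adversary who controls the whole file can rewrite every entry. The property the question asks for comes from anchoring the head hash somewhere the responders cannot retroactively change, such as a ticket comment, a signed timestamp, or write-once storage, and comparing against it when the record is reviewed.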
RS.AN-08
An incident's magnitude is estimated and validated
When responding to a security incident, does your organization have a process to identify and examine other potential targets for indicators of compromise and evidence of attacker persistence?
During a security incident, attackers often compromise multiple systems or accounts to maintain access even if the initial entry point is discovered. Scoping should therefore not stop at the first confirmed host: the indicators recovered there (file hashes, command-and-control domains and addresses, abused accounts, persistence mechanisms such as scheduled tasks, services, startup entries, or newly created accounts) should be swept across the rest of the estate before containment is declared complete, since remediating one system while a second foothold survives lets the attacker return.
Does your organization employ automated tools to detect indicators of compromise and evidence of persistence across your systems?
Automated tools like endpoint detection and response (EDR), security information and event management (SIEM) systems, or threat hunting platforms should continuously monitor your environment for signs of malicious activity. These tools can identify unusual behaviors, known malware signatures, unauthorized access attempts, and persistent threats that may have established a foothold in your systems. Because simple indicators such as hashes and IP addresses are cheap for an attacker to change, automated matching should be complemented by behaviour-based detections and analyst-driven hunting for the techniques observed in the incident.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

