wwc2025 / Cyber for Beginners

Incident Response Fundamentals

Incident response lifecycle

Big idea

Incidents happen. The difference between a small problem and a disaster is how you respond.

Simple incident response phases

  1. Prepare
  2. Detect
  3. Contain
  4. Eradicate
  5. Recover
  6. Learn (improve)

First steps (beginner-friendly)

When something suspicious happens:

  • Write down what you know (facts)
  • Preserve evidence (logs, timestamps, screenshots if appropriate)
  • Limit spread (containment)
  • Communicate using the right channels

Scenario (10 minutes)

A user reports repeated MFA prompts they did not initiate.

Answer:

  • What is the most likely risk?
  • What would you do in the first 15 minutes?
  • What evidence would you collect?
  • What would “containment” look like?
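An added example, not part of the course page: one way the Detect step could surface the scenario above from sign-in logs, and keep the timestamps that the Preserve-evidence step needs. The log line format, the event names and the thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not real data): "<timestamp> <user> <mfa event>".
SAMPLE_LOG = """\
2025-03-04T09:01:10Z alice mfa_push_sent
2025-03-04T09:01:45Z alice mfa_push_denied
2025-03-04T09:02:30Z alice mfa_push_sent
2025-03-04T09:03:05Z alice mfa_push_sent
2025-03-04T09:03:40Z alice mfa_push_sent
2025-03-04T09:04:00Z alice mfa_push_approved
2025-03-04T09:10:00Z bob mfa_push_sent
2025-03-04T09:10:20Z bob mfa_push_approved
"""

def parse_log(text):
    """Turn each 'timestamp user event' line into a (datetime, user, event) tuple."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def find_prompt_floods(events, threshold=3, window=timedelta(minutes=5)):
    """Flag users who got `threshold` or more MFA pushes inside any `window`; keep the
    first/last timestamps as evidence and note if a push was approved after the burst."""
    sent, approved = defaultdict(list), defaultdict(list)
    for ts, user, event in events:
        if event == "mfa_push_sent":
            sent[user].append(ts)
        elif event == "mfa_push_approved":
            approved[user].append(ts)
    findings = {}
    for user, times in sent.items():
        times.sort()
        start = 0  # left edge of a sliding time window over the sorted push times
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last = times[end]
                findings[user] = {
                    "count": end - start + 1,
                    "first": times[start].isoformat(),
                    "last": last.isoformat(),
                    "approved_after": any(t > last for t in approved[user]),
                }
    return findings
```

A finding with `approved_after` set to True is the case to escalate first, since a prompt may have been accepted by mistake; the recorded first/last timestamps are the facts to write down before anything is changed.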