Eventually most people in IT Security will face that dreaded day when they discover the organization has been breached and an attacker has established a foothold. This could be in the form of a hacked web server, a desktop beaconing with “APT” malware, a point-of-sale terminal harvesting credit card data, or countless other scenarios. Until you’ve gone through that a few times – and especially if you don’t have solid, useful, well-documented processes – you may be uncertain of what to do. Because every incident is a bit – and sometimes a lot – different, even well-intentioned processes may fail you. How you respond will determine how quickly and effectively the incident is contained, and may limit the damage.