Incident Response and Recovery Glossary
14 essential terms — because precise language is the foundation of clear thinking in Incident Response and Recovery.
Business Impact Analysis (BIA): A systematic process that identifies critical business functions, their dependencies, and the quantified impact of disruption over time, used to set recovery priorities and the recovery time and recovery point objectives for each function.
Chain of Custody: The documented chronological record of who collected, handled, transferred, and stored an item of evidence, with the time and reason for each handoff, from collection to presentation. Recording a cryptographic hash of the evidence at acquisition and re-checking it at every transfer lets the record demonstrate integrity, which is what makes the evidence admissible.
Digital Forensics: The scientific process of identifying, collecting, preserving, analyzing, and presenting digital evidence in a legally defensible manner to support incident investigation and legal proceedings. Preservation comes before analysis: examiners work on verified copies so the original is never altered.
Dwell Time: The period between an attacker's initial compromise and the organization's detection of it. Shorter dwell time limits how far an intruder can move laterally, escalate privileges, and exfiltrate data before response begins, so it is a common measure of detection effectiveness.
Incident Response: The organized approach to addressing and managing a security breach or cyberattack and its aftermath, aiming to limit damage, reduce recovery time and cost, and prevent recurrence.
Indicator of Compromise (IoC): An observable artifact (IP address, file hash, domain, registry key, mutex name) that provides evidence of a potential or confirmed security breach. Atomic indicators such as IP addresses and hashes are cheap for an adversary to change, so IoC matching complements behaviour-based detection rather than replacing it.
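The matching an IoC feed is used for, shown as an added example that is not part of the original glossary: indicators are normalised and indexed by type, observables are extracted from each log line, and domains are checked against every parent domain so a listed domain also catches its subdomains. The indicator values and the proxy, EDR and DNS log lines are constructed for the example and are not real threat intelligence.

```python
import ipaddress
import re
from dataclasses import dataclass

# Patterns for the three atomic observable types handled here.  The domain and
# hash patterns are applied to a lower-cased copy of the line.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed indicator set for this example; none of these are real intel values.
DROPPER_SHA256 = "0123456789abcdef" * 4
IOCS = {
    "ipv4": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {DROPPER_SHA256},
}

# Constructed log lines in a loose proxy / EDR / DNS key=value style.
SAMPLE_LOGS = [
    "2024-05-02T10:14:03Z proxy src=10.0.0.12 dst=203.0.113.45 host=update-check.example.net url=/a.php",
    "2024-05-02T10:15:41Z edr host=WS-0412 event=file_create sha256=" + DROPPER_SHA256 + r" path=C:\Users\Public\svc.exe",
    "2024-05-02T10:16:00Z proxy src=10.0.0.13 dst=198.51.100.7 host=www.example.com url=/",
    "2024-05-02T10:17:22Z dns query=cdn.update-check.example.net answer=203.0.113.45",
]


@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str
    indicator: str  # the listed indicator that matched
    observed: str   # the value actually seen in the log line


def normalise_iocs(raw):
    """Lower-case and trim feed values; reject malformed IPs instead of silently never matching."""
    out = {"ipv4": set(), "domain": set(), "sha256": set()}
    for ioc_type, values in raw.items():
        for value in values:
            value = value.strip().lower().rstrip(".")
            if ioc_type == "ipv4":
                ipaddress.IPv4Address(value)  # raises ValueError on a bad feed entry
            out[ioc_type].add(value)
    return out


def extract_observables(line):
    """Pull candidate IPs, domains and SHA-256 hashes out of one log line."""
    low = line.lower()
    obs = {"ipv4": set(), "domain": set(), "sha256": set()}
    for candidate in IPV4_RE.findall(line):
        try:
            obs["ipv4"].add(str(ipaddress.IPv4Address(candidate)))
        except ValueError:
            continue  # regex allows octets like 999; the parser does not
    obs["domain"].update(DOMAIN_RE.findall(low))
    obs["sha256"].update(SHA256_RE.findall(low))
    return obs


def domain_candidates(fqdn):
    """fqdn and each parent domain, most specific first (TLD alone excluded)."""
    labels = fqdn.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match_line(line_no, line, iocs):
    obs = extract_observables(line)
    hits = []
    for ip in sorted(obs["ipv4"]):
        if ip in iocs["ipv4"]:
            hits.append(Match(line_no, "ipv4", ip, ip))
    for fqdn in sorted(obs["domain"]):
        for candidate in domain_candidates(fqdn):
            if candidate in iocs["domain"]:
                hits.append(Match(line_no, "domain", candidate, fqdn))
                break
    for digest in sorted(obs["sha256"]):
        if digest in iocs["sha256"]:
            hits.append(Match(line_no, "sha256", digest, digest))
    return hits


def scan(lines, raw_iocs):
    """Run every line against the indicator set; line numbers are 1-based."""
    iocs = normalise_iocs(raw_iocs)
    return [m for i, line in enumerate(lines, 1) for m in match_line(i, line, iocs)]


if __name__ == "__main__":
    for match in scan(SAMPLE_LOGS, IOCS):
        print(match)
```

The fourth line matches on the domain even though the log shows cdn.update-check.example.net, because the parent-domain walk reaches the listed value; the third line, a benign site, produces nothing. In a SIEM the same lookup is done against the indexed fields rather than by regex over raw text, but the normalisation and parent-domain logic are the parts that most often go wrong.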
MITRE ATT&CK: A publicly available knowledge base of adversary tactics, techniques, and procedures (TTPs) drawn from real-world observations, organized into matrices for enterprise, mobile, and ICS environments and used for threat detection, gap assessment, and defense planning.
NIST SP 800-61: The NIST Computer Security Incident Handling Guide. Revision 2 defines the four-phase incident response lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Revision 3 (2025) reorganizes the same activities around the NIST Cybersecurity Framework 2.0 functions.
Recovery Point Objective (RPO): The maximum acceptable amount of data loss, measured as a span of time, which dictates how frequently backups or replication must run. An RPO of one hour means the last usable copy can be no more than an hour old when a disruption occurs.
Recovery Time Objective (RTO): The maximum acceptable duration of downtime for a system or business process after a disruption, defining how quickly operations must be restored. RTO is measured from the moment of disruption, not from when recovery work starts, so detection and decision time count against it.
SOAR (Security Orchestration, Automation and Response): A platform that automates incident response workflows, orchestrates security tools through their APIs, and runs playbook-driven responses (enrich an alert, isolate a host, open a ticket) to reduce human error and response time.
Security Operations Center (SOC): A centralized team and facility where security analysts continuously monitor, detect, analyze, and respond to cybersecurity events using SIEM, EDR, and other tools.
Tabletop Exercise: A discussion-based simulation in which incident response team members walk through a hypothetical scenario, without touching production systems, to test plans, identify gaps, and practice decision-making.
Write Blocker: A forensic tool, in hardware or software, that prevents write operations to a storage device so the original evidence is not modified during examination or imaging. A hash of the source device compared with a hash of the resulting image proves the copy is complete and unaltered.
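How chain of custody, write blocking and hashing fit together in practice, as an added example rather than anything from the original glossary: a hypothetical CustodyLog records the SHA-256 of an image at acquisition, re-verifies it at each handoff, and records the result either way. The evidence image, the evidence identifier and the custodian names are constructed; the script cannot itself enforce write blocking, it only detects the modification a write blocker exists to prevent.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never need to fit in RAM


def sha256_file(path):
    """Streamed hex SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item (hypothetical layout)."""

    def __init__(self, evidence_id, description):
        self.evidence_id = evidence_id
        self.description = description
        self.acquisition_hash = None
        self.entries = []

    def _append(self, action, custodian, digest, note):
        self.entries.append({
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "custodian": custodian,
            "sha256": digest,
            "note": note,
        })

    def acquire(self, image_path, examiner, source):
        """First entry: the acquisition hash is the reference for every later check."""
        digest = sha256_file(image_path)
        self.acquisition_hash = digest
        self._append("acquired", examiner, digest, f"imaged from {source} behind a write blocker")
        return digest

    def verify(self, image_path):
        """Re-hash the image and compare with the acquisition hash."""
        digest = sha256_file(image_path)
        return digest == self.acquisition_hash, digest

    def transfer(self, image_path, from_person, to_person):
        """Handoff: re-verify and record the outcome even when it fails, so the break is on record."""
        ok, digest = self.verify(image_path)
        status = "verified" if ok else "MISMATCH"
        self._append("transferred", to_person, digest, f"received from {from_person}; integrity {status}")
        return ok

    def to_json(self):
        return json.dumps({
            "evidence_id": self.evidence_id,
            "description": self.description,
            "acquisition_sha256": self.acquisition_hash,
            "entries": self.entries,
        }, indent=2)


def run_demo():
    """Acquire, transfer, then simulate an accidental modification of the image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk01.raw")
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED-EVIDENCE-IMAGE\n" * 4096)  # stand-in for a dd image
        log = CustodyLog("EV-2024-001", "raw image of laptop SSD (placeholder serial)")
        acquisition = log.acquire(image, "examiner A", "laptop SSD")
        transfer_ok = log.transfer(image, "examiner A", "evidence custodian B")
        # The mistake a write blocker prevents: the image is opened read-write and one byte changes.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        ok_after, digest_after = log.verify(image)
        return {
            "acquisition_sha256": acquisition,
            "transfer_ok": transfer_ok,
            "verify_after_modification": ok_after,
            "hash_changed": digest_after != acquisition,
            "entries": len(log.entries),
            "record": log.to_json(),
        }


if __name__ == "__main__":
    result = run_demo()
    print(result["record"])
    print("verify after modification:", result["verify_after_modification"])
```

In a real acquisition the first hash is taken from the imaging tool's own output for the source device, and the image hash is compared against it before the drive leaves the write blocker; the log entries are then signed or stored on write-once media so the record itself cannot be quietly rewritten.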