Complete Guide
Incident Response — The Complete Guide
Since 2006. CISSP, ISSAP and ISSMP certified. Everything your organization needs to prepare for, detect and recover from a cyber incident.
Incident response is the structured process of detecting, containing and recovering from a cybersecurity breach. This guide covers the first 72 hours after detection, ransomware recovery frameworks, minute-by-minute checklists, tabletop exercises, IR retainer plans, cyber insurance coordination and industry-specific threat intelligence for 2026.
Foundation
What Is Incident Response
Incident response is the organized approach to addressing and managing the aftermath of a security breach or cyberattack. The objective is to limit damage, reduce recovery time and cost, and preserve forensic evidence for legal proceedings or regulatory reporting.
The NIST SP 800-61 Rev 2 framework defines four phases: preparation, detection and analysis, containment/eradication/recovery and post-incident activity. Every effective IR program follows this lifecycle regardless of organization size. The difference between a controlled recovery and a catastrophic loss is whether these phases were planned before the attacker arrived.
Modern incident response in 2026 must account for threats that did not exist five years ago. AI-generated deepfake voice calls that impersonate executives. Ransomware groups that exfiltrate data before encryption and threaten public release. Business email compromise schemes that use legitimate compromised accounts rather than spoofed domains. Supply chain attacks that enter through trusted vendor software updates. The principles remain the same. The attack surface has expanded.
Sherlock Forensics has provided incident response services to Canadian organizations since 2006. Our IR methodology combines forensic evidence preservation with business continuity so that your organization can resume operations while maintaining the evidentiary chain required for insurance claims, regulatory reporting and potential litigation.
Critical Window
The First 72 Hours
The first 72 hours after breach detection determine the trajectory of the entire incident. Decisions made under pressure in this window affect forensic evidence integrity, regulatory compliance deadlines, insurance claim viability and total recovery cost. Organizations without a rehearsed plan consistently make the same mistakes: they power off servers (destroying volatile memory), they notify too many people too early (tipping off the attacker) or they begin remediation before the scope is understood (allowing the attacker to re-enter through a second access point).
- Hour 0-1, Detection and Triage: Confirm the incident is real. Activate the IR team. Engage your retainer provider. Do not power off affected systems. Begin documenting every action with timestamps.
- Hour 1-4, Containment: Isolate compromised systems at the network level (EDR containment, switch port or VLAN change), not by powering them off. Acquire volatile memory before any reboot or credential reset. Identify the initial access vector if possible. Restrict privileged account access across the domain, but hold off on a blanket password reset until the access vector is understood; resetting credentials before persistence is found alerts the attacker without removing their foothold.
- Hour 4-24, Scope Assessment: Determine which systems are affected. Identify data that may have been accessed or exfiltrated. Notify the cyber insurance carrier if that has not already been done; most policies require notice before outside vendors are engaged or costs are incurred. Engage legal counsel for breach notification obligations under PIPEDA or provincial legislation.
- Hour 24-72, Eradication and Recovery Planning: Remove attacker persistence mechanisms. Validate backup integrity and confirm the backup predates the initial compromise before restoring from it. Develop a phased recovery plan. Prepare regulatory notifications if personal information was compromised. Brief executive leadership on scope, impact and timeline.
Canadian organizations must comply with PIPEDA's mandatory breach notification requirements. A breach that creates a "real risk of significant harm" must be reported to the Office of the Privacy Commissioner and to affected individuals "as soon as feasible," and a record of every breach of security safeguards must be kept whether or not it was reportable. PIPEDA sets no fixed clock, but 72 hours from confirming that personal information was compromised is the working target most counsel use; it also matches the GDPR deadline that applies if EU residents are affected. Knowingly failing to report is an offence that carries fines and compounds the financial damage of the breach itself.
Ransomware
Ransomware Recovery
Ransomware incidents in 2026 are double-extortion by default. The attacker encrypts your data and exfiltrates a copy. Even if you restore from backups, they threaten to publish sensitive files on leak sites. This changes the calculus of every recovery decision.
The pay-or-not framework requires structured analysis, not a panic decision at 2 AM:
| Factor | Pay Consideration | Do Not Pay Consideration |
|---|---|---|
| Backup Status | Backups destroyed or encrypted | Clean backups verified and tested |
| Data Exfiltration | Confirmed sensitive data stolen | No evidence of exfiltration |
| Business Impact | Revenue loss exceeds ransom demand | Operations can survive downtime |
| Decryptor Available | No known free decryptor | Free decryptor exists (check No More Ransom) |
| OFAC Sanctions | Threat actor not sanctioned | Threat actor is a sanctioned entity |
| Insurance Coverage | Policy covers ransom with prior approval | Policy excludes ransom payments |
Payment should never be the first option. Verify backup integrity. Check for known decryptors. Assess the actual business impact of extended downtime versus the risks of payment. Engage legal counsel before any payment to evaluate sanctions exposure under OFAC and Canadian sanctions law. If payment becomes necessary, use a professional negotiator. Threat actors expect negotiation. Initial demands are rarely final.
Recovery without payment requires forensic verification that the attacker has been fully eradicated before reconnecting restored systems. Rebuilding on a compromised network is the most expensive mistake organizations make during ransomware recovery. The attacker watches you rebuild and encrypts everything again 48 hours later.
Checklist
Your IR Checklist
A written incident response plan that nobody has rehearsed is a liability, not an asset. The checklist must be actionable at 3 AM by the on-call engineer who just received an alert. It must name specific people, specific phone numbers and specific technical steps. Generic plans fail because they require decision-making during a crisis when cognitive function is compromised by stress.
Your checklist should cover these operational phases minute-by-minute:
- Minute 0-5, Confirm and Classify: Validate the alert is a true positive. Classify severity (P1 through P4). Open the incident channel. Page the IR lead.
- Minute 5-15, Isolate and Preserve: Network-isolate affected systems. Capture volatile memory. Screenshot active sessions. Begin the incident log with timestamps for every action taken.
- Minute 15-60, Escalate and Engage: Notify the IR retainer provider. Contact the cyber insurance carrier. Brief the CISO or equivalent. Restrict privileged credentials across the environment.
- Hour 1-4, Scope and Communicate: Determine affected systems, accounts and data. Draft internal communications. Identify regulatory notification obligations. Establish a cadence for status updates.
The CISA Incident Response Playbook provides a solid foundation for building organization-specific checklists. Adapt it to your environment, test it quarterly and update it after every real incident.
Retainer
IR Retainer Plans
Calling a forensic firm for the first time during an active breach is the most expensive way to engage incident response services. Emergency rates are 30-50% higher than retainer rates. Response times are measured in days instead of hours. The firm has no familiarity with your environment, your technology stack or your business priorities.
An IR retainer pre-negotiates all of this before an incident occurs. The retainer agreement establishes guaranteed response time SLAs (typically 2-4 hours for P1 incidents), fixed hourly rates that are locked regardless of demand and a dedicated team that has already reviewed your network architecture and critical assets. Some retainers include proactive services like quarterly threat assessments or tabletop exercise facilitation that reduce the likelihood of an incident occurring in the first place.
Cyber insurance carriers increasingly require an IR retainer as a condition of coverage. Having a named forensic firm on retainer demonstrates preparation that underwriters reward with lower premiums and broader coverage terms. The retainer pays for itself before a single incident occurs through insurance savings alone.
Preparedness
Tabletop Exercises
A tabletop exercise is a facilitated walkthrough of a simulated cyber incident. Participants include IT leadership, legal counsel, communications, executive management and any third party that would be involved in a real incident. The exercise tests decision-making processes, communication flows and plan gaps without the pressure of a live attack.
Effective tabletop scenarios in 2026 should test the threats that are actually hitting Canadian organizations:
- Ransomware with data exfiltration and a 48-hour payment deadline
- Business email compromise targeting a wire transfer during a real estate closing
- AI-generated deepfake voice call impersonating the CEO requesting an emergency fund transfer
- Supply chain compromise through a managed service provider
- Insider threat involving unauthorized data exfiltration to a personal cloud account
The value of a tabletop is not the scenario itself. It is the gaps that surface when participants realize they do not know who to call, what authority they have to shut down a system or how to communicate with customers during a breach. Those gaps get documented and fixed before they become real-world failures.
The CISA Tabletop Exercise Packages provide free scenario templates that organizations can adapt. For facilitated exercises with forensic realism, engage a firm that has handled actual incidents matching the scenario being tested.
Case Study
BEC and Wire Fraud
Business email compromise remains the highest-dollar cybercrime category in 2026. The FBI IC3 reports BEC losses exceeding $2.9 billion annually in the United States alone. Canadian losses follow the same trajectory. BEC does not require malware, does not trigger endpoint detection and does not leave the forensic artifacts that ransomware produces. The attacker compromises a legitimate email account, monitors communication patterns and inserts themselves into a financial transaction at the exact moment payment instructions are exchanged.
The forensic investigation of a BEC incident is fundamentally different from a network intrusion. Evidence lives in email headers, authentication and audit logs, inbox and mail flow rules and OAuth application grants rather than in disk images and memory dumps. The attacker typically creates inbox rules that forward mail externally, delete it or bury it in a folder such as RSS Feeds so the victim never sees the replies. Those rules, any mail flow (transport) rules, OAuth grants to attacker-registered applications and active refresh tokens all survive a password reset unless they are removed and sessions are revoked explicitly. Incomplete remediation means the attacker continues reading every email while the victim believes the incident is resolved.
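The persistence mechanisms described above are found by reviewing the tenant's audit trail, not the endpoint. The following is an added example, not code from the original page or from Sherlock Forensics: it triages a handful of constructed Microsoft 365-style audit records for the three artifacts that matter in a BEC case (inbox rules that forward externally, delete or hide mail; OAuth consents that grant mail scopes; and the client IP that ties those changes together). The field names (Operation, UserId, ClientIP, Parameters as Name/Value pairs) follow the shape of a Unified Audit Log export, but every value below is invented, the allowed-domain list is an assumption, and in a real engagement the input would come from Search-UnifiedAuditLog and Get-InboxRule rather than from an inline string.

```python
"""Triage constructed M365-style audit records for BEC persistence indicators."""
import json
from dataclasses import dataclass

# Assumed: the organization's own mail domains. Anything else is "external".
OWN_DOMAINS = {"victim.example"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "deleted items", "junk email"}
MAIL_SCOPES = {"mail.read", "mail.readwrite", "mail.send",
               "mailboxsettings.readwrite", "offline_access"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Constructed sample records (JSON Lines). Not real telemetry.
SAMPLE_AUDIT_LOG = r'''
{"CreationTime":"2026-03-02T03:14:07","Operation":"New-InboxRule","UserId":"ap@victim.example","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"ForwardTo","Value":"collect@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-03-02T03:15:22","Operation":"Set-InboxRule","UserId":"ap@victim.example","ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"Filing"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-03-02T03:20:41","Operation":"Consent to application.","UserId":"ap@victim.example","ClientIP":"203.0.113.45","Parameters":[{"Name":"AppDisplayName","Value":"Mail Sync Helper"},{"Name":"Scope","Value":"Mail.Read Mail.ReadWrite offline_access"}]}
{"CreationTime":"2026-03-02T09:02:10","Operation":"New-InboxRule","UserId":"bob@victim.example","ClientIP":"198.51.100.8","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-03-02T09:30:00","Operation":"UserLoggedIn","UserId":"ap@victim.example","ClientIP":"198.51.100.8","Parameters":[]}
'''


@dataclass(frozen=True)
class Finding:
    severity: str
    user: str
    client_ip: str
    operation: str
    reason: str


def parse_records(text: str) -> list[dict]:
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS


def triage_record(record: dict) -> list[Finding]:
    """Return every persistence indicator present in a single audit record."""
    op = record.get("Operation", "")
    user = record.get("UserId", "?")
    ip = record.get("ClientIP", "?")
    p = params(record)
    out: list[Finding] = []

    def add(severity: str, reason: str) -> None:
        out.append(Finding(severity, user, ip, op, reason))

    if op in RULE_OPS:
        # Forwarding or redirecting to an address outside the organization.
        for name in sorted(set(p) & FORWARD_PARAMS):
            targets = [t.strip() for t in str(p[name]).split(";") if t.strip()]
            external = [t for t in targets if is_external(t)]
            if external:
                add("high", f"rule {name} to external {', '.join(external)}")
        # Rules that destroy or bury the victim's view of the thread.
        if str(p.get("DeleteMessage", "")).lower() == "true":
            add("high", "rule deletes matching messages")
        if str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
            add("medium", f"rule moves mail to {p['MoveToFolder']!r}")
        # Attackers favour names that are easy to overlook ("." or a single space).
        if "Name" in p and len(str(p["Name"]).strip()) <= 2:
            add("low", f"rule named {str(p['Name'])!r}")
    elif op == "Consent to application.":
        scopes = {s.lower() for s in str(p.get("Scope", "")).split()}
        if scopes & MAIL_SCOPES:
            add("high", f"OAuth consent to {p.get('AppDisplayName', '?')!r} "
                        f"with mail scopes; survives a password reset")
    return out


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for record in parse_records(text):
        findings.extend(triage_record(record))
    return findings


def pivot_by_ip(findings: list[Finding]) -> dict[str, set[str]]:
    """Which accounts each suspicious client IP touched."""
    by_ip: dict[str, set[str]] = {}
    for f in findings:
        by_ip.setdefault(f.client_ip, set()).add(f.user)
    return by_ip


def activity_from_ip(records: list[dict], ip: str) -> list[tuple[str, str, str]]:
    """Every operation from a given IP, so the analyst sees the full session."""
    return [(r["CreationTime"], r["UserId"], r["Operation"])
            for r in records if r.get("ClientIP") == ip]


if __name__ == "__main__":
    found = triage(SAMPLE_AUDIT_LOG)
    for f in sorted(found, key=lambda x: x.severity):
        print(f"[{f.severity:6}] {f.user} via {f.client_ip}: {f.operation}: {f.reason}")
    for ip in pivot_by_ip(found):
        print(f"All activity from {ip}:", activity_from_ip(parse_records(SAMPLE_AUDIT_LOG), ip))
```

The constructed log contains one legitimate "Newsletters" rule that produces no finding, and three changes from a single IP against the accounts-payable mailbox: an unnamed rule that forwards anything about invoices or wires externally and deletes it, a second rule that buries mail in RSS Feeds, and an OAuth consent with mailbox scopes. Remediation has to remove all three and revoke the user's sessions; a password reset alone leaves the forward and the app grant in place.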
Wire fraud recovery has a narrow window. If the transfer was sent within the last 72 hours, contact the sending bank immediately and ask it to initiate a recall (for international wires, a SWIFT recall request to the beneficiary bank). If the funds went to a United States account, file an IC3 complaint so the FBI's Recovery Asset Team can ask the receiving bank to freeze them; Canadian victims should also report to their bank's fraud desk and the Canadian Anti-Fraud Centre. Once the beneficiary has moved the money on, which usually happens within hours, recovery becomes unlikely. Speed is everything.
Insurance
Cyber Insurance
Cyber insurance is no longer optional for organizations that handle sensitive data or depend on digital operations. It is a financial backstop that covers forensic investigation costs, legal fees, regulatory fines, notification expenses, credit monitoring for affected individuals and business interruption losses. Without coverage, a single ransomware incident can produce six-figure costs that come directly from operating capital.
Insurance carriers in 2026 have tightened underwriting requirements significantly. Expect your renewal application to require evidence of:
- Multi-factor authentication on all remote access and privileged accounts
- Endpoint detection and response (EDR) deployed across all endpoints
- Offline or immutable backup infrastructure tested within the last 90 days
- A written incident response plan tested through tabletop exercise within the last 12 months
- An IR retainer agreement with a named forensic provider
- Privileged access management for domain administrator accounts
Sherlock Forensics is listed as an approved vendor by multiple Canadian cyber insurance carriers. When your carrier requires a pre-approved forensic firm for claims eligibility, having Sherlock on your retainer satisfies that requirement without the delays of post-incident vendor approval.
By Industry
Industry-Specific Threat Intelligence
Construction Companies
Construction firms are disproportionately targeted by BEC because of high-value wire transfers, multiple subcontractor relationships and fast-moving payment schedules. Attackers monitor email threads for payment milestones and submit fraudulent change-of-bank-details requests timed to coincide with legitimate draw requests. The average BEC loss in construction exceeds $250,000 per incident because the transaction amounts are large and the payment culture prioritizes speed over verification.
Law Firms
Law firms hold privileged client communications, trust account funds and sensitive case materials that make them high-value targets. A breach at a law firm compromises not only the firm but every client whose data was stored on the compromised systems. Trust account theft through BEC is particularly devastating because the funds belong to clients. Regulatory obligations under law society rules compound the breach response requirements beyond what other industries face.
Questions
Incident Response FAQ
What are the first steps in incident response?
Should you pay a ransomware demand?
How much does incident response cost?
What is the difference between an IR plan and an IR retainer?
Active Incident?
If You Are in an Active Incident: 604.229.1994
Do not power off your systems. Do not attempt remediation before forensic evidence is preserved. Call us now. Our IR team is available 24/7 with guaranteed response times for retainer clients. For non-emergency inquiries, start with our incident response services page to understand how we work.
Prepare Before the Breach
The best time to engage an IR firm is before you need one. Call us to discuss retainer options, tabletop exercise scheduling or a review of your current incident response plan. Five minutes on the phone now saves five figures during a crisis.