A Step-by-Step Guide to Creating a Cyber Security Incident Report

Cybersecurity has become a board-level topic in most major organizations. Escalating cyberattacks cost businesses money, time, and reputation; according to Gartner, the financial impact of cyber-physical system (CPS) attacks on organizations was predicted to exceed $50 billion by 2023.

Cybersecurity is as much about responding to incidents as it is about setting up defenses against cybercriminals. That is where a cybersecurity incident report comes in: it outlines the actions to take when a cyber threat or attack has been detected.

To create a cybersecurity incident report, you can follow either the NIST or the SANS framework. Both require you to outline the steps for preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities.

What is a Cybersecurity Incident Report?

A cybersecurity incident response report is a document that details a cyberattack and the steps IT and cybersecurity professionals should take to mitigate it. It sits under the cybersecurity incident response plan, which defines the threats a business is likely to face and how the business and its security staff should respond to each of them.

With a cybersecurity incident report in hand, IT and cybersecurity professionals can detect attacks quickly, isolate affected networks and systems, and recover lost or compromised data without improvising under pressure.

Swift response matters in a landscape where, according to IBM research, organizations take 207 days on average to identify a breach in their systems, often with catastrophic consequences.

A cybersecurity incident report therefore reduces the damage incurred from an attack by laying out, in advance, the steps needed to contain it and bring it under control.

But what typical incidents will it cover?

The Different Types of Cyber Incidents

A cyber security incident report typically covers the five types of incident most prevalent in organizations:

  • Phishing attacks
  • Malware
  • Password attacks
  • Drive-by attacks
  • Man-in-the-middle attacks

Phishing Attacks

Phishing uses deceptive emails and websites to unlawfully gather information about a person or organization. Phishing attacks target private and confidential information such as banking details and passwords.

Cybercriminals running phishing campaigns rely on social engineering to pose as reputable individuals or organizations with a seemingly legitimate reason to ask for your personal information.

Malware

Malware is software that infiltrates machines through unauthorized installation and harms them. It includes worms, trojans, file infectors, adware, and ransomware. Users may also be tricked into installing malware that is bundled with, or disguised as, “legitimate” software such as fake antivirus tools and freeware.

Password Attacks

Cybercriminals steal or guess passwords in order to access a user’s account unlawfully. Their techniques include brute-force attacks, sniffing credentials off the network, running password-cracking software against stolen password hashes, dictionary attacks, and plain password guessing.

Drive-by Attacks

Drive-by attacks (drive-by downloads) install malware when a victim merely visits a compromised or malicious web page: the page exploits a vulnerability in the browser or a plugin, or injected script silently redirects the browser to an exploit kit, with no download or consent prompt. Victims are typically lured to such pages through a compromised “trusted” site, malicious ads, or links with enticing messages such as “dating tips” and “win the lottery.”

Man-in-the-Middle Attacks

A man-in-the-middle attack involves an intruder inserting themselves into private communications on a network, so that traffic between two parties passes through a system the attacker controls and can be read or altered. Because both ends still appear to be talking to each other normally, it is one of the more difficult attacks to detect.

How to Create a Cyber Security Incident Report

Turning these five incident types into a cyber security incident report is a straightforward procedure. Typically, you will follow either the NIST or the SANS framework.

NIST Framework

The NIST framework, set out in NIST Special Publication 800-61 (Computer Security Incident Handling Guide), is the most widely used reference for drafting a cyber security incident report. It defines four phases in the incident response life cycle:

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident activity

SANS Framework

The SANS framework is essentially an extension of NIST. It outlines six steps for a cyber security incident report:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons learned

SANS splits NIST’s third phase, “containment, eradication, and recovery,” into three separate steps, giving six steps in total.

The General Methodology

Since SANS and NIST share the same underlying methodology, here is a general breakdown of what each step requires.

Preparation

The first step to an effective cybersecurity incident report is planning for a security incident before it happens.

The preparation stage has two parts. The first details who is on the incident response team, what each member’s role is, and when and how they are to be contacted if an incident occurs.

The second part covers incident prevention: activities such as regular risk assessments, malware prevention, and host security checks.

Detection and Analysis

The detection and analysis stage is triggered when a suspected cybersecurity incident occurs. It describes how your organization verifies that an attack is actually taking place and how it should respond once the attack is confirmed.

Because it is infeasible to cover every type of attack in detail, the report describes each incident type in general terms, together with the detection and analysis procedures used to validate it.

NIST outlines how to analyze and validate an incident so that you respond to genuine incidents rather than false alarms.
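The validation step is easiest to see with a concrete case. The following added example (not part of the original article) ties the password-attack category above to the detection and analysis phase: it parses constructed sshd-style auth log lines, flags a source address that exceeds an assumed threshold of failed logins inside a sliding time window, checks whether a login from that source later succeeded (the signal that separates a noisy scanner from a probable account compromise), and shapes the result into the detection-and-analysis entry of an incident report. The log lines, the threshold and window, and the record layout are all assumptions chosen for illustration.

```python
"""Detect a password brute-force burst in SSH auth logs and emit an incident record.

Added example, not code from the article. Log lines, thresholds and the record
layout are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in Linux auth.log / sshd style; not taken from any real system.
SAMPLE_AUTH_LOG = """\
Mar 10 09:14:01 bastion sshd[2314]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 09:14:03 bastion sshd[2314]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar 10 09:14:04 bastion sshd[2316]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 10 09:14:06 bastion sshd[2318]: Failed password for root from 203.0.113.45 port 51028 ssh2
Mar 10 09:14:07 bastion sshd[2320]: Failed password for oracle from 203.0.113.45 port 51030 ssh2
Mar 10 09:14:09 bastion sshd[2322]: Failed password for deploy from 203.0.113.45 port 51032 ssh2
Mar 10 09:14:12 bastion sshd[2324]: Accepted password for deploy from 203.0.113.45 port 51034 ssh2
Mar 10 09:20:45 bastion sshd[2401]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Mar 10 09:21:02 bastion sshd[2403]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar 10 09:21:03 bastion sshd[2403]: pam_unix(sshd:session): session opened for user alice
"""

# Matches only login-outcome lines; session opens, disconnects etc. are skipped.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed tuning: 5 or more failures from one source within 5 minutes counts as a brute-force burst.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_auth_log(text, year=2024):
    """Turn raw log text into login events. syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """One finding per source IP whose failed logins reach `threshold` inside a sliding `window`.

    A successful login from the same source after the burst started raises severity:
    that is what turns "someone is scanning us" into "an account is probably compromised".
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits inside `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst_start = failures[start]["ts"]
            compromised = sorted({e["user"] for e in evs
                                  if e["result"] == "Accepted" and e["ts"] >= burst_start})
            findings.append({
                "source_ip": ip,
                "first_seen": failures[0]["ts"].isoformat(),
                "last_seen": failures[-1]["ts"].isoformat(),
                "failed_attempts": len(failures),
                "usernames": sorted({e["user"] for e in failures}),
                "compromised_accounts": compromised,
                "severity": "high" if compromised else "medium",
            })
            break  # one finding per source is enough for the report
    return findings


def build_incident_record(finding):
    """Shape a finding into the detection-and-analysis entry of an incident report (assumed layout)."""
    return {
        "incident_type": "Password attack (brute force)",
        "phase": "Detection and analysis",
        "validated": True,  # the log evidence above is the validation
        "severity": finding["severity"],
        "indicators": {
            "source_ip": finding["source_ip"],
            "targeted_accounts": finding["usernames"],
            "compromised_accounts": finding["compromised_accounts"],
            "window": [finding["first_seen"], finding["last_seen"]],
        },
        "next_phase": "Containment, eradication, and recovery",
    }


if __name__ == "__main__":
    for f in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(build_incident_record(f))
```

On the sample data, 203.0.113.45 produces a single high-severity finding (six failures in eight seconds across four usernames, followed by a successful password login as `deploy`), while the lone failure from 198.51.100.7 followed by a key-based login is correctly ignored. The record the script emits is the kind of structured evidence that lets the containment phase start with a known source address and a known compromised account rather than a vague alert.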

Once the incident has been confirmed, the final step of detection and analysis is often notification of the relevant parties, such as law enforcement, regulators, and affected customers.

Notification is a legal requirement in many jurisdictions and regulated industries, frequently with fixed deadlines, so the cybersecurity and compliance teams must work together to ensure it is done correctly and on time.

Containment, Eradication, and Recovery

This is the heart of a cybersecurity incident report: the containment, eradication, and recovery steps that actually stop a cyberattack.

NIST outlines several criteria you can use to determine a containment strategy:

  • The degree of damage or theft of resources
  • Need for evidence preservation
  • Time and resources needed to implement the strategy
  • Service availability
  • Duration of each solution
  • Effectiveness of the strategy in terms of full or partial containment

Evidence gathering is very important at this stage because it supports the next step, post-incident activities, and may be needed if the incident leads to legal proceedings. Depending on the size of the breach, this step can take days, weeks, or months.

Post-Incident Activities

This step involves debriefs that inform the cybersecurity team, the IT team, and the wider organization of what happened, what caused the incident, and how it can be prevented in the future. Therefore, you will:

  • Reflect on what has happened
  • Assess the extent of the attack and damages
  • Revisit the cyber security incident report and assess if there’s anything you can do to make it more effective
  • Complete the notification process begun during detection and analysis

Outsource Cybersecurity Services for Better Incident Response

Creating a detailed and effective cyber security incident report requires the input of experienced cyber security professionals. Instead of relying solely on expensive in-house talent, contact a cybersecurity expert today to build better cyber security incident response plans for your organization.