Security+ Academy · Lesson

Post-Incident Review and Lessons Learned

Conduct a blameless post-mortem to capture what worked, what failed, and what process improvements will reduce dwell time in future incidents.

Why Lessons Learned Matter

The final phase of the NIST incident response lifecycle is Post-Incident Activity, centered on the lessons learned review. Organizations that skip this phase are statistically more likely to experience the same type of incident again. The lessons learned process captures institutional knowledge, identifies systemic weaknesses that contributed to the incident, and drives concrete improvements to controls, processes, and training. Without this feedback loop, incident response costs remain high and dwell times remain long.

The Post-Incident Review (PIR)

The Post-Incident Review (PIR) — also called a post-mortem or after-action report — is a structured meeting and documentation process conducted after the incident is fully closed. The PIR should occur within 1-2 weeks of closure, while memories are fresh. Key inputs include the incident timeline, all evidence collected, actions taken and their outcomes, communication records, and the initial incident report. PIRs should involve all stakeholders: security analysts, system owners, management, legal, and communications teams.

# Post-incident review agenda template
# 1. Timeline walkthrough (what happened, when)
# 2. Detection: how was the incident discovered?
#    - How long before detection? (dwell time)
#    - Why did it take that long?
# 3. Response effectiveness
#    - What went well?
#    - What slowed us down?
# 4. Root cause analysis
# 5. Action items (owner, due date, success metric)
# 6. Metrics: MTTD, MTTR, financial/data impact
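The metrics in item 6 of the agenda follow directly from the incident timeline in item 1. The example below, added here and not part of the lesson, derives dwell time, MTTD, MTTR and the two-week PIR deadline from a constructed set of incident records; it assumes MTTR is measured from detection to containment, since the lesson does not fix a definition.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample records (not real incidents): ISO 8601 UTC timestamps for the
# four points a PIR timeline needs.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "compromised": "2024-03-01T08:00:00", "detected": "2024-03-11T08:00:00",
     "contained": "2024-03-11T20:00:00", "closed": "2024-03-14T08:00:00"},
    {"id": "INC-2", "compromised": "2024-04-05T09:30:00", "detected": "2024-04-06T09:30:00",
     "contained": "2024-04-06T15:30:00", "closed": "2024-04-08T09:30:00"},
    {"id": "INC-3", "compromised": "2024-05-20T00:00:00", "detected": "2024-05-23T12:00:00",
     "contained": "2024-05-23T18:00:00", "closed": "2024-05-25T00:00:00"},
]
PHASES = ("compromised", "detected", "contained", "closed")

@dataclass
class IncidentMetrics:
    incident_id: str
    dwell_hours: float    # compromise -> detection (dwell time)
    respond_hours: float  # detection -> containment (the MTTR definition assumed here)
    pir_due: datetime     # review should be held within two weeks of closure

def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600

def incident_metrics(rec: dict) -> IncidentMetrics:
    """Validate phase ordering, then derive per-incident durations."""
    ts = {p: datetime.fromisoformat(rec[p]) for p in PHASES}
    for earlier, later in zip(PHASES, PHASES[1:]):
        if ts[later] < ts[earlier]:  # an out-of-order timeline is itself a PIR finding
            raise ValueError(f"{rec['id']}: {later} precedes {earlier}")
    return IncidentMetrics(
        incident_id=rec["id"],
        dwell_hours=_hours(ts["detected"] - ts["compromised"]),
        respond_hours=_hours(ts["contained"] - ts["detected"]),
        pir_due=ts["closed"] + timedelta(weeks=2),
    )

def summarize(records: list) -> dict:
    """Aggregate MTTD/MTTR across incidents and name the one with the longest dwell."""
    metrics = [incident_metrics(r) for r in records]
    worst = max(metrics, key=lambda m: m.dwell_hours)
    return {
        "mttd_hours": mean(m.dwell_hours for m in metrics),
        "mttr_hours": mean(m.respond_hours for m in metrics),
        "longest_dwell": worst.incident_id,
        "pir_due": {m.incident_id: m.pir_due.date().isoformat() for m in metrics},
    }
```

The incident with the longest dwell time is the natural starting point for the "why did it take that long?" discussion in item 2.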
