How to Write Good Incident Response Reports

Creating an informative and readable report is among the many challenges of responding to cybersecurity incidents. A good report not only answers its reader's questions but also instills confidence in the response and enables the organization to learn from the incident. This blog highlights my advice on writing such incident reports. It's based on the presentation I delivered at the RSA Conference, which offers more details and is available to you on YouTube.

What Do Incident Report Readers Want to Know

Though you probably have your own objective for the incident report, write it with your readers in mind, addressing the questions they want the report to answer in a way that's easy to absorb. In general, people want to know the following about a cybersecurity incident:

  • What happened and when? Include the date, time, and affected resources.
  • What was the root cause? Explain what caused the incident and how you know this.
  • What was and remains to be done? Detail the steps taken and what remains to be done.
  • What lessons can be learned? Highlight opportunities for improvement.

Each of these high-level questions conceals other questions--too many to list in this blog post. For more details, see the Report Template for Incident Response, which I created with input from colleagues. This template not only helps you capture the right information in the report but also provides a convenient way for structuring it so the readers can easily find the details they need.

To demonstrate how you can use the template, I created a simplistic report based on a fictional cybersecurity incident. Download it and take a look.

Sometimes, your reports might be as brief as this example. Sometimes, depending on the expectations of your readers, they'll be longer and offer more details.

Key Elements of Writing

Having the right information in the report is important, but that's not the only consideration for good writing. As I discuss in the short course I teach at SANS on this topic, good writing incorporates all five of the elements below:

  • Information: Ensure your report contains all the necessary details your readers need to understand the incident.
  • Tone: Maintain a professional yet approachable tone. Avoid blaming individuals or teams; focus on the situation and how it can be improved.
  • Words: Use clear and concise language. Avoid jargon unless your audience is familiar with it.
  • Structure: Organize your report to make it easy to read and navigate. Use headings, lists, and whitespace effectively.
  • Look: Ensure your report looks inviting. A well-formatted report is more likely to be read and taken seriously.

When you combine these elements, your writing benefits your readers and lets you shine as the author of valuable content.

Additional Considerations for Good Reports

Watch the video of my presentation on this topic to discover additional details, including the following key considerations for good reports:

  • Effective incident response reports require empathy with readers' needs and expectations.
  • Succinct writing demands extra effort but significantly enhances communication effectiveness.
  • Incident reports should balance technical details with business impact explanations.
  • Templates and checklists are invaluable tools for maintaining clarity under stress.
  • The tone of a report can influence cooperation and perception within an organization.
  • Structuring reports with key takeaways first respects readers' time and attention.
  • The visual appeal of reports affects reader engagement and willingness to read.
  • Lessons learned sections should be actionable, assigning responsibilities and timelines.

Learning Resources for Better Cybersecurity Writing

Here are more free resources I created to help people improve their cybersecurity writing skills:


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more