# Incident Response Brief Template

*[Use this template to create a brief on a security incident for leaders and decision-makers who need to understand what happened, what's at stake, and what decisions they need to make. Use the brief as a companion to the full technical report or on its own if the incident is small enough that you don't need a full report.*

*If you're working from a report produced with the [companion IR report template](https://zeltser.com/incident-response-report-template), pull the Bottom Line from its "What Happened and When?" synthesis, Quick Facts from the same section's fields, What's at Stake? from the business impact and data exposure findings, Response Actions from "What Was and Remains to Be Done?" and "What Are the Remaining Action Items?", and What We Don't Know from the root-cause confidence assessment.*

*The text in square brackets is meant to guide you; remove it before finalizing the brief. The title above is generic; rename to match your specific incident.*

*This template was [created by Lenny Zeltser](https://zeltser.com/incident-response-report-template) and distributed under the [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0/) (CC BY 4.0). The license covers the template; any brief you produce with it is yours.]*

*[Date · Classification · Significance]*

## Bottom Line

*[One paragraph (3-5 sentences) stating what happened, how the organization is affected, and the current status. Explain what decisions must be made, if any, and what response actions are being planned. If requesting a decision from the reader, name the specific question or tradeoff explicitly, so they know whether they're being informed or being asked to weigh a choice.]*

## Quick Facts

|  |  |
|---|---|
| **Incident** | *[Internal case ID and a short descriptor (e.g., "ransomware in the finance group").]* |
| **Response Coordinator** | *[Name and role of the person coordinating this response (e.g., Jane Doe, Senior SOC Analyst).]* |
| **Significance** | *[The significance level (e.g., SEV1, P1, or High) according to your organization's IR policy. Add a one-phrase descriptor of why (e.g., "SEV1 because the attacker exfiltrated about 1,000 customer records"). Anchor the rating in business impact and scope rather than technical complexity.]* |
| **Status** | *[e.g., Active, Contained, or Resolved.]* |
| **Type** | *[Ransomware, BEC, data breach, insider, supply chain, or other. The Root Cause row covers the underlying mechanism.]* |
| **Detected** | *[Date, time, and timezone of detection. If known, also give the estimated date and time the attacker first gained access.]* |
| **Affected Resources** | *[Count and identifiers of affected systems (e.g., 3 systems including FS01).]* |
| **Data Exposure** | *[Confirmed, potential, or none. If confirmed, name the data type and classification (e.g., 1,247 employee records including national IDs and salary).]* |
| **Root Cause** | *[One phrase naming the underlying weakness, decision, or condition that made the incident possible (e.g., an unpatched VPN appliance, or compromised vendor credentials). Distinguish facts from theories. Add a "Linked to" entry naming related case IDs, or "None".]* |
| **Notification** | *[The notification status as determined by legal or compliance counsel (e.g., "no notification required", "GDPR notification in progress with the 72-hour clock started Jan 19 18:30", "customer notice planned for Jan 23").]* |
| **Confidence** | *[Preliminary or Final, with a high, moderate, or low confidence rating. Pair this row with What We Don't Know by naming the specific evidence you're still gathering.]* |

## What's at Stake?

*[One or two sentences translating the technical findings into business consequences the reader cares about. Take your organization's context into account to accurately represent the impact.*

*Cover the operational disruption you can observe, and capture what your finance, legal, and communications teams have determined about financial exposure, regulatory obligations, and customer or partner notifications.]*

## Response Actions

*[Top three to five response actions ordered by priority. Each row starts with a phase label (Identification, Containment, Eradication, or Recovery) followed by the specific action. Mix completed, in-progress, and pending work. In the When column, pair a status word with a date, comma-separated. Pending rows that require a decision-maker's input should name the decision explicitly.]*

| What | Why | When | Who |
|---|---|---|---|
| *[Phase: action (e.g., Containment: Isolate the affected systems from the network).]* | *[Why this matters for the business, in the reader's terms.]* | *[Such as "Completed, Jan 19 14:00" or "Pending, CFO decision by Jan 22".]* | *[The internal owner. Use the function, not the individual.]* |
|  |  |  |  |
|  |  |  |  |

## What We Don't Know

*[One or two sentences naming what you're still investigating. Examples include outstanding forensic work, scope still under analysis, attribution uncertainty, and exfiltration confirmation pending. Pair this with the Confidence row by naming the specific evidence you're still gathering.]*

## More Information

|  |  |
|---|---|
| **Primary Source** | *[Link to your full IR report if your team is producing one. Otherwise link to the incident ticket or case ID. Lessons Learned belong in the full report, not here.]* |
| **Additional Details** | *[Forensic findings, vendor or law-enforcement engagement reports, third-party advisories, and other sources you drew from.]* |
| **Follow-Up Contact** | *[Name and channel for follow-up questions on this brief.]* |
