Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Incident Response Plan

Cyber security incidents can be high-pressure situations with serious consequences for both businesses and people alike. That stress can compromise decision making (especially when tired!) and a good cyber incident response plan helps organisations to get their response right.

This project contains a template cyber IR plan for you to pick up and tailor to your organisation.

Details of our other open projects can be found at


While working with a client on improving their blue team and incident response capability they mentioned that they hadn’t been able to find an example of a good cyber incident response plan.

That came as a bit of a surprise, but they weren’t wrong. There are ‘how-tos,’ some thinly veiled vendor pitches, and plenty of other marketing materials. Some of it is old. Lots talk at a high level about the ‘phases’ of response. Many more are just ‘plans for a plan.’

There were a few notable exceptions - for example, the NCSC incident management collection - though we struck out looking for a structured document to use as a base.

Given how critical responding to security incidents is we were surprised to not find a decent template to start from. So we set about researching, distilling and compiling all the best practice, augmented from our experience responding to some of the highest-profile cyber events in recent years.

It's now available for you to pick up and make your own.


Make a copy of the IR Plan Template, or a copy of the Google Docs version and then spend some time on...

  • Who your key contacts are, and who deputises for them
  • Tailoring the severity levels and escalation criteria
  • Choosing the categories that you’ll assign to incidents

Then discuss it with your team and senior management, agree this is how you'll operate, and then try running a few exercises to test everyone knows how it works!

There is also a PDF version of the template available.


We welcome contributions and especially want to thank Exercise3, Phil Huggins, and a few other contributors from leading cyber security firms and government agencies that wish to remain nameless for their work on v1.0 of these resources.

If you have a suggestion or improvement then please submit an issue or new pull request.


This resource is freely available under the Creative Commons Attribution 4.0 International (CC-BY-4.0), so please use, share, modify and improve it!


Free incident cyber response plan template







No packages published