# The Top Seven Steps for Conducting a Post-Mortem Following a Security Incident

By [Jane Goh](https://www.paloaltonetworks.com/blog/author/jane-goh/?ts=markdown "Posts by Jane Goh"), Feb 27, 2017 (5 minute read)

Tags: [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown), [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [Incident Response](https://www.paloaltonetworks.com/blog/tag/incident-response/?ts=markdown), [post mortem](https://www.paloaltonetworks.com/blog/tag/post-mortem/?ts=markdown),
[SOAR](https://www.paloaltonetworks.com/blog/tag/soar/?lang=ja&ts=markdown)

For most employees, the incident is over. The threat has been contained and neutralized, the technical staff has gone home, and management has handled the damage control as best they can. If you are a CISO, however, your work is far from over. To prevent the incident from happening again, you have to understand how it happened, and the best way to understand how it happened is to launch a post-mortem review. In fact, a post-mortem analysis should be part of your incident response plan. An effective post-mortem will delve into the how, what, who, when and why to give you insight into ways you can improve your tools, training and processes. Here are the top seven tips for conducting a post-mortem after an incident occurs.

## Completing an Incident Report Should Be Your First Step

Document any information that you can use to prevent similar incidents in the future. Although not all of the information applies to all organizations or all incidents, a good incident report typically includes much of the following information.

* The date and time of the incident
* Location of the compromised system or device
* Function of the compromised system or device, such as web server or desktop computer
* How the incident was identified
* Steps taken to neutralize and contain the incident
* The impact of the incident
* The team that was involved in resolving the incident, and all the evidence collected

## Schedule a Meeting

Schedule a post-mortem meeting as soon as possible. You may have to allow people a little time for recovery, especially those who sacrificed their sleep to respond to the incident. Ideally, you can have everyone at the meeting who was involved in responding to the incident, but try to at least get a representative from each department or work group involved. Ensure participants bring any notes they made during the incident response.
Make copies of any trouble tickets or timelines and distribute them to participants, but warn them that these documents are confidential and must be returned at the end of the meeting or secured in a locked drawer. Shred any returned documents to keep them safe from "dumpster divers."

## Evaluate Your Incident Response

Between what you learned in your meeting and other documentation such as logs, you can begin to analyze your response. Look for answers to the following questions.

* How much time passed between recognizing a security incident and its resolution?
* Could the incident have been identified sooner?
* Were your resources sufficient to handle this type of incident?
* How could the response have been handled better, faster or more effectively?
* Are there processes you could automate that would provide greater protection or more efficient responses?

## Monitor Activities After the Incident

Additional threats are often launched soon after the initial threat has been contained. Continue to monitor activities closely. Pay particular attention to indicators associated with the previous incident that may reappear in a security log.

## Determine Whether the Incident Was Random or Targeted

The method of attack can often reveal whether you were targeted or suffered a random attack. For example, if the incident was the result of an employee responding to a phishing attempt, it was probably random. If your website was targeted, it was likely a company-specific attack. Once you know the most likely cause of the incident, update your company's threat intelligence feeds. Make sure that everyone with a "need to know" is informed about potential triggers, system vulnerabilities and policies that need improvement.

## Identify Preventive Initiatives

Scorecards can help you assess your security, identify new initiatives and secure buy-in across departmental lines. The metrics you select will vary, but here are some you might want to consider.
* Percentage or number of vulnerabilities that are unpatched
* Volume of alerts
* Number of false alarms
* Volume of incident tickets that were opened and closed
* Time elapsed between the detection of incidents and closure
* Average time between initial infection and detection or quarantine
* Inventory of unauthorized devices and software
* Metrics from fully deployed security tools, including threats detected or blocked

## Follow Up

Based on your findings, you may need to plan some additional activities. For example, if your post-mortem revealed that your response team needs additional training, you will need to make sure that they receive it. If an employee who was circumventing security contributed to the incident, you may need to decide the best way to convey the importance of following company cybersecurity policies. If an excessive period passed between the discovery of the threat and the time it was reported to the incident response team, you may need an initiative to educate employees on how to identify suspicious activity and to whom they should report their concerns. If your team members were so overwhelmed by false positives that they overlooked a real threat, you may need to automate some of your response processes.

A security incident is no one's idea of a pleasant experience. However, every incident is a learning opportunity. By analyzing what happened and how it happened, you are in a much better position to prevent another incident by shoring up your defenses. Although the improvements you make may not prevent every possible future attack, you will be better prepared when the next incident occurs. A security incident can be a galvanizing event that provides the momentum to improve incident response plans, fix flaws in your processes and harden your defenses against a community of cybercriminals who are constantly refining their skills and techniques.
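The evaluation questions and the scorecard metrics above (time from detection to closure, time from initial infection to detection, ticket volumes, false alarms) can be computed directly from the incident tickets. The Python below is an added example, not code from the original post or from Palo Alto Networks: it builds that scorecard from a constructed set of tickets and turns it into the kind of follow-up items the article describes (a false-alarm rate high enough to justify automating triage, a long lag between infection and detection, tickets still open). The `Ticket` field names, the thresholds in `review_findings` and every ticket record are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed tickets."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Ticket:
    """One incident ticket as it might be exported from a ticketing system (assumed shape)."""
    ticket_id: str
    detected_at: datetime                    # when the SOC recognised the incident
    closed_at: Optional[datetime] = None     # None while the ticket is still open
    infected_at: Optional[datetime] = None   # earliest evidence of compromise, if forensics found it
    false_positive: bool = False             # closed as a false alarm


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def scorecard(tickets: List[Ticket]) -> Dict[str, object]:
    """Compute the post-mortem metrics the article lists from a batch of tickets."""
    closed = [t for t in tickets if t.closed_at is not None]
    false_alarms = [t for t in tickets if t.false_positive]
    # Resolution time is measured on real incidents only; false alarms would skew it downward.
    resolution = [hours_between(t.detected_at, t.closed_at)
                  for t in closed if not t.false_positive]
    # Dwell time needs a known infection time, which forensics does not always establish.
    dwell = [hours_between(t.infected_at, t.detected_at)
             for t in tickets if t.infected_at is not None and not t.false_positive]
    return {
        "tickets_opened": len(tickets),
        "tickets_closed": len(closed),
        "tickets_still_open": len(tickets) - len(closed),
        "false_alarms": len(false_alarms),
        "false_alarm_rate": len(false_alarms) / len(tickets) if tickets else 0.0,
        "mean_hours_detection_to_closure": mean(resolution) if resolution else None,
        "mean_hours_infection_to_detection": mean(dwell) if dwell else None,
    }


def review_findings(card: Dict[str, object],
                    max_false_alarm_rate: float = 0.2,
                    max_dwell_hours: float = 24.0) -> List[str]:
    """Turn the scorecard into follow-up items; the thresholds are illustrative assumptions."""
    findings = []
    if card["false_alarm_rate"] > max_false_alarm_rate:
        findings.append(
            f"false-alarm rate {card['false_alarm_rate']:.0%} exceeds {max_false_alarm_rate:.0%}: "
            "consider automating triage so real alerts are not overlooked")
    dwell = card["mean_hours_infection_to_detection"]
    if dwell is not None and dwell > max_dwell_hours:
        findings.append(
            f"mean infection-to-detection time {dwell:.1f}h exceeds {max_dwell_hours:.0f}h: "
            "review detection coverage and how employees report suspicious activity")
    if card["tickets_still_open"]:
        findings.append(f"{card['tickets_still_open']} ticket(s) still open at post-mortem time")
    return findings


# Constructed ticket data for the example (not real incidents).
SAMPLE_TICKETS = [
    Ticket("INC-101", parse_ts("2017-02-24T14:00:00Z"), parse_ts("2017-02-25T10:00:00Z"),
           infected_at=parse_ts("2017-02-20T09:00:00Z")),
    Ticket("INC-102", parse_ts("2017-02-26T08:00:00Z"), parse_ts("2017-02-26T09:30:00Z"),
           false_positive=True),
    Ticket("INC-103", parse_ts("2017-02-28T01:00:00Z"),
           infected_at=parse_ts("2017-02-27T22:00:00Z")),            # still open
    Ticket("INC-104", parse_ts("2017-02-24T12:00:00Z"), parse_ts("2017-02-24T18:00:00Z"),
           infected_at=parse_ts("2017-02-23T12:00:00Z")),
]

if __name__ == "__main__":
    card = scorecard(SAMPLE_TICKETS)
    for key, value in card.items():
        print(f"{key}: {value}")
    for finding in review_findings(card):
        print("follow-up:", finding)
```

Resolution time deliberately excludes false alarms: they usually close quickly and would make the response look faster than it was, which is exactly the distortion a post-mortem is trying to see past.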
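The post-incident monitoring step above says to watch for indicators from the previous incident reappearing in security logs. The Python below is an added example, not code from the original post or from Palo Alto Networks, of a small watchlist scanner for that purpose: it takes the indicators recorded in the earlier incident report (accepting the defanged `[.]` and `hxxp` notation such reports often use), extracts candidate IP addresses, domains and SHA-256 hashes from each log line, and reports only whole-token matches, so a watchlist entry of `203.0.113.45` does not fire on a log line containing `203.0.113.4`. Every indicator value and log line is constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators recorded in the earlier incident report. Values are constructed for
# the example and are written partly in the defanged form ("[.]") reports often use.
PRIOR_INCIDENT_IOCS: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check[.]example[.]net"},
    "sha256": {"0123456789abcdef" * 4},
}

# Constructed sample log lines (proxy, DNS and endpoint events) from the
# monitoring window after containment.
SAMPLE_LOGS = [
    "2017-02-28T02:14:07Z proxy src=10.0.4.21 dst=203.0.113.45 url=http://203.0.113.45/ping",
    "2017-02-28T02:15:11Z dns client=10.0.4.21 query=www.example.com",
    "2017-02-28T02:16:03Z dns client=10.0.7.8 query=UPDATE-CHECK.EXAMPLE.NET",
    "2017-02-28T02:17:45Z edr host=ws-0042 file=C:\\Temp\\svc.exe sha256=" + "0123456789ABCDEF" * 4,
    "2017-02-28T02:18:00Z proxy src=10.0.4.22 dst=203.0.113.4 url=http://203.0.113.4/",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) and normalise case."""
    return (indicator.strip().lower()
            .replace("hxxp", "http")
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("[:]", ":"))


def normalize_iocs(raw: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Refang and lower-case every indicator so log tokens can be compared by set lookup."""
    return {kind: {refang(v) for v in values} for kind, values in raw.items()}


def extract_candidates(line: str) -> Dict[str, Set[str]]:
    """Pull every IP, domain and SHA-256 token out of one log line."""
    text = line.lower()
    return {
        "ip": set(IP_RE.findall(text)),
        "domain": set(DOMAIN_RE.findall(text)),
        "sha256": set(SHA256_RE.findall(text)),
    }


def scan_logs(lines: List[str], watchlist: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator type, indicator) for every watchlist hit.

    Matching is done on whole extracted tokens, not substrings, so 203.0.113.4
    in a log line does not match a watchlist entry of 203.0.113.45.
    """
    iocs = normalize_iocs(watchlist)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for kind, found in extract_candidates(line).items():
            for indicator in sorted(found & iocs.get(kind, set())):
                hits.append((lineno, kind, indicator))
    return hits


if __name__ == "__main__":
    for lineno, kind, indicator in scan_logs(SAMPLE_LOGS, PRIOR_INCIDENT_IOCS):
        print(f"line {lineno}: {kind} {indicator} matches the prior-incident watchlist")
```

In practice the watchlist would be loaded from the incident report produced in the first step and the scan run continuously against the SIEM rather than over a static list, but the normalisation and whole-token matching stay the same.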