Incident Response Timeline Builder
Total Estimated Incident Cost: $5,285,832.00
Response Time: 67.5 hours
FTE-Days Required: 8.6
Response Labor Cost: $10,125.00
Response Timeline
Detection & Triage
SOC | 1.5h (T+0h to T+1.5h)
- Identify encrypted systems
- Determine ransomware variant
- Assess blast radius
- Capture IOCs and ransom note

Containment
IR Team | 3h (T+1.5h to T+4.5h)
- Isolate affected systems from network
- Disable compromised accounts
- Block C2 communication
- Preserve forensic evidence

Investigation
Forensics | 18h (T+4.5h to T+22.5h)
- Determine initial access vector
- Map lateral movement
- Identify data exfiltration
- Timeline reconstruction

Eradication
IT Ops | 6h (T+22.5h to T+28.5h)
- Remove malware artifacts
- Patch exploited vulnerabilities
- Reset compromised credentials
- Verify clean system images

Recovery
IT Ops | 36h (T+28.5h to T+64.5h)
- Restore from verified backups
- Validate system integrity
- Monitor for reinfection
- Gradual service restoration

Post-Incident Review
IR Lead | 3h (T+64.5h to T+67.5h)
- Document lessons learned
- Update playbooks
- Report to stakeholders
- Implement preventive controls
Resource Allocation per Phase
| Phase | Hours | FTE-Days | Cost |
|---|---|---|---|
| Detection & Triage | 1.5 | 0.2 | $225.00 |
| Containment | 3.0 | 0.4 | $450.00 |
| Investigation | 18.0 | 2.3 | $2,700.00 |
| Eradication | 6.0 | 0.8 | $900.00 |
| Recovery | 36.0 | 4.5 | $5,400.00 |
| Post-Incident Review | 3.0 | 0.4 | $450.00 |
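As an added example, not part of the original tool, the following reproduces the Response Timeline windows and the Resource Allocation table from the phase durations listed above; the $150/hour blended rate and the 8-hour FTE-day are assumptions inferred from the table's figures, and the per-phase rounding is what makes the headline 8.6 FTE-days differ from 67.5 / 8.

```python
# Added example (not the page's own code): rebuild the timeline and resource
# table from phase durations. Rate and FTE-day length are assumptions.
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

HOURLY_RATE = 150.0     # assumed blended responder rate, USD per hour
HOURS_PER_FTE_DAY = 8   # assumed working hours in one FTE-day

PHASES = [  # (phase, owner, duration in hours) as listed on the page
    ("Detection & Triage", "SOC", 1.5),
    ("Containment", "IR Team", 3.0),
    ("Investigation", "Forensics", 18.0),
    ("Eradication", "IT Ops", 6.0),
    ("Recovery", "IT Ops", 36.0),
    ("Post-Incident Review", "IR Lead", 3.0),
]

def round_half_up(x, places=1):
    """Round like the page's table (2.25 -> 2.3), not Python's half-to-even."""
    q = Decimal(1).scaleb(-places)
    return float(Decimal(str(x)).quantize(q, rounding=ROUND_HALF_UP))

@dataclass
class PhaseRow:
    phase: str
    owner: str
    start: float     # T+ hours at which the phase begins
    end: float       # T+ hours at which it ends
    hours: float
    fte_days: float  # rounded to one decimal, as displayed in the table
    cost: float

def build_timeline(phases=PHASES, rate=HOURLY_RATE, day=HOURS_PER_FTE_DAY):
    """Lay the phases end to end from T+0 and cost each one."""
    rows, t = [], 0.0
    for name, owner, hours in phases:
        rows.append(PhaseRow(name, owner, t, t + hours, hours,
                             round_half_up(hours / day), hours * rate))
        t += hours
    return rows

def summarize(rows):
    """Headline metrics; FTE-days are summed after per-phase rounding."""
    return {"response_hours": sum(r.hours for r in rows),
            "fte_days": round_half_up(sum(r.fte_days for r in rows)),
            "labor_cost": sum(r.cost for r in rows)}

if __name__ == "__main__":
    rows = build_timeline()
    for r in rows:
        print(f"{r.phase:<22} {r.owner:<10} T+{r.start:g}h to T+{r.end:g}h "
              f"{r.fte_days:>4} FTE-days  ${r.cost:,.2f}")
    print(summarize(rows))
```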
Communication Plan
| Stakeholder | Message Type | Timing | Template |
|---|---|---|---|
| CISO | Incident Alert | Within 15 minutes | Critical ransomware incident detected. Systems affected: [list]. Immediate containment initiated. War room activated. |
| CEO / Executive Team | Executive Briefing | Within 1 hour | Ransomware attack confirmed. Severity: Critical. Business impact: [describe]. Response team engaged. Next update in [time]. |
| Affected Customers | Customer Notification | Within 24 hours | We are experiencing a security incident that may affect your data. We are actively investigating and will provide updates. |
| Regulators | Regulatory Notification | Within 72 hours | Formal notification of ransomware incident per [regulation]. Scope: [describe]. Remediation actions: [list]. |
| Media | Holding Statement | When public | We are aware of a cybersecurity incident and are working with law enforcement. Customer safety is our priority. |
Communication Triggers
| Trigger | Notify | Timing |
|---|---|---|
| Ransomware confirmed | CISO, CTO, CEO | Within 1 hour |
| Data exfiltration confirmed | Legal, Board | Within 4 hours |
| Recovery complete | All stakeholders | Upon completion |
Escalation Points
| Condition | Action | Owner |
|---|---|---|
| Containment not achieved in 2 hours | Engage external IR firm | CISO |
| Business impact exceeding threshold | Activate business continuity plan | CTO |
| Legal/regulatory implications | Engage outside counsel | General Counsel |