Incident Response Timeline Builder
Incident Type
Severity
$
$
Add Custom Phase
Total Estimated Incident Cost$5,285,832.00
Response Time67.5 hours
FTE-Days Required8.6
Response Labor Cost$10,125.00
Cost Breakdown
Response Timeline
Detection & Triage
SOC | 1.5h (T+0h to T+1.5h)- ● Identify encrypted systems
- ● Determine ransomware variant
- ● Assess blast radius
- ● Capture IOCs and ransom note
Containment
IR Team | 3h (T+1.5h to T+4.5h)- ● Isolate affected systems from network
- ● Disable compromised accounts
- ● Block C2 communication
- ● Preserve forensic evidence
Investigation
Forensics | 18h (T+4.5h to T+22.5h)- ● Determine initial access vector
- ● Map lateral movement
- ● Identify data exfiltration
- ● Timeline reconstruction
Eradication
IT Ops | 6h (T+22.5h to T+28.5h)- ● Remove malware artifacts
- ● Patch exploited vulnerabilities
- ● Reset compromised credentials
- ● Verify clean system images
Recovery
IT Ops | 36h (T+28.5h to T+64.5h)- ● Restore from verified backups
- ● Validate system integrity
- ● Monitor for reinfection
- ● Gradual service restoration
Post-Incident Review
IR Lead | 3h (T+64.5h to T+67.5h)- ● Document lessons learned
- ● Update playbooks
- ● Report to stakeholders
- ● Implement preventive controls
Resource Allocation per Phase
| Phase | Hours↕ | FTE-Days↕ | Cost↕ |
|---|---|---|---|
| Detection & Triage | 1.5 | 0.2 | $225.00 |
| Containment | 3.0 | 0.4 | $450.00 |
| Investigation | 18.0 | 2.3 | $2,700.00 |
| Eradication | 6.0 | 0.8 | $900.00 |
| Recovery | 36.0 | 4.5 | $5,400.00 |
| Post-Incident Review | 3.0 | 0.4 | $450.00 |
Communication Plan
| Stakeholder | Message Type | Timing | Template |
|---|---|---|---|
| CISO | Incident Alert | Within 15 minutes | Critical ransomware incident detected. Systems affected: [list]. Immediate containment initiated. War room activated. |
| CEO / Executive Team | Executive Briefing | Within 1 hour | Ransomware attack confirmed. Severity: Critical. Business impact: [describe]. Response team engaged. Next update in [time]. |
| Affected Customers | Customer Notification | Within 24 hours | We are experiencing a security incident that may affect your data. We are actively investigating and will provide updates. |
| Regulators | Regulatory Notification | Within 72 hours | Formal notification of ransomware incident per [regulation]. Scope: [describe]. Remediation actions: [list]. |
| Media | Holding Statement | When public | We are aware of a cybersecurity incident and are working with law enforcement. Customer safety is our priority. |
Communication Triggers
Ransomware confirmed
CISO, CTO, CEO — Within 1 hour
Data exfiltration confirmed
Legal, Board — Within 4 hours
Recovery complete
All stakeholders — Upon completion
Escalation Points
Containment not achieved in 2 hours
Engage external IR firm — CISO
Business impact exceeding threshold
Activate business continuity plan — CTO
Legal/regulatory implications
Engage outside counsel — General Counsel
When an incident hits, ad-hoc improvisation costs hours you do not have. This builder generates a phase-by-phase incident response timeline from battle-tested playbook templates for ransomware, phishing, data breach, DDoS, and insider-threat scenarios, scaling each phase by severity and producing communication triggers and escalation points tied to your priority level.
How it works
- Choose an incident type (ransomware, phishing, data breach, DDoS, or insider threat) and a severity level from P1 (critical) to P4 (low), then set your detection time and any custom phases.
- The matching playbook lays out ordered phases — detection & triage, containment, investigation, eradication/notification, recovery, and post-incident review — each with a base duration, a responsible team, and concrete steps.
- Phase durations scale by a severity multiplier (P1 ×0.75 for faster response, P4 ×2.0), the phases are laid out on a timeline from your detection hour, and the tool attaches communication triggers and severity-specific escalation points.
Worked example
A P1 (critical) ransomware incident detected one hour after compromise.
- Apply the P1 multiplier of 0.75 to each ransomware phase: Detection & Triage 1.5h, Containment 3h, Investigation 18h, Eradication 6h, Recovery 36h, Post-Incident Review 3h.
- Lay the phases sequentially starting at hour 1 (the detection time): containment runs from hour 2.5 to 5.5, recovery from 29.5 to 65.5, and so on.
- Sum the detection offset and all phase durations: 1 + 1.5 + 3 + 18 + 6 + 36 + 3 = 68.5 hours.
A total response timeline of 68.5 hours, with executive notification triggered within 1 hour and escalation to an external IR firm if containment is not achieved within 2 hours.
Frequently asked questions
- What incident types does the builder support?
- Five common scenarios, each with its own playbook: ransomware, phishing, data breach, DDoS, and insider threat. Each has tailored phases, responsible teams, and step-level guidance reflecting how that incident type actually unfolds.
- How does severity change the timeline?
- Severity applies a multiplier to every phase duration. P1 uses 0.75 (compressed for an all-hands critical response), P2 uses 1.0, P3 uses 1.5, and P4 uses 2.0, since lower-severity incidents are worked at a more measured pace.
- When should regulators and affected individuals be notified?
- For data breaches involving personal data, GDPR requires regulator notification within 72 hours of becoming aware. The builder includes these triggers in its communication plan, but always confirm timelines with legal counsel for your specific jurisdictions.
- Can I add my own response phases?
- Yes. You can append custom phases with a name, duration in hours, and a responsible team. They are added to the end of the generated timeline so you can model organization-specific steps the standard playbook does not cover.