Incident Response Timeline Builder

Incident Type
Severity
$
$

Add Custom Phase

Total Estimated Incident Cost$5,285,832.00
Response Time67.5 hours
FTE-Days Required8.6
Response Labor Cost$10,125.00

Cost Breakdown

DowntimeRecoveryReputation Loss$0k$1500k$3000k$4500k$6000k

Response Timeline

Detection & Triage

SOC | 1.5h (T+0h to T+1.5h)
  • Identify encrypted systems
  • Determine ransomware variant
  • Assess blast radius
  • Capture IOCs and ransom note

Containment

IR Team | 3h (T+1.5h to T+4.5h)
  • Isolate affected systems from network
  • Disable compromised accounts
  • Block C2 communication
  • Preserve forensic evidence

Investigation

Forensics | 18h (T+4.5h to T+22.5h)
  • Determine initial access vector
  • Map lateral movement
  • Identify data exfiltration
  • Timeline reconstruction

Eradication

IT Ops | 6h (T+22.5h to T+28.5h)
  • Remove malware artifacts
  • Patch exploited vulnerabilities
  • Reset compromised credentials
  • Verify clean system images

Recovery

IT Ops | 36h (T+28.5h to T+64.5h)
  • Restore from verified backups
  • Validate system integrity
  • Monitor for reinfection
  • Gradual service restoration

Post-Incident Review

IR Lead | 3h (T+64.5h to T+67.5h)
  • Document lessons learned
  • Update playbooks
  • Report to stakeholders
  • Implement preventive controls

Resource Allocation per Phase

PhaseHoursFTE-DaysCost
Detection & Triage1.50.2$225.00
Containment3.00.4$450.00
Investigation18.02.3$2,700.00
Eradication6.00.8$900.00
Recovery36.04.5$5,400.00
Post-Incident Review3.00.4$450.00

Communication Plan

StakeholderMessage TypeTimingTemplate
CISOIncident AlertWithin 15 minutesCritical ransomware incident detected. Systems affected: [list]. Immediate containment initiated. War room activated.
CEO / Executive TeamExecutive BriefingWithin 1 hourRansomware attack confirmed. Severity: Critical. Business impact: [describe]. Response team engaged. Next update in [time].
Affected CustomersCustomer NotificationWithin 24 hoursWe are experiencing a security incident that may affect your data. We are actively investigating and will provide updates.
RegulatorsRegulatory NotificationWithin 72 hoursFormal notification of ransomware incident per [regulation]. Scope: [describe]. Remediation actions: [list].
MediaHolding StatementWhen publicWe are aware of a cybersecurity incident and are working with law enforcement. Customer safety is our priority.

Communication Triggers

Ransomware confirmed
CISO, CTO, CEO — Within 1 hour
Data exfiltration confirmed
Legal, Board — Within 4 hours
Recovery complete
All stakeholders — Upon completion

Escalation Points

Containment not achieved in 2 hours
Engage external IR firm — CISO
Business impact exceeding threshold
Activate business continuity plan — CTO
Legal/regulatory implications
Engage outside counsel — General Counsel

When an incident hits, ad-hoc improvisation costs hours you do not have. This builder generates a phase-by-phase incident response timeline from battle-tested playbook templates for ransomware, phishing, data breach, DDoS, and insider-threat scenarios, scaling each phase by severity and producing communication triggers and escalation points tied to your priority level.

How it works

  1. Choose an incident type (ransomware, phishing, data breach, DDoS, or insider threat) and a severity level from P1 (critical) to P4 (low), then set your detection time and any custom phases.
  2. The matching playbook lays out ordered phases — detection & triage, containment, investigation, eradication/notification, recovery, and post-incident review — each with a base duration, a responsible team, and concrete steps.
  3. Phase durations scale by a severity multiplier (P1 ×0.75 for faster response, P4 ×2.0), the phases are laid out on a timeline from your detection hour, and the tool attaches communication triggers and severity-specific escalation points.

Worked example

A P1 (critical) ransomware incident detected one hour after compromise.

  1. Apply the P1 multiplier of 0.75 to each ransomware phase: Detection & Triage 1.5h, Containment 3h, Investigation 18h, Eradication 6h, Recovery 36h, Post-Incident Review 3h.
  2. Lay the phases sequentially starting at hour 1 (the detection time): containment runs from hour 2.5 to 5.5, recovery from 29.5 to 65.5, and so on.
  3. Sum the detection offset and all phase durations: 1 + 1.5 + 3 + 18 + 6 + 36 + 3 = 68.5 hours.

A total response timeline of 68.5 hours, with executive notification triggered within 1 hour and escalation to an external IR firm if containment is not achieved within 2 hours.

Frequently asked questions

What incident types does the builder support?
Five common scenarios, each with its own playbook: ransomware, phishing, data breach, DDoS, and insider threat. Each has tailored phases, responsible teams, and step-level guidance reflecting how that incident type actually unfolds.
How does severity change the timeline?
Severity applies a multiplier to every phase duration. P1 uses 0.75 (compressed for an all-hands critical response), P2 uses 1.0, P3 uses 1.5, and P4 uses 2.0, since lower-severity incidents are worked at a more measured pace.
When should regulators and affected individuals be notified?
For data breaches involving personal data, GDPR requires regulator notification within 72 hours of becoming aware. The builder includes these triggers in its communication plan, but always confirm timelines with legal counsel for your specific jurisdictions.
Can I add my own response phases?
Yes. You can append custom phases with a name, duration in hours, and a responsible team. They are added to the end of the generated timeline so you can model organization-specific steps the standard playbook does not cover.