How to Run a Post-Incident Review That Actually Improves Your Security Posture
The post-incident review is one of the most valuable activities available to a security team, and also one of the most commonly wasted. In many organisations, the review becomes either a blame exercise that damages team relationships and drives people to under-report future incidents, or a documentation exercise that produces a polished report nobody acts on. Neither outcome improves security.
A genuinely useful post-incident review does something different. It identifies the specific conditions that allowed the incident to occur and escalate, not just the immediate cause. It produces concrete, assigned, time-bound actions. And it is run in a way that encourages honest participation rather than defensive positioning. Getting this right requires deliberate design of both the process and the environment.
Timing and Framing Matter More Than Most Teams Realise
The review should happen close enough to the incident that people remember the details, but far enough that the immediate stress has subsided and the forensic record is reasonably complete. Two to three weeks after containment is usually the right window. Reviews held too early, while the team is still exhausted and some facts are still uncertain, tend to be less honest and less thorough. Reviews held too late lose the detail and urgency that make them productive.
Framing the review as a learning exercise rather than an audit is not a soft suggestion; it changes what people say. When participants believe the output will be used to assign blame, they protect themselves. When they believe the output will be used to improve systems and processes, they contribute more openly. We recommend opening every post-incident review with an explicit statement that the goal is systemic improvement, that individual errors are expected in complex systems, and that the review is not a disciplinary process. This framing is most credible when leadership actually behaves consistently with it.
The Timeline Reconstruction Phase
The most useful structure for a post-incident review starts with a shared timeline of the incident, reconstructed from the actual evidence. This is not a narrative from memory; it is a fact-based sequence built from log records, ticket histories, communications, and forensic findings. Building this timeline together, in the room, with everyone contributing corrections and additions, is itself valuable because it surfaces differences in how the incident was perceived by different teams.
The timeline should capture what happened, when, who knew what and when, and what decisions were made and on what basis. We structure timelines in the post-incident reviews we facilitate into three tracks: attacker activity, defender response activity, and communication and decision-making. This separation makes it clear whether response delays were caused by detection gaps, by information flow failures, or by decision authority gaps. Each of those root causes points to a different class of improvement.
Finding Root Causes, Not Just Proximate Causes
The proximate cause of most incidents is something obvious: a phishing email was clicked, a vulnerability was unpatched, credentials were reused. Stopping at the proximate cause produces a recommendation like "do not click phishing emails," which is not useful. The root cause analysis asks why the conditions that allowed the proximate cause to matter existed in the first place.
Useful questions at this stage include:
- Why was this vulnerability unpatched? What did the patching process fail to capture?
- Why did the attacker maintain access for as long as they did before detection?
- Why was the response time as long as it was? Was it a detection gap, a staffing gap, or an authority gap?
- Were there signals in the data that were not acted on? Why not?
- Did any compensating controls that should have limited impact fail to operate as expected?
- Was the incident response plan followed? If not, why not? If yes, did it prove adequate?
A good post-incident review will typically surface three to five genuine systemic findings, not twenty superficial ones. If the output is a long list of small recommendations, the analysis probably did not go deep enough on the things that actually mattered.
Producing Actions That Actually Get Done
The post-incident review fails if the recommended actions are not implemented. This sounds obvious, but it is the most common failure mode. Actions that are assigned to "the team" rather than to a named individual, that have no deadline, or that require budget or resource decisions that were not made in the room, tend not to happen.
We recommend keeping the action list short, assigning each item to a specific person, setting a completion date, and scheduling a follow-up review 30 to 60 days later to confirm implementation. Actions that require significant investment should be escalated to a decision-maker in the review itself, not after it. The review output should include a brief executive summary that makes the case for resource allocation where it is needed, in terms of risk rather than technical detail.
Cyberlinx facilitates post-incident reviews as part of our incident response service and as standalone engagements. If you want an independent facilitator to run a review that produces genuine improvement rather than documentation, contact us at info@cyberlinx.com.au.
Related Articles







