Post-incident review
Blameless review for week one or two. The point is to learn, not to assign. The artefact is a small number of actions that will measurably reduce time-to-detect, time-to-contain, or time-to-decide next time.
A post-incident review is not a performance review. It is the team’s chance to understand what happened with the time and distance the incident did not allow.
Three rules. No hindsight as evidence. No individual as cause. Every action has an owner and a date.
Most reviews fail one of three ways. Blame leaks in through “they should have” language and the facilitator does not catch it. The action list grows to twelve items, none of them owned by a person, and quietly becomes a wishlist. Or the executives who actually made the hard calls during the incident are not in the room, so the review draws lessons that cannot land where the decisions were made.
If the review ends with twelve actions and no clear owner, you have written a wish list. Cut it to three, assign them, and protect time to do the work. If every incident review ends by adding controls, somewhere the team is losing the argument. At least one of the lessons should be that something can stop, not just that something new should start.
Checklist
Prepare
- [Critical] Review scheduled 7 to 14 days after containment. Far enough for adrenaline to fade. Close enough to remember.
- [Critical] Blameless framing stated in writing before the meeting
- [Critical] Facilitator is not the person who led the incident
- [Critical] Timeline shared as pre-read so the meeting can discuss, not narrate
- [Critical] Detection times, response times, and decision points pulled from the logs
- Quiet check with each responder beforehand. Anyone who would be hurt by attendance can opt out.
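One way to pull the detection, containment and decision numbers for the pre-read from a timeline, as an added example that is not part of the checklist; the event kinds, the threshold and the timeline itself are constructed for illustration:

```python
from datetime import datetime

# Constructed, hypothetical timeline for a review pre-read; not real incident data.
# The event kinds are an assumption of this example, not a format from the checklist.
TIMELINE = [
    ("2024-03-04T02:10:00Z", "first_activity", "first use of the compromised cloud role"),
    ("2024-03-04T09:42:00Z", "detected", "analyst flags unusual console sign-in"),
    ("2024-03-04T10:05:00Z", "decision_requested", "IR lead asks to disable the role"),
    ("2024-03-04T11:30:00Z", "decision_made", "approval given to disable the role"),
    ("2024-03-04T11:41:00Z", "contained", "role disabled, active sessions revoked"),
]


def _parse(timeline):
    """Return the timeline as (datetime, kind, note) tuples, sorted by time."""
    rows = [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, note)
            for ts, kind, note in timeline]
    return sorted(rows)


def _first(rows, kind):
    """Timestamp of the first event of the given kind."""
    return next(t for t, k, _ in rows if k == kind)


def _minutes(delta):
    return int(delta.total_seconds() // 60)


def review_metrics(timeline):
    """Minutes for the three numbers the review's actions should move next time."""
    rows = _parse(timeline)
    detected = _first(rows, "detected")
    return {
        "time_to_detect": _minutes(detected - _first(rows, "first_activity")),
        "time_to_contain": _minutes(_first(rows, "contained") - detected),
        "time_to_decide": _minutes(_first(rows, "decision_made")
                                   - _first(rows, "decision_requested")),
    }


def hesitation_gaps(timeline, threshold_minutes=30):
    """Pair each decision request with the next decision and flag long waits.

    These are the moments of hesitation the conversation should name honestly."""
    gaps, pending = [], None
    for t, kind, note in _parse(timeline):
        if kind == "decision_requested":
            pending = (t, note)
        elif kind == "decision_made" and pending is not None:
            waited = _minutes(t - pending[0])
            if waited >= threshold_minutes:
                gaps.append((pending[1], waited))
            pending = None
    return gaps
```

Run the two functions over the real timeline before the meeting so the discussion starts from numbers rather than recollection.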
The conversation
- [Critical] Walked through what actually happened, not what should have happened
- [Critical] Captured what was known at each decision point, not what is known now
- [Critical] Hindsight observations flagged as hindsight, not as failures of foresight
- Identified where detection should have fired but did not
- Identified where containment was slower than it could have been
- Identified where communications added friction or risk
- Identified where the identity or cloud plane was the weak path
- [Critical] Named the moments of hesitation honestly. Where did the team wait for permission it already had?
- [Critical] Captured what worked. Not as a courtesy. As a baseline.
Actions
- [Critical] Every action has a named owner and a date
- [Critical] Actions are specific, not "improve X"
- [Critical] Each action targets structure (process, tooling), not individuals
- [Critical] Top three actions named and prioritised
- [Critical] Cadence set to review progress on actions (30 / 60 / 90 days)
- [Critical] At least one action is "do less of this", not only "add another control". If every incident adds work, the team breaks before the system does.
What actually breaks
- [Critical] Blame did not leak in through phrases like "the person who" or "they should have"
- [Critical] Executives who made decisions during the incident are in the room themselves, not represented by a delegate
- [Critical] The review is not deflected onto the vendor, the tool, or "user error"
- [Critical] The action list is three to five items, not twelve. A wishlist is not a plan.
- [Critical] No action has "the team" as its owner. Owner means one named person.
- [Critical] Lessons are shared upward honestly, including the ones that make leadership uncomfortable
- The review was not cancelled because the team was busy or because the incident felt over
Share what is shareable
- Internal narrative published with the facts and the lessons
- [Maturity] Industry sharing considered (ISAC, peer group, anonymised write-up)
- Customer-facing update sent if relevant to their trust in you