Glossary
Incident Response (IR)
Incident response (IR) is the structured process of preparing for, detecting, containing, eradicating, recovering from, and learning from security incidents. The widely cited NIST SP 800-61 framework describes the lifecycle in four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Mature IR programs operate from documented runbooks.
In depth
Incident response is broader than alert triage. It encompasses everything from tabletop exercises and runbook authoring (preparation) through the in-the-moment containment of an active breach to the post-incident review that feeds back into the detection program. The discipline overlaps heavily with SOC operations but extends to roles that don't sit in the SOC — legal counsel, communications, executive leadership during major incidents.
Incident Response and PocketSOC
PocketSOC focuses on a narrow slice of the IR lifecycle: the responder's in-the-moment containment workflow on mobile. Triage an alert, isolate a host, update an alert status. It is not a full IR platform — see about PocketSOC for the scope statement.
Related terms
SOC →
A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.
EDR →
Endpoint Detection and Response (EDR) is a category of security software that continuously monitors endpoints — laptops, servers, and workstations — for malicious activity.
MTTR →
Mean Time to Respond (MTTR) is the average elapsed time between when a security alert is generated and when the SOC takes a meaningful response action.
Host Isolation →
Host isolation is the practice of cutting a compromised endpoint off from the network — typically by blocking all outbound and inbound traffic except a control channel to the EDR platform — so the threat cannot spread, exfiltrate data, or beacon out while the investigation continues.
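As an added illustration of the host-isolation definition above (example code, not part of PocketSOC or this glossary), the script below emits and loads an nftables ruleset that drops all inbound and outbound traffic except loopback and a control channel to the EDR platform. It assumes a Linux host with nftables; the EDR address 203.0.113.10 and port 443 are placeholder values from the documentation range.

```shell
#!/bin/sh
# Added example, not PocketSOC code: a host-isolation ruleset for nftables.
# Everything in and out is dropped except loopback and a control channel to
# the EDR platform. The EDR address 203.0.113.10 and port 443 used in the
# usage line are assumed placeholder values, not anything from the page.

# Print an nftables ruleset isolating this host; args: edr_ip [edr_port].
isolation_ruleset() {
  edr_ip="$1"
  edr_port="${2:-443}"
  cat <<EOF
table inet isolation {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    # replies on the EDR control channel only
    ip saddr $edr_ip tcp sport $edr_port ct state established,related accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    # the control channel itself (EDR agent -> platform)
    ip daddr $edr_ip tcp dport $edr_port accept
  }
}
EOF
}

# Load the ruleset (needs root). Isolation lives in its own table, so
# lifting it later is a single 'nft delete table inet isolation'.
apply_isolation() {
  isolation_ruleset "$@" | nft -f -
}

# Remove the isolation table, restoring normal connectivity (needs root).
lift_isolation() {
  nft delete table inet isolation
}

# Usage: ./isolate.sh apply 203.0.113.10 443 | lift | show 203.0.113.10
if [ "${1:-}" = "apply" ]; then apply_isolation "$2" "$3"
elif [ "${1:-}" = "lift" ]; then lift_isolation
elif [ "${1:-}" = "show" ]; then isolation_ruleset "$2" "$3"
fi
```

The `ip saddr`/`ip daddr` matches cover an IPv4 EDR endpoint only; an IPv6 platform address needs the corresponding `ip6` rules. Because the input chain drops everything that is not part of the EDR channel, existing sessions (including any interactive remote shells) are cut as soon as the table loads.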