Lessons Learned

Security Specialist, Operations & Strategy, DevOps, SRE

Conducting a post-incident review and identifying lessons learned will improve your project's incident response capabilities. By analyzing what went well and what could be improved, you can enhance your readiness for future incidents.

Best Practices

  1. Review the incident together with everybody involved in handling it shortly after the incident is resolved.
  2. Record details about the incident, including the timeline, root cause, impact, and response efforts.
  3. Assess the effectiveness of the incident response, highlighting areas where the team performed well and areas needing improvement.
  4. Create action plans to address identified weaknesses and enhance strengths. Assign responsibilities and deadlines for implementing improvements.
  5. Share the lessons learned with the ecosystem to promote awareness and improve overall security practices.
  6. Revise incident response policies and procedures based on the lessons learned to ensure continuous improvement.

Questions worth asking

  • Was the incident detected as quickly as it should have been?
  • Did the severity level reflect actual impact?
  • Were the right people involved early enough?
  • Did the team have an appropriate runbook, or was too much invented during the response?
  • Was the external communication cadence appropriate?
  • Did logs, dashboards, and evidence collection support investigation effectively?
  • What should change in monitoring, alerting, staffing, or access controls?

Outputs beyond the write-up

A good retrospective often drives updates to:

  • playbooks and runbooks
  • alert thresholds and monitoring coverage
  • access control or break-glass procedures
  • communication templates
  • training and tabletop exercises

The review should end with tangible changes, not just a document.

For a concrete post-mortem structure and example write-up, see Incident Response Template: Post-Mortem Template and Incident Response Template: Example Post-Mortem.