Beyond the Alert: Masterclass in Incident Response and Containment

In the current threat landscape, security incidents are not a matter of “if” but “when.” For senior security leaders, the true measure of a program is not just how many threats are detected, but how effectively the organization navigates the chaos after a breach is identified. Achieving this requires moving beyond static documents to a dynamic, battle-tested response culture.

We sat down with Giorgio Perticone, Senior Detection and Response Consultant at Vectra AI, to discuss the tactical and strategic nuances of incident handling. Giorgio brings over a decade of system administration experience and a “real-world” education in forensics to the conversation.

You can read the complete transcript of the episode here.

What are the essential components of a robust Incident Response (IR) plan?

A response plan is the foundation of the IR process, and it must address both technical and procedural elements. Giorgio identifies two critical pillars for preparation:

  • A Defined Process: Many organizations treat every incident as if it were their first. You must know exactly who to call and who to involve before the crisis hits. Without this, teams struggle to reach decision-makers who might be on vacation or simply unaware of their role in the response.
  • Environmental Awareness and Visibility: The most difficult cases are those where the organization doesn’t understand its own environment. You must know what your hosts are supposed to do, who has access to them, and how to pull data from them without working on the host while an attacker is still present.

How should organizations validate their IR plans?

Having a plan written by a consultant is not enough; it must be exercised to be effective. Giorgio recommends simulating full-scale incidents rather than just technical pen tests.

  • Involve Non-Technical Departments: A true test includes legal, PR, C-level executives, and finance. You need to see if they reply quickly and if they understand the technical implications enough to make business decisions.
  • Stress-Test Decision Making: Can the CEO be reached to approve shutting down a domain controller for 12 hours? Do they know the person calling them? If you don’t test these interactions, you will waste critical time during a real breach.
  • Accept Improvisation: No plan survives contact with the enemy intact. However, it is much better to have a standard process covering 50% of the incident and improvise the rest than to improvise everything from scratch.

What is an “Incident Commander,” and why is the role critical?

Giorgio advocates for a role often missing in industry practice: the Incident Commander (or Project Manager of the incident).

  • Centralized Communication: This person manages non-technical departments while shielding the technical analysts so they can focus on the data without being interrupted every 30 minutes for updates.
  • Technical Translation: They act as a bridge, translating complex technical findings into language that executives can use to make informed business decisions.

Why is the industry shifting its focus from Detection to Containment?

For years, the industry has focused heavily on visibility and detection. However, visibility without the authority to act is a major bottleneck.

  • The Responsibility Gap: Giorgio notes that many organizations see an incident but no one takes the responsibility to stop a device, user, or network segment to prevent the spread. This hesitation often leads to ransomware infections spreading across the entire network.
  • Repeat Compromise: Failing to contain can lead to immediate re-infection. In one case, a company delayed patching an internet-facing system because they didn’t want to shut down a customer-facing service; a week later, the same attacker compromised the entire network again.
  • Human vs. Tool Authority: While many tools have automated containment features, few companies enable them because they are hesitant to give that responsibility to a tool instead of a human.

How can leaders balance business continuity with necessary containment actions?

Containment decisions are often business decisions, not just technical ones.

  • Pre-Determine Criticality: Leaders must understand the business importance of every device before an incident. If a server has a low business criticality (rated 1 or 2 out of 5), the team should be empowered to stop it immediately for investigation, knowing the revenue loss will be minimal compared to the risk of a larger breach.
  • Grant Emergency Authority: Organizations should entrust specific roles to take difficult containment decisions in an emergency, rather than waiting for consensus while an attack is in progress. It is often better to justify a proactive decision later than to wait until the damage is irreversible.

What is the most humane way to support a client during a breach?

Working as a consultant, Giorgio emphasizes the importance of managing the “emotional status” of a compromised client.

  • Establish Communication Early: Even if there are no updates, provide constant, scheduled meetings (e.g., twice a day). “No news” is not “good news” during a breach; silence only increases panic.
  • Provide a Roadmap: Calm stakeholders by showing what has been tried, what didn’t work, and what the planned next steps are.
  • Verify the Incident: In some cases, such as “fake ransomware” attacks where notes are left but no data is exfiltrated, thorough analysis can prevent unnecessary panic and stress.

How do Automation and AI impact the role of the Human Analyst?

Automation and AI are tools meant to ease the burden of data analysis, but they do not replace the human element.

  • Reducing Operational Load: Automation should handle “easy” and repetitive tasks. This ensures that when a critical, manually perpetrated attack occurs, the team has 100% of its focus available for the complex investigation.
  • The Human Decision Point: A human must still decide when it is safe to apply automation and when to revert to a previous status based on investigation findings.
  • Enlarged Attack Surface: While giving technology high privileges for automated containment can be an attack vector, Giorgio argues this is often a “drop in the ocean” compared to existing admin and service accounts already present in large corporate networks.

What is the best way to manage stress and prevent IR team burnout?

Incident response can take weeks of non-stop work. Giorgio offers two primary suggestions for managers:

  • Simulation as a Safety Net: Testing plans when it is “safe” builds muscle memory and knowledge. When people know what they need to do, their stress level during a real incident is significantly lower.
  • Reject the 48-Hour Shift: Managers cannot expect analysts to work 48 hours straight. After eight hours, an analyst is likely to miss critical details in logs due to fatigue. Managers must budget for 24/7 coverage or external partners to ensure team members get rest.

Should every organization build an internal Detection Engineering team?

Giorgio offers a controversial take: not every company needs one.

  • The Maturity Requirement: Building a team to define internal rules and create technology from scratch is something only very mature organizations should do.
  • Buy vs. Build: Unless an organization can genuinely do better than third-party providers who have hundreds of people working 24/7, the budget is often better spent elsewhere.

Conclusion: Preparation is the Antidote to Panic

Giorgio Perticone’s insights reiterate a core truth of modern security: technical excellence is secondary to organizational preparedness. A robust program requires clear communication channels, a designated Incident Commander, and the courage to prioritize containment over business-as-usual during a crisis. By simulating incidents, empowering decision-makers, and acknowledging the human limits of the analyst team, security leaders can transform their response from a reactive panic into a controlled, strategic operation. Ultimately, the best defense is to learn from every “fake” and “real” note left behind, ensuring the organization is better prepared for the next battle.
