Incident Response

Incident response is the operational discipline of detecting, containing, investigating, and recovering from a security compromise. Standard practice in enterprise security (the SANS Institute incident-handling framework, the NIST SP 800-61 incident-handling guide), increasingly relevant for individuals facing account takeover, device compromise, or stalkerware infection. The shift from “did something happen” to “what do I do now” depends on having a plan before the event.

What it means in practice

The structural model has six phases: preparation, identification, containment, eradication, recovery, and lessons learned. For individuals, the phases compress but the logic holds. Preparation: write down the steps before the incident (who do you call, what do you change first, what evidence do you preserve before wiping). Identification: recognize the symptoms (unexpected logins, missing emails, unfamiliar device sessions, the cascade of “your password was changed” messages). Containment: stop the compromise from spreading (sign out of all sessions, revoke OAuth tokens, change keystone passwords on hardened-authentication accounts). Eradication: remove the access (rotate every reachable credential, revoke device authorization, factory reset if device-level compromise is suspected). Recovery: restore normal operation with new credentials and verified-clean devices. Lessons learned: write a field note documenting the incident and the structural change you made to prevent recurrence.

Where it shows up

Most consequential for: account-takeover victims (the cascade is often 30-90 minutes; recognizing it within that window changes the outcome), suspected stalkerware victims (the response sequence determines whether forensic evidence is preserved for legal proceedings), journalists and activists facing targeted-spyware suspicion (the response runs through Citizen Lab or Amnesty Security Lab rather than a self-directed wipe), and corporate-context insiders facing suspected breach of a workplace account (where the corporate IR team has authority but the individual’s actions in the first hour matter). The Predaxia editorial frame: the incident response that works is the one rehearsed before the incident; the incident response that fails is the one improvised in the moment.

What you can change today

Build your one-page incident-response plan today. Sheet of paper, six sections: who to call (lawyer, security professional, family member who can help), what to change first (passwords on email, password manager, financial), what to preserve as evidence (screenshots before wiping, log copies, dates and times), what to wipe (only after evidence preservation), what to verify clean (devices, accounts, recovery contacts), and what structural change closes the gap. Store the plan with your other operational documents (encrypted vault, paper safe, the same place you keep recovery codes). Revisit annually. The minutes of preparation buy hours of clarity in the actual incident.

Related articles