
Incident Response Plan Template: A Practical Guide for Mid-Size Companies

A practical incident response guide based on NIST 800-61 covering the 6 phases, roles and responsibilities, communication templates, escalation matrices, and tabletop exercises.

Tom Robinson, Head of Cybersecurity | April 2, 2026 | 11 min read

Every company will experience a security incident. The question is not whether, but when — and whether your team will respond with a tested plan or with chaos. A 2025 IBM study found that organizations with a tested incident response plan reduced breach costs by an average of $2.66 million compared to those without one. For mid-size companies, that difference can be existential.

Yet most mid-size companies either have no incident response plan, or have a dusty document written three years ago that no one has tested. This guide provides a practical, actionable framework based on NIST 800-61 (Computer Security Incident Handling Guide) that you can implement in your organization this quarter.

The 6 Phases of Incident Response

Phase 1: Preparation

Preparation is everything you do before an incident occurs. It is the phase that determines whether your response will be measured or frantic.

  • Incident response team: Identify specific individuals (not roles) who will respond. Include IT/security, legal, communications, and executive leadership. Document their contact information, including personal cell phones and non-corporate email addresses (your corporate email may be compromised during an incident).
  • Tooling: Ensure your team has access to forensic tools, log aggregation, network monitoring, and endpoint detection and response (EDR) before an incident. Purchasing tools during an active breach is like buying a fire extinguisher while your house is burning.
  • Playbooks: Create specific playbooks for your most likely incident types: ransomware, phishing compromise, data exfiltration, insider threat, DDoS, and supply chain compromise. Each playbook should include step-by-step procedures, not just general guidance.
  • External contacts: Pre-engage an incident response retainer with a forensics firm. Negotiate rates and SLAs before you need them. Also document contacts for your cyber insurance carrier, outside legal counsel, law enforcement (FBI IC3, local field office), and regulatory bodies.

Phase 2: Detection and Analysis

The average time to detect a breach is still 194 days (IBM 2025). Reducing this window is the highest-leverage investment in incident response.

  • Detection sources: SIEM alerts, EDR detections, user reports, threat intelligence feeds, dark web monitoring, and vendor notifications. Ensure all sources feed into a single triage workflow.
  • Initial triage: When a potential incident is detected, determine severity within 30 minutes using predefined criteria. Is this a false positive, a low-severity event, or a confirmed breach requiring full team activation?
  • Severity classification: Define three or four severity levels with clear criteria. For example: SEV-1 (confirmed data exfiltration or ransomware, executive team activated), SEV-2 (confirmed compromise, no data loss confirmed yet, IR team activated), SEV-3 (suspicious activity, investigation needed, on-call analyst handles).
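The following is an added example, not code from the original article, showing what a "single triage workflow" with predefined severity criteria can look like in practice. It normalises alerts from several detection sources into one schema, applies the SEV-1/2/3 criteria defined above, computes the 30-minute triage deadline, and lists the roles the responsibility matrix later in this guide activates. The raw alert formats, field names and sample events are constructed assumptions, not any vendor's real schema.

```python
"""Single triage workflow over several detection sources (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

TRIAGE_SLA = timedelta(minutes=30)  # severity must be decided within 30 minutes

# Roles activated per severity, taken from the guide's responsibility matrix.
ACTIVATION = {
    "SEV-1": ("Incident Commander", "Technical Lead", "Communications Lead",
              "Legal Counsel", "Executive Sponsor"),
    "SEV-2": ("Incident Commander", "Technical Lead", "Legal Counsel"),
    "SEV-3": ("Technical Lead",),  # on-call analyst investigates
}


@dataclass
class Event:
    source: str
    detected_at: datetime
    confirmed_compromise: bool
    data_exfiltration: bool
    ransomware: bool
    summary: str


def normalise(raw: dict) -> Event:
    """Map a source-specific alert (constructed formats) into the common schema."""
    src = raw["source"]
    ts = datetime.fromisoformat(raw["timestamp"])
    if src == "siem":
        tags = set(raw.get("tags", []))
        confirmed = raw.get("confidence") == "high"  # only high-confidence rules count as confirmed
        return Event(src, ts, confirmed, confirmed and "exfiltration" in tags,
                     confirmed and "ransomware" in tags, raw["rule"])
    if src == "edr":
        malicious = raw.get("verdict") == "malicious"
        return Event(src, ts, malicious, False,
                     malicious and raw.get("family") == "ransomware",
                     f"{raw['family']} on {raw['host']}")
    if src in ("user_report", "vendor_notification", "threat_intel"):
        # Unverified sources start as suspicious activity until an analyst confirms.
        return Event(src, ts, False, False, False, raw["text"])
    raise ValueError(f"unknown detection source: {src}")


def classify(ev: Event) -> str:
    """Severity criteria exactly as Phase 2 of the guide defines them."""
    if ev.ransomware or ev.data_exfiltration:
        return "SEV-1"
    if ev.confirmed_compromise:
        return "SEV-2"
    return "SEV-3"


def triage(raw: dict, now: datetime) -> dict:
    ev = normalise(raw)
    sev = classify(ev)
    deadline = ev.detected_at + TRIAGE_SLA
    return {
        "source": ev.source, "severity": sev, "summary": ev.summary,
        "activate": ACTIVATION[sev],
        "triage_deadline": deadline.isoformat(),
        "sla_breached": now > deadline,  # no severity decision within 30 minutes
    }


def triage_queue(alerts: list, now: datetime) -> list:
    """Order the combined queue: highest severity first, then oldest detection."""
    rows = [triage(a, now) for a in alerts]
    return sorted(rows, key=lambda r: (r["severity"], r["triage_deadline"]))


# Constructed sample alerts from three different sources.
SAMPLE_ALERTS = [
    {"source": "user_report", "timestamp": "2026-04-02T09:05:00",
     "text": "Entered my password on a page linked from an invoice email"},
    {"source": "edr", "timestamp": "2026-04-02T09:10:00", "verdict": "malicious",
     "family": "ransomware", "host": "fs-01"},
    {"source": "siem", "timestamp": "2026-04-02T08:40:00", "confidence": "high",
     "tags": ["exfiltration"], "rule": "Outbound transfer >5 GB to unknown host"},
]
SAMPLE_NOW = datetime(2026, 4, 2, 9, 30)  # constructed "current time" for the queue

if __name__ == "__main__":
    for row in triage_queue(SAMPLE_ALERTS, SAMPLE_NOW):
        print(row["severity"], row["source"], row["activate"], row["sla_breached"])
```

The point of the normalisation layer is that the severity rule is written once and applied identically whether the signal came from the SIEM, the EDR, or a user's email; the `sla_breached` flag is what a manager would report on to see whether the 30-minute triage target is actually being met.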

Phase 3: Containment

The goal is to stop the bleeding without destroying evidence or causing additional damage.

  • Short-term containment: Isolate affected systems from the network. Disable compromised accounts. Block malicious IPs and domains at the firewall. These actions should happen within hours of detection, not days.
  • Evidence preservation: Before wiping or reimaging any system, capture a forensic image. Memory dumps, disk images, and network traffic captures are critical for understanding scope and attribution. Once destroyed, this evidence cannot be recreated.
  • Long-term containment: Implement temporary controls while you plan eradication. This might include additional monitoring on suspected lateral movement paths, temporary network segmentation, or forced password resets for potentially compromised groups.

Phase 4: Eradication

Remove the threat actor's access and eliminate the root cause:

  • Identify and remove all malware, backdoors, and persistence mechanisms
  • Patch the vulnerability that enabled initial access
  • Reset all potentially compromised credentials (not just confirmed ones)
  • Rebuild compromised systems from known-good images rather than attempting to "clean" them
  • Verify eradication through scanning and monitoring before proceeding to recovery

Phase 5: Recovery

Restore systems to normal operation with confidence that the threat is eliminated:

  • Restore from clean backups (verify backup integrity before restoration)
  • Bring systems back online in a controlled sequence, starting with the most critical
  • Implement enhanced monitoring for 30-90 days post-recovery — threat actors frequently attempt to regain access after initial eradication
  • Validate that all business functions are operational before closing the incident
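Both the evidence-preservation step in Phase 3 (capture an image before reimaging) and the backup-integrity check in Phase 5 (verify before restoring) come down to the same control: record a cryptographic hash of the artefact when it is collected and re-check it before it is relied on. The block below is an added example, not code from the original article; it keeps a chain-of-custody manifest in JSON-lines form and verifies artefacts against it. The case id, file names and image bytes are constructed placeholders.

```python
"""Evidence and backup integrity manifest (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte images never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_artifact(path: Path, manifest: Path, case_id: str,
                    kind: str, collected_by: str) -> dict:
    """Append a custody entry; keep the manifest on separate, write-once storage."""
    entry = {
        "case_id": case_id,
        "kind": kind,  # e.g. disk_image, memory_dump, pcap, backup
        "name": path.name,
        "size": path.stat().st_size,
        "sha256": sha256_file(path),
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    with manifest.open("a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_artifact(path: Path, manifest: Path) -> tuple:
    """Return (ok, reason): ok only if a recorded hash exists and still matches."""
    entries = [json.loads(line) for line in manifest.read_text().splitlines() if line]
    recorded = [e for e in entries if e["name"] == path.name]
    if not recorded:
        return False, "no custody record: artefact was never hashed"
    actual = sha256_file(path)
    if actual != recorded[-1]["sha256"]:
        return False, "hash mismatch: artefact altered since collection"
    return True, "integrity verified"


def run_demo() -> dict:
    """Record a constructed image, verify it, then detect a single-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = root / "custody.jsonl"
        image = root / "fs-01-disk.img"  # constructed stand-in for a forensic image
        image.write_bytes(b"constructed disk image contents\x00" * 4096)
        entry = record_artifact(image, manifest, "CASE-ID-PLACEHOLDER",
                                "disk_image", "on-call analyst")
        before = verify_artifact(image, manifest)
        # Simulate tampering or bit rot by flipping one byte of the image.
        data = bytearray(image.read_bytes())
        data[100] ^= 0x01
        image.write_bytes(bytes(data))
        after = verify_artifact(image, manifest)
        unknown = verify_artifact(root / "never-recorded.img", manifest)
        return {"digest": entry["sha256"], "before": before,
                "after": after, "unknown": unknown}


if __name__ == "__main__":
    print(run_demo())
```

Two design choices matter here: the verifier refuses an artefact that has no custody record at all, so a backup nobody hashed cannot be silently treated as "verified"; and the manifest is appended rather than rewritten, so earlier entries survive if a later collection goes wrong. In production the manifest belongs somewhere the compromised environment cannot write to.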

Phase 6: Post-Incident Review

This is the phase most organizations skip, and it is arguably the most valuable:

  • Conduct a blameless post-mortem within 5-10 business days of incident closure
  • Document the complete timeline: initial compromise, detection, containment, eradication, recovery
  • Identify what worked well and what broke down
  • Create specific, assigned, time-bound action items for improvements
  • Update playbooks and procedures based on lessons learned
  • Brief executive leadership on findings and recommended investments

Roles and Responsibilities

Role                 | Responsibility                                                  | Activated At
Incident Commander   | Overall coordination, decision authority, resource allocation   | SEV-1 and SEV-2
Technical Lead       | Forensic investigation, containment execution, eradication      | All severities
Communications Lead  | Internal comms, customer notification, media relations          | SEV-1
Legal Counsel        | Regulatory notification requirements, privilege, liability      | SEV-1 and SEV-2
Executive Sponsor    | Business decisions, budget approval, board communication        | SEV-1

Communication Templates

Prepare these templates in advance so you are not drafting critical communications during a crisis:

  • Internal notification: "A security incident has been detected and the incident response team has been activated. The incident is classified as [SEVERITY]. [BRIEF DESCRIPTION]. The following actions are required from your team: [SPECIFIC ACTIONS]. Do not discuss this incident outside of authorized channels. Next update will be provided at [TIME]."
  • Customer notification: Draft a template that complies with your regulatory notification requirements (GDPR: 72 hours, HIPAA: 60 days, state breach notification laws: varies). Have legal review the template before an incident occurs.
  • Board briefing: One-page template covering incident summary, business impact, response actions taken, current status, and recommended next steps.

Tabletop Exercise Guide

An untested plan is not a plan — it is a wish. Run tabletop exercises quarterly to validate your IR capability:

  1. Select a realistic scenario (ransomware is the most common first exercise)
  2. Gather the full IR team in a room (or video call) for 2-3 hours
  3. Present the scenario in stages, introducing new information every 20-30 minutes
  4. At each stage, ask: What do we do next? Who makes this decision? What information do we need?
  5. Document gaps discovered — missing contact information, unclear decision authority, untested tools, communication breakdowns
  6. Create action items and track them to completion before the next exercise

Tabletop truth: The first tabletop exercise always reveals significant gaps. That is the point. It is far better to discover that your backup restoration process has never been tested during a tabletop than during an active ransomware incident.

TechCloudPro's cybersecurity practice builds incident response programs for mid-size companies — from plan development and playbook creation to tabletop exercises and IR retainer management. We have responded to over 50 security incidents and know what works under pressure. Schedule an IR readiness assessment and we will evaluate your current plan, identify gaps, and build a program that protects your business when the inevitable incident occurs.

Tags: Incident Response, NIST 800-61, Security Operations, Breach Response

Tom Robinson
Head of Cybersecurity at TechCloudPro