Dynamic Incident Response

A Framework for Security Teams

A practical guide to building and running incident response programs that adapt to modern threats. From preparation through recovery, this book gives security teams, SOC analysts, and DFIR practitioners the framework they need to detect, contain, and eradicate threats effectively. Read the complete book online for free.

About the Book

Incident response is not a checklist. It is a dynamic process that demands adaptability, sound judgment, and a deep understanding of both the technical and organizational dimensions of security events.

Dynamic Incident Response introduces the Dynamic Approach to Incident Response (DAIR), a framework that covers the full incident response lifecycle: preparation, detection and identification, verification and triage, scoping, containment, eradication, recovery, and post-incident debrief. Each chapter pairs foundational concepts with practical techniques drawn from real-world incidents, giving analysts and response teams the tools to act decisively under pressure.

Topics include ransomware response and recovery, cloud incident response for AWS and Azure, OT/ICS incident handling, cyber threat intelligence integration, digital forensics and memory analysis, incident response playbook development, and the emerging role of AI in security operations. Foreword by John Strand.

What's Inside

Incident Response Framework

Adapt to evolving threats with the Dynamic Approach to Incident Response (DAIR), a structured yet flexible model that moves beyond rigid, linear processes. DAIR is built on the OODA loop and aligned with NIST CSF 2.0.

Detection and Threat Hunting

Identify threats early with signature-based, behavioral, and AI-driven detection methods. Master Sigma rules, SIEM correlation, endpoint detection and response (EDR), and network traffic analysis.

Incident Response Playbooks

Execute confidently with step-by-step checklists for every phase of the incident response lifecycle, from initial detection through recovery. Designed as practical references for active incidents.

Ransomware Response

Contain and recover from ransomware incidents with containment strategies, negotiation considerations, recovery planning, decryption options, and lessons from real-world attacks and threat actors including NotPetya, LockBit, and Scattered Spider.

Cloud Incident Response

Investigate cloud environments across AWS, Azure, and GCP. Preserve evidence with EBS snapshots, analyze CloudTrail and Azure Monitor logs, trace IAM activity, and respond to Kubernetes security events.

Digital Forensics and Investigation

Uncover attacker activity through memory forensics with Volatility and MemProcFS, Windows event log analysis with Hayabusa, disk forensics, malware analysis, lateral movement detection, and root cause analysis.

OT/ICS Security

Protect critical infrastructure with incident response techniques for operational technology and industrial control systems. Learn Purdue model segmentation, safety instrumented systems, and how to bridge the IT-OT gap during incidents.

AI in Incident Response

Accelerate your investigations with AI-driven log analysis, threat detection, playbook generation, report writing, and agentic investigation workflows using large language models.

NIST CSF 2.0 Integration

Satisfy compliance requirements by mapping DAIR activities to all six CSF 2.0 functions — Govern, Identify, Protect, Detect, Respond, and Recover. Build compliance artifacts naturally from your incident response operations and demonstrate control effectiveness to auditors.

Resources

Read by Chapter

Browse and read individual chapters online. Jump directly to the topic you need.

Read Complete Book

Read the entire book as a single page in your browser, with full-resolution figures and diagrams.

Download PDF

Download the book as a PDF for offline reading or printing.

Step-by-Step Checklists

Standalone incident response checklists for each phase of the lifecycle, available in PDF and Markdown.

About the Author

Joshua Wright

Joshua Wright is a senior instructor and author at the SANS Institute, where he teaches courses on incident response, threat hunting, and penetration testing. He is a senior technical director at Counter Hack, and the author of multiple SANS courses and industry publications.

Frequently Asked Questions

What is the Dynamic Approach to Incident Response (DAIR)?
DAIR is an adaptive incident response framework introduced in this book. It organizes the response lifecycle into iterative activities — prepare, detect, verify and triage, scope, contain, eradicate, recover, and debrief — using feedback loops and parallel workstreams rather than a rigid sequential process. DAIR is built on Boyd's OODA loop and aligns with NIST CSF 2.0.

Is this book free to read?
Yes. The complete book is available to read online and to download as a PDF at no cost. A print edition is also available through Amazon.

What topics does the book cover?
The book covers the full incident response lifecycle including preparation, detection and threat hunting, containment, eradication, and recovery. It also includes dedicated chapters on ransomware response, cloud incident response for AWS and Azure, OT/ICS security, digital forensics and memory analysis, cyber threat intelligence, incident response playbook development, AI in security operations, and NIST CSF 2.0 compliance mapping.

What are the step-by-step checklists?
Each chapter includes a step-by-step checklist that condenses the chapter's guidance into an actionable reference. They cover preparation, detection, verification and triage, scoping, the response actions loop, containment, eradication, recovery, and debrief. All nine checklists are available as free downloads in PDF and Markdown formats from the resources page.

How does DAIR differ from traditional incident response models?
Traditional IR models like NIST SP 800-61 present incident response as a linear sequence of phases. DAIR introduces a response actions loop where scoping, containment, eradication, and recovery iterate as new evidence emerges. It emphasizes continuous reassessment, parallel workstreams, and feedback loops, treating IR as a dynamic process that adapts to the situation rather than a checklist to follow in order.

Who wrote this book?
Joshua Wright is a senior instructor and author at the SANS Institute, where he teaches courses on incident response, threat hunting, and penetration testing. The book includes a foreword by John Strand.