* [Blog](https://www.paloaltonetworks.com/blog)
* [Security Operations](https://www.paloaltonetworks.com/blog/security-operations/)
* [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/)
* How to Conduct an Agile S...

# How to Conduct an Agile Security Incident Postmortem

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhow-to-conduct-an-agile-security-incident-postmortem%2F)  
[](https://twitter.com/share?text=How+to+Conduct+an+Agile+Security+Incident+Postmortem&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhow-to-conduct-an-agile-security-incident-postmortem%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhow-to-conduct-an-agile-security-incident-postmortem%2F&title=How+to+Conduct+an+Agile+Security+Incident+Postmortem&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/security-operations/how-to-conduct-an-agile-security-incident-postmortem/&ts=markdown)  
\[\](mailto:?subject=How to Conduct an Agile Security Incident Postmortem)  
Link copied  
By [Mark Brozek](https://www.paloaltonetworks.com/blog/author/mark-brozek/?ts=markdown "Posts by Mark Brozek")  
Mar 20, 2018  
2 minutes  
[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)  
[agile](https://www.paloaltonetworks.com/blog/tag/agile/?ts=markdown)  
[Incident Response](https://www.paloaltonetworks.com/blog/tag/incident-response/?ts=markdown)  
[incident response plan](https://www.paloaltonetworks.com/blog/tag/incident-response-plan/?ts=markdown)  
[postmortem](https://www.paloaltonetworks.com/blog/tag/postmortem/?ts=markdown)  
[template](https://www.paloaltonetworks.com/blog/tag/template/?ts=markdown)

*This article was first published on [DevOps](https://devops.com/security-how-to-conduct-an-agile-incident-postmortem/).*

In a perfect world, every organization could block every attack, no employee would ever make a mistake, and there would be advance warning that an organization might be on some cybercriminal's list of targets. Since organizations operate in a world that is far from perfect, however, they are forced to accept that bad things will happen. History and headlines show they cannot erect enough barriers to stop criminals from trying to penetrate defenses, they cannot hire perfect employees, and they will have to assume that their organization's name has been bandied about as a potential target.

About all they can do is use each incident as a learning opportunity by conducting a thorough postmortem. However, if organizations want to maximize the benefits of a post-incident analysis, they should remember two things --- agility and blamelessness.

## **Agility**

To a developer, agility is a development methodology that provides significant benefits over the traditional waterfall method. However, agility implies a system of thinking, processing information, and executing plans. As such, agility belongs in the realm of cybersecurity as much as it belongs in the realm of development.

Currently, the advantages offered by agility tend to be reaped more by cybercriminals than by cybersecurity professionals. The bad guys get to go first, and since they are not bound by compliance issues or regulations, have no concern for the rights of individuals, and do not have to answer to advocacy groups or government agencies. They have the advantage. Cybercriminals embrace agility to launch attacks that can change from one day to the next.

Unless cybersecurity professionals are as agile as the crooks, they will be limited to reacting to incidents instead of proactively preventing them. One way to help level the playing field is to build in the ability to move quickly when an incident occurs --- including a plan to conduct an effective, thorough, and efficient postmortem.

However, a postmortem implies that the incident is over and is now undergoing a final review. If organizations are truly agile, they will have conducted at least one retrospective prior to the postmortem. Agile retrospectives are conducted to assist the team in making immediate changes and are more about action than review.

**To get started on crafting your own tailored incident report, download our report template below.**

[DOWNLOAD TEMPLATE](https://www.paloaltonetworks.com/resources/whitepapers/incident-response-reporting-template.html?ts=markdown)

*** ** * ** ***

## Related Blogs

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)

[#### Think Like a Hacker --- What CISOs and Executives Should Know About Cyber Risk](https://www.paloaltonetworks.com/blog/security-operations/think-like-a-hacker-what-cisos-and-executives-should-know-about-cyber-risk/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)

[#### Top 10 Best Practices for Cyberbreach Post-Crisis Communication](https://www.paloaltonetworks.com/blog/security-operations/top-10-best-practices-for-cyberbreach-post-crisis-communication/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)

[#### 5 Steps to an Effective Data Incident Response Program](https://www.paloaltonetworks.com/blog/security-operations/5-steps-to-an-effective-data-incident-response-program/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### Stopping Cross-Domain Attacks with Cortex XDL + Cortex XSIAM](https://www.paloaltonetworks.com/blog/security-operations/stopping-cross-domain-attacks-with-cortex-xdl-cortex-xsiam/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### Think You Have Visibility? Think Again.](https://www.paloaltonetworks.com/blog/security-operations/think-you-have-visibility-think-again/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Exploring the Art and Science of Threat Hunting with Oded Awaskar](https://www.paloaltonetworks.com/blog/security-operations/exploring-the-art-and-science-of-threat-hunting-with-oded-awaskar/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language