[](https://www.paloaltonetworks.com/?ts=markdown) * Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search 
field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [](https://www.paloaltonetworks.com/?ts=markdown) * Products ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [AI Security](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware 
Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime 
Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * Solutions ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions Secure AI by Design * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) Network Security * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown) * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Device 
Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown) * [OT Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown) * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown) * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown) * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown) * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown) * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) Cloud Security * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown) * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown) * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown) * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown) * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown) * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown) * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown) * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Cloud Workload Protection 
(CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown) * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown) Security Operations * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown) * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown) * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown) * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown) * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown) * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown) * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown) * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown) * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown) * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown) Endpoint Security * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown) * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown) * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown) 
[Industries](https://www.paloaltonetworks.com/industry?ts=markdown) * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown) * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown) * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown) * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown) * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown) * Services ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown) * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown) * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown) * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown) * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown) * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown) * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown) * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown) * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown) * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown) * [Ransomware 
Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown) * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown) * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown) * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown) * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown) * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown) * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown) * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown) * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown) [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown) * [Education \& 
Training](https://www.paloaltonetworks.com/services/education?ts=markdown) * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown) * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown) * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown) * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown) [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg) UNIT 42 RETAINER Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial. Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * Partners ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners NextWave Partners * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown) * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown) * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown) * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown) * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown) * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown) * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown) * [XMDR Partners](https://www.paloaltonetworks.com/partners/managed-security-service-providers/xmdr?ts=markdown) Take Action * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown) * 
[Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown) * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner) * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess) * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator) [CYBERFORCE CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise. Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown) * Company ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company Palo Alto Networks * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com) * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Military \& Veterans](https://jobs.paloaltonetworks.com/military) [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown) * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown) * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown) * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown) * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown) * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown) * [Global 
Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown) Careers * [Overview](https://jobs.paloaltonetworks.com/) * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/) [A Newsweek Most Loved Workplace "Businesses that do right by their employees" Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown) * More ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More Resources * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Tech Insider](https://techinsider.paloaltonetworks.com/) * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/) * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/) * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown) * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown) * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown) * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/) * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown) Connect * [LIVE 
community](https://live.paloaltonetworks.com/) * [Events](https://events.paloaltonetworks.com/) * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown) * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown) * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) [Blog Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity Learn more](https://www.paloaltonetworks.com/blog/) * Sign In ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * [Contact 
Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) * [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown) Search All * [Tech Docs](https://docs.paloaltonetworks.com/search) Close search modal [Deploy Bravely --- Secure your AI transformation with Prisma AIRS](https://www.deploybravely.com) [](https://www.paloaltonetworks.com/?ts=markdown) 1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) 2. [Threats](https://www.paloaltonetworks.com/cyberpedia/threat?ts=markdown) 3. [Incident Response](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response?ts=markdown) 4. [What Is an Incident Response Plan (IRP)?](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan?ts=markdown) Table of contents * [What Is Incident Response?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response?ts=markdown) * [Why Is Incident Response Important?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#why?ts=markdown) * [Types of Cybersecurity Incidents](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#types?ts=markdown) * [What Is the Incident Response Lifecycle?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-lifecycle?ts=markdown) * [What Is an Incident Response Plan?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-plan?ts=markdown) * [What Is Digital Forensics and Incident Response?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#forensics?ts=markdown) * [Incident Response Frameworks and Phases](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-phases?ts=markdown) * [Incident Response 
Teams](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-team?ts=markdown) * [Incident Response Tools and Technology](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-tools?ts=markdown) * [Incident Response Services](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-services?ts=markdown) * [Incident Response FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#faq?ts=markdown) * [What is Cyber Incident Reporting?](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting?ts=markdown) * [An Overview of Cybersecurity Incident Management](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#an?ts=markdown) * [Key Components of Cyber Incident Reporting](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#key?ts=markdown) * [Steps to Establish a Cyber Incident Reporting Process](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#steps?ts=markdown) * [The CISA Rule for Cyber Incident Reporting](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#reporting?ts=markdown) * [Cyber Security Incident Case Study](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#cyber?ts=markdown) * [Cyber Incident Reporting FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#faqs?ts=markdown) * [What is Digital Forensics and Incident Response (DFIR)?](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response?ts=markdown) * [DFIR: A Symbiotic Relationship](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#dfir?ts=markdown) * [The Role of Digital Forensics](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#role-of-digital-forensics?ts=markdown) * [The Role and Importance of Incident 
Response](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#roles?ts=markdown) * [What is the Difference Between DFIR and SOC?](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#difference?ts=markdown) * [The Role of EDR in DFIR](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#role-of-edr?ts=markdown) * [DFIR Challenges](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#challenges?ts=markdown) * [Digital Forensics and Incident Response Best Practices](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#best-practices?ts=markdown) * [Future Trends in DFIR](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#future-trends?ts=markdown) * [DFIR FAQs](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#faqs?ts=markdown) * [What is Cloud Incident Response?](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response?ts=markdown) * [Cloud Incident Response (IR) Explained](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#explained?ts=markdown) * [Why Cloud IR Differs from Traditional IR](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#why?ts=markdown) * [The Cloud Incident Response Lifecycle](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#lifecycle?ts=markdown) * [SOC IR vs. 
# What Is an Incident Response Plan (IRP)?
An incident response (IR) plan is a documented strategy outlining how an organization will detect, respond to, and recover from [cybersecurity attacks](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cyber-attack?ts=markdown) or other disruptions. Its purpose is to minimize the impact of [security breaches](https://www.paloaltonetworks.com/cyberpedia/data-breach?ts=markdown), [data leaks](https://www.paloaltonetworks.com/cyberpedia/data-leak?ts=markdown), [malware attacks](https://www.paloaltonetworks.com/cyberpedia/what-is-malware?ts=markdown), and other potential threats while ensuring business continuity.

## Why is an Incident Response Plan Important?

In today's rapidly evolving digital landscape, the importance of a well-crafted incident response plan (IRP) cannot be overstated.
Organizations are increasingly vulnerable to security incidents that jeopardize sensitive data, financial stability, and stakeholder trust:

* **Attack surface change inevitably leads to exposures.** Across industries, [attack surfaces](https://www.paloaltonetworks.com/cyberpedia/what-is-attack-surface-management?ts=markdown) are always in a state of flux. Our research indicates that, on average, an organization's attack surface has over 300 new services every month. These additions account for nearly 32% of new high or critical cloud exposures for organizations.
* **Opportunities for [lateral movement](https://www.paloaltonetworks.com/cyberpedia/what-is-lateral-movement?ts=markdown) and [data exfiltration](https://www.paloaltonetworks.com/cyberpedia/data-exfiltration?ts=markdown) are abundant.** Just three categories of exposures (IT and Networking Infrastructure, Business Operations Applications, and Remote Access Services) account for 73% of high-risk exposures across the organizations we studied and can be exploited for [lateral movement](https://www.paloaltonetworks.com/cyberpedia/what-is-lateral-movement?ts=markdown) and [data exfiltration](https://www.paloaltonetworks.com/cyberpedia/data-exfiltration?ts=markdown).
* **Critical IT and security services are dangerously exposed to the internet.** Over 23% of exposures involve critical IT and security infrastructure, opening doors to opportunistic attacks. These include vulnerabilities in application-layer protocols like SNMP, NetBIOS, PPTP, and internet-accessible administrative login pages of routers, firewalls, VPNs, and other core networking and security appliances.

Developing an effective incident response strategy is essential for navigating the complexities of security management and maintaining the confidence of clients and stakeholders alike.

An effective incident response plan outlines the necessary actions to:

* Identify and react to an incident.
* Quickly and efficiently evaluate the situation.
* Inform the relevant individuals and organizations about the incident.
* Coordinate the company's response.
* Intensify the response efforts according to the seriousness of the incident.
* Assist in the recovery efforts following the incident.

![Best Practices for Building a Solid Incident Response Plan](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/incident-response-plan/best-practices-for-building-solid-incident-response-plan.png "Discover an industry best-practice approach to a solid incident response plan.")

## How to Build an Incident Response Plan

Being prepared for a security incident is half the battle. Having an IRP will help you respond quickly and effectively if an incident occurs.

An incident response plan should lay out clear instructions for actions to take in case of a cyber incident. It should align with the [NIST Incident Response Lifecycle](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf) and include a clear and concise description of the appropriate incident response steps for the incident type and severity.

**Here are the key components of an incident response plan:**

### Define Purpose and Scope

Define the purpose and scope of your IRP. Identify the goal, personnel, and organizational systems it addresses and the objectives you hope to achieve. Addressing these items will help you create a plan tailored to your organization's specific [cybersecurity](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-security?ts=markdown) needs.

### Identify Document Review and Maintenance Requirements

Define the process for reviewing and maintaining the IRP by specifying the roles responsible for its upkeep and approval and the frequency of this process. It is recommended that the IRP be reviewed, updated, and approved at least once a year, whenever there are significant changes in the operational environment, or following a simulated or actual execution of the IRP.
Additionally, lessons learned from these simulated or actual exercises should be evaluated and assessed to identify potential improvements to the document after each exercise.

### Identify the Cybersecurity Incident Response Team

The Cybersecurity Incident Response Team ([CSIRT](https://www.csirt.org/)) comprises core members who will respond to security threats. The document should include a list of roles and responsibilities and the contact information for each individual fulfilling those roles, either in the main body or as an appendix.

Designate an incident response lead (IRL) and outline the members of the core response team. This core team should consist of individuals from various departments that regularly handle cybersecurity matters, including [security operations](https://www.paloaltonetworks.com/cyberpedia/what-is-security-operations?ts=markdown), security management, legal, and [privacy](https://www.paloaltonetworks.com/cyberpedia/data-privacy?ts=markdown).

Furthermore, the organization should identify an extension team that can be activated when necessary. This extension team may include personnel from human resources, marketing, physical security, law enforcement liaisons, and any other relevant departments required to respond to the incident.

### Document a Risk Classification Matrix

An organization should create a risk classification matrix that considers the severity and urgency of security incidents. This matrix should outline the specific risk classification levels that trigger the activation of the incident response plan. Establishing a risk-based timeline for activating the IRP is also an essential step.

Furthermore, the organization should identify incidents that warrant immediate activation of the IRP.
Such incidents include [ransomware attacks](https://www.paloaltonetworks.com/cyberpedia/what-is-ransomware?ts=markdown), malware infections, denial-of-service attacks, customer [data breaches](https://www.paloaltonetworks.com/cyberpedia/data-breach?ts=markdown), and critical [insider threats](https://www.paloaltonetworks.com/cyberpedia/insider-threat?ts=markdown).

### Outline and Describe the Incident Response Process

To ensure the IRP is in an easily consumable format, develop a diagrammed workflow for the incident response process. Procedures should be identified in the IRP for each process area in the overall workflow. This should include:

* **Preparation:** Outlines how the IRP and response teams are prepared and trained for an incident.
* **Incident Handling Systems:** Covers the systems used for event investigation and incident ticketing/tracking.
* **Detection and Analysis:** Describes how an event is identified and evaluated to determine if escalation to an incident is required.
* **Containment, Mitigation, and Eradication:** Describes the process for containing the incident's impact, remediation, and environmental mitigation.
* **Recovery:** Describes how the organization will restore normal business operations, typically by reference to a disaster recovery plan (DRP) or system runbooks.
* **Deactivation of the IRP:** Specifies the criteria and processes for formally deactivating the incident response once the incident has been fully contained and recovered.
* **Post-incident Activity:** Explains how the organization will document historical events, identify the root cause of incidents, identify lessons learned, and incorporate improvements into future IRP iterations.

### Define a Communications Plan

Define a communications plan in either the document's body or appendix. Expected IRL communications must be outlined here to achieve coordinated outcomes during uncertain and stressful situations. This plan is often provided in table format.
It should define:

* Tools used in an incident (e.g., conference bridges, email, or messaging service).
* Protocols for how team members should communicate with each other.
* Specific communications templates or content that should be sent.
* The frequency at which communications need to be sent.
* Any time-based requirements for sending communications.
* Format and method for delivering the communications.
* Designated owners and senders responsible for communications.
* Intended audience and recipient lists for each communication.

### Establish IRP Training and Testing

Document the requirements for training personnel in the IRP and performing tabletop exercises or full simulations. To ensure preparedness, it is recommended that personnel be trained and tested on the IRP at least annually.

### Establish Performance Measuring and Metrics

Define how the performance of the IRP is measured and which metrics will be used to measure performance. These may include standard metrics for detection and response, such as:

* Mean time to acknowledge (MTTA)
* Mean time to detect (MTTD)
* Mean time to contain (MTTC)
* Mean time to recovery (MTTR)
* Mean time between failures (MTBF)
* System availability
* Service-level agreement (SLA) compliance
* Process metrics (such as the number of times the IRP is updated or tested annually)

### Define Compliance and Non-Compliance

Identify how the organization will assess compliance with the IRP and what actions (such as disciplinary action) shall be taken for non-compliance or for certain types of non-compliance.

It's important to remember that incident response planning is a continuous and evolving process rather than a one-time task. After you've created an initial incident response plan, ongoing testing and evaluation are crucial, as both processes and threats can change over time.

### Ongoing Updates

To ensure the plan's effectiveness, conduct regular assessments and simulations that reflect the current threat landscape and organizational structure.
It's advisable to reassess and validate incident response plans annually. This regular review helps identify gaps in the plan and incorporates lessons learned from past incidents or exercises. Any significant changes within the organization, such as IT infrastructure updates, business operations shifts, or alterations to regulatory and compliance requirements, should trigger an immediate revision of the incident response plan.

## Incident Response (IR) Plan FAQs

### What are the key steps in an IR plan?

The key steps in an IRP typically include:

* **Preparation:** Establishing policies, tools, and teams.
* **Identification:** Detecting and confirming incidents.
* **Containment:** Limiting the spread of threats.
* **Eradication:** Eliminating the root cause of the incident.
* **Recovery:** Restoring systems and data to normal operation.
* **Lessons Learned:** Reviewing and improving the plan post-incident.

### Who should be involved in creating and implementing an IR Plan?

An IRP should involve stakeholders from various departments, including IT security, legal, HR, public relations, and senior management. External partners, such as cybersecurity consultants and law enforcement, may also play a role during significant incidents.

### How often should an IR Plan be updated or tested?

An IRP should be reviewed and updated annually or whenever significant changes occur in the organization, such as new technology adoption or regulatory updates. Regular testing through simulations or tabletop exercises is critical to ensure its effectiveness.

### What are the common challenges organizations face when implementing an Incident Response Plan?

Common challenges include:

* Lack of clarity in roles and responsibilities.
* Need for adequate training for incident response teams.
* Poor communication during incidents.
* Outdated or incomplete documentation.
* Insufficient budget or resources to support the plan.
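
The detection and response metrics listed under "Establish Performance Measuring and Metrics" can be computed directly from incident ticket timestamps. The Python below is an added example, not part of the original article; the record fields, the start and end events chosen for each metric, and the SLA targets are assumptions, and the sample incidents are constructed.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data). None means the timestamp is
# unknown or the incident has not reached that phase yet.
INCIDENTS = [
    {"id": "INC-001", "severity": "high",
     "occurred": "2025-03-01T02:00", "detected": "2025-03-01T06:00",
     "acknowledged": "2025-03-01T06:30", "contained": "2025-03-01T12:00",
     "recovered": "2025-03-02T06:00"},
    {"id": "INC-002", "severity": "critical",
     "occurred": "2025-04-10T09:00", "detected": "2025-04-10T10:00",
     "acknowledged": "2025-04-10T10:15", "contained": "2025-04-10T13:00",
     "recovered": "2025-04-10T22:00"},
    {"id": "INC-003", "severity": "medium",          # still recovering
     "occurred": "2025-05-05T00:00", "detected": "2025-05-05T10:00",
     "acknowledged": "2025-05-05T15:00", "contained": "2025-05-06T01:00",
     "recovered": None},
    {"id": "INC-004", "severity": "high",            # start of activity unknown
     "occurred": None, "detected": "2025-06-01T08:00",
     "acknowledged": "2025-06-01T09:15", "contained": "2025-06-01T14:00",
     "recovered": "2025-06-02T08:00"},
]

# Assumed interval definitions. Organizations define these differently, so the
# IRP should state which start and end event each metric uses.
METRICS = {
    "MTTD": ("occurred", "detected"),
    "MTTA": ("detected", "acknowledged"),
    "MTTC": ("detected", "contained"),
    "MTTR": ("detected", "recovered"),
}

# Assumed acknowledgement targets per severity, in hours.
ACK_SLA_HOURS = {"critical": 0.5, "high": 1.0, "medium": 4.0}


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def interval_hours(incident, start_key, end_key):
    """Hours between two events, or None if either timestamp is missing."""
    start, end = _ts(incident.get(start_key)), _ts(incident.get(end_key))
    if start is None or end is None:
        return None
    if end < start:
        # Out-of-order timestamps indicate a data-entry or clock problem;
        # fail loudly instead of letting a negative value skew the mean.
        raise ValueError(
            f"{incident.get('id')}: {end_key} precedes {start_key}")
    return (end - start).total_seconds() / 3600


def mean_times(incidents):
    """Mean hours per metric, plus how many incidents were counted/excluded."""
    report = {}
    for name, (start_key, end_key) in METRICS.items():
        samples = [h for h in
                   (interval_hours(i, start_key, end_key) for i in incidents)
                   if h is not None]
        report[name] = {
            "hours": round(mean(samples), 2) if samples else None,
            "n": len(samples),
            "excluded": len(incidents) - len(samples),
        }
    return report


def sla_compliance(incidents, targets):
    """Share of incidents acknowledged within the target for their severity.

    Incidents with no acknowledgement recorded are counted as breaches
    (an assumption made for this example).
    """
    breaches = []
    for inc in incidents:
        hours = interval_hours(inc, "detected", "acknowledged")
        if hours is None or hours > targets[inc["severity"]]:
            breaches.append(inc["id"])
    rate = 1 - len(breaches) / len(incidents) if incidents else None
    return rate, breaches


if __name__ == "__main__":
    for metric, result in mean_times(INCIDENTS).items():
        print(metric, result)
    print("SLA compliance:", sla_compliance(INCIDENTS, ACK_SLA_HOURS))
```

Reporting the excluded count next to each mean keeps open incidents and unknown start times visible instead of silently shrinking the sample.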
### What tools are typically used to support an Incident Response Plan?

Common tools include:

* [SIEM](https://www.paloaltonetworks.com/cyberpedia/what-is-siem?ts=markdown) (Security Information and Event Management): For monitoring and identifying threats.
* [EDR](https://www.paloaltonetworks.com/cyberpedia/what-is-endpoint-detection-and-response-edr?ts=markdown) (Endpoint Detection and Response): For detecting and mitigating endpoint threats.
* Incident Management Platforms: To coordinate and document response efforts.
* Forensic Analysis Tools: To [investigate the root cause of incidents](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response?ts=markdown).
* Communication Tools: For secure, real-time collaboration during incidents.