Security Incidents are some of the toughest situations you can be thrust into - not only as a security team, but as an entire organization.
They’re high-stakes, high-stress, and often come with reputational risk. The pressure is on to contain it fast and minimize the damage.
No matter what scenario puts you in this position, one thing’s certain - you’re in a tough spot.
But even when your back’s against the wall, there’s always an opportunity to turn the situation into something positive.
Every incident tells you something. It exposes weaknesses, highlights blind spots, and reveals parts of your attack surface you didn’t know existed.
Once you’ve contained the incident and things start to stabilize, don’t just move on. If it didn’t completely take you down, it should become an opportunity to make you stronger. Treat it as a lesson, not a loss.
As one of my old coaches used to say: “Mistakes are good, as long as you learn from them.”
That’s where the Post-Mortem, or what I prefer to call the After Action Report (AAR), comes in.
An AAR is your chance to slow down, bring all stakeholders to the table, and talk openly about what happened - what went wrong, why it went wrong, and how to make sure it doesn’t happen again.
It’s not about blame. It’s about growth. It’s about acknowledging shortcomings, celebrating wins, and walking away with a concrete plan to strengthen your security posture.
For me, conducting AARs after major incidents isn’t optional - it’s non-negotiable.
Here are my must-haves for running an effective AAR that actually improves your security posture.
Root Cause Analysis
The first section of any AAR is also one of the most important: the Root Cause Analysis.
This is where all key stakeholders get the chance to formally discuss and agree on the true cause (or causes) of the incident.
The consensus forms the foundation for everything that follows. The root cause shapes not just the rest of the discussion, but also the bulk of the improvements that stem from it.
This is the moment to gather your SMEs and collectively identify what went wrong - not who went wrong. Blame doesn’t solve problems, but understanding does.
Nailing down the root cause is critical to ensuring history doesn’t repeat itself. When you start seeing the same causes appear across multiple incidents, it’s a red flag that your organization isn’t improving or maturing from a security perspective.
Once the group agrees on the cause, categorize it clearly and write a short description of what it entailed. That simple step makes later reporting, trend analysis, and follow-up work much easier.
A well-documented root cause sets the tone for a mature and transparent security culture - and that’s where real growth starts.
AAR Rubric
The AAR Rubric is a concept I coined to help objectively grade the team against a standardized framework after each incident.
It’s a structured way to measure how the incident response function executed, identify opportunities for improvement, and track performance over time.
Here are some of my go-to questions, though there’s plenty of room to customize based on your environment:
Was the incident detected in a timely manner?
Did members have sufficient training to handle this type of incident?
Was there an IR plan or playbook in place?
Were IR procedures adequate?
Were internal docs adequate to triage the incident?
Were stakeholders kept appropriately informed throughout the incident?
Were communications adequate?
Were mitigation efforts sufficient to prevent further impact?
Were the proper resources available to address the incident?
Did the response process avoid unnecessary downtime or collateral damage?
Is the team confident that similar incidents can be prevented in the future?
I have a standardized grading system for each category:
N/A (Not Applicable)
Poor
Needs Improvement
Good
Great
Highlight
Yes
No
The purpose is twofold: to spot specific areas that need work, and to identify trends over time.
For instance, if the question “Were IR procedures adequate?” consistently gets marked as “Needs Improvement,” that’s a clear signal something systemic needs to change.
The real value of the AAR Rubric is in its trend analysis. It helps ensure your team isn’t just reacting incident to incident - but actually improving with each one.
Continuous improvement is the goal. The rubric gives you the data to prove it’s happening.
🚨 Calling All Incident Responders! 🚨
I’ve been building IRHQ, a new platform for security teams that makes incident response trackable, repeatable, and insightful - not a chaotic mix of Slack threads, docs, and spreadsheets.
If you’ve ever struggled to keep timelines straight, track details mid-incident, or wish you had real data to back up IR improvements, that’s exactly what IRHQ is built to fix.
I’m looking for a few experienced responders from the Cybersec Café Community to test it out and share feedback that shapes where it goes next.
No sales pitch - just looking for thoughtful feedback to build something better for IR teams.
Discussion Items
Discussion Items are a two-part process.
The first happens during the incident. These are notes or thoughts that you, or anyone on the team, capture in real time. They’re small things you don’t want to lose sight of, like:
Something that didn’t go smoothly
A tool you wish you had
A gap in documentation or communication
I usually dedicate a section in my Incident Response document where participants can drop these items, along with a quick note or context.
The second part comes during the AAR itself. This is where we actually discuss each item in detail and document the outcomes of those discussions.
The purpose is to dig into the specifics - what went wrong, what could’ve gone better, and what we need to fix or improve. Whether it’s:
A misconfiguration spotted
A process that needs to be formalized
An SOP that caused friction
Whatever it is, make sure it gets surfaced and talked through. And always track who wrote down each item - the author will have the most context and can help drive a productive conversation.
The end goal of Discussion Items is to spark actionable improvements. Not every improvement ties directly to the root cause or the rubric. Some are smaller, one-off issues - but they still matter.
That’s where Discussion Items really shine - they capture the small details that often slip through the cracks but can have a huge impact when addressed.
Cost
One of the most underrated parts of an AAR is estimating the cost of the incident.
It’s not just about technical impact. It’s about illustrating exactly how much each incident actually costs the business. This transparency can be a powerful tool for driving executive buy-in and securing future funding for the improvements that matter most.
Here are the main categories I like to track.
Human Costs: Break this down into human hours and estimated salary/hourly costs for everyone involved, not just the security team. Think engineers, product managers, customer success, or anyone else pulled into the response.
Tooling Costs: Capture any tools or licenses purchased specifically to aid the investigation or response.
Service Costs: Track any external services or consulting engagements used during the incident.
Revenue Impact: Estimate the business impact. Did the incident cause downtime or interrupt operations that affected revenue?
Once you have your data, I like to summarize it into three clear metrics that tell the full story:
Estimated Incident Costs = Human + Tooling + Service
Estimated Revenue Impact
Estimated Total Cost = Incident Costs + Revenue Impact
Over time, tracking these numbers helps you see patterns - especially if certain types of incidents keep costing you more.
If those costs start trending upward, you now have tangible data to justify additional spend in areas that will actually reduce your long-term risk and financial exposure.
Trust me, this is one adjustment I wish I’d started much earlier in my career.
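As an added illustration (not code from the original post), here is a small Python model of the AAR record that applies the rubric scale, the cost roll-up formulas, and the trend checks described above: recurring root causes, rubric questions that keep grading weakly, and cost per incident type. The AAR class, field names and sample incidents are my own constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

GRADES = {"N/A", "Poor", "Needs Improvement", "Good", "Great", "Highlight", "Yes", "No"}
WEAK = {"Poor", "Needs Improvement", "No"}  # what trend analysis looks for

@dataclass
class AAR:
    incident: str
    root_cause: str          # agreed category from the Root Cause Analysis
    rubric: dict             # question -> grade (one of GRADES)
    human: float = 0.0       # hours * loaded rate, every team pulled in
    tooling: float = 0.0
    service: float = 0.0
    revenue_impact: float = 0.0

    def __post_init__(self):  # reject grades outside the standard scale
        bad = [q for q, g in self.rubric.items() if g not in GRADES]
        if bad:
            raise ValueError(f"{self.incident}: non-standard grade for {bad}")

    def incident_cost(self):  # Human + Tooling + Service
        return self.human + self.tooling + self.service

    def total_cost(self):     # Incident Costs + Revenue Impact
        return self.incident_cost() + self.revenue_impact

def weak_questions(aars, min_hits=2):
    """Rubric questions graded weakly in at least min_hits AARs: a systemic signal."""
    hits = Counter(q for a in aars for q, g in a.rubric.items() if g in WEAK)
    return {q: n for q, n in hits.items() if n >= min_hits}

def repeated_root_causes(aars):
    """Root-cause categories that recur across incidents: the post's red flag."""
    return {c: n for c, n in Counter(a.root_cause for a in aars).items() if n > 1}

def cost_by_root_cause(aars):
    """Estimated Total Cost summed per root-cause category."""
    totals = Counter()
    for a in aars:
        totals[a.root_cause] += a.total_cost()
    return dict(totals)

# Constructed sample AARs (not real incidents), two rubric questions each.
Q1, Q2 = "Were IR procedures adequate?", "Was the incident detected in a timely manner?"
SAMPLE = [
    AAR("INC-1", "missing patch", {Q1: "Needs Improvement", Q2: "Good"}, 4000, 0, 0, 10000),
    AAR("INC-2", "credential leak", {Q1: "Poor", Q2: "Great"}, 6000, 500, 0, 0),
    AAR("INC-3", "missing patch", {Q1: "Good", Q2: "Poor"}, 2000, 0, 3000, 20000),
]
```

Run over a few quarters of real AARs, `weak_questions` and `repeated_root_causes` are the signals that justify systemic fixes, and `cost_by_root_cause` is the number to put in front of leadership.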
Improvement Items
Improvement items are the entire reason you conduct an AAR in the first place.
They’re the concrete action items that are meant to prevent the same incident from happening again.
The most important thing here is ownership. Every improvement item must have a clear owner - because without ownership there is no accountability. And without accountability, those items will never get done.
Not every action item will be a top priority, and that’s okay. What is important is that the AAR clearly documents:
What was discussed
Why it matters
Who is responsible
Each root cause should be tied to at least one improvement item, if not more. Otherwise, you’re leaving parts of the incident unaddressed - and that’s how repeat issues happen!
During the AAR, I like to assign one member of the security team to take live notes on potential improvement items as the discussion unfolds. That way, by the time you get to this section, you’re not starting from scratch - you’re simply refining and assigning.
And finally, don’t let these items live and die inside your AAR document. Track them in your project management system or backlog where there’s visibility, reminders, and progress tracking.
Continuous improvement only happens when visibility and accountability go hand in hand.
The Cybersec Café Discord is officially live! Join a growing community of cybersecurity professionals who are serious about leveling up. Connect, collaborate, and grow your skills with others on the same journey. From live events to real-world security discussions — this is where the next generation of defenders connects. Join for free below.
Always Be Improving
Remember - mistakes are good, as long as you learn from them.
While an incident is never ideal, every single one is a learning opportunity. It’s a direct signal pointing to where your security posture needs to improve.
The way I run my AARs has consistently helped pinpoint root causes, uncover org-wide areas for improvement, and drive accountability through clearly owned action items.
Doing things asynchronously and hoping they’ll just “get done” will never be as effective as sitting down for a formal discussion to hash out what actually happened and how to prevent it next time.
But now I want to hear from you - the Cybersec Café community! How do you run your Post Mortems? This is one of those processes that rarely gets talked about openly, so I’d love to hear how others approach it. Drop your insights below!
And if you’re currently drowning in incidents, give AARs a shot. Worst-case scenario? You spend two hours talking with your team about how to get better. Best-case scenario? You continuously improve your security posture, start identifying long-term trends, and build a rock-solid business case for more investment in security.
Either way, you come out ahead.
Securely Yours,
Ryan G. Cox
P.S. The Cybersec Cafe follows a weekly cadence.
Each week, I deliver a Deep Dive on a cybersecurity topic designed to sharpen your perspective, strengthen your technical edge, and support your growth as a professional - straight to your inbox.
. . .
For more insights and updates between issues, you can always find me on Twitter/X or my Website. Let’s keep learning, sharing, and leveling up together.