Glen Thomas

Software / Platform Engineer

3 minute read Security

Incidents happen. Maybe it was a misconfigured S3 bucket, a leaked token, or a logic bug that let a user see someone else’s data. The temptation after containing a security incident is to move on quickly, patch the hole, and hope it doesn’t happen again.

But that’s a missed opportunity.

Handled well, a post-incident security review (PISR) doesn’t just close one vulnerability, it builds a culture of resilience, improves your threat model, and strengthens your team’s ability to respond next time.

Here’s how to run one that’s more than just box-checking.

Step 1: Containment Isn’t Closure

Before you even think about reviewing the incident, make sure it’s actually contained. That means:

  • The attacker’s access is revoked or blocked.
  • Affected systems are patched or segmented.
  • Logs are preserved (even if incomplete).
  • A basic public/internal communication plan is agreed upon.

Containment is the triage. The review is the surgery.

Step 2: Reconstruct the Timeline

A good review starts with a clear, evidence-based timeline.

Start by identifying:

  • Initial entry point — how the attacker got in or how the bug was introduced.
  • Sequence of events — user actions, alerts, code changes, access patterns.
  • Detection moment — how and when the issue was discovered.
  • Response actions — who did what, when.

Use logs, alerting data, commit history, and chat threads to put together a linear story. Don’t gloss over gaps — highlight where you wish you had better visibility.

Step 3: Identify Root Causes, Not Just Symptoms

Avoid stopping at “the bug was here” or “this setting was wrong.” Go deeper.

Ask:

  • Why was this possible in the first place?
  • Why wasn’t it detected earlier?
  • Why wasn’t it prevented by testing, code review, or monitoring?

Root causes often fall into categories like:

  • Gaps in training or onboarding.
  • Incomplete threat modeling.
  • Overly permissive defaults.
  • Broken assumptions about trust boundaries.
  • Lack of automated safeguards.

If you’re only fixing the specific vulnerability, you’re not fixing the system that allowed it.

Step 4: Invite the Right People to the Table

The best post-incident reviews aren’t just for the security team.

Invite:

  • Engineers who wrote or deployed the affected code.
  • On-call responders.
  • Product managers (if customers were affected).
  • Security and infrastructure stakeholders.

This isn’t about blame. It’s about building shared understanding and identifying actionable improvements across roles.

Keep the tone constructive and forward-looking. Use blameless language like:

“This assumption made sense given what we knew at the time… but now we see the risk.”

Step 5: Document and Share Clearly

Write a report that captures the key takeaways — not just what happened, but what will be done differently.

Your write-up should include:

  • What happened (narrative + timeline).
  • Root cause analysis.
  • Impact assessment (internal + external).
  • Response timeline.
  • What went well (tools, teamwork, detection).
  • What could improve.
  • Action items with owners and deadlines.

Even better: create a redacted version that can be shared with the broader team. Normalise transparency. The more people learn from each incident, the stronger your organisation gets.

Step 6: Turn Lessons Into Lasting Change

Follow-through is everything.

If you found that logs were incomplete, fix your logging strategy. If roles and permissions were too broad, define a least-privilege policy. If a third-party library had a critical flaw, update your dependency scanning process.

Security reviews should lead to systemic improvements: new guardrails, better observability, clearer escalation paths.

Schedule a follow-up in a few weeks to check progress on action items. Don’t let the review gather dust.

Final Thoughts

Security incidents are a fact of life. What separates strong teams from the rest is how they respond, and how they evolve.

A well-run post-incident review isn’t about pointing fingers, it’s about finding cracks in assumptions, strengthening trust boundaries, and building resilience across the board.

Handled right, every incident becomes not just a story of what went wrong, but a blueprint for what to do better.

Further Reading.

A book I would highly recommend on the subject of reviewing and publicising failure is Black Box Thinking: The Surprising Truth About Success.

Black Box Thinking by Matthew Syed explores how embracing mistakes and learning from failure drives progress and innovation. Drawing parallels from aviation’s use of “black boxes” to analyse accidents, Syed argues that organisations and individuals improve most when they investigate errors openly and systematically, rather than hiding or ignoring them.

The book’s core message aligns closely with post-incident security reviews: both emphasise the importance of transparency, blameless analysis, and turning setbacks into learning opportunities. Just as aviation investigates every incident to prevent recurrence, effective post-incident reviews treat security failures as chances to strengthen systems and processes, fostering a culture of continuous improvement.

Leave a comment

You may also enjoy