Phase 4: Respond
Plan incident response, forensic readiness, communication, containment, and lessons learned.
Purpose
The Respond phase prepares the organization to handle security incidents effectively. It covers incident response planning, forensic readiness, stakeholder communication, containment strategies, and post-incident review processes.
Skills
Incident Response
/security:incident-response <topic>
Creates a comprehensive incident response plan. Covers incident classification, severity levels, response team roles, escalation procedures, and step-by-step response playbooks.
Output: Incident response plan with severity-based playbooks → .metapowers/security/<topic>/04-respond.md
Forensic Readiness
/security:forensic-readiness <topic>
Establishes forensic readiness capabilities. Covers evidence preservation procedures, chain of custody requirements, forensic tooling, and legal hold processes.
Output: Forensic readiness plan with evidence handling procedures → .metapowers/security/<topic>/04-respond.md
Incident Communication
/security:incident-communication <topic>
Develops incident communication templates and procedures. Covers internal notifications, customer communications, regulatory notifications, media responses, and status page updates.
Output: Communication templates with notification timelines → .metapowers/security/<topic>/04-respond.md
Containment Strategy
/security:containment-strategy <topic>
Defines containment strategies for different incident types. Covers network isolation, account lockdown, service degradation procedures, and rollback strategies.
Output: Containment playbooks by incident category → .metapowers/security/<topic>/04-respond.md
Lessons Learned
/security:lessons-learned <topic>
Establishes post-incident review processes. Covers blameless postmortem templates, root cause analysis methods, improvement tracking, and knowledge base updates.
Output: Lessons learned framework with postmortem templates → .metapowers/security/<topic>/04-respond.md
Next Phase
After Respond, proceed to Recover to plan recovery procedures and business continuity.