Turning Incidents Into Improvement Instead of Repetition
When an incident finally ends, most organizations do the same thing: they exhale.
Systems are back online. Alerts stop firing. Customers stop calling. Leadership announces that things are “under control.” Usually right before everyone quietly agrees never to talk about it again.
I get it. That instinct is human. It’s also the fastest way to guarantee the next incident will be worse.
Incident Response doesn’t end when containment is complete or when systems are restored. That’s just the point where the real work either starts or quietly gets skipped.
Phase 4, the post-mortem, is where organizations either mature or stay exactly as brittle as they were before. It’s also the phase most organizations avoid, rush through, or perform so poorly that it might as well not exist.
The reason is simple: post-mortems are uncomfortable. Especially for organizations that prefer optimism over accuracy.
They force people to slow down after adrenaline wears off. They surface decisions that didn’t go well. They expose assumptions that felt reasonable until reality proved otherwise. And unlike detection or containment, they don’t come with blinking dashboards or clear technical wins.
This is exactly why Phase 4 matters so much.
In reality, post-mortems only happen in two situations.
The first is after a live-fire incident. Real attackers. Real consequences. Real pressure. These post-mortems tend to be emotional and political. People are exhausted. Leaders want reassurance. Engineers want credit for their effort. Nobody wants to be the person who says, “This didn’t go as well as we think.”
The second is during a tabletop exercise. No attackers. No outages. No legal exposure. Just people walking through decisions in a controlled environment.
This is why tabletop exercises are so powerful in the Incident Response lifecycle. They give organizations permission to be honest. You can talk about what broke without assigning blame. You can identify confusion without anyone feeling personally responsible. You can focus on process instead of survival.
Organizations that only learn during real incidents learn slowly and expensively. Organizations that learn during tabletops improve before the next attacker shows up.
And yet, even when post-mortems happen, most of them are ineffective.
A bad post-mortem is easy to spot. There’s a meeting. There’s a slide deck. The phrase “lessons learned” appears somewhere near the top. People spend most of the time talking about what went well. A few vague action items get written down. Someone says, “We should improve communication,” and everyone nods. Bonus points if the slide deck gets saved to a shared drive and never opened again.
Then nothing changes.
No policies are updated. No procedures are clarified. No timelines are adjusted. The Incident Response plan looks exactly the same as it did before, except now everyone feels like they did their due diligence.
Frankly, that’s not a post-mortem. That’s a victory lap disguised as process, with everyone patting themselves on the back while holding a glass of champagne. Yeah, great job everyone, see you next month when someone else enters their credentials into another phish.
A real post-mortem focuses on friction. Where things slowed down. Where decisions stalled. Where people were unsure who had authority. If something felt confusing during the incident, that confusion didn’t come from nowhere. It came from gaps in Phase 1.
This is where metrics matter, and why so many organizations struggle with them.
If you can’t answer basic questions like how long it took to detect the incident, how long escalation took, how long decisions took to make, or how long containment actually took, then you’re not evaluating response. You’re just telling stories about it, and stories don’t improve response times.
And if your organization doesn’t have metrics yet, that’s not a failure. That’s normal! The post-mortem is exactly where good metrics come from.
Ask the team what felt slow. Ask where they were waiting on answers. Ask which decisions took longer than they should have. Those pain points become your initial measurements. Next time, you measure them. After that, you improve them.
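As an added illustration that is not part of the original post: once the team has named its pain points, the first set of metrics is just the gaps between the milestones everyone agreed on. The timeline, phase names and times below are constructed, and the "previous incident" baseline is an assumed placeholder.

```python
from datetime import datetime, timedelta

# Constructed post-mortem timeline for a hypothetical phishing incident.
# Assumption: milestones are ISO-8601 timestamps in UTC, agreed on in the review.
TIMELINE = {
    "initial_compromise": "2024-03-04T08:12:00",  # credentials entered into the phish
    "detected":           "2024-03-04T13:40:00",  # alert fired on an anomalous login
    "escalated":          "2024-03-04T15:05:00",  # handed to the IR lead
    "decision_made":      "2024-03-04T17:30:00",  # authority to disable the account confirmed
    "contained":          "2024-03-04T17:45:00",  # account disabled, sessions revoked
}

# Each measured phase is the gap between two consecutive milestones.
PHASES = [
    ("time_to_detect",   "initial_compromise", "detected"),
    ("time_to_escalate", "detected",           "escalated"),
    ("time_to_decide",   "escalated",          "decision_made"),
    ("time_to_contain",  "decision_made",      "contained"),
]

# Assumed baseline from the previous post-mortem (placeholder values, in minutes).
PREVIOUS = {"time_to_detect": 410, "time_to_escalate": 60,
            "time_to_decide": 240, "time_to_contain": 20}


def phase_durations(timeline):
    """Return {phase: minutes}. A milestone recorded before its predecessor is
    rejected: an out-of-order timeline is itself a post-mortem finding."""
    ts = {k: datetime.fromisoformat(v) for k, v in timeline.items()}
    out = {}
    for name, start, end in PHASES:
        delta = ts[end] - ts[start]
        if delta < timedelta(0):
            raise ValueError(f"{end} recorded before {start}")
        out[name] = int(delta.total_seconds() // 60)
    return out


def bottleneck(durations):
    """The phase that consumed the most time: the friction to fix first."""
    return max(durations, key=durations.get)


def compare(previous, current):
    """Per-phase change in minutes versus the last incident (negative = faster)."""
    return {k: current[k] - previous[k] for k in current if k in previous}


if __name__ == "__main__":
    d = phase_durations(TIMELINE)
    print(d, "bottleneck:", bottleneck(d), "delta:", compare(PREVIOUS, d))
```

The phase that regressed, or the one that dominates the total, is the Phase 1 gap the next plan revision should address.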
This will come as a complete shock, I’m sure, but this is how Phase 4 feeds Phase 1 — and it’s a sign you’re actually doing things right.
The goal of a post-mortem is not to prove the team did a good job. The goal is to make the next response objectively better. That requires transparent honesty, not reassurance. If your Incident Response plan doesn’t change after a post-mortem, then nothing was learned.
This is where the imbalance in the Incident Response lifecycle becomes obvious.
Phases 2 and 3 matter. Sure, detection, containment, eradication, and recovery are critical. But they are reactive by nature. They only exist because something already went wrong, and there is absolutely nothing you can do to change that.
Phase 1 and Phase 4 are different. They’re the parts you can change.
Planning determines how calmly and confidently you respond. Post-mortems determine whether you ever improve. Organizations that invest heavily in these two phases get faster, more coordinated, and less chaotic over time.
Organizations that don’t just get better at panic.
They buy better tools. They tune alerts. They improve dashboards. And then they repeat the same mistakes because the underlying decisions never changed.
This is why the Incident Response lifecycle is a circle, not a checklist.
Planning informs response. Response creates lessons. Lessons inform planning again. Break that loop, and Incident Response becomes a series of disconnected emergencies instead of an evolving capability.
Having something, even something imperfect, keeps the loop alive. A rough post-mortem is better than none. A few actionable updates are better than a polished report no one revisits. Because, after all, progress matters a lot more than polish.
If you don’t invest in Phase 4, Phase 1 never gets better.
When your Incident Response plan never changes, your response becomes predictable.
And predictable responses are exactly what attackers plan for. They don’t need creativity when you give them consistency.