Knowing an incident had occurred might be the hardest part of the process, security breaches or incident sometimes may go unnoticed for more than a year before someone finally unearth it. Detection is just the first part, how you go about containment, eradication and recovery are crucial of incident response. However, the most important part of all is the aftermath, where we analyze and pinpoint the root cause of the incident, consolidating effort with management and apply appropriate measures to prevent it from happening again.

An external incident response provides a non-basis and multi-facet view of the incident and it frees up in-house security resources to focus on security operations. Combining the expert knowledge of the security team we can trace the incident with the perspective of a defender and an adversary, providing a holistic view of the incident. 

Prevention is better than cure, what an organization adjusts its policies and practices is equally important to what it does during the incident. Just pluggings the hole in the wall is not enough, the occurrence of the incident may implicate a pattern of vulnerability, an organization must analyze the root cause of the incident and implement necessary policy changes and educate its staff to raise their awareness to the incident.