IBM's annual Cost of a Data Breach report has consistently found that the mean time to identify and contain a breach is around 277 days - roughly nine months from initial compromise to containment. That's not nine months of active defense. That's nine months of an attacker having access to your systems, your data, and your customers' information before you shut them out.
Most companies have an incident response plan. Most of those plans would not materially reduce that 277-day number. The plan exists and satisfies the compliance checkbox, but it was written by a consultant two years ago, nobody has read it since, the phone numbers in it are probably wrong, and the team has never practiced using it.
Incidents are high-stress, fast-moving situations where people revert to trained behavior. If you've never actually practiced incident response, what you'll revert to is confusion, delayed decisions, and communication breakdowns. That's what turns a containable incident into a nine-month breach.
Why Most IR Plans Fail in Real Incidents
The first failure mode is detection lag. Most IR plans assume you already know something has happened when they start. They don't account for the fact that sophisticated attackers spend weeks or months establishing persistence, moving laterally, and exfiltrating data before triggering anything that looks like an alert. The detection problem is upstream of the response plan.
The second failure mode is unclear authority. In a real incident, someone needs to be able to make fast decisions with incomplete information: take this system offline, revoke these credentials, notify these customers, engage this IR firm. When it's not clear who has authority to make those calls, everyone defers to everyone else, and nothing moves quickly. IR plans that don't explicitly designate an incident commander with clear escalation paths will produce exactly this outcome.
The third failure mode is overemphasis on documentation during the incident. Some IR plans read like project management documents - full of logging requirements and documentation steps at every stage. Documentation matters, but not more than containment. The priority ordering during an active incident is: detect, contain, document. Reversing the order because the plan was written by people who were thinking about post-incident review rather than in-incident pressure is a common mistake.
What a Proper IR Playbook Actually Contains
Detection covers the mechanisms that tell you an incident is happening. This includes your SIEM alerting rules, your EDR behavioral detections, your anomaly detection on authentication logs, and - often underrated - clear channels for employees to report suspicious activity without bureaucratic friction. Many of the fastest incident detections happen because an employee noticed something odd and knew immediately who to call.
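As an added illustration of the "anomaly detection on authentication logs" item above (example code written for this page, not from IBM or any SIEM vendor), the detector below runs two simple rules over a handful of constructed log lines: a burst of failed logins for one account followed by a success, and one account succeeding from two different source addresses within a short window. The log format, the field names, the thresholds and the sample addresses are all assumptions made for the example.

```python
"""Toy authentication-log detector (added example, stdlib only).

Rules:
  brute_force_success : >= fail_threshold failures for a user inside fail_window,
                        followed by a success for that user.
  multi_source_success: a user succeeds from a second source inside multi_src_window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO8601Z> auth user=<u> src=<ip> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: alice is brute-forced then compromised; bob succeeds from two
# different networks within minutes; carol is ordinary noise (one typo, then success).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth user=carol src=198.51.100.7 result=OK
2024-05-01T08:00:05Z auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:06Z auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:07Z auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:08Z auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:09Z auth user=alice src=203.0.113.5 result=FAIL
2024-05-01T08:00:15Z auth user=alice src=203.0.113.5 result=OK
2024-05-01T08:10:00Z auth user=bob src=198.51.100.9 result=OK
2024-05-01T08:14:30Z auth user=bob src=203.0.113.77 result=OK
2024-05-01T09:00:00Z auth user=carol src=198.51.100.7 result=FAIL
2024-05-01T09:00:20Z auth user=carol src=198.51.100.7 result=OK
"""


def parse(lines):
    """Yield (timestamp, user, src, ok) for each well-formed line; skip malformed ones."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["src"], m["result"] == "OK"


def detect(lines, fail_threshold=5, fail_window=timedelta(minutes=5),
           multi_src_window=timedelta(minutes=10)):
    """Return a list of alert dicts in time order."""
    events = sorted(parse(lines), key=lambda e: e[0])
    recent_fails = defaultdict(list)   # user -> timestamps of failures
    recent_ok = defaultdict(list)      # user -> [(timestamp, src)] of successes
    alerts = []
    for ts, user, src, ok in events:
        if not ok:
            recent_fails[user].append(ts)
            continue
        # Brute force: failures inside the window that ends at this success.
        fails = [t for t in recent_fails[user] if ts - t <= fail_window]
        recent_fails[user] = fails
        if len(fails) >= fail_threshold:
            alerts.append({"rule": "brute_force_success", "user": user, "src": src,
                           "ts": ts.isoformat(), "failures": len(fails)})
            recent_fails[user] = []    # do not re-alert on the same burst
        # Multi-source: an earlier success from a different source inside the window.
        prior = [(t, s) for t, s in recent_ok[user] if ts - t <= multi_src_window]
        other = sorted({s for _, s in prior if s != src})
        if other:
            alerts.append({"rule": "multi_source_success", "user": user, "src": src,
                           "ts": ts.isoformat(), "other_sources": other})
        prior.append((ts, src))
        recent_ok[user] = prior
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above the detector raises exactly two alerts (alice's brute force, bob's second source) and stays quiet on carol; tuning the thresholds against your own baseline of failed logins is the part that separates a useful rule from a noisy one.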
Containment is the most time-sensitive phase and the one where automation provides the most leverage. If your EDR detects malware on an endpoint, the first containment action - network isolation of that endpoint - shouldn't require a human to log into a console. It should happen automatically or with a single approval. Every minute between detection and isolation is time the attacker can use to move laterally.
Eradication is what happens after containment: finding and removing the root cause. This means identifying all the ways the attacker got in (usually plural - they rarely use just one technique), all the persistence mechanisms they established, and all the lateral movement they made. This phase requires careful forensic work. Rushing it means you contain the visible part of the incident and miss the persistence that lets the attacker return.
Recovery is bringing affected systems back online safely - not just restoring from backup, but verifying that the restored systems are clean and that the vulnerabilities that enabled the initial compromise have been fixed. Many organizations that suffer ransomware attacks restore from backup without first addressing the initial access vector and get reinfected within days.
Post-mortem is where most of the long-term value lives. A proper post-mortem identifies not just what happened, but why the detection and response processes failed to catch it earlier. It produces specific, prioritized improvements to detection, containment, and prevention. Without a real post-mortem, you improve your processes slowly through gut feel rather than systematically through evidence.
Tabletop Exercises vs. Real Preparedness
Tabletop exercises - the facilitated discussions where you walk through hypothetical incident scenarios - have value. They help teams understand each other's roles, surface gaps in communication procedures, and think through decisions they haven't faced before. They are not a substitute for technical practice.
Real preparedness requires executing pieces of the plan for real. Can your security team isolate a compromised system using your EDR in under five minutes? Have they done it? Have you tried to restore your most critical systems from backup recently? Have you tested whether your IR firm's contact information is current and whether they can be reached after hours?
The companies that handle incidents well are not the ones with the best written plans. They're the ones where the response team has practiced the specific actions required until those actions are muscle memory. Practice under non-emergency conditions is the only way to build the speed and composure that real incidents demand.
Automation's Role in Reducing MTTC
Mean time to contain is the metric that matters most for breach cost. IBM's research shows that breaches contained within 200 days cost roughly $1 million less than those that take longer. Automation directly attacks MTTC by compressing the time between detection and initial containment response.
Automatic endpoint isolation on malware detection. Automatic credential rotation on suspected account compromise. Automatic quarantine of suspicious files. Pre-approved containment playbooks that execute without requiring human approval for the first tier of response actions. Each of these can reduce the detection-to-containment window from hours to minutes for the scenarios they cover.
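To make the "pre-approved first tier" idea from the containment section and the list above concrete, here is an added example (written for this page; the action names, asset tags and the EDR and identity-provider calls are stand-ins, not any product's API) of a small playbook engine. Tier-1 actions such as endpoint isolation, file quarantine and credential rotation run with no human in the loop; tier-2 actions such as reimaging or disabling an account are queued for one approval. Two guards that practitioners usually want are included: a host tagged critical is never auto-isolated, and a rate limit stops one noisy detection rule from isolating the whole fleet in a few minutes.

```python
"""Toy tiered containment playbook (added example; executor calls are stand-ins)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    kind: str                 # "malware_on_endpoint", "account_compromise", "suspicious_file"
    host: str = ""
    user: str = ""
    file_hash: str = ""
    confidence: float = 1.0   # 0..1 as reported by the detection source
    ts: datetime = field(default_factory=datetime.now)


# Assumed playbook: alert kind -> [(action, tier)]. Tier 1 is pre-approved; tier 2 needs approval.
PLAYBOOK = {
    "malware_on_endpoint": [("isolate_host", 1), ("quarantine_file", 1),
                            ("collect_triage", 1), ("reimage_host", 2)],
    "account_compromise":  [("revoke_sessions", 1), ("rotate_credentials", 1),
                            ("disable_account", 2)],
    "suspicious_file":     [("quarantine_file", 1)],
}

# Constructed asset inventory; "critical" forces manual approval before isolation.
ASSET_TAGS = {"ws-0417": set(), "dc-01": {"critical"}, "build-07": {"critical"}}


@dataclass
class Engine:
    executor: dict                          # action -> callable(alert) -> str
    min_auto_confidence: float = 0.8
    max_auto_isolations: int = 3            # blast-radius guard per window
    window: timedelta = timedelta(minutes=15)
    isolations: list = field(default_factory=list)   # timestamps of auto isolations
    audit: list = field(default_factory=list)        # every decision, executed or not

    def _blocked_auto(self, action, alert):
        """Reason the action must not run unattended, or None if it may."""
        if alert.confidence < self.min_auto_confidence:
            return "confidence below auto threshold"
        if action == "isolate_host":
            if "critical" in ASSET_TAGS.get(alert.host, set()):
                return "host tagged critical"
            self.isolations = [t for t in self.isolations if alert.ts - t <= self.window]
            if len(self.isolations) >= self.max_auto_isolations:
                return "isolation rate limit reached"
        return None

    def handle(self, alert):
        """Run tier-1 actions now, queue the rest for approval; return the records."""
        records = []
        for action, tier in PLAYBOOK.get(alert.kind, []):
            reason = None if tier == 1 else "tier 2 requires approval"
            if reason is None:
                reason = self._blocked_auto(action, alert)
            if reason is None:
                detail = self.executor[action](alert)
                if action == "isolate_host":
                    self.isolations.append(alert.ts)
                rec = {"action": action, "status": "executed", "detail": detail}
            else:
                rec = {"action": action, "status": "pending_approval", "detail": reason}
            rec.update(kind=alert.kind, host=alert.host, user=alert.user, ts=alert.ts.isoformat())
            self.audit.append(rec)
            records.append(rec)
        return records


def fake_executor():
    """Stand-ins for EDR / identity-provider calls: each just reports what it would do."""
    return {
        "isolate_host":       lambda a: f"EDR: isolated {a.host}",
        "quarantine_file":    lambda a: f"EDR: quarantined {a.file_hash or 'n/a'} on {a.host}",
        "collect_triage":     lambda a: f"EDR: triage package requested from {a.host}",
        "reimage_host":       lambda a: f"IT: reimage ticket for {a.host}",
        "revoke_sessions":    lambda a: f"IdP: sessions revoked for {a.user}",
        "rotate_credentials": lambda a: f"IdP: credentials rotated for {a.user}",
        "disable_account":    lambda a: f"IdP: account disabled for {a.user}",
    }


def demo():
    """Push a constructed burst of alerts through the engine; return the audit trail."""
    t0 = datetime(2024, 5, 1, 8, 0, 0)
    eng = Engine(fake_executor())
    eng.handle(Alert("malware_on_endpoint", host="ws-0417", file_hash="sha256:deadbeef", ts=t0))
    eng.handle(Alert("malware_on_endpoint", host="dc-01", ts=t0 + timedelta(minutes=1)))
    eng.handle(Alert("account_compromise", user="alice", confidence=0.5, ts=t0 + timedelta(minutes=2)))
    for i in range(4):   # a noisy rule fires on four more workstations in the same window
        eng.handle(Alert("malware_on_endpoint", host=f"ws-{i:04d}", ts=t0 + timedelta(minutes=3 + i)))
    return eng.audit


if __name__ == "__main__":
    for rec in demo():
        print(rec["status"].ljust(16), rec["action"].ljust(18), rec["detail"])
```

In the demo run the first workstation is isolated within the same call that received the alert, the domain controller and the low-confidence account alert land in the approval queue, and after three unattended isolations the rate limit turns the fourth and fifth into approval requests. The audit list is the record you will want in the post-mortem: every automated decision, including the ones the guards held back, with the reason.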
The 277-day number isn't inevitable. Companies with mature detection and response capabilities consistently contain breaches far faster. But getting there requires actually investing in preparedness - not just writing a plan that satisfies a compliance reviewer, but building and practicing a response capability that will actually work when something goes wrong. Because something always eventually goes wrong.