csirp/post-incident/lessons-learned.md

Post-Incident Activities

1. Lessons Learned

• Conduct post-incident review within 2 weeks
• Document what worked and what did not
• Update procedures based on findings

2. Process Improvement

• Update detection rules
• Improve containment playbooks
• Address training gaps

3. Reporting

• Final incident report to stakeholders
• Update incident metrics
• Archive evidence per retention policy