Root causes of security breaches remain elusive — jeopardizing resilience

Post-incident analysis remains a critical concern at most security organizations today. According to Foundry’s Security Priorities study, 57% of security leaders report their organization struggled to find the root cause of security incidents experienced in the past year, leaving them at heightened risk of getting breached again.

Security experts tell CSO the finding underscores that the immediate pressure to firefight often leaves post-incident learning under-resourced. Organizations need to treat incident response as a continuous learning cycle, not a one-time clean-up exercise if they are to reduce the likelihood of repeat breaches.

“Many organizations are stuck in a reactive cycle, focusing solely on containing the immediate breach, which comes at the expense of a crucial forensic investigation, leaving the ‘patient door’ wide open for the next attacker to walk right back in,” Dray Agha, senior manager of security operations at managed security response firm Huntress, tells CSO.

“Without a thorough postmortem to pinpoint the root cause, companies are essentially defending themselves blindfolded, destined to repeat the same mistakes,” Agha says.

Resilience through root cause analysis

Other experts agree that too many enterprises treat incident response as an operational exercise rather than an analytical one. As a result, containment and recovery actions might be well-rehearsed while deeper forensic investigation and post-incident learning lag.

“Without a disciplined approach to evidence preservation and root cause analysis, valuable insights are lost,” says Tom Moore, director of digital forensics and incident response at managed security services vendor BlueVoyant. “Robust incident response isn’t just about getting systems back online — it’s about using lessons learned to inform detection, prevention, and risk mitigation strategies.”

Moore adds: “That continuous feedback loop ultimately drives long-term resilience and is particularly valuable when the cyber threat landscape is evolving and adapting so quickly.”

Marie Hargraves, principal crisis management consultant at cloud security vendor Semperis, agrees that “most organizations focus on fighting fires instead of learning from the flames.”

Every crisis has three phases: detection, response (the acute phase), and review.

“It’s the third phase, the post-crisis review, where resilience is built,” Hargraves says. “Organizations that capture real-time data, analyze it rigorously, and act on lessons identified recover faster and emerge stronger.”

“Incident response isn’t just about surviving; it’s about adapting and building resilience,” Hargraves adds.

Tracing an attack path

Preparation is key: businesses need dedicated digital forensics tools and skills in place before an incident occurs, including technologies such as security information and event management (SIEM).

SIEM platforms matter because, for example, many gateway and VPN devices keep logs only in local storage that overwrites itself within hours.

“If a cybercriminal breaks in through the VPN and dwells for a day or so before they pivot to business-critical servers, then the VPN telemetry has evaporated into the abyss,” Huntress’ Agha explains. “The centralization and retention of VPN logs, like through a SIEM, allows for reactive detections but also stores valuable data and allows for root cause analysis to figure out how the initial breach [occurred].”

Statistics from Huntress show that nearly 70% of sophisticated cybercriminals break in through the VPN. “Where SIEM has been enabled, we are able to catch them much earlier in their attack path, but also deploy retrospective analysis to identify the exact root cause that led to the breach,” Agha says.
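The dwell-then-pivot scenario Agha describes, as an added illustration that is not part of the article or Huntress' tooling: constructed VPN gateway and server login lines are correlated by assigned internal address to trace a pivot on a critical server back to its originating VPN session, and the same trace is run against VPN telemetry kept for only a few hours (a device's local buffer) versus telemetry retained centrally.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): VPN gateway logins and
# authentication events on a business-critical server, one line per event.
VPN_LOG = """\
2025-03-01T02:10:00 vpn login user=jdoe src=203.0.113.7 assigned=10.8.0.23
2025-03-01T09:00:00 vpn login user=asmith src=198.51.100.4 assigned=10.8.0.41
"""
SERVER_LOG = """\
2025-03-02T03:45:00 srv-finance-01 auth success user=jdoe src=10.8.0.23
2025-03-02T03:47:00 srv-finance-01 auth success user=svc_backup src=10.8.0.23
"""

def parse(text):
    """Turn 'TIMESTAMP host ... k=v' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def retain(events, now, hours):
    """Model a log store that keeps only the last `hours` of events."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in events if e["ts"] >= cutoff]

def trace_origin(vpn_events, server_events, target_user):
    """Map the first access on the critical server back to the VPN session that
    held the same internal address before it. Returns None when the VPN record
    is no longer available, i.e. the initial access cannot be established."""
    pivot = next((e for e in server_events if e["user"] == target_user), None)
    if pivot is None:
        return None
    candidates = [v for v in vpn_events
                  if v["assigned"] == pivot["src"] and v["ts"] <= pivot["ts"]]
    if not candidates:
        return None
    origin = max(candidates, key=lambda v: v["ts"])
    return {"user": origin["user"], "src": origin["src"],
            "dwell_hours": (pivot["ts"] - origin["ts"]).total_seconds() / 3600}

def root_cause_with_retention(retention_hours, now=datetime(2025, 3, 2, 4, 0)):
    """Run the trace against VPN telemetry kept for `retention_hours`."""
    vpn = retain(parse(VPN_LOG), now, retention_hours)
    return trace_origin(vpn, parse(SERVER_LOG), "jdoe")
```

With a six-hour local buffer the originating VPN login has already rolled off and the trace returns nothing; with 90-day central retention it resolves the external source address and a dwell of roughly 25.6 hours.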

Various services such as managed detection and response (MDR) and extended detection and response (XDR) can also include forensic capturing software — technology that enables providers to work hand in hand with forensic cyber investigators to identify the source of the breach and work to remediate it.

“Without tools such as this, trying to work back retrospectively to identify the ‘how’ becomes increasingly difficult,” says Rob Derbyshire, CTO at cybersecurity firm Securus Communication. “There are companies that offer incident response services when breaches occur, but the key to sorting it quickly, and preventing it from happening again, is ensuring you already have the tooling and processes to make any response significantly slicker.”

Arda Büyükkaya, senior cyber threat intelligence analyst at EclecticIQ, points out that without thorough root-cause analysis the “actual cause of the attack remains unknown and potentially still active.”

“Best practices should include digital forensics expertise, root cause analysis processes, and threat intelligence integration to connect incidents to broader attacker tactics and campaigns,” Büyükkaya advises. “This approach allows organizations to build resilience from every incident.”

Robust planning

An incident response team, typically led by the CISO, should be designated to take charge during an incident. The plan should also specify roles and responsibilities for each stakeholder, from IT staff to legal advisors.

Experts quizzed by CSO say an incident response playbook boils down to a few key steps:

  • Preparation: Maintain a tested incident response plan, clear roles, and escalation paths.
  • Detection and analysis: Centralize monitoring, leverage threat intelligence, and ensure forensic capability.
  • Containment and recovery: Act fast but preserve evidence; validate systems before restoration.
  • Postmortem: Conduct structured reviews, document findings, and feed them into security architecture and training.
  • Continuous improvement: Integrate threat modeling, automate containment, and invest in skills development.

Many organizations opt to use established frameworks and ISO standards as templates for their incident response plans.

“These frameworks offer a structured approach, providing sections and subsections that cover all essential areas, from governance to technical responses,” says Richard Ford, CTO at Integrity360. “By using a recognized framework, you not only ensure completeness but also facilitate easier communication with external parties who may be familiar with the framework.”

Building organizational resilience

Effective incident response should be geared toward building a structured, repeatable, and intelligence-driven process that strengthens resilience over time.

Incident response plans should be regularly tested, refined, and updated — for example, through simulations or tabletop exercises — as part of a wider business continuity and organizational resilience strategy.

Bharat Mistry, field CTO at cybersecurity vendor Trend Micro, says many organizations suffer from a maturity gap in their incident response — which should extend beyond simply containment and recovery to encompass forensic analysis and postmortems.

“When organizations bypass root cause analysis, they are only treating symptoms,” Mistry warns. “This challenge stems from a combination of issues: fragmented visibility due to siloed tools that prevent accurate attack reconstruction, a skills gap that leaves teams short on forensics and threat hunting expertise, and process weaknesses where postmortems are often informal or simply skipped.”

Breaking the cycle of ‘breach, patch, repeat’

In many cases, evidence is inadvertently destroyed because the emphasis is on restoring operations quickly: servers are wiped, logs are lost, and forensic trails disappear.

“This is compounded by pressure from the business, time constraints, as well as limited resources, which push teams to move on to the next urgent task rather than learning from the incident,” Mistry adds. “As a result, retrospective scans, root cause analysis, and updates to procedures are frequently skipped.”

The initial attack vector and lateral movement often remain unknown, leaving vulnerabilities unaddressed and creating a cycle of “breach, patch, repeat.”

“To break this cycle, organizations must embed forensic readiness into their response strategy: preserve evidence, conduct structured postmortems, and ensure lessons learned are fed back into security architecture and training,” Mistry concludes.