Security Incident Response Template

Ransomware incident — Brussels file servers (SEC-2026-014)


Severity
Critical
Status
Eradicated
Incident Commander
David Lefevre
Type
Ransomware

🔍 Detection and triage

Detected: 06/02/2026, 14:23 CET — EDR alert on FS-BRU-03 flagged encryption activity on shared drive. SOC analyst confirmed ransomware signature (LockBit 3.0 variant) within 8 minutes.

Scope: 2 of 6 Brussels file servers affected. Approximately 12,000 files encrypted across Finance and HR shared drives. No evidence of lateral movement to domain controllers or backup infrastructure.

🛡️ Containment

  1. Isolated FS-BRU-03 and FS-BRU-04 from the network at 14:31 CET (8 min after detection).
  2. Disabled the compromised service account (svc-backup-bru) and forced password reset for all Brussels admin accounts.
  3. Blocked C2 IP ranges (185.220.x.x) at the perimeter firewall across all European sites.
  4. Preserved forensic images of both servers before remediation.

📋 Communication log

Time   Recipient                          Channel
14:35  CISO + IT Director                 Phone call
15:00  Brussels site users                Email (pre-approved template)
16:30  Belgian DPA (GDPR notification)    Online portal

Give IT security and operations teams a structured format for handling security incidents — from initial detection and triage through containment, eradication, and post-incident review. This template ensures every security event is documented, escalated correctly, and analysed to prevent recurrence.


What is a security incident response template?

A security incident response template is a structured document for recording and managing security events — from detection through resolution and lessons learned. It defines the triage criteria, escalation paths, containment actions, and communication steps required to handle incidents consistently, regardless of severity or time of day.

Security incidents demand speed and precision. When a threat is detected, the team cannot afford to improvise. Without a standardised template, critical steps are missed under pressure, communication breaks down, and the post-incident review lacks the detail needed to prevent recurrence. A structured response template ensures every incident is handled with the same rigour, whether it is a phishing attempt or a ransomware attack.

Who should use this template?

This template is for teams responsible for information security:

  • IT Security Managers — coordinate the response to security events and ensure containment follows documented procedures
  • SOC Analysts — document initial detection, triage findings, and containment actions in real time
  • CISOs and IT Directors — review incident records for compliance reporting and strategic risk assessment
  • Compliance Officers — ensure incident documentation meets regulatory requirements (GDPR, NIS2, ISO 27001)

What’s included in this template?

The template has two parts: structured metadata fields and the incident response body.

Metadata fields classify each incident:

  • Incident title and reference number (e.g. SEC-2026-014)
  • Severity level (critical, high, medium, low)
  • Incident type (malware, phishing, data breach, unauthorised access, DDoS)
  • Incident commander — the person leading the response
  • Detection date and current status (detected, contained, eradicated, closed)

Incident response body documents the full lifecycle:

  • Detection and triage — how the incident was discovered, initial assessment, and severity classification
  • Containment — immediate actions taken to limit the impact, including systems isolated and accounts disabled
  • Eradication — steps to remove the threat, including patches, scans, and configuration changes
  • Recovery — restoration of services, verification of integrity, and monitoring for recurrence
  • Communication log — notifications sent to stakeholders, regulators, and affected parties with timestamps
  • Post-incident review — root cause analysis, timeline, and recommendations to prevent recurrence
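The metadata rules above (allowed severities, types and statuses, the mandatory fields, and the detected → contained → eradicated → closed lifecycle) can be enforced in code rather than by convention. The following is an added example, not Elium's own code; the field names, the one-phase-at-a-time lifecycle rule, and the inclusion of "ransomware" as a type (used by the sample incident) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Allowed values follow the template description; "ransomware" is added because the
# sample incident on the page uses it (assumption).
SEVERITIES = ("critical", "high", "medium", "low")
TYPES = ("malware", "ransomware", "phishing", "data breach", "unauthorised access", "ddos")
STATUS_ORDER = ("detected", "contained", "eradicated", "closed")  # lifecycle, in order
MANDATORY = ("severity", "incident_commander", "status")  # marked mandatory in the template

@dataclass
class CommEntry:
    time: datetime
    recipient: str
    channel: str

@dataclass
class Incident:
    reference: str
    severity: str
    incident_type: str
    incident_commander: str
    detected_at: datetime
    status: str
    comms: list = field(default_factory=list)

    def validate(self) -> list:
        """Return the template rules this record breaks; an empty list means it is compliant."""
        problems = [f"mandatory field '{n}' is empty" for n in MANDATORY if not getattr(self, n)]
        for name, allowed in (("severity", SEVERITIES), ("incident_type", TYPES), ("status", STATUS_ORDER)):
            if getattr(self, name).lower() not in allowed:
                problems.append(f"'{getattr(self, name)}' is not an allowed {name}")
        problems += [f"notification to {e.recipient} predates detection"
                     for e in self.comms if e.time < self.detected_at]
        return problems

    def advance(self, new_status: str) -> None:
        """Move the lifecycle forward exactly one phase; skipping or reverting is rejected."""
        if STATUS_ORDER.index(new_status) != STATUS_ORDER.index(self.status) + 1:
            raise ValueError(f"cannot move from {self.status} to {new_status}")
        self.status = new_status

def sample_incident() -> Incident:
    """The page's SEC-2026-014 record, reconstructed as constructed sample data."""
    t = lambda hh, mm: datetime(2026, 2, 6, hh, mm)  # all times CET on 06/02/2026
    return Incident("SEC-2026-014", "Critical", "Ransomware", "David Lefevre", t(14, 23), "detected",
                    [CommEntry(t(14, 35), "CISO + IT Director", "Phone call"),
                     CommEntry(t(15, 0), "Brussels site users", "Email"),
                     CommEntry(t(16, 30), "Belgian DPA", "Online portal")])
```

Running `sample_incident().validate()` on a record with an empty commander or an unknown severity returns the violated rules, which is the check a reviewer wants before an incident is marked closed.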

How to create and customise this template in Elium

  1. Open the Template Builder — Go to your profile menu and select the Template Builder tab, or click “+ Create” and choose “Create a new template”.
  2. Set the scope — Choose an icon, enable the template, and decide whether it applies platform-wide or to specific spaces (e.g. IT Security only).
  3. Add structured fields — Click “Field” to add metadata: text fields for incident title and reference number, a tag field for severity (pre-populate with “Critical”, “High”, “Medium”, “Low”), a tag field for incident type, a user field for incident commander, a date field for detection date, and a tag field for status. Mark severity, incident commander, and status as mandatory.
  4. Build the response structure — Use the “+” button to add content blocks: text blocks for detection and triage, containment, eradication, and recovery. Add a table block for the communication log (columns: timestamp, recipient, channel, message) and a text block for the post-incident review with root cause and recommendations.
  5. Preview and save — Review the template layout, then save. Security teams can now select it when handling incidents, and you can apply it to existing content in bulk.

Decision Tree ready: This template also works as an Elium Decision Tree — instead of reading through a static document, guide your team through step-by-step questions that lead directly to the right answer. Learn more about Decision Trees.

How AI helps you create and use this template

Capture faster. Paste log extracts, alert notifications, and chat transcripts from the incident response into Elium’s AI. It organises the information into a structured timeline with detection, containment, and recovery phases — so the security team documents while responding, not after the fact.

Retrieve smarter. A SOC analyst asks Elium’s AI: “How did we handle the ransomware incident affecting the Brussels file servers last quarter?” The AI returns the containment steps, eradication procedure, and post-incident recommendations — so proven responses inform the current incident.

Why teams use Elium for security incident management

Security incidents generate critical knowledge — containment procedures that worked, escalation paths that failed, and root causes that need systemic fixes. When this knowledge is locked in ticketing systems or email threads, the next incident team starts from scratch. Elium makes incident knowledge reusable: structured templates capture the full response, search lets analysts find similar past incidents, and post-incident reviews become a living reference library.

VINCI Energies — 97,000 employees across 61 countries — uses Elium to centralise IT knowledge including incident procedures and response guides. Security teams across the organisation access consistent response procedures regardless of location.

Frequently asked questions

A security incident response plan defines the process for detecting, containing, and resolving security events. Without one, teams improvise under pressure — missing critical steps, delaying containment, and failing to document evidence needed for forensics and compliance. A structured plan ensures consistent, auditable responses that minimise damage and recovery time.

A complete incident response template includes metadata (title, severity, type, commander, status), sections for detection and triage, containment actions, eradication steps, recovery procedures, a communication log with timestamps, and a post-incident review covering root cause analysis and specific preventive recommendations for the future.

Standardised response templates reduce resolution time because teams follow proven procedures. They improve compliance because every incident is documented to regulatory standards. They capture institutional knowledge so lessons from past incidents inform future responses. They ensure consistency across shifts and locations.

Start with clear severity criteria so the team triages consistently. Define escalation paths for each severity level. Document containment actions as specific, executable steps. Include communication templates with pre-approved messaging for stakeholders. End with a post-incident review section that captures root cause and preventive actions.

An incident report documents what happened after the fact — a record of the event for compliance and analysis. An incident response is the active process of handling the event in real time — detection, containment, eradication, and recovery. The response template guides the team during the incident; the completed document becomes the report.
