Where do your incidents come from?
I’ve since expanded on the topic of discovery questions aimed at getting close to ground truth about a security program, quickly.
I often find myself in situations where I’m trying to quickly assess a company’s cybersecurity program. One of the most useful questions of all is: Where do your incidents come from?
How do you identify your highest-severity incidents in the first place? Which data sources or products deliver the investigative leads? And which are critical to detection and response? These questions speak directly to the value of data sources, products, and functions.
What are the prevailing root causes? This speaks directly to the quality of incident management, particularly post-incident review.
I can’t stress enough the importance of being able to answer these questions as the leader of any operational team (cybersecurity, technology, or otherwise). And the answers will say more than any org chart, policies, or other attestation.