There is a baseline for incident response: six phases familiar to anyone who has spent time around a SANS classroom. But there are some aspects of this baseline that organizations routinely get wrong. Rob Lee, the DFIR curriculum lead at SANS, says the biggest gap is a failure to understand that incident response is a process; it’s not a thing. Most organizations don’t really adapt to fluid environments such as those of the early 2000s (or older). Lee: “It takes incredible self-awareness for an organization to admit they failed and own up to the fact they have to take their shot”

