
On Three IR Gaps

By Anton Chuvakin | August 20, 2013 | 2 Comments

security, incident response

A useful concept that emerged in my security incident response research is that of the THREE IR GAPS.

  1. Detection gap
  2. Triage gap
  3. Remediation gap

Here is what I mean:

| Stage before | Gap | Gap length | Stage after |
|---|---|---|---|
| “Everything is fine!” | Detection gap | Days to years | “Oh no, this looks like an incident!” |
| We are having an incident | Triage gap | Hours to weeks | We know the full scope of this one and we know how they got in |
| Investigation mostly complete, ready to fix it | Remediation gap | Days to weeks | Incident remediated – next? |


Posts related to the same research project:



  • H. Carvey says:

    There’s not really a great deal on which to comment….

  • That’s really not that much of a comment… 🙂