Maturing, Changing and Improving: Results of the 2019 SANS Incident Response Survey

Containment and Remediation Times; Visibility Issues Remain

  • Bethesda, MD
  • July 15, 2019

Organizations are making some crucial improvements in incident response (IR), according to results of the SANS 2019 Incident Response Survey to be released by SANS Institute on August 1, 2019 and discussed on August 2.

“It is gratifying to see that organizations are improving on important metrics,” says Matt Bromiley, SANS analyst/instructor and author of the survey. “For the second year in a row, results showed an improvement in how incident response (IR) teams are responding to incidents.”

In fact, 67% of respondents indicated that they moved from detection to containment within 24 hours—a 6% uptick from last year. Interestingly, time to remediation was a bit longer. Still, 89% of remediation efforts are occurring within 30 days.

“That 30 days may seem long to some, but a month to remediate may actually be quick, depending on the nature of the incident and data to be replaced,” continues Bromiley. “Depending on the type of incident, remediation can be a complex problem to solve, and we would rather see an organization take its time to perform the right remediation, rather than the fastest.”

Despite these improvements, many organizations are still showing severe gaps in visibility—a critical problem that needs to be front and center. Organizations can't truly determine their security posture if they are blind to portions of their environment. Many respondents also continue to express concerns about staffing levels and skills shortages, problems that may require some out-of-the-box thinking.

Full results will be shared during an August 1, 2019 webcast at 1 PM EDT, sponsored by DFLabs, DomainTools, ExtraHop, InfoBlox, King & Union, OpenText, and Unisys, and hosted by SANS. Register to attend the August 1 webcast at

Representatives from DomainTools and ExtraHop join Matt Bromiley on August 2 at 1 PM EDT for a panel discussion. Register to attend that webcast at

Those who register for the webcasts will also receive access to the published results paper developed by SANS Analyst and incident response expert, Matt Bromiley.

Tweet This:

Don't miss the 2019 SANS #IR Survey results with SANS expert @mbromileyDFIR | 8/1 @ 1PM ET |

Join SANS expert @mbromileyDFIR on 8/1 as he discusses best practices for improving #incidentresponse functions and capabilities, based on results from the 2019 SANS #IR Survey |

Gain greater insight into #incidentresponse processes | @mbromileyDFIR discusses selected results with sponsors | 8/2 @ 1PM ET |

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (