Maturing, Changing and Improving: Results of the 2019 SANS Incident Response Survey

Bethesda, Md. – Organizations are making some crucial improvements in incident response (IR), according to results of the SANS 2019 Incident Response Survey to be released by SANS Institute on August 1, 2019 and discussed on August 2.

“It is gratifying to see that organizations are improving on important metrics,” says Matt Bromiley, SANS analyst/instructor and author of the survey. “For the second year in a row, results showed an improvement in how incident response (IR) teams are responding to incidents.”

In fact, 67% of respondents indicated that they moved from detection to containment within 24 hours—a 6% uptick from last year. Interestingly, time to remediation was a bit longer. Still, 89% of remediation efforts are occurring within 30 days.

“That 30 days may seem long to some, but a month to remediate may actually be quick, depending on the nature of the incident and data to be replaced,” continues Bromiley. “Depending on the type of incident, remediation can be a complex problem to solve, and we would rather see an organization take its time to perform the right remediation, rather than the fastest.”

Despite these improvements, many organizations are still showing severe gaps in visibility—a critical problem that needs to be front and center. Organizations can't truly determine their security posture if they are blind to portions of their environment. Many respondents are still expressing concerns about staffing levels and skills shortages, problems that may require some out-of-the-box thinking.

Full results will be shared during an August 1, 2019 webcast at 1 PM EDT, sponsored by DFLabs, DomainTools, ExtraHop, InfoBlox, King & Union, OpenText, and Unisys, and hosted by SANS. Register to attend the August 1 webcast at

Representatives from DomainTools and ExtraHop join Matt Bromiley on August 2 at 1 PM EDT for a panel discussion. Register to attend that webcast at

Those who register for the webcasts will also receive access to the published results paper developed by SANS analyst and incident response expert Matt Bromiley.

Tweet This:

Don't miss the 2019 SANS #IR Survey results with SANS expert @mbromileyDFIR | 8/1 @ 1PM ET |

Join SANS expert @mbromileyDFIR on 8/1 as he discusses best practices for improving #incidentresponse functions and capabilities, based on results from the 2019 SANS #IR Survey |

Gain greater insight into #incidentresponse processes | @mbromileyDFIR discusses selected results with sponsors | 8/2 @ 1PM ET |

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.