After-Action Report (AAR)
Definition
The formal document produced during the Lessons Learned stage that records the incident timeline, the decisions made, their outcomes, and recommended improvements. The AAR drives updates to IR plans, playbooks, and detection rules.
Related terms
- Containment strategy
- A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
- Eradication
- The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
- Incident declaration
- The formal decision, made during the Identification stage, that a detected event meets the organisation's criteria for a security incident. Declaration triggers...
- NIST SP 800-61
- The US National Institute of Standards and Technology's Computer Security Incident Handling Guide. It defines a four-phase IR lifecycle: Preparation; Detection and...
- PICERL
- Acronym for the six SANS IR stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The model is cyclical: the final stage...
Explained in
- The SANS PICERL Model