Incident declaration

Definition

The formal decision, made during the Identification stage, that a detected event meets the organisation's criteria for a security incident. Declaration triggers the formal IR process and activates the incident response team.

Related terms

After-Action Report (AAR)
The formal document produced during Lessons Learned that records the incident timeline, decisions made, outcomes, and recommended improvements. The AAR drives updates...
Containment strategy
A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
Eradication
The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
NIST SP 800-61
The US National Institute of Standards and Technology's Computer Security Incident Handling Guide. It defines a four-phase IR lifecycle: Preparation; Detection and...
PICERL
Acronym for the six SANS IR stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The model is cyclical: the final stage...

Explained in

  • The SANS PICERL Model
