The Cybersecurity Incident Manifesto

Domain: https://thecybersecurityincidentmanifesto.org/

Version: 0.1

Status: DRAFT

Classification: PUBLIC

Date: 06/02/2025

Author: Andy Latham (JandSec Ltd)

Licence: This work is licensed under a Creative Commons Attribution 4.0 International Licence.

Feedback & Community: https://github.com/JandaSec/thecybersecurityincidentmanifesto/

A Declaration of Principles for Effective Cyber Incident Response

Cybersecurity incidents are inevitable. How we respond to them defines the resilience, trust, and integrity of an organisation. In the face of crisis, security professionals, executives, and stakeholders must adhere to core principles that prioritise clarity, action, and accountability over chaos, blame, and panic.

This manifesto serves as a guiding philosophy for handling cybersecurity incidents with professionalism, discipline, and responsibility. It is a declaration of how we, as security leaders, should think, act, and lead when facing an attack.

1. Transparency Over Secrecy (Except When It Risks More Harm)

We commit to timely, clear, and responsible disclosure. Concealing incidents erodes trust, but reckless disclosure can amplify harm. The balance between transparency and security must be carefully managed.

2. Preparedness Over Reaction

Cybersecurity incidents are not a matter of if but when. Crisis is no time for improvisation. Continuous training, simulation, and readiness ensure that when an attack happens, we execute a well-rehearsed plan—not a chaotic response.

3. Urgency Over Panic

A calm mind makes better decisions. We respond with urgency, not hysteria. Measured, methodical action outperforms knee-jerk reactions. Rushed decisions in the heat of an incident often cause more damage than the attack itself.

4. Containment & Eradication Over Premature Recovery

Restoring systems before ensuring full containment and eradication risks reintroducing attackers, spreading infections, or restoring compromised access. A system is not “fixed” just because it is online. We prioritise isolation, forensic preservation, and full remediation before restoration.

5. Action Over Blame

Incidents happen. Instead of pointing fingers, we focus on mitigation, containment, and learning. Accountability matters, but scapegoating does not secure systems. We fix problems rather than assign blame.

6. Data Integrity Over Speculation

Incident response must be driven by facts, not assumptions. Whether communicating with stakeholders, investigating root causes, or reporting incidents, evidence is king. Speculation fuels panic; data-driven decisions ensure accuracy.

7. Collaboration Over Isolation

Security teams do not operate in silos. We work in partnership with IT, legal, PR, law enforcement, regulators, and business leaders. A coordinated response ensures a unified, effective defence.

8. Continuous Learning Over Complacency

Every security incident—no matter how minor—is an opportunity to improve. Post-mortems must be honest, action-driven, and bias-free. Lessons learned must be applied, and security debt must be addressed. If we don’t learn, we will repeat our failures.

9. Ethics Over Expediency

Incident response must be guided by ethics, not just compliance checkboxes. Decisions should be based on what is right—not just what is legal. The interests of affected parties must be prioritised over corporate reputation management.

10. Resilience Over Perfection

Breaches are inevitable. How we respond defines us. The goal is not flawless security, but resilient systems, adaptive teams, and a culture that embraces improvement. A breach should not be an organisation’s downfall — it should be a catalyst for becoming stronger.

11. Leadership Over Emotion

A crisis is not the time for anger, blame, or panic. Leaders must rise above emotion and focus on solutions, not shouting. Customers, executives, and teams look to leadership for calm, decisive action—not frustration and fear. Emotional outbursts don’t solve incidents—rational thinking does.

Closing Statement

The Cybersecurity Incident Manifesto is a call to action for security leaders, executives, and professionals to uphold these principles when responding to attacks. By embracing these values, we strengthen not just our defences, but also trust, integrity, and resilience in the face of cyber threats.

Adopt it. Live by it. Improve upon it.