For incident response leads
who own detection-to-closure on a defensible engagement record

An incident response workspace built around the engagement record the live incident runs on

Incident response leads own the lifecycle that starts when an alert escalates from triage and ends when the after-action report is signed off, the regulator notification window has been honoured, the corrective actions are tracked to closure on the security backlog, the IR runbook has been updated against what actually happened, and the next tabletop exercise has the new failure mode on the script. The work usually carries across a paging tool, a Zoom war room, a Slack incident channel that ages out the moment the incident closes, a shared drive folder for the evidence, a spreadsheet of action items, a ticket queue for the engineering owners, a separate doc for the executive readout, and a wiki page nobody updated since the previous incident. The cost is not the licensing. It is the reconciliation hours after each major incident and the residual gaps that survive between incidents because the corrective actions never land on a tracked backlog.

SecPortal gives incident response leads one workspace for the incident engagement record, timestamped contributing findings with CVSS 3.1 scoring, retesting workflows that confirm eradication actually held against the original contributing finding rather than against a new record, document management for the IR plan and the per-scenario runbooks and the after-action report, compliance tracking that maps SOC 2 CC7.4, ISO 27001 Annex A.5.24 through A.5.28, NIST CSF 2.0 RS function, NIST SP 800-53 IR-4 through IR-8, PCI DSS Requirement 12.10, HIPAA Security Rule 164.308(a)(6), NIS2 Article 23, DORA Articles 17 through 23, GDPR Articles 33 and 34, and the SEC cybersecurity incident materiality disclosure on the same record, AI-assisted reporting for the executive readout and the regulator brief, role-based access control with enforced multi-factor authentication, and an append-only activity log on top.

SecPortal is not a SIEM, a SOAR, an XDR or EDR platform, a UEBA platform, an MDR service, a packaged paging or on-call rotation engine, a forensic imaging or memory acquisition tool, a network traffic analysis tool, a digital evidence preservation appliance, a chain of custody attestation signer, a packaged Jira or ServiceNow or PagerDuty or Opsgenie or Slack ticket or notification connector, a real-time event ingestion pipeline, or a regulator filing portal. It does not ingest event telemetry from endpoint, network, identity provider, cloud platform, or application sources, it does not run correlation logic, it does not page a responder on an event, it does not generate the regulator filing on behalf of the legal team, and it does not connect through API to a SIEM, a SOAR, an XDR, a ticketing tool, or a paging tool. Teams running a dedicated SIEM, SOAR, XDR, MDR, or paging platform keep those platforms; SecPortal carries the incident engagement, the contributing finding queue, the retest run, the document trail, the exception decision, the compliance mapping, the AI-assisted report, the role-scoped access, and the append-only audit trail next to those platforms rather than inside them.

Capabilities incident response leads use across the incident lifecycle

How incident response leads run the discipline inside SecPortal

An incident response programme that holds up under regulator scrutiny, audit fieldwork, cyber insurance claim review, board questioning, and post-incident litigation discovery operates on a small set of disciplines. The IR plan, the per-scenario runbooks, the after-action review, the regulator notification trail, the customer notification trail, the corrective-action queue, the tabletop scenario inventory, and the evidence pack inherit each one rather than carving out a parallel operating model per artefact.

From declared incident to signed-off after-action report, on one engagement record

The incident response loop is declare the incident, log contributing findings, move findings through state transitions during containment and eradication, verify eradication on the original finding through retest, map the controls and the regulator obligations, land the corrective actions on the security backlog, capture exceptions on accepted residuals, regenerate the executive and regulator narrative, and read the recurring programme cadence. SecPortal runs a single workflow that the incident commander, the forensic partner, the legal counsel observer, the communications partner, the audit observer, the regulator-side reviewer, and the executive sponsor can all work against without re-keying state into another tool.

1. 1Declare the incident and open the incident response engagement on the workspace. Capture severity, scope, in-scope assets, the named incident commander, the deputy commander, the assigned responders, the forensic partner, the legal counsel observer, the communications partner, the audit observer, and the executive sponsor on the engagement record. Attach the current IR plan, the per-scenario runbook (ransomware, business email compromise, data exfiltration, supply chain compromise, insider misuse, account takeover, web application compromise, third-party breach notification, distributed denial of service, OT or ICS compromise, mobile compromise), the regulator notification templates per jurisdiction, the legal hold playbook, the forensic preservation checklist, and the chain-of-custody form as documents.
2. 2Log contributing findings on the engagement as they surface. Every signal that mattered to the incident lands on the engagement record with the auto-calculated CVSS 3.1 vector, severity, evidence, named owner, and the open or in_progress state. Scanner output from the SAST or SCA pipeline, authenticated DAST output, external scanning output, manually surfaced findings from the responders, and bulk-imported pentest report findings consolidate on the same queue so the IR lead reads the contributing surface from one record.
3. 3Move findings through state transitions on the engagement record as containment, eradication, and recovery progress. The open or in_progress or resolved or verified or reopened workflow is explicit per finding, every state change is captured in the activity log with the actor and the timestamp, and the on-call commander reads the live containment surface from the same workspace the engineering owner is working the remediation on.
4. 4Verify eradication through retesting workflows that pair the post-eradication replay to the original contributing finding rather than opening a new record. The rescan output, the configuration check, the log query, the integrity check on the remediated asset, the credential rotation receipt, and the access-control verification land on the same record as the original detection. The activity log records who verified what against which retest run with timestamp and rationale, and the aging clock on the residual condition keeps running on the original capture date.
5. 5Map the incident engagement and the contributing findings against SOC 2 CC7.4, ISO 27001 Annex A.5.24 through A.5.28, NIST CSF 2.0 RS function with the RS.MA, RS.AN, RS.MI, RS.CO, and RS.RP categories, NIST SP 800-53 IR-4 through IR-8, PCI DSS Requirement 12.10, HIPAA Security Rule 164.308(a)(6), NIS2 Article 23, DORA Articles 17 through 23, GDPR Articles 33 and 34, the SEC cybersecurity disclosure obligations, and the state breach notification laws through compliance tracking. The audit-time evidence pack, the regulator filing, and the cyber insurance claim narrative read from the same engagement record the responders operated on.
6. 6Land corrective actions from the after-action review on the live security backlog through findings management. The detection-gap correction, the runbook update, the playbook addition, the access-control change, the monitoring rule addition, the credential rotation hardening, the network segmentation correction, the patch policy correction, and the tabletop scenario addition each carry severity, owner, evidence link to the incident engagement, and tracked remediation status. The IR lead reads in one query which corrective actions are open, which closed, and which are overdue against the next tabletop or the next quarterly review.
7. 7Capture exceptions on accepted-residual decisions, on monitoring gaps that the team cannot close in this cycle, on segmentation changes that need to wait for the next maintenance window, and on runbook gaps that need a longer-arc decision through finding overrides. Each exception carries the linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, and review cadence on a structured record attached to the finding, so the executive committee reads dated decisions with named owners and explicit expiry rather than re-debating the same items.
8. 8Regenerate the executive readout, the audit committee brief, the regulator filing, the board update, the cyber insurance claim narrative, and the customer incident report through AI-assisted reporting. Executive summaries, per-incident timelines, containment narratives, eradication narratives, recovery narratives, after-action summaries, and regulator-format briefs draft from the live engagement record on demand, so the IR lead edits drafts after a 72-hour response rather than writes them from a blank page.
9. 9Read the recurring incident programme cadence from the append-only activity log. Every finding update, scan run, document upload, retest run, exception decision, comment, credential lifecycle event, and team change is recorded with the actor, the timestamp, and the action. CSV export keeps the programme trail reproducible at regulator review time, cyber insurance claim review, audit committee evidence request, and post-incident litigation discovery.

Where the incident response view connects to the rest of the workspace

Most incident response functions adopt SecPortal in three phases: bring every declared incident onto an engagement record so the contributing findings, the retest evidence, the runbook attachment, and the after-action artefact live on one record; pair the engagement records with the IR plan, the per-scenario runbooks, the regulator notification templates, and the corrective-action queue so the live incident inherits the current playbook and leaves a defensible audit trail; and route the audit, regulator, cyber insurance, and executive cadence through compliance tracking, role-based access control, multi-factor authentication, and AI-assisted reporting so the regulator, the cyber insurance carrier, the audit committee, and the board all read from the same record the responders ran on.

• The engagement record model that anchors every declared incident is covered on the engagement management feature page, the per-incident contributing-finding repository with CVSS 3.1 scoring on the findings management feature page, and the IR plan, per-scenario runbook, after-action report, regulator notification template, and legal hold playbook attachment surface on the document management feature page.
• The post-eradication replay loop that pairs to the original contributing finding on the retesting workflows feature page, the multi-framework control mapping a single incident engagement record rides on the compliance tracking feature page, and the AI-assisted executive and regulator reporting surface on the AI reports feature page.
• The append-only programme trail across every declared incident on the activity log feature page, the role-scoped access for incident commanders, forensic partners, legal counsel observers, audit observers, and regulator-side reviewers on the team management feature page, and the enforced multi-factor authentication on every workspace account on the multi-factor authentication feature page.
• The incident response use case workflow from detection through closure on the incident response use case, the PSIRT product-security incident response workflow on the PSIRT use case, and the zero-day and emergency vulnerability response workflow on the zero-day vulnerability response use case.
• The breach notification and regulator-readiness workflow on the breach notification and regulator readiness use case, the cyber insurance security evidence workflow on the cyber insurance security evidence use case, and the retesting use case for post-eradication verification on the retesting use case.
• The SOC 2 framework anchor for the CC7.4 incident response controls on the SOC 2 framework page, the ISO 27001 framework anchor for the Annex A.5.24 through A.5.28 incident management controls on the ISO 27001 framework page, and the NIST CSF 2.0 RS function anchor on the NIST CSF 2.0 framework page.
• The NIST SP 800-53 IR-4 through IR-8 control family anchor on the NIST 800-53 framework page, the SEC cybersecurity incident materiality disclosure anchor on the SEC cybersecurity disclosure framework page, and the PCI DSS Requirement 12.10 incident response plan anchor on the PCI DSS framework page.
• The copy-ready incident response runbook template on the incident response runbook template tool, the multi-dimensional severity rubric that the on-call role applies at activation and the IC reclassifies as scope confirms on the security incident severity classification template tool, the tabletop exercise template that drives the next tabletop with the new failure mode on the incident response tabletop exercise template tool, and the business continuity and disaster recovery plan template that pairs to the IR plan on the business continuity and disaster recovery plan template tool.
• The incident response plan guide on the incident response plan guide, the post-incident review and after-action review walkthrough on the security incident postmortem and after-action review guide, and the tabletop exercise guide on the incident response tabletop exercise guide.
• The SEC cybersecurity incident materiality determination walkthrough on the SEC cybersecurity incident materiality guide, the enterprise incident response at scale guide on the enterprise incident response at scale guide, and the ransomware readiness programme guide on the ransomware readiness program guide.

Where the incident response lead role sits next to adjacent personas

Incident response leads run the per-incident lifecycle that sits between the alert producer functions (the SOC analyst tier and the detection engineering function), the platform-owner function (the security engineering team), the GRC and compliance evidence owner, the cross-source vulnerability management backlog owner, the application security discipline, the executive sponsor (the CISO), the cross-team programme coordinator (the security program manager), and the internal security team that runs the consolidated programme. The IR lead owns the per-incident engagement rather than any one of those adjacent shapes, and the corrective actions land on the security backlog those adjacent teams operate on.

If your function is the SOC analyst function that triages the alerts before they escalate to a declared incident, the SecPortal for SOC analysts page covers the per-shift triage queue shape that pairs to the IR lead shape on the engagement that escalates to a declared incident.

If your function is the detection engineering function that writes the rules and the correlation content the SOC reads alerts off, the SecPortal for detection engineering teams page covers the rule lifecycle shape that pairs to the IR lead shape when a missed technique becomes a declared incident and the corrective action lands as a new rule on the detection engineering backlog.

If your function is the security operations leader who owns the recurring SecOps cadence across vulnerability management, AppSec, GRC, and incident response, the SecPortal for security operations leaders page covers the recurring-cadence shape that the IR programme rolls into between incidents.

If your function is the security engineering platform discipline that owns the SIEM, the SOAR, the log pipeline, the paging tool, the on-call rotation engine, and the infrastructure the responders operate against, the SecPortal for security engineering teams page covers the platform-owner shape the incident response programme runs on.

If your function is the cross-source vulnerability management backlog owner that consolidates contributing findings and corrective actions into the wider security backlog, the SecPortal for vulnerability management teams page covers the unified queue discipline that incident contributing findings and post-incident corrective actions land on.

If your function is the GRC and compliance evidence owner that assembles audit packs, regulator filings, and cyber insurance claim narratives from the incident response engagement record, the SecPortal for GRC and compliance teams page covers the evidence-side discipline that reads from the same record the responders ran on.

If your function is the internal security team that runs the consolidated security programme across detection, AppSec, vulnerability management, identity, and incident response, the SecPortal for internal security teams page covers the consolidated workspace view the incident response programme rolls into.

If your function is programme-level executive sponsorship and board-level reporting on the incident response posture rather than the IR discipline specifically, the SecPortal for CISOs and security leaders page covers the leadership-tier reporting workflow the incident response posture rolls up into.

SecPortal is built for incident response leads who want one workspace for the detection-to-closure loop on each declared incident: incident engagement records with named commanders and observers, timestamped contributing findings with CVSS 3.1 scoring, retesting workflows that pair the post-eradication replay to the original contributing finding, document management for the IR plan and the per-scenario runbooks and the after-action report, multi-framework compliance tracking that covers SOC 2 CC7.4, ISO 27001 A.5.24 through A.5.28, NIST CSF 2.0 RS function, NIST SP 800-53 IR-4 through IR-8, PCI DSS Requirement 12.10, HIPAA 164.308(a)(6), NIS2 Article 23, DORA Articles 17 through 23, GDPR Articles 33 and 34, and the SEC cybersecurity incident materiality disclosure in parallel, AI-assisted regulator and executive reporting, role-based access control with enforced multi-factor authentication, and an append-only activity log on top. The forensic partner reads the same engagement the responders worked, the legal counsel observer reads the same evidence trail the regulator will read, the audit committee reads the programme posture across the IR estate, and the incident response lead gets back the days that used to disappear into reconciliation between chat threads, shared drives, ticket queues, and the regulator filing draft.