Incident response
What is incident response and how does it work?
In short
What incident response covers, the phases of a response, Indonesian reporting duties, and when a retainer beats scrambling mid-breach.
An employee reports that files on a shared drive have been renamed and will not open. A few minutes later, three more people say the same thing. Someone spots a ransom note in one of the folders. In the first hour, nobody yet knows how the attacker got in, which systems are affected, or whether they are still inside the network. What the organisation does in that hour, and whether anyone has decided in advance who makes which call, usually determines how bad the next week gets. That set of decisions and actions is incident response.
What incident response is
Incident response is the structured process an organisation follows to contain, investigate, and recover from a security incident. A security incident is any event that threatens the confidentiality, integrity, or availability of your systems or data: ransomware, a compromised account, data theft, or an intruder moving through the network.
The word structured is the important part. Under pressure, people improvise, and improvisation during a breach tends to make things worse. Systems get wiped before anyone captures evidence, the attacker is tipped off, or the wrong person spends an hour deciding who to phone. A response process replaces that scramble with a known sequence of steps and clear ownership, so the team spends its energy on the incident rather than on figuring out what to do.
The phases of a response
Most response frameworks describe the same lifecycle, closely following the widely used NIST model. The phases are not always strictly sequential, since detection and analysis often continue while containment is under way, but they give a shared vocabulary for what needs to happen.
| Phase | What happens in it |
|---|---|
| Prepare | Build the plan, define roles and contacts, and put logging and tooling in place before an incident, so the response is not invented on the day. |
| Detect and analyse | Confirm that an incident is real, work out its scope and severity, and identify affected systems and accounts. |
| Contain | Stop the incident from spreading, for example by isolating an endpoint, blocking a connection, or disabling a compromised account. |
| Eradicate | Remove the attacker's access and artefacts: malware, backdoors, and any footholds they created. |
| Recover | Restore systems and data to normal operation, and confirm they are clean and monitored before bringing them back. |
| Review | After the incident, examine what happened, what worked, and what to change so the next one goes better. |
The preparation and review phases are the ones organisations most often skip, and they are where most of the leverage sits. A plan written before an incident is worth far more than one improvised during it, and the review is what stops the same gap being exploited twice.
Why it matters in Indonesia
A slow or improvised response costs more than a fast one, and not only in downtime. The longer an attacker keeps access, the more data they can take and the more systems they can reach, which widens both the damage and the eventual cleanup. Reputational harm and regulatory scrutiny follow.
Indonesian organisations also carry reporting duties once an incident touches personal data or regulated systems. Under UU PDP, a personal data breach generally has to be notified to the regulator and to affected individuals within a defined window. BSSN coordinates national cyber incident response and issues guidance that many organisations are expected to follow, and sector regulators such as OJK set their own expectations for the institutions they supervise. The specifics vary by sector, so the safe approach is to confirm exactly what applies to you rather than assume. What is consistent across all of them is the underlying assumption: you can only report a breach you have actually detected and understood, which puts detection and a working response process ahead of the paperwork. Our guide to what a SOC is covers the detection side that feeds all of this.
In-house response vs a retainer
Every organisation can handle small incidents in-house, and most should. The question is what happens when a serious one lands, such as ransomware across the estate or a confirmed data theft. That is when you need forensics, legal coordination, and senior responders quickly, and it is when improvising is most expensive.
A retainer is a pre-agreed arrangement with a response provider. The terms, contacts, and scope are settled before anything happens, so when you call, the responders start work immediately instead of the incident stalling while procurement negotiates a contract. For ransomware specifically, where every hour of hesitation can mean more encrypted systems, that head start matters, and our guide to ransomware response in Indonesia walks through what that looks like in practice. The value of a retainer is not that it replaces your team; it is that a capable responder is already on the hook and ready to move on your worst day.
Where Alpha Code fits
Alpha Code provides incident response for Indonesian organisations, with responders who work in the same regulatory context you do and understand the BSSN, OJK, and UU PDP reporting that follows a breach. Whether you want a retainer in place before anything happens or help right now during an active incident, the response is planned rather than improvised, which is the whole point. If you are deciding how to prepare, agreeing the terms before you need them is the conversation worth having first.
Reviewed by Mohit Bhansali, Head of Technology
Frequently asked questions
Incident response is the whole cycle of handling a security incident, not just the cleanup. It covers preparing plans and contacts before anything happens, detecting and confirming the incident, containing it so it stops spreading, removing the attacker, restoring systems, and reviewing what went wrong afterwards. The goal is a controlled recovery rather than a panic.
Related
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.