How to Speed Up Incident Response Times with IncMan SOAR

Back to all articles

Speed Up Incident Response Times

Following on from the previous post “The Importance of Evidence Preservation in Incident Response”, this blog will focus on the time it takes to respond to an incident and to also potentially contain and remediate it, as well as look into how the implementation of a Security Orchestration, Automation and Response (SOAR) solution, such as IncMan SOAR from DFLabs, can further help to increase this speed of response when it really matters.

So, how quickly can an incident response team respond to an incident? This question is rather open ended and would mostly likely be dependant on the type of incident and the processes and procedures that an organization has in place, but the general answer can be built up of a number of crucial factors and action points, including detection, analysis, containment/eradication and post-incident follow up, which we will discuss further.

In today’s advancing threat landscape, organizations are facing more cyber attacks than ever before, and as they grow in volume and sophistication, the availability of skilled cybersecurity professionals seems to be declining in a reversing trend. Technology such as SOAR has therefore started to mature, with organizations more readily looking for ways to improve their security operations efficiencies and effectiveness and their overall security program success.

DFLabs’ award-winning SOAR solution, IncMan SOAR, can help organizations respond faster and smarter than ever before. With the assistance of predefined sets of Playbooks and Runbooks for different incident types and situations, the organization’s existing tools and technologies can seamlessly work together to orchestrate and automate actions and responses as required. Also importantly, as soon as a security incident has occurred, all aspects of the incident response activity, including artifact preservation procedures and case notes, can be preserved in a legally defensible manner within the platform.

IncMan SOAR can manage the entire incident response workflow with the concept of Playbooks and Runbooks through a collection of manual and automated actions. The incident responder is able to define different categories, subcategories or actions necessary to perform a successful resolution. It is possible to define and execute the actions needed manually or automatically via a simple customizable user interface that ensures consistency between response actions. When defining automatic actions, it is possible to choose if the action will be set in order to enrich or contain the incident, depending on the current incident response stage. Each involved department or organization could leverage the detailed workflow automation in order to streamline the processes and integrate additional response workflows and organizational cooperation within IncMan directly.

IncMan can facilitate all of the incident response steps, from Detection and Analysis through Containment/Eradication and Follow Up Post-Incident phases. The phases were designed to provide a more complete response plan regardless of the incident type.

Let’s now look at these phases in a bit more detail.


Alerts can be sent to IncMan from a variety of other platforms and methods and can be automatically converted to incidents. Incidents are created and fields can be pre-populated using data from the originating alert. With inside IncMan it is possible to define incident templates and rules in order to map events and extract relevant data.


Once an incident is created within IncMan, one or more Playbooks can be automatically assigned. Each Playbook could provide manual or automated actions useful to start the enrichment process. Automated actions can collect results immediately after the incident creation without human intervention, reducing the response time which is crucial in many investigations. Other manual actions can contain more instructions/activities and can be entrusted to various IncMan users (analysts).


Automated actions can also be configured to perform certain changes in the environment in order to contain or mitigate the attack. These actions can be executed automatically or after an authorization process that IncMan follows asking confirmation to specific analysts before triggering the action.

Post-Incident Report

IncMan provides the capability to generate reports and a Key Performance Indicator (KPI) summary. IncMan automatically generates some parts of the final report and other parts can be easily adapted as necessary to ensure reports targeted specifically for the audience are possible (e.g. individual analyst, SOC manager or c-suite).

IncMan SOAR can assist an incident response team in each phase of an incident by automating processes and machine actions in terms of automatically creating incidents, sending relevant notifications to analysts which will be involved in the incident or other key stakeholders, as well as setting appropriate workflows based on the incident that happened. These notifications can be sent natively through IncMan's messaging service or through an organization's existing ticketing system, to ensure disperse teams within different departments of the organization are receiving the most up to date and relevant incident details, and to assist in accurate evidence preservation.

Additionally, the incident response team can be notified and/or updated with the latest best practices from the included Knowledge Base repository and it has the ability to define customized reports for each incident and customized visualization of team member responsibilities all from the Dashboard. IncMan is also fully capable of tracking and sharing various incident response procedures, artifact processing best practices and is fully compliant with International IODEF, ISO, STIX, VERIS and FS-ISAC standards.


To facilitate organization and incident response process collaboration, IncMan SOAR can focus team efforts in the most delicate phases of the incident response process with native automation and orchestration capabilities. This ensures efficient and effective synergy during each phase of the incident response lifecycle and provides the fastest mechanisms possible to respond when an incident occurs, reducing overall dwell time and potential damage that could be caused.

Once an incident is resolved and all systems are back to normal, each step, from incident detection, containment, eradication and recovery to compliance practices, can be prepared in a post-incident report with lessons learned to avoid or mitigate subsequent incidents in the near future.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo