Phased Model for Cyber Incidents

Why a phased model is necessary 

A cyber incident does not unfold in a linear way. Technical findings, business impact and legal requirements develop in parallel – often with conflicting impulses. 

The Aponsi phased model provides orientation. It structures the handling of an incident along clearly defined phases and ensures that decisions, measures and assessments are cleanly positioned in both time and substance. 

Phase 1: Initial awareness & classification
Objective: Establish operational capability – without premature action.

In the first phase, the focus is not on technical depth, but on structured classification:
- What is known – and what is not?
- Which systems, processes or business areas may be affected?
- Are there indications of acute risks or ongoing attacks?

Aponsi supports the consolidation of information, the definition of priorities and the avoidance of uncoordinated reactions.

At this stage, nothing is “repaired” – instead, decisions are made on how to proceed. 

Phase 2: Structuring & leadership organisation
Objective: Establish clear governance and clean communication paths.

The leadership and role structure is now actively put in place:
- establishment of the Executive Incident Steering structure
- definition of communication and decision-making paths
- separation of governance, analysis, assessment and recovery

Aponsi ensures that responsibilities are clearly assigned and that all parties understand the role in which they are acting.

Leadership does not emerge through action – but through structure.

Phase 3: Forensic analysis & clarification of facts
Objective: Create a robust factual basis.

This phase focuses on forensic root cause analysis:
- reconstruction of the attack sequence
- assessment of affected systems and data
- identification of potential data exfiltration

The analysis is conducted independently of recovery interests in order to preserve evidentiary value and traceability.

Aponsi coordinates the interaction between forensics, governance and, where applicable, independent experts – without mixing roles. 

Phase 4: Assessment & decision-making 
Objective: Make decisions based on verified information. 

Findings from forensics and analysis are now:
- consolidated in a structured manner
- assessed both technically and formally
- prepared for executive management and boards

This phase is critical for:
- legal classification
- insurance matters
- communication decisions
- further operational measures

Not every technically feasible option is a responsible decision.

Phase 5: Stabilisation & service recovery 
Objective: Controlled, stable operation – not maximum-speed recovery. 

The resumption of services takes place:
- prioritised according to business impact
- step-by-step and in a controlled manner
- in close coordination with forensics and governance

Stabilisation takes precedence over speed. Secondary and follow-on attacks are actively taken into account.

Phase 6: Closure, documentation & follow-up 
Objective: Traceability, organisational learning and protection. 

The closing phase includes:
- complete and consistent documentation
- robust reports for internal and external stakeholders
- structured post-incident review (lessons learned)

This phase ensures that the incident is not only resolved, but also processed and organisationally embedded.

Core principle of the phased model

Each phase has:
- a clear purpose
- defined responsibilities
- its own decision focus

Phases may overlap in content, but must not be mixed.
Not everything at once – but the right thing at the right time.

Positioning within Aponsi 
This phased model forms the foundation for structured, accountable incident response services delivered through Aponsi. 

Aponsi ensures that transitions between phases are coordinated, traceable and leadership-oriented.