The KRIs in this domain measure IR program readiness, not whether you had an incident, but whether the capability to respond well exists before one happens. They measure plan currency, team capability, external relationship readiness, regulatory notification preparedness, and the program improvement loop that makes each incident produce better capability than the last.

If you are standing this up from scratch, start with how to build a KRI program and the consolidated KRI reference library, which maps every domain to one CIS-aligned catalog.

KRI inventory

1. IR plan currency and completeness

What to measure. Days since the incident response plan was last reviewed, updated, and approved, and whether the plan includes current contact lists, regulatory notification workflows, forensic retainer information, and playbooks for the organization's top three threat scenarios.

Why it matters. An IR plan written before your current cloud architecture, current vendor relationships, and current regulatory obligations was written for a different organization. The contact list from 2022 has people who've left. The forensic retainer may not be with a firm on your insurer's approved panel. Currency is a proxy for whether the plan reflects reality.

  • IR plan document: version history, last review date, approval signatures
  • Legal and compliance team: regulatory notification workflow review date
  • Insurance broker: confirmation that forensic retainer firm is on carrier's approved panel
  • HR records: IR team member current contact information vs. IR plan contact list
  • Change management: major architecture changes since last IR plan review, any unaddressed in the plan

KRI values.

  • Days since last review: should trigger review at 12 months maximum
  • Contact list currency: percentage of contacts in IR plan confirmed current within 6 months
  • Regulatory workflow completeness: applicable notification obligations with documented workflow
  • Scenario playbook coverage: top 3 threat scenarios (ransomware, BEC/wire fraud, data breach) with dedicated playbooks
Status | Criteria
Green | Reviewed within 12 months; contact list verified within 6 months; all notification workflows documented and tested; playbooks for top 3 scenarios
Amber | 12–24 months since review; or contact list not verified; or missing playbooks for key scenarios
Red | >24 months; or IR plan missing regulatory notification workflows; or no scenario playbooks

2. Tabletop and functional exercise cadence

What to measure. Frequency and completeness of IR exercises, tabletop scenarios, functional tests of specific response capabilities (backup restoration, network isolation, forensic tool deployment), and the percentage of findings from exercises that have been remediated.

Why it matters. An IR plan that hasn't been tested is an assumption document. Tabletops reveal gaps in the plan and in team coordination that paperwork never surfaces. Functional exercises validate that the technical capabilities the plan assumes actually work. Finding remediation rate measures whether exercises produce outcomes or just entertainment.

  • Exercise records: tabletop agendas, participant lists, after-action reports with findings
  • Functional test records: backup restoration test results, network isolation test results, failover exercise records
  • Finding tracking: exercise findings with owner, remediation commitment, and current status
  • Insurance policy: some carriers require evidence of an annual tabletop; confirm the exercise meets their documentation standard

How to calculate.

  • Exercise cadence: months since last tabletop; months since last functional exercise
  • Finding remediation rate: (Exercise findings remediated within committed timeline) ÷ (total exercise findings past commitment date) × 100
  • Participant coverage: C-suite and legal counsel participation in at least one exercise per year
Status | Criteria
Green | Tabletop within 6 months; functional exercise within 12 months; >85% of exercise findings remediated; executive participation confirmed
Amber | Tabletop 6–12 months ago; or findings tracked but remediation lagging; or executive participation absent
Red | >12 months since last tabletop; or no functional exercises; or exercise findings untracked
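The cadence and remediation-rate arithmetic above is easy to get subtly wrong (counting findings that are not yet due, or treating "no findings due" as 100%). The following is an added example, not code from the page or from Draxis; it assumes a constructed finding record with a committed date and a remediation date, and it treats "within N months" as at most N calendar months (a boundary choice the text leaves open).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class ExerciseFinding:
    """One finding from a tabletop or functional exercise (constructed schema, an assumption)."""
    finding_id: str
    committed_by: date              # remediation date the owner committed to
    remediated_on: Optional[date]   # None while the finding is still open


def months_since(earlier: date, later: date) -> int:
    """Whole calendar months elapsed from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def finding_remediation_rate(findings: List[ExerciseFinding], as_of: date) -> Optional[float]:
    """(findings remediated within committed timeline) / (findings past commitment date) x 100.

    Returns None when nothing has come due yet: the rate is undefined, not 100%.
    """
    past_due = [f for f in findings if f.committed_by < as_of]
    if not past_due:
        return None
    on_time = [f for f in past_due
               if f.remediated_on is not None and f.remediated_on <= f.committed_by]
    return round(100.0 * len(on_time) / len(past_due), 1)


def exercise_cadence_status(last_tabletop: Optional[date],
                            last_functional: Optional[date],
                            findings: Optional[List[ExerciseFinding]],
                            executives_participated: bool,
                            as_of: date) -> str:
    """Map the section's green/amber/red criteria onto one status.

    Boundary choice (assumption): "within N months" means months_since(...) <= N,
    so exactly 6 months is still Green and exactly 12 is still Amber.
    """
    if last_tabletop is None or months_since(last_tabletop, as_of) > 12:
        return "Red"        # >12 months since last tabletop
    if last_functional is None:
        return "Red"        # no functional exercises
    if findings is None:
        return "Red"        # exercise findings untracked
    rate = finding_remediation_rate(findings, as_of)
    tabletop_fresh = months_since(last_tabletop, as_of) <= 6
    functional_fresh = months_since(last_functional, as_of) <= 12
    # Assumption: nothing past its commitment date means remediation is not lagging.
    remediation_ok = rate is None or rate > 85
    if tabletop_fresh and functional_fresh and remediation_ok and executives_participated:
        return "Green"
    return "Amber"


# Constructed sample: assessment date 30 June 2025.
AS_OF = date(2025, 6, 30)
SAMPLE_FINDINGS = [
    ExerciseFinding("TTX-24-01", date(2025, 4, 1), date(2025, 3, 20)),  # remediated on time
    ExerciseFinding("TTX-24-02", date(2025, 5, 1), date(2025, 5, 10)),  # remediated late
    ExerciseFinding("TTX-24-03", date(2025, 2, 1), None),               # overdue and still open
    ExerciseFinding("TTX-25-01", date(2025, 8, 1), None),               # not yet due
]

if __name__ == "__main__":
    rate = finding_remediation_rate(SAMPLE_FINDINGS, AS_OF)
    status = exercise_cadence_status(date(2025, 3, 15), date(2024, 9, 1),
                                     SAMPLE_FINDINGS, True, AS_OF)
    print(f"finding remediation rate: {rate}%  exercise cadence status: {status}")
```

With the sample data the tabletop is 3 months old and the functional exercise 9 months old, but only one of three findings past its committed date was closed on time (33.3%), so the status lands on Amber: the cadence is fine, the remediation is lagging.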

3. Forensic retainer and external partnership readiness

What to measure. Whether pre-established retainer agreements exist with forensic incident response firms, breach counsel, public relations crisis communication partners, and cyber insurance breach coaches, and whether all of these are on the carrier's approved panel.

Why it matters. Selecting a forensic firm during an active incident adds hours to the response timeline and introduces the risk of choosing a firm your carrier won't pay for. Organizations with pre-negotiated retainers that are carrier-panel-approved can deploy resources in minutes rather than hours, with pricing already agreed and legal standing already established.

  • Legal team: forensic retainer agreements and breach counsel retainer
  • Insurance broker: carrier's approved forensic and legal panel list
  • PR/communications team: crisis communication retainer or established relationship
  • IR plan: contact information and engagement procedures for all retainer relationships

KRI values.

  • Forensic retainer: active retainer with carrier-approved firm (yes/no)
  • Breach counsel retainer: pre-established relationship with privacy/incident response legal counsel (yes/no)
  • Carrier alignment: forensic firm confirmed on carrier's approved panel (yes/no)
  • Annual retainer review: confirmation that retainer relationships and carrier panel alignment reviewed at each policy renewal
Status | Criteria
Green | All three retainers active; all confirmed on carrier panel; annual review completed at last renewal
Amber | Retainers present but not confirmed against current carrier panel; or breach counsel relationship informal rather than retainer
Red | No forensic retainer; or forensic firm not on carrier panel; or no breach counsel relationship

4. Regulatory notification workflow readiness

What to measure. For each applicable regulatory notification obligation (GDPR 72-hour, SEC 4-business-day, HIPAA 60-day, state breach notification laws), whether a documented, tested notification workflow exists including: triggering criteria, decision authority, template communications, and regulator contact information.

Why it matters. Regulatory notification timelines are among the most consequential and most commonly missed obligations in incident response. A GDPR notification that's 24 hours late is a potential fine on top of a breach. A SEC material incident disclosure delayed because nobody was sure who had authority to file is a separate regulatory problem on top of the incident. Workflow readiness is the preparation that prevents compounding failures.

  • Legal/compliance: regulatory obligation inventory with notification timelines
  • IR plan: notification workflow section, triggering criteria, decision tree, template language
  • Legal counsel input: materiality determination framework (for SEC); threshold definitions for notification (for state laws)
  • Exercise records: regulatory notification workflow tested in tabletop scenario

How to calculate. (Applicable regulations with complete documented workflow: triggers + authority + template + contact) ÷ (total applicable regulations) × 100

Status | Criteria
Green | 100% of applicable regulations with complete, tested workflow; materiality framework defined for SEC; exercises include at least one notification scenario
Amber | 80–99%; or workflows documented but not tested in exercise
Red | <80%; or fastest-timeline obligation (72-hour) without documented workflow; or regulatory obligation inventory incomplete
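The percentage alone can mislead: four complete workflows out of five is 80%, which reads as Amber, yet if the missing one is the 72-hour obligation the section's bands say Red. The example below is added here and is not code from the page or from Draxis; it encodes the formula and the band rules over a constructed obligation inventory (names, deadlines and field names are illustrative assumptions, and the SEC four-business-day window is approximated as 96 hours purely to rank obligations by urgency).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NotificationObligation:
    """One entry from the regulatory obligation inventory (constructed schema, an assumption)."""
    regulation: str
    deadline_hours: float               # notification window, used only to rank obligations
    has_triggers: bool = False
    has_decision_authority: bool = False
    has_template: bool = False
    has_regulator_contact: bool = False
    tested_in_exercise: bool = False

    def workflow_complete(self) -> bool:
        """Complete = triggers + authority + template + contact, per the formula above."""
        return (self.has_triggers and self.has_decision_authority
                and self.has_template and self.has_regulator_contact)


def workflow_readiness_rate(obligations: List[NotificationObligation]) -> Optional[float]:
    """(applicable regulations with complete workflow) / (total applicable regulations) x 100."""
    if not obligations:
        return None
    complete = sum(1 for o in obligations if o.workflow_complete())
    return round(100.0 * complete / len(obligations), 1)


def notification_readiness_status(obligations: List[NotificationObligation],
                                  inventory_complete: bool,
                                  sec_materiality_framework_defined: bool) -> str:
    """Apply the section's bands. The fastest-timeline rule is checked explicitly,
    so a high percentage cannot hide a missing 72-hour workflow."""
    if not inventory_complete or not obligations:
        return "Red"        # regulatory obligation inventory incomplete
    rate = workflow_readiness_rate(obligations)
    fastest = min(obligations, key=lambda o: o.deadline_hours)
    if rate < 80 or not fastest.workflow_complete():
        return "Red"
    sec_applicable = any(o.regulation.upper().startswith("SEC") for o in obligations)
    all_tested = all(o.tested_in_exercise for o in obligations)
    if rate == 100 and all_tested and (sec_materiality_framework_defined or not sec_applicable):
        return "Green"
    return "Amber"          # 80-99%, or documented but not tested


# Constructed inventory. The SEC window is four business days; 96 h is an approximation
# used only so the obligations can be ordered by urgency.
SAMPLE_OBLIGATIONS = [
    NotificationObligation("GDPR Art. 33 (72-hour)", 72, True, True, True, True, True),
    NotificationObligation("SEC material incident (4 business days)", 96, True, True, True, True, False),
    NotificationObligation("HIPAA breach notification (60-day)", 60 * 24, True, True, True, True, True),
    NotificationObligation("State breach law (30-day, constructed)", 30 * 24, True, True, True, True, True),
]

if __name__ == "__main__":
    print(workflow_readiness_rate(SAMPLE_OBLIGATIONS),
          notification_readiness_status(SAMPLE_OBLIGATIONS, True, True))
```

In the sample every workflow is documented (100%) but the SEC workflow has never been run in a tabletop, so the status is Amber rather than Green; remove the regulator contact from the GDPR entry and the status drops straight to Red regardless of the percentage.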

5. Post-incident review completion and improvement rate

What to measure. Percentage of incidents above a defined severity threshold with a completed post-incident review (PIR), and the percentage of PIR findings that produced documented improvements to the IR plan, detection rules, or security controls within 90 days.

Why it matters. Incidents are expensive. The only way to extract value from that cost is to ensure they make the program better. Organizations that don't systematically capture lessons from incidents repeat them. PIR completion rate measures whether the learning loop is operating. Improvement implementation rate measures whether the loop produces outcomes.

  • Incident management platform: incidents above severity threshold in trailing 12 months; PIR completion status field
  • PIR records: findings documented, owner assigned, remediation committed
  • Change management: controls or process changes implemented citing PIR findings as source
  • SIEM/EDR: detection rule changes implemented post-PIR

How to calculate.

  • PIR completion rate: (Incidents above threshold with completed PIR) ÷ (total incidents above threshold) × 100
  • Improvement implementation rate: (PIR findings implemented within 90 days) ÷ (total PIR findings past 90-day mark) × 100
Status | Criteria
Green | >95% PIR completion for high/critical incidents; >80% of findings implemented within 90 days; findings tracked in program improvement register
Amber | 75–94% PIR completion; or findings tracked but implementation lagging
Red | <75% completion; or PIRs completed but findings not tracked; or no PIR process
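Both rates above depend on scoping decisions the formulas leave implicit: which severities count, how long the trailing window is, and which findings have actually reached the 90-day mark. The example below is added here and is not code from the page or from Draxis; it assumes constructed incident and finding records, a high/critical threshold, and a 12-month trailing window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumptions for this example: PIRs are required at high/critical severity, the
# trailing window is 12 months, and the improvement window is the section's 90 days.
PIR_SEVERITIES = {"high", "critical"}
TRAILING_WINDOW = timedelta(days=365)
IMPROVEMENT_WINDOW = timedelta(days=90)


@dataclass
class Incident:
    incident_id: str
    severity: str
    closed_on: date
    pir_completed: bool


@dataclass
class PirFinding:
    finding_id: str
    raised_on: date
    implemented_on: Optional[date]   # None while the improvement is still open
    in_register: bool = True         # tracked in the program improvement register


def pir_completion_rate(incidents: List[Incident], as_of: date) -> Optional[float]:
    """(incidents above threshold with completed PIR) / (total incidents above threshold) x 100."""
    in_scope = [i for i in incidents
                if i.severity in PIR_SEVERITIES and as_of - TRAILING_WINDOW <= i.closed_on <= as_of]
    if not in_scope:
        return None                   # nothing to review in the window
    done = sum(1 for i in in_scope if i.pir_completed)
    return round(100.0 * done / len(in_scope), 1)


def improvement_implementation_rate(findings: List[PirFinding], as_of: date) -> Optional[float]:
    """(findings implemented within 90 days) / (findings past the 90-day mark) x 100."""
    matured = [f for f in findings if f.raised_on + IMPROVEMENT_WINDOW <= as_of]
    if not matured:
        return None
    on_time = [f for f in matured
               if f.implemented_on is not None and f.implemented_on - f.raised_on <= IMPROVEMENT_WINDOW]
    return round(100.0 * len(on_time) / len(matured), 1)


def pir_status(incidents: List[Incident], findings: Optional[List[PirFinding]],
               as_of: date) -> Optional[str]:
    """Apply the section's bands; None means no qualifying incidents, so the KRI is not assessable."""
    if findings is None:
        return "Red"                  # no PIR process at all
    completion = pir_completion_rate(incidents, as_of)
    if completion is None:
        return None
    if completion < 75 or (findings and not any(f.in_register for f in findings)):
        return "Red"                  # <75% completion, or PIRs done but findings not tracked
    improvement = improvement_implementation_rate(findings, as_of)
    # Assumption: nothing past the 90-day mark yet means implementation is not lagging.
    improvement_ok = improvement is None or improvement > 80
    all_tracked = all(f.in_register for f in findings)
    if completion > 95 and improvement_ok and all_tracked:
        return "Green"
    return "Amber"                    # 75-95% completion, or implementation lagging


# Constructed sample: assessment date 30 June 2025.
AS_OF = date(2025, 6, 30)
SAMPLE_INCIDENTS = [
    Incident("INC-1041", "critical", date(2024, 9, 10), True),
    Incident("INC-1187", "high", date(2025, 1, 15), True),
    Incident("INC-1302", "high", date(2025, 5, 2), True),
    Incident("INC-1250", "medium", date(2025, 3, 1), False),    # below threshold, ignored
    Incident("INC-0977", "critical", date(2024, 5, 1), False),  # older than 12 months, ignored
]
SAMPLE_FINDINGS = [
    PirFinding("PIR-1041-1", date(2024, 9, 20), date(2024, 11, 1)),   # 42 days: on time
    PirFinding("PIR-1187-1", date(2025, 1, 20), date(2025, 5, 15)),   # 115 days: late
    PirFinding("PIR-1187-2", date(2025, 1, 25), None),                # past 90 days, still open
    PirFinding("PIR-1302-1", date(2025, 5, 10), None),                # not yet 90 days old
]

if __name__ == "__main__":
    print(pir_completion_rate(SAMPLE_INCIDENTS, AS_OF),
          improvement_implementation_rate(SAMPLE_FINDINGS, AS_OF),
          pir_status(SAMPLE_INCIDENTS, SAMPLE_FINDINGS, AS_OF))
```

The sample scores 100% on PIR completion (three in-scope incidents, all reviewed) but only 33.3% on implementation, because two of the three findings that have passed their 90-day mark are late or still open; the learning loop is running, the outcomes are not, which is exactly the Amber case the table describes.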

6. Evidence preservation capability

What to measure. Whether forensic evidence preservation capability exists and has been tested, specifically: the ability to image and preserve volatile memory and disk state on compromised systems, preserve cloud audit logs before they expire, and maintain chain of custody for potential litigation or regulatory investigation.

Why it matters. Evidence preservation failures can convert a manageable breach into an undefendable legal position. Cloud audit logs that expire before they're preserved are lost forever. Volatile memory that isn't captured during live response is irretrievable. Organizations that can't demonstrate forensic integrity of their own incident evidence may be unable to prove what happened, or what didn't happen, to regulators and insurers.

  • IR team capability assessment: tooling available for memory capture (WinPmem, Magnet RAM Capture, Volexity Surge), disk imaging (FTK Imager, dd), and cloud log preservation
  • Cloud audit log retention settings: CloudTrail log file validation, Azure Activity Log export, GCP log sink configuration (are logs being preserved beyond default retention?)
  • Legal hold process: documented process for activating legal hold on relevant logs and systems when incident triggers potential litigation
  • Functional exercise records: evidence preservation tested as part of IR exercises

KRI values.

  • Forensic tooling deployed and accessible: IR team has endpoint and memory forensic tools available (yes/no)
  • Cloud log preservation tested: cloud audit logs successfully captured and preserved outside the environment in last 12 months (yes/no)
  • Chain of custody process documented: evidence handling procedure with integrity verification (yes/no)
Status | Criteria
Green | Forensic tooling deployed and tested; cloud log preservation automated; chain of custody process documented and exercised
Amber | Tooling available but not tested; or cloud log preservation manual; or chain of custody process undocumented
Red | No forensic tooling; or cloud audit logs at default retention only (vulnerable to attacker deletion); or no evidence preservation process

7. IR team capability and staffing coverage

What to measure. IR team staffing level against defined incident response capacity requirements, including on-call coverage, required competencies, and documented roles and responsibilities for each IR team member.

Why it matters. An IR plan that assumes four people are available at 2am on a Sunday is not a realistic IR program. IR coverage gaps, particularly outside business hours (when many ransomware events are initiated), are among the most consistent findings in post-incident reviews. Capability assessment ensures the team that exists can execute the plan that's written.

  • IR team roster and on-call schedule: coverage hours by role
  • Skills inventory: certifications (GCFE, GCFA, GCIH, GCFR) and relevant experience per team member
  • Training completion records: IR-specific training for all team members
  • SOC staffing model: after-hours coverage for initial incident triage and escalation
  • MDR/external IR provider: if relying on external IR for capacity, SLA for response engagement

KRI values.

  • On-call coverage: 24/7 coverage with defined escalation path (yes/no/partial)
  • Role coverage: all IR roles (lead, forensics, network, communications, legal liaison) with designated primary and backup
  • Training currency: IR team members with current IR-relevant certifications or training within 24 months
Status | Criteria
Green | 24/7 on-call with escalation path; all roles covered with backup; >80% of IR team with current relevant training; MDR retainer for capacity augmentation
Amber | Business-hours primary with on-call for escalation; or role gaps; or training currency <60% of team
Red | No defined on-call; or single-person IR team with no backup; or IR team with no formal training

Deriving these KRIs by source type

From Incident Management Platforms (PagerDuty, ServiceNow, Jira)

  • PIR completion: Filter closed incidents by severity; check the PIR completion field or linked PIR document; calculate completion rate
  • Incident timeline fields: event_start, detected, contained, resolved; automate population via SOAR; use for MTTD/MTTC calculation (referenced in SecOps KRI file)
  • Recurrence detection: Query incident titles/categories for repeating issue types; repetition signals PIR findings not implemented
  • SLA tracking: Configure SLA timers per severity; SLA breach rate is a leading indicator of IR capacity issues

From Legal and Compliance Systems

  • Regulatory notification workflow: Document as checklist fields in the incident record, triggered at incident classification; track completion
  • Legal hold activation: Legal hold tracking system or documented process; record the activation date per incident with potential litigation exposure
  • Notification timelines: For each incident crossing a notification threshold, track notification submission date vs. obligation deadline

From Cloud Platforms (AWS, Azure, GCP)

  • Log retention verification: aws cloudtrail get-trail-status --name <trail-name> and check LatestDeliveryTime, which confirms logs are flowing; check the S3 bucket lifecycle/retention policy for preservation beyond default retention
  • Log integrity: CloudTrail log file validation enabled: aws cloudtrail get-trail --name <trail-name> --query 'Trail.LogFileValidationEnabled'
  • Azure log preservation: Diagnostic settings export to Log Analytics or a Storage Account with defined retention; check via the Azure Monitor API
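The two CloudTrail checks above answer different questions: get-trail-status tells you whether logs are still arriving, get-trail tells you whether their digests can prove integrity, and neither tells you how long the S3 bucket keeps them. The example below is added here and is not code from the page, from AWS or from Draxis; it evaluates constructed JSON in the shape those CLI commands (plus aws s3api get-bucket-lifecycle-configuration) return, and maps the result onto the section 6 bands using an assumed 365-day retention requirement and 24-hour delivery lag. CloudTrail's console Event history only goes back 90 days, so anything longer depends on the trail and the bucket's lifecycle rules.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed CLI output in the shape of:
#   aws cloudtrail get-trail-status --name <trail-name>
#   aws cloudtrail get-trail --name <trail-name>
#   aws s3api get-bucket-lifecycle-configuration --bucket <bucket>
# Trail and bucket names and timestamps are invented for this example.
TRAIL_STATUS_JSON = '{"IsLogging": true, "LatestDeliveryTime": "2025-06-30T08:15:00+00:00"}'
TRAIL_JSON = ('{"Trail": {"Name": "example-org-trail", "S3BucketName": "example-cloudtrail-archive", '
              '"IsMultiRegionTrail": true, "LogFileValidationEnabled": true}}')
LIFECYCLE_JSON = ('{"Rules": [{"ID": "expire-trail-logs", "Status": "Enabled", '
                  '"Filter": {"Prefix": ""}, "Expiration": {"Days": 400}}]}')


def shortest_enabled_expiration_days(lifecycle: dict) -> Optional[int]:
    """Smallest Expiration.Days among enabled rules; None when no enabled rule expires objects."""
    days = [rule["Expiration"]["Days"] for rule in lifecycle.get("Rules", [])
            if rule.get("Status") == "Enabled" and "Days" in rule.get("Expiration", {})]
    return min(days) if days else None


def cloudtrail_preservation_status(trail_status_json: str, trail_json: str, lifecycle_json: str,
                                   as_of: datetime, required_retention_days: int = 365,
                                   max_delivery_lag: timedelta = timedelta(hours=24)
                                   ) -> Tuple[str, List[str]]:
    """Return (status, reasons). Band mapping is an assumption for this example:
    not flowing, or retained shorter than required -> Red; flowing and retained but
    not integrity-verifiable -> Amber; otherwise Green."""
    status = json.loads(trail_status_json)
    trail = json.loads(trail_json)["Trail"]
    lifecycle = json.loads(lifecycle_json)
    red, amber = [], []

    if not status.get("IsLogging"):
        red.append("trail is not logging")
    delivered = status.get("LatestDeliveryTime")
    if delivered is None or as_of - datetime.fromisoformat(delivered) > max_delivery_lag:
        red.append(f"no log delivery within {max_delivery_lag}")

    expiry = shortest_enabled_expiration_days(lifecycle)
    if expiry is not None and expiry < required_retention_days:
        red.append(f"bucket lifecycle expires logs after {expiry} days, "
                   f"below the required {required_retention_days}")

    if not trail.get("LogFileValidationEnabled"):
        amber.append("log file validation disabled, digest files cannot prove integrity")

    if red:
        return "Red", red + amber
    if amber:
        return "Amber", amber
    return "Green", []


if __name__ == "__main__":
    now = datetime(2025, 6, 30, 12, 0, tzinfo=timezone.utc)
    print(cloudtrail_preservation_status(TRAIL_STATUS_JSON, TRAIL_JSON, LIFECYCLE_JSON, now))
```

Run against real output, the timestamps from get-trail-status are timezone-aware, so pass an aware as_of (as in the __main__ block) or the subtraction will raise; the reasons list is what you would paste into the KRI evidence record rather than the bare colour.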

From Forensic and IR Tools

  • WinPmem / Magnet RAM Capture: Presence in IR toolkit and last-tested date
  • FTK Imager / Velociraptor: Deployment status and last-used date in exercise or live incident
  • Velociraptor / DFIR-ORC: Remote forensic capability for large-scale incident response; deployment across endpoints as an IR readiness indicator

From Insurance and Legal Records

  • Forensic retainer: Retainer agreement last review date; carrier panel confirmation letter date
  • Carrier panel alignment: Compare the forensic firm on retainer against the carrier's current approved panel list (request it from the broker annually)
  • Tabletop documentation: Ensure exercise records meet the carrier's evidence standard (participant list, scenario, findings, date); required for some claims

Draxis turns these KRIs into a live signal

Draxis connects to the tools you already run (IR platforms, ticketing, and forensic retainer records) and computes these incident response KRIs automatically, with the green/amber/red bands, trend lines, and drift alerts described above. No spreadsheets, no manual stitching.

See how Draxis reads your stack →