Strong IR capabilities are key to meeting new incident reporting deadlines

New requirements give organizations little time to investigate and triage breaches before reporting.

Howard Poston, Oct 22, 2024

Publicly reporting security incidents has pros and cons. On the one hand, public reports are necessary for regulatory compliance. 

They help prevent future incidents by educating users and other organizations about active cyberattack campaigns. 

On the other hand, acknowledging a breach can result in brand damage, financial losses, and regulatory penalties.

Companies’ responses to security incidents have ranged from frank and helpful postmortems to attempted cover-ups that classify ransomware payments as “bug bounties.”

In recent years, several regulatory bodies—including the US’s Federal Trade Commission (FTC) and the European Union—have taken the decision of whether to disclose breaches out of organizations’ hands, instituting new breach reporting requirements.

These new requirements give organizations little time to investigate and triage breaches before the reporting deadline. This means today’s security teams need to have core incident investigation and response capabilities to ensure their ability to meet compliance requirements.

HTB powers cyber performance that meets tight incident reporting deadlines

NIS2 and other recent developments—SEC ruling, FTC safeguard rule, or the Cyber Incident Reporting for Critical Infrastructure Act of 2022—are raising the bar for incident reporting requirements. In order to meet them, companies need to shape threat-ready SOC teams and professionals.

Hack The Box workforce development plans are designed to enhance these key capabilities.


The rise of stricter reporting requirements 

Several regulatory bodies around the world have published draft regulations or enacted laws with new incident reporting requirements. 

These include:

  • Securities and Exchange Commission (SEC) Rules: Under new SEC rules, public companies in the U.S. must report “material” cybersecurity incidents within four days of determining their materiality.

  • Cybersecurity and Infrastructure Security Agency (CISA): The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates that companies report substantial cybersecurity incidents within 72 hours and ransom payments within 24 hours.

  • NIS2 Directive: The EU’s NIS2 Directive requires an early warning of significant incidents within 24 hours of discovery, followed by an intermediate warning at 72 hours, and a final report within a month.

  • Federal Trade Commission (FTC) Safeguards Rule: The FTC Safeguards Rule mandates reporting incidents affecting over 500 customers within 30 days.

Recommended read: A guide to navigating the SEC “material” reporting rule.

These regulations and standards impose much tighter reporting deadlines than earlier laws did. 

Previously, outside certain industries and certain types of data, breach reporting was largely optional. 

Now, some EU companies need to report security incidents to regulators within 24 hours of discovery.

In addition to ushering in a new era of breach transparency, these regulations also require an organization to have certain incident response capabilities in place. 

Companies now need to be able to identify, triage, and contain incidents rapidly. This ensures: 

  1. They have the information needed to promptly make required reports

  2. That a previously non-reportable incident doesn’t grow into one that is “material” or “significant”. (This also involves the ability to accurately assess “materiality” or “significance” in the absence of clear direction from regulators.)

Key IR capabilities for swifter incident reporting

Regulators are demanding that organizations report security incidents promptly after discovery when certain criteria are met. However, determining when and what to report requires a Security Operations Center (SOC) to have the right repertoire of capabilities.

Regulatory awareness

A security team needs to be aware of its regulatory responsibilities, ideally before a breach occurs. 

This includes knowing who to report an incident to, the criteria for doing so, and how to do so. 

The best place to start might be the regulations themselves (and perhaps your legal team). Depending on where you’re located, those regulations may include:

United States:

  • SEC Rules
  • CISA CIRCIA
  • FTC Safeguards Rule

European Union:

  • NIS2 Directive
  • GDPR

Described above are some of the far-reaching regulations with tight reporting deadlines. But they’re not the only ones. New regulations are being enacted regularly that could introduce new reporting requirements.

But knowing that these regulations exist is only half the battle. Security teams need to ensure they comply with them.

This is where developing incident response plans and performing crisis control style tabletop exercises—before an incident occurs—ensures the organization is prepared to manage intrusions while meeting critical compliance responsibilities.

Incident detection

The first step in the incident management process is identifying whether an incident has actually happened and when it occurred. 

This involves collecting, aggregating, and analyzing alert data within the corporate SOC to differentiate between false positives and true threats.

From a regulatory perspective, prompt detection is essential to report and contain an incident.


The longer that an intrusion goes on without detection, the greater the threat to the organization. The longer an attacker’s dwell time within the organization’s systems is, the more damage they can do, and the more difficult and costly it will be to remediate the incident.

HTB Academy includes a learning path specifically designed for SOC analysts and digital forensics and incident response (DFIR) specialists. 

This path includes several modules designed to support an organization’s ability to identify security incidents, including discussions of the incident handling process, security monitoring, log management, and more. 

This path provides analysts with the foundational skills required to effectively identify potential threats to the organization.

Triage and assessment

After identifying an anomaly or malicious activity indicating a potential security threat, the next step is triage and assessment. 

New rules either require that “material” incidents be reported or set a minimum number of affected customers above which reporting is mandatory. So SOC teams need the right skills to rapidly determine whether an incident must be reported and to detail its “significance” and “materiality.” 

The Triage and Assessment portions of the IR process are closely related:

  • Triage is determining the severity of a breach and how imminent the SOC's response needs to be.

  • Assessment is determining the impact of a breach, such as how many people were affected and what kinds of data were exposed. Assessing the impact is also vital for regulatory reporting.

HTB’s SOC Analyst path includes content designed to support an organization's efforts to assess the potential scope and implications of a security incident. 

Log management, network traffic analysis, and digital forensics are all vital skills for collecting the information required to conclusively determine what occurred on the organization’s network.

Containment and remediation

Once the security team understands what happened and its impacts, they can take action to limit the scope of the intrusion, and to restore systems.

Containment may not be explicitly a part of reporting deadlines, but it’s still important. If systems are infected with malware, you need to stop the spread of that malware. 

If an attacker still has access to a system, you need to remove their access. 

Without proper containment, an incident that previously didn’t meet the requirements for mandatory reporting may expand to become “material” or cross the threshold of affected users.

The remediation stage is when you begin to fix the underlying issue. 

After determining how an attacker gained access to a system, you can remediate the vulnerabilities they exploited. If an outdated piece of software gave them access, patch it to a new version. If they hacked someone’s account, enforce better password policies and permission management throughout the organization.

Preparing to meet regulatory requirements

Regulators are actively working to improve transparency about security incidents, an effort that benefits customers and other organizations alike. 

Being prepared for these evolving requirements is essential to avoid potential penalties for inadvertent non-compliance.

Security teams should be aware of their reporting responsibilities and incorporate these duties into incident response plans. Performing regular tabletop exercises and other simulations to test incident response plans helps ensure that teams have the processes, tools, and knowledge required to meet regulatory requirements.

Hack The Box helps security teams build the capabilities needed to meet regulatory requirements. With tight deadlines, security teams need to be able to quickly identify, triage, and contain an incident to satisfy their reporting obligations. 
