AS-201c · Module 3

Post-Incident Reviews

3 min read

The post-incident review — sometimes called a retrospective or a post-mortem — is where an incident transforms from a cost into an investment. Every incident teaches something. The review is the mechanism that captures the lesson and distributes it to the organization. Without a structured review process, you pay the cost of the incident but forfeit the learning. You get the scar but not the wisdom.

The most important word in a post-incident review is "blameless." The moment the review becomes a blame exercise, people stop sharing information. The engineer who made the configuration error that enabled the breach is the person who best understands the failure mode — and they will not speak if speaking means punishment. Blameless does not mean unaccountable. It means the review focuses on systems and processes, not on individuals. "Why did the system allow this configuration?" is productive. "Who made this mistake?" is destructive.

  1. Document the Timeline Present the forensic timeline to the review group. What happened, when, and in what sequence. Facts first, interpretations second. Everyone should be working from the same chronological record before any analysis begins.
  2. Identify Contributing Factors Not one root cause — multiple contributing factors. The input filter was too permissive AND the system prompt was not hardened AND the output guardrail missed the pattern AND the tool permissions were too broad. Each contributing factor is a defense layer that needs improvement.
  3. Generate Action Items For each contributing factor, define a specific, measurable action item with an owner and a deadline. "Improve input filtering" is not an action item. "Add regex patterns for the five injection types identified in this incident to the input filter by March 1" is an action item.
  4. Update the Playbook Every review should produce at least one update to the incident response playbook, the monitoring rules, or the defense configuration. If the review does not change anything, the review was not thorough enough. Incidents that do not produce improvements are incidents wasted.