Incident Response Readiness Score Calculator
Evaluate your organization's incident response preparedness across six critical domains. Answer each question on a scale of 0–4 to receive a weighted readiness score and maturity rating.
1. IR Plan & Documentation (Weight: 20%)
Documented IR plan exists and is approved:
0 – No plan exists
1 – Draft exists, not approved
2 – Approved but outdated (>2 years)
3 – Approved and reviewed within 1 year
4 – Approved, reviewed within 6 months, version-controlled
Plan covers all incident types (malware, DDoS, insider, data breach):
0 – Not covered
1 – Covers 1 incident type
2 – Covers 2 incident types
3 – Covers 3 incident types
4 – Covers all major incident types
Roles and responsibilities clearly defined (RACI):
0 – No roles defined
1 – Informally assigned
2 – Partially documented
3 – Documented, not tested
4 – Documented, tested, and understood by all
2. Detection & Analysis Capabilities (Weight: 20%)
SIEM / log aggregation in place:
0 – No centralized logging
1 – Basic syslog only
2 – SIEM deployed, minimal tuning
3 – SIEM with custom rules and alerts
4 – SIEM with UEBA, threat intel feeds, and tuned alerts
Endpoint Detection & Response (EDR) coverage:
0 – No EDR
1 – <25% endpoints covered
2 – 25–50% endpoints covered
3 – 51–90% endpoints covered
4 – >90% endpoints covered with active monitoring
Mean Time to Detect (MTTD) known incidents:
0 – Unknown / not measured
1 – >30 days
2 – 7–30 days
3 – 1–7 days
4 – <24 hours
3. Containment, Eradication & Recovery (Weight: 20%)
Incident-specific playbooks available:
0 – No playbooks
1 – 1–2 playbooks (ad hoc)
2 – 3–5 playbooks
3 – 6–10 playbooks, regularly reviewed
4 – Comprehensive playbook library, automated where possible
Ability to isolate/contain compromised systems:
0 – No capability
1 – Manual, slow process (>4 hours)
2 – Manual, moderate speed (1–4 hours)
3 – Semi-automated (<1 hour)
4 – Automated containment (<15 minutes)
Backup and recovery capability tested:
0 – No backups
1 – Backups exist, never tested
2 – Tested >1 year ago
3 – Tested within 6–12 months
4 – Tested within 3 months, RTO/RPO documented and met
4. Communication & Escalation (Weight: 15%)
Communication plan for internal and external stakeholders:
0 – No plan
1 – Informal verbal process
2 – Partially documented
3 – Documented, includes legal/PR/exec
4 – Documented, tested, includes regulators and customers
Escalation thresholds and criteria defined:
0 – Not defined
1 – Informally understood
2 – Partially documented
3 – Documented by severity level
4 – Documented, automated alerts trigger escalation
Legal, regulatory, and breach notification requirements understood:
0 – Not understood
1 – Aware but not documented
2 – Partially documented (e.g., GDPR or HIPAA only)
3 – All applicable regulations documented
4 – Documented, legal counsel engaged, notification templates ready
5. Training & Exercises (Weight: 15%)
IR team training and certifications (e.g., GCIH, GCFE):
0 – No formal training
1 – Ad hoc / self-study only
2 – Annual training, no certifications
3 – Regular training, some certifications
4 – Continuous training program, certified IR staff
Tabletop exercises conducted:
0 – Never conducted
1 – Once, >2 years ago
2 – Annually
3 – Semi-annually with lessons learned
4 – Quarterly, multi-scenario, with exec participation
Red team / penetration testing exercises:
0 – Never conducted
1 – Once, >2 years ago
2 – Annual external pentest only
3 – Annual red team + pentest
4 – Continuous red team, purple team exercises, findings tracked
6. Post-Incident & Continuous Improvement (Weight: 10%)
Post-incident reviews (PIR) / lessons learned conducted:
0 – Never conducted
1 – Informally, no documentation
2 – Documented for major incidents only
3 – Documented for all incidents, shared with team
4 – Documented, tracked to closure, fed back into plan updates
IR metrics tracked (MTTD, MTTR, incident volume, false positive rate):
0 – No metrics tracked
1 – 1 metric tracked informally
2 – 2–3 metrics tracked
3 – 4+ metrics tracked and reported
4 – Full KPI dashboard, reported to leadership, trend analysis
Threat intelligence integrated into IR process:
0 – No threat intel used
1 – Ad hoc public feeds only
2 – Commercial TI feed, not integrated
3 – TI integrated into SIEM alerts
4 – TI platform integrated, IOCs auto-blocked, sector-specific feeds
Your IR Readiness Score
Results table (filled in by the calculator): Domain | Raw Score | Max | Weight | Weighted
Assumptions & References
Each question is scored 0–4 (0 = none/unknown, 4 = fully implemented and tested), giving a maximum raw score of 4 per question.
Domain weights reflect the relative criticality of each phase per NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) and the SANS Incident Response Process.
Maturity levels align with the CMMI Maturity Model (Levels 1–5) adapted for IR programs.
MTTD benchmarks reference the IBM Cost of a Data Breach Report 2023 (average MTTD: 204 days; best-in-class: <24 hours).
EDR coverage thresholds are based on CIS Control 10 (Malware Defenses) recommendations.
Backup/recovery RTO/RPO requirements reference ISO/IEC 27031 (ICT Readiness for Business Continuity).
Legal/regulatory notification requirements reference GDPR Article 33 (72-hour notification), the HIPAA Breach Notification Rule, and the SEC Cybersecurity Disclosure Rules (2023).
Score of ≥85 = Optimized, 70–84 = Managed, 50–69 = Defined, 30–49 = Developing, <30 = Initial/Ad Hoc.
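The weighted scoring and maturity mapping described above, as an added worked example (not the calculator's own code). The page gives the weights, the 0–4 scale and the maturity bands but not the exact formula, so the example assumes each domain's weighted contribution is its raw score divided by its maximum (3 questions × 4 = 12) times the domain weight, which makes a fully implemented programme score 100. The answer sheet in the example is constructed; it also ranks the domains by completion so the weakest phase is visible, which the page's table does not do.

```python
"""Weighted IR readiness score for the six-domain questionnaire above.

Assumption (not stated on the page): weighted = raw / max_raw * weight,
so the total ranges from 0 to 100 and maps onto the maturity bands.
"""
from dataclasses import dataclass

# Domain names and weights (percent) as listed on the page. 20+20+20+15+15+10 = 100.
DOMAINS = {
    "IR Plan & Documentation": 20,
    "Detection & Analysis Capabilities": 20,
    "Containment, Eradication & Recovery": 20,
    "Communication & Escalation": 15,
    "Training & Exercises": 15,
    "Post-Incident & Continuous Improvement": 10,
}
QUESTIONS_PER_DOMAIN = 3
MAX_PER_QUESTION = 4
MAX_RAW = QUESTIONS_PER_DOMAIN * MAX_PER_QUESTION  # 12 per domain

# Maturity bands from the page, checked from the top down.
MATURITY_BANDS = [
    (85, "Optimized"),
    (70, "Managed"),
    (50, "Defined"),
    (30, "Developing"),
    (0, "Initial/Ad Hoc"),
]


@dataclass
class DomainResult:
    domain: str
    raw: int
    max_raw: int
    weight: int
    weighted: float


def score_domain(domain: str, answers: list[int]) -> DomainResult:
    """Score one domain from its three 0-4 answers; reject malformed input."""
    if domain not in DOMAINS:
        raise ValueError(f"unknown domain: {domain!r}")
    if len(answers) != QUESTIONS_PER_DOMAIN:
        raise ValueError(f"{domain}: expected {QUESTIONS_PER_DOMAIN} answers")
    for a in answers:
        if not isinstance(a, int) or not 0 <= a <= MAX_PER_QUESTION:
            raise ValueError(f"{domain}: answers must be integers 0-{MAX_PER_QUESTION}")
    raw = sum(answers)
    weight = DOMAINS[domain]
    return DomainResult(domain, raw, MAX_RAW, weight, raw / MAX_RAW * weight)


def readiness_score(responses: dict[str, list[int]]) -> tuple[float, list[DomainResult]]:
    """Return (total score 0-100, per-domain rows); every domain must be answered."""
    missing = set(DOMAINS) - set(responses)
    if missing:
        raise ValueError(f"unanswered domains: {sorted(missing)}")
    rows = [score_domain(d, responses[d]) for d in DOMAINS]
    return round(sum(r.weighted for r in rows), 1), rows


def maturity_level(score: float) -> str:
    """Map a 0-100 score onto the page's maturity bands."""
    for threshold, label in MATURITY_BANDS:
        if score >= threshold:
            return label
    return MATURITY_BANDS[-1][1]


def weakest_domains(rows: list[DomainResult]) -> list[str]:
    """Domains ordered by completion (raw/max), lowest first: where to invest next."""
    return [r.domain for r in sorted(rows, key=lambda r: r.raw / r.max_raw)]


# Constructed answer sheet: one organisation's three answers per domain.
SAMPLE_RESPONSES = {
    "IR Plan & Documentation": [3, 4, 2],
    "Detection & Analysis Capabilities": [2, 1, 0],
    "Containment, Eradication & Recovery": [2, 2, 3],
    "Communication & Escalation": [3, 2, 2],
    "Training & Exercises": [1, 2, 1],
    "Post-Incident & Continuous Improvement": [1, 0, 1],
}

if __name__ == "__main__":
    total, rows = readiness_score(SAMPLE_RESPONSES)
    print(f"{'Domain':<40}{'Raw':>5}{'Max':>5}{'Weight':>8}{'Weighted':>10}")
    for r in rows:
        print(f"{r.domain:<40}{r.raw:>5}{r.max_raw:>5}{r.weight:>7}%{r.weighted:>10.2f}")
    print(f"\nTotal: {total} -> {maturity_level(total)}")
    print("Weakest domain:", weakest_domains(rows)[0])
```

Rounding happens once, on the total, so the per-domain rows keep full precision for the table; the band check uses the rounded total, which is what a reader would compare against the thresholds on the page.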
This calculator is a self-assessment tool and does not replace a formal IR program audit or third-party assessment.