HolyGhost logoHolyGhost
← cd ..
Learn

What Is a Security Incident? Events, Incidents, Breaches, and What to Do

The difference between an event, an alert, an incident, and a breach, plus the incident response lifecycle every team follows. A calm, beginner friendly explainer.

HolyGhost··8 min read

Imagine a smoke alarm going off in a large building. Sometimes it means burnt toast. Sometimes it means a real fire. Occasionally it means a fault in the alarm itself. The sound is the same in every case, and the whole job of the people responsible is to work out, quickly and calmly, which one they are dealing with, and then respond in proportion. Security teams live in exactly this world, except the alarms number in the thousands and they never stop.

"We had a security incident" can mean anything from a single blocked login to a full data breach, and that vagueness causes real confusion. People either panic when they should not, or shrug when they really should not. This primer defines the words properly, so you can tell burnt toast from a fire, and then walks through what actually happens when something goes wrong.

Event, alert, incident, breach

These four words are not interchangeable, and mixing them up is where the trouble starts. They form a funnel, wide at the top and narrow at the bottom, and each step is a smaller, more serious subset of the one above it.

  • Event. Anything that happens on a system. A login, a file opened, a firewall allowing a connection through. Most events are completely normal and boring. A busy network generates millions of them a day, far too many for any human to read.
  • Alert. An event, or a pattern of events, that a tool decided is worth a human looking at. Software watches the flood of events and raises a hand when something matches a rule or looks unusual. Many alerts turn out to be nothing, which is normal and expected.
  • Incident. A confirmed event, or set of events, that actually threatens the confidentiality, integrity, or availability of your systems or data. Those three words are the classic goals of security, often called the CIA triad: keeping data secret (confidentiality), keeping it correct and untampered (integrity), and keeping it usable when needed (availability). An incident is when one of those is genuinely under threat. This is the real thing.
  • Breach. An incident where protected data was actually accessed or taken by someone who should not have it. Every breach is an incident, but not every incident is a breach. A breach is the specific, serious case where information got out.

A quick way to remember it

An event is anything. An alert is an event worth checking. An incident is confirmed harm or threat of harm. A breach is an incident where data got out. They narrow down at each step.

A simple example

Walk one scenario through the funnel, and the words stop feeling abstract.

Event    A user logs in from a new country at 3am.
Alert    The login tool flags the unusual location.
Incident An analyst confirms the real user was asleep at home,
         so the account is genuinely compromised.
Breach   The attacker downloaded the customer database.

Notice how each line is rarer and more serious than the last. Millions of logins happen (events). A handful look odd enough to flag (alerts). Fewer still turn out to be real trouble (incidents). And only some of those end with data actually leaving the building (breaches).

Not every story reaches the bottom, and that is the point. If the analyst checks and finds the user was simply travelling for work, the whole thing stops at "alert, resolved" and everyone moves on. The judgement in the middle, deciding whether an alert is nothing or something, is what security teams spend most of their days doing. It is quiet, careful work, and getting it right is what stops small oddities from becoming headlines.

Most alerts are false alarms, and that is fine

New analysts sometimes worry that closing an alert as "nothing" is a failure. It is not. A smoke detector that only ever went off for real fires would be missing most of the smoke. The skill is not avoiding false alarms, it is triaging them quickly and correctly so the real ones get full attention.

The incident response lifecycle

When something is a real incident, teams do not improvise. They follow a repeatable set of stages, worked out in advance, so they stay calm and do not make things worse under pressure. Having a plan is what separates a controlled response from a scramble. One widely used version has six stages.

  1. Preparation. Before anything happens, have the tools, logging, contacts, and plans ready. This is the least glamorous stage and the one people skip, yet it is arguably the most important. You cannot investigate what you never logged, and you cannot respond calmly to a crisis you never rehearsed.
  2. Identification. Confirm that an incident is genuinely happening, and work out its scope. What is affected, how far has it spread, and how bad is it? This is where an alert becomes a confirmed incident.
  3. Containment. Stop the bleeding. Isolate affected systems so the damage cannot spread further, for example by disconnecting a machine from the network, but do it in a way that preserves evidence rather than destroying it.
  4. Eradication. Remove the actual cause, whether that is malware to delete, a compromised account to lock, or a vulnerability to patch. Containment stops the spread. Eradication removes the root.
  5. Recovery. Carefully restore systems to normal, bring them back online, and confirm the threat is truly gone and not quietly waiting to return. This stage is deliberately unhurried, because rushing it is how you end up cleaning up the same incident twice.
  6. Lessons learned. Afterwards, review honestly what happened and what could be better, then improve, so the next incident is smaller, caught sooner, or never happens at all. This is a blameless review of the process, not a hunt for someone to punish.

What not to do in the moment

Do not panic and start deleting things, and do not immediately wipe or reboot a compromised machine. You can destroy the evidence needed to understand what happened. Contain first, preserve what you can, and follow the plan rather than improvising.

A useful way to see the whole flow at a glance.

Prepare  -> get ready before anything happens
Identify -> confirm it is real, and how big
Contain  -> stop it spreading, keep the evidence
Eradicate-> remove the actual cause
Recover  -> restore carefully, check it is truly gone
Learn    -> review, improve, repeat

The order matters. Skip ahead to recovery before you have eradicated the cause, and the attacker is still inside your freshly restored systems.

Why the lifecycle is a loop, not a line

The last stage, lessons learned, feeds straight back into the first, preparation. Every incident teaches you something about your own weak spots, and a good team folds those lessons into better logging, tighter rules, and updated plans. Over time this loop means each incident should leave you a little harder to hurt than the last. A team that never runs the loop keeps tripping over the same problems forever.

If you are the one who spots it

For someone early in their career, or just a staff member who happens to notice something odd, the right move is almost always the same. Report it quickly to the right people, and do not try to be a hero. You do not need to diagnose it, fix it, or fully understand it. You just need to raise your hand. Early reporting shrinks incidents, because the sooner a real problem is contained, the less it costs.

The instinct to stay quiet, out of embarrassment or fear of blame, is exactly how a small, cheap problem grows into a large, expensive one. A healthy security culture treats fast reporting as a win, never a fault. If you clicked something you should not have, saying so within minutes is far better than hoping nobody notices.

Speed beats certainty

You are not expected to be sure it is a real incident before you report. "This looks off and I wanted someone to check" is a perfect message to send. Let the people with the tools and context make the call. Your job is to get it in front of them fast.

The takeaway

An event is anything that happens, an alert is an event worth a look, an incident is confirmed harm or the threat of it, and a breach is an incident where data escaped. They form a funnel, and most of what enters the top never reaches the bottom. Real incidents are handled with a calm, repeatable lifecycle: prepare, identify, contain, eradicate, recover, and learn, looping the last stage back into the first. The goal is not to never have incidents, because that is impossible. The goal is to catch them early, respond in proportion, and handle them without making things worse. And if you are the one who spots something, speak up fast. That single habit prevents more damage than almost anything else.