In Part 1 of this special two-part panel, the Breaking Badness podcast gathers leading cybersecurity experts to explore the foundations of DFIR - Digital Forensics and Incident Response. Featuring Daniel Schwalbe (DomainTools), Lesley Carhart (Dragos), David Bianco (Splunk), and Sarah Sabotka (Proofpoint), the panel dives into what makes an effective incident response (IR) program, why preparation is often overlooked, and how to bring technical and human elements together during high-stakes security events.
Why Preparation is the Heart of DFIR
David Bianco says it best: “You actually ideally spend most of your time in the preparation phase.” The panelists emphasize that incident response isn't just about reaction, it’s a continuous cycle of training, testing, and refining. Organizations should approach DFIR as an ongoing investment, not a one-off project.
Lesley Carhart points out the emotional stakes: “People crying, people panicking, thinking they're going to lose their jobs.” Incidents aren’t just technical, they’re human. This makes regular tabletop exercises and simulations vital for readiness under pressure.
Key Takeaways:
- Don’t rely on canned incident plans. Customize severity ratings based on real operational risk.
- Training should go beyond security teams and include execs, legal, and even facilities.
- Documentation and clarity of scope are critical. Include mission statements and defined responsibilities in IR plans.
- Keep your playbooks iterative. Update them after every major incident or test.
Building the Right DFIR Team
Staffing came up as one of the most overlooked aspects of preparation. David Bianco advised: “You only need one or two really experienced people… the rest of the team can coalesce around them.” The panel recommends hiring a mix of senior staff and trainable mid-level professionals to maintain institutional knowledge and agility.
Other key players often left out of DFIR planning:
- Help desk and IT support (Sarah Sabotka: “They are like the hidden heroes behind the curtain”)
- Governance and brand protection
- Crisis comms and executive leadership
The emphasis is on breaking silos and ensuring security isn’t seen as “the department of no.”
The Power of Simulation
The group highlights how regular simulations build organizational muscle memory. Schwalbe likens them to fire drills: “Yes, it’s annoying… but when an actual alarm happens, you do it.”
You don’t need massive red-team ops to get value:
- Monthly drills to test tactical processes like backup restores or forensic tools
- Quarterly tabletop exercises for broader communications and decision-making flows
- Red team and CTI simulations to identify gaps and practice real-world attack scenarios
Identification and the Role of CTI
Once an alert hits the radar, what happens next? The team explores how threat intelligence can shape the identification phase.
Sarah Sabotka highlights how CTI (Cyber Threat Intelligence) plays a key role in real-time incident prioritization: “We can enrich [alerts] with what's happening on the landscape, or what we’re hearing from intel-sharing partners.”
David Bianco also warns against alert fatigue: “We've had that for 20 years… flooded with alerts.” The group urges organizations to optimize detection workflows, not just pile on tooling.
This phase is also where visibility gaps become obvious. “This is really where lessons learned."
Culture, Trust, and Cross-Functional Buy-In
A recurring theme was the importance of relationships between security and the rest of the organization.
Lesley Carhart stresses: “It's very easy to just fix things and never tell anybody they broke.” Whether it’s OT systems or finance databases, operations teams often bypass security due to fear, urgency, or misalignment.
Tips from the panel:
- Build trust with stakeholders early through job shadowing or training days
- Bribe with kindness (or donuts): “Bribery is great there,” says Carhart
- Set clear expectations and shared goals for legal, PR, and compliance teams during a response
Realistic Timelines and Legal Nuance
Schwalbe critiques unrealistic 24-hour regulatory notification windows: “What do you mean you need more than 24 hours? I want to know all the things!” In reality, investigations take time, and evidence must be preserved before it’s analyzed.
Pro tip: Include a glossary in your incident response plan so everyone, technical and non-technical understands what counts as an incident or breach.
This episode makes one thing clear that effective DFIR is a culture, not just a checklist. The tools matter, but so does empathy, communication, and continuous improvement. As Part 1 closes, the conversation turns to digital forensics, evidence preservation, and the often misunderstood “chain of custody.”
Stay tuned for Part 2 dropping next week, where the panel tackles Containment, Eradication, Recovery, and Lessons Learned.
Watch on YouTube
That’s about all we have for this week, you can find us on Mastodon and Twitter/X @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!
Heading
