Global · Dublin Base · DORA · NIS2 · EU AI Act · ISO 42001

Governance Frameworks & Incident Response Doctrine

Proprietary governance frameworks. Industry standard critique. Decision architecture that holds where NIST, SANS, ISO, and MITRE leave gaps. Not explanation — interpretation.

Governance Stacks™

Named Governance Frameworks

Six proprietary, trademarked frameworks — each stress-tested across regulated mandates, audited by supervisors, and built to survive enforcement scrutiny.

Framework 01
The Evidence Chain Model™
Four-tier institutional proof architecture — from practitioner artefact to supervisory-grade evidence. Every claim is traceable, every control is auditable.
DORA Art. 6 · ISO 27001 · Audit-Ready
Framework 02
Decision Rights Architecture™
Maps who decides, who escalates, and who is accountable — from board to SOC floor. Eliminates governance ambiguity under regulatory pressure.
NIS2 Art. 20 · Board Mandate · RACI+
Framework 03
Board-Survivable Cyber Architecture™
Governance architecture that protects board members from personal liability — bridging technical controls to director-level accountability.
SEC/DOJ · D&O Shield · Board-Level
Framework 04
AI Accountability Stack™
End-to-end AI governance covering model risk, bias controls, explainability mandates, and EU AI Act Article 9 compliance architecture.
EU AI Act · ISO 42001 · Model Risk
Framework 05
Recoverability Mandate™
Operational resilience doctrine that ensures critical business services survive severe disruption — from ransomware to systemic failure.
DORA Art. 11 · BCP/DRP · Stress-Tested
Framework 06
Contract Control Matrix™
Third-party risk governance matrix — embeds enforceable controls into outsourcing contracts, M&A due diligence, and vendor oversight.
TPRM · M&A · Contractual
Doctrine Position

Why Incident Response Frameworks Fail Under Pressure

Industry frameworks provide structure. They do not provide control. The difference becomes visible only during crisis — when it matters most.

The Core Problem

Organisations adopt frameworks. They pass audits. They achieve compliance certifications. Then, when crisis arrives, the framework does not hold. The response becomes non-linear, authority fragments, and the structured phases that worked in tabletop exercises collapse under real-world time pressure.

This is not a framework failure. It is a design limitation. Frameworks describe what should happen. They do not prescribe how to maintain control when the operational environment degrades.

The distinction that matters: Compliance means the framework was adopted. Control means the organisation can still make coherent decisions under pressure. These are not the same thing.

NIST SP 800-61 Rev. 3 (April 2025)

CSF 2.0 Alignment — Where the New Model Still Leaves Gaps

NIST's incident response life cycle, carried forward from Rev. 2 and re-expressed in Rev. 3 in terms of the CSF 2.0 Functions, defines four phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. In structured environments with single-vector incidents, this sequence holds.

Where it breaks: Rev. 3 improves on the linear model but introduces new gaps. The CSF 2.0 mapping creates a governance-heavy structure that satisfies risk committees but does not address operational tempo. CrowdStrike's 2026 GTR records a 29-minute average eCrime breakout time — with one observed breakout in 27 seconds. Unit 42 documents 72-minute exfiltration windows, 4× faster than 2024. In March 2026, Stryker's networks were wiped in real-time by an Iran-aligned group; in April, Drift lost $285M in a single DeFi exploit. Governance cycles operate in weeks. Adversary cycles operate in seconds.

The real gap: Rev. 3 adopts CSF 2.0's Govern Function, but governance in practice requires pre-mandated decision authority, not just a risk management structure. In 90% of 2026 breaches analysed by Unit 42, preventable gaps (limited visibility, inconsistent controls, excessive identity trust) enabled the intrusion. CrowdStrike reports that 82% of detections are now malware-free, meaning control frameworks built around malware artefacts miss the majority of intrusions. NIST Rev. 3 describes what good governance looks like. It does not prescribe who decides when governance functions conflict under time pressure.

Doctrine position: NIST provides the operational vocabulary. Decision Rights Architecture™ provides the command structure that makes the vocabulary actionable under pressure.

SANS Incident Response Framework

Operational Sequence — When Sequence Breaks

SANS maintains its six-step PICERL model: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. For 2026, SANS is expanding focus into cloud forensics, AI-assisted incident response, and threat hunting — reflecting the shift toward hybrid-cloud environments and autonomous adversary tooling. With AI-enabled adversary operations up 89% year-over-year (CrowdStrike 2026 GTR) and ransomware operators now pivoting through cloud identities and deploying exclusively to VMware ESXi hosts to evade monitored endpoints, the PICERL sequence is under more operational pressure than at any point in the framework's history.

Where it breaks: The sequence assumes incident progression is orderly. In practice, incident scope changes during response. What started as a phishing compromise escalates to credential theft, then lateral movement, then data exfiltration — all discovered out of sequence. Containment actions taken at step 3 are invalidated by discoveries at step 4.

The real gap: SANS excels at the technical response layer. It does not address the decision layer: board escalation thresholds, regulatory notification triggers, or the moment when technical containment must yield to business survival decisions.

Doctrine position: SANS defines the operational rhythm. The Crisis Decision Hierarchy defines who commands that rhythm when multiple stakeholders demand conflicting actions.

ISO/IEC 27035

Compliance Structure — When Compliance Does Not Equal Control

ISO/IEC 27035-1:2023 (second edition) replaced the 2016 first edition, introducing the "incident management team" and "incident coordinator" roles with updated process subclauses. Parts 1 and 2 were revised in 2023; Part 3 remains from 2020. The standard provides an internationally recognised incident management structure for audit-driven and compliance-heavy environments (it is guidance, not itself a certification standard; organisations certify against ISO/IEC 27001 and align 27035 to it).

Where it breaks: ISO frameworks optimise for process completeness, not decision speed. During a major incident, the governance structure that satisfied auditors becomes a bottleneck. Approval chains that took 48 hours in normal operations must compress to 15 minutes. The compliance structure was designed for steady-state, not crisis-state.

The real gap: Many organisations achieve ISO 27035 alignment and assume they have incident response capability. They have incident response documentation. Whether that documentation survives contact with a real adversary is a different question entirely.

Doctrine position: ISO 27035 satisfies the regulator. The Evidence Chain Model™ satisfies the regulator and preserves decision integrity when the incident is still in progress.

MITRE ATT&CK

Adversary Visibility — When Visibility Does Not Equal Action

MITRE ATT&CK v18 (October 2025) introduced the most transformative update in the framework's history: retiring traditional Detections and Data Sources in favour of Detection Strategies and Analytics for every technique and sub-technique. New techniques target Kubernetes, CI/CD pipelines (T1677: Poisoned Pipeline Execution), container CLI/API exploitation, and cloud identity abuse. v19 is scheduled for 28 April 2026, with expanded Asset coverage, refreshed CTI content, and new cross-domain campaigns.

Where it breaks: v18's detection analytics are a significant improvement — but detection speed has not kept pace with adversary speed. CrowdStrike's 2026 GTR records a 29-minute average eCrime breakout, with the fastest observed breakout in 27 seconds. Unit 42 documents 72-minute exfiltration windows. Identity weaknesses played a material role in 90% of investigated incidents. ATT&CK now maps these techniques with precision. But organisations that see T1078 (Valid Accounts) on their dashboard still cannot act when the compromised identity belongs to a C-suite executive and legal, HR, and IT disagree on the containment action.

The real gap: ATT&CK tells you what the adversary is doing. It does not tell you what you should do when the adversary's actions create conflicting priorities across business units. When T1486 (Data Encrypted for Impact) is detected, the technical response is clear. The decision about payment, the decision about disclosure, the decision about business continuity — those are not in the ATT&CK matrix.

Doctrine position: ATT&CK provides the adversary map. The Control Collapse Model™ provides the organisational map — where decision authority fragments, where communication breaks, and where recovery stalls.

The Strategic Conclusion

Frameworks are necessary. They are not sufficient.

Every framework above was designed to solve a specific problem: NIST Rev. 3 structures governance around CSF 2.0, SANS operationalises the PICERL response, ISO 27035:2023 satisfies the auditor, ATT&CK v18 maps the adversary with detection analytics. None of them were designed to solve the problem documented in 750+ major incidents analysed by Unit 42 in 2026: the inability to make coherent decisions when CrowdStrike records 29-minute breakouts (27 seconds in the fastest case), Unit 42 documents 72-minute exfiltration windows, and 90% of breaches are enabled by preventable, structural gaps.

That problem is structural. It requires governance architecture, not better checklists. It requires decision authority that is explicit, pre-mandated, and tested before crisis arrives.

This is the layer that sits above frameworks. This is where doctrine operates.

Command Architecture

Incident Response RACI — Decision Rights Under Pressure

This is not a task assignment matrix. It is a command architecture. In crisis, the question is never "what needs to be done." It is "who decides, who acts, and who arbitrates when decisions conflict."

Phase / Activity | Incident Commander | CSIRT / SecOps | IT Ops / SysAdmin | C-Suite / Board | Legal & Compliance | Comms / PR
--- | --- | --- | --- | --- | --- | ---
Preparation | | | | | |
Define IR policy & playbooks | A | R | C | I | C | I
CSIRT roles, tooling & runbooks | C | A | R | I | I | I
Tabletop exercises & ATT&CK scenarios | A | R | R | C | C | C
Detection & Analysis | | | | | |
Monitor alerts & classify incident | C | A | R | I | I | I
Severity assessment & escalation trigger | A | R | C | C | C | I
Containment, Eradication & Recovery | | | | | |
Isolate affected systems | A | R | R | I | I | I
Forensics & evidence preservation | C | A | R | I | A | I
Eradicate threat & deploy controls | A | R | R | C | C | I
Restore services from clean state | A | C | R | C | I | C
Post-Incident & Regulatory | | | | | |
Root cause analysis | A | R | C | I | C | I
Regulatory notification (DORA/NIS2/GDPR) | C | C | I | A | R | C
External communications & disclosure | C | I | I | A | C | R
Update playbooks & policy revision | A | R | C | I | C | I

A = Accountable: owns the outcome, single point of decision
R = Responsible: executes the work
C = Consulted: input before action
I = Informed: notified after action

Why This Matrix Exists

Most incident response failures are not caused by missing tools, delayed detection, or inadequate playbooks. They are caused by authority ambiguity — multiple stakeholders making conflicting decisions without a clear hierarchy.

The RACI matrix above encodes the Decision Rights Architecture™ into the NIST/SANS incident lifecycle. Every cell answers one question: when this activity is underway and conflict arises, who has the authority to arbitrate?

The matrix is aligned with the NIST SP 800-61 Rev. 3 / CSF 2.0 Functions, the ISO/IEC 27035-1:2023 incident management structure, and the DORA Art. 17 ICT-related incident management process (with major-incident reporting under Art. 19). DORA enforcement is now in full operation: national competent authorities conduct on-site inspections, issue compulsion payments, and cross-check Register of Information data automatically (fines up to 2% of global turnover or €10M; critical ICT third-party providers face €5M plus periodic penalty payments of 1% of average daily global turnover for continued non-compliance). NIS2 penalties reach at least €10M or 2% of global annual turnover for essential entities, with personal accountability for management bodies under Art. 20. This matrix is designed to survive both operational and regulatory enforcement scrutiny.

Operational Architecture

CSIRT & Crisis Command — Structural Integration

A CSIRT that operates without decision authority is a detection team. A CSIRT with explicit command architecture is a crisis response capability.

The Structural Problem

Most organisations build CSIRTs as technical teams within IT or security operations. They are staffed, trained, and equipped. They monitor, detect, and escalate. What they cannot do — because they were never given the mandate — is decide.

When a major incident requires decisions that cross business boundaries (shut down a revenue-generating system, notify a regulator before legal review is complete, override a vendor SLA), the CSIRT has visibility but no authority. It escalates. But escalation without a clear command structure creates delay, and with CrowdStrike documenting 29-minute average breakout times and Unit 42 recording 72-minute exfiltration windows, delay is indistinguishable from total loss.

The cost of that delay is measurable. The global average breach cost stands at $4.44M (IBM 2025); U.S. costs rose to $10.22M, and healthcare leads by sector at $7.42M. Ransomware is present in 44% of breaches, up from 32% the prior year (Verizon 2025 DBIR). Organisations without pre-mandated decision authority absorb these costs at the upper end. ENISA's revised EU Blueprint for Cyber Crisis Management (2026) and the forthcoming CRA Single Reporting Platform (operational September 2026) add further mandatory reporting obligations that only a pre-mandated command structure can satisfy in time.

Tier 1 — Strategic Command

Board & C-Suite

Owns regulatory notification decisions. Owns payment decisions (ransomware). Owns public disclosure timing. Does not manage technical response. Receives structured briefings at defined intervals. Makes irreversible decisions with board mandate.

Tier 2 — Incident Command

Incident Commander

Single point of decision authority during active incident. Arbitrates conflicts between technical, legal, and business functions. Owns containment/eradication decisions. Escalates to Tier 1 at defined severity thresholds. This role is pre-mandated, not assigned during crisis.

Tier 3 — Operational Response

CSIRT / SecOps

Detection, triage, forensics, containment execution. Threat hunting using MITRE ATT&CK mapping. Evidence chain preservation (Evidence Chain Model™). Reports to Incident Commander. Executes, does not decide cross-functional matters.

Tier 4 — Support Functions

Legal, Comms, IT Ops, HR

Legal: regulatory notification, contractual obligations, litigation risk. Comms: stakeholder messaging, media protocol. IT Ops: system restoration, infrastructure recovery. HR: insider threat, staff communication, welfare. All report through Incident Commander.

Integration with Industry Frameworks

This command architecture is not an alternative to NIST, SANS, or ISO 27035. It is the governance layer that makes them operational under pressure.

NIST phases execute within Tier 3 (CSIRT). SANS operational sequence provides the tactical rhythm. ISO 27035 provides the documentation and audit structure. MITRE ATT&CK informs detection and threat hunting at the operational layer.

What this architecture adds is the decision layer: who commands, who arbitrates, and who makes the irreversible decisions that frameworks assume but do not define.

The Doctrine Position

Frameworks tell you what to do. Command architecture tells you who decides when what to do is disputed.

In every major incident that results in lasting organisational damage, the root cause is not a detection failure. It is a decision failure. The CSIRT saw the threat. Leadership could not agree on the response. Multiple functions made independent decisions. Those decisions contradicted each other. External parties — regulators, customers, media — observed the contradiction.

The organisation that enters crisis with pre-mandated decision authority, explicit escalation thresholds, and a tested command hierarchy will retain control. The organisation that defers this architecture until incident occurs will lose it.

Integration Architecture

How Proprietary Doctrine Extends Industry Frameworks

Each proprietary framework addresses a specific gap that industry standards leave open.

Industry Standard | What It Provides | What It Misses | Doctrine Extension
--- | --- | --- | ---
NIST SP 800-61 | Incident lifecycle structure | Decision authority, phase arbitration | Decision Rights Architecture™
SANS IR Framework | Operational response sequence | Board escalation, business survival layer | Crisis Decision Hierarchy
ISO/IEC 27035 | Compliance & audit structure | Evidence integrity under active incident | Evidence Chain Model™
MITRE ATT&CK | Adversary behaviour mapping | Organisational failure mapping | Control Collapse Model™
DORA / NIS2 | Regulatory reporting obligations (DORA: active enforcement 2026, on-site inspections, compulsion payments, fines up to 2% global turnover or €10M; critical ICT providers: €5M plus 1% average daily turnover; NIS2: penalties of at least €10M or 2% turnover, C-level bans, management body accountability under Art. 20) | Director-level liability architecture | Board-Survivable Cyber Architecture™
EU AI Act / ISO 42001 | AI system classification & risk tiers (high-risk obligations from Aug 2026; EU Digital Omnibus proposes deferral for legacy systems to 2027; transparency rules under Art. 50; serious incident reporting within 2–15 days under Art. 73; AI regulatory sandboxes mandated per Member State by Aug 2026) | Operational AI incident command | AI Accountability Stack™
Cyber Resilience Act (CRA) | Mandatory vulnerability & incident reporting for products with digital elements (ENISA Single Reporting Platform operational Sep 2026; manufacturer reporting obligations active from 11 Sep 2026) | Product-level incident command integration with enterprise IR | Evidence Chain Model™ + Board-Survivable Cyber Architecture™

The principle: Industry frameworks describe the problem space. Proprietary doctrine fills the decision gaps that frameworks leave open. The two layers are complementary, not competing.
