Post-incident review feeds the red-team backlog
Demonstrate that incident post-mortems systematically generate red team exercises that validate whether remediation actions have effectively closed identified security gaps.
Description
What this control does
This control ensures that findings from post-incident reviews—including attack vectors, detection gaps, and response weaknesses—are systematically translated into offensive security testing scenarios and added to the red team's backlog. Post-incident analysis provides real-world attacker tactics and organizational blind spots that can be used to validate defensive posture improvements. By feeding these insights directly into red team exercises, the organization creates a closed-loop validation mechanism where defensive lessons learned are tested before the next real adversary exploits them.
Control objective
What auditing this proves
Demonstrate that incident post-mortems systematically generate red team exercises that validate whether remediation actions have effectively closed identified security gaps.
Associated risks
Risks this control addresses
- Adversaries exploit the same attack vector repeatedly because post-incident remediation was never validated through offensive testing
- Detection gaps identified during incident response remain unaddressed because no testing confirms whether monitoring improvements are effective
- Security investments prioritize theoretical threats rather than attack patterns proven feasible in the organization's actual environment
- Remediation actions are marked complete based on configuration changes without validating that adversarial techniques are now detectable or preventable
- Red team exercises test generic attack scenarios that do not reflect the organization's demonstrated vulnerabilities and incident history
- Knowledge from high-severity incidents is siloed within the incident response team and never translated into actionable security testing requirements
- Defensive improvements create a false sense of security because adversarial simulation never attempts to bypass the new controls using the original attack method
Testing procedure
How an auditor verifies this control
- Obtain the list of completed post-incident reviews from the past 12 months, including incident reports and documented lessons learned.
- Retrieve the red team or purple team backlog, exercise plan, or work tracking system covering the same 12-month period.
- Select a sample of 5-7 moderate-to-high severity incidents that involved successful attacker techniques or detection gaps.
- For each sampled incident, trace whether specific attack vectors, detection failures, or control weaknesses were documented in the post-incident review.
- Review the red team backlog to identify corresponding entries that reference each sampled incident and describe planned adversarial simulations of the same techniques.
- Examine red team exercise reports to verify that backlog items derived from incidents were executed and documented the effectiveness of remediation actions.
- Interview incident response leads and red team leads to validate the documented workflow for translating incident findings into red team scenarios.
- Review meeting minutes, change requests, or ticketing system links that demonstrate formal handoff or collaboration between incident response and offensive security teams.
Where this control is tested