Don Murdoch

#Blue_Team
As cyberthreats grow and infrastructure evolves, organizations must prioritize effective, dynamic, and adaptable incident response. Following the success of the original edition, Blue Team Handbook: Incident Response has been updated to reflect today’s evolving cybersecurity landscape. This trusted and widely used field guide for cybersecurity incident responders, SOC analysts, and defensive security professionals distills incident response essentials into a concise, field-ready format.
Author Don Murdoch draws on decades of real-world experience in incident response and cybersecurity operations to provide actionable guidance and sample workflows you can immediately apply in your own work. Whether you’re investigating an alert, analyzing suspicious traffic, or strengthening your organization’s IR capability, you’ll find this field-tested edition an essential resource for hands-on practitioners.
• Understand how modern adversaries operate and recognize common indicators of compromise in networks
• Analyze network traffic with common tools to identify and investigate suspicious activity
• Execute structured incident response procedures and follow a clear response plan
• Conduct basic forensic analysis on both Windows and Linux systems
• Use proven methodologies and tools
Praise for Blue Team Handbook: Incident Response
Don Murdoch has created an indispensable field guide that belongs on every incident responder’s desk. It’s packed with practical commands, real-world techniques, and hard-won wisdom from decades in the trenches.
—Justin Henderson, CEO of Tellaro, Inc.
Don Murdoch takes his many years of experience and boils them down into a handbook that will help you be a better blue teamer!
—Doug Burks, founder and CEO of Security Onion Solutions
Most incident response books give you theory or they give you commands. This one does both. It walks you through building an actual incident response program, the metrics, the leadership structure, the stuff that keeps you from flailing when things go sideways, and then hands you the PowerShell and packet captures to execute.
—James “@whiskeyhacker” McMurry, CEO, ThreatHunter.ai
Don’s coverage of incident response kept me reading through the night. Anyone in IR should keep this book in their go-bag.
—Dean Bushmiller, president, Expanding Security
Don Murdoch connects incident response to real adversary behavior in a way that is immediately useful, tying investigation steps to frameworks like MITRE ATT&CK and practical blue team decision-making. This is a handbook defenders can use to think clearly, prioritize quickly, and improve detection and response with purpose.
—Tannu Jiwnani, principal security engineer
If you defend systems for a living, this book belongs on your desk. Don Murdoch cuts through the noise and delivers an incident response playbook that’s practical, current, and battle-tested.
—Sri Sai Bhargav Tiruveedhula, principal security engineer at Autodesk
An essential reference for blue teams at any stage. Deeply practical, and sharply aligned with today’s adversary landscape.
—Yaamini Barathi Mohan, award-winning cybersecurity leader
Don is one of the brightest cyber professionals that I’ve had the pleasure to work with. His skills and knowledge are deep in incident response, endpoint security, and the controls that defend critical IT infrastructure. This book is great for any blue team cyber professional!
—Alex Kahn, staff cybersecurity engineer, Guidewire Software
Few books manage to be both a day-one field manual and a long-term desk reference; this one succeeds at both.
—Nikhil Teja Dommeti, product innovator and security researcher at a Fortune 100 company
As someone who has been mentored by Don, I’ve seen firsthand his dedication to the craft of cybersecurity. This updated edition is like having a master teacher by your side, distilling complex concepts into the actionable, real-life examples that define our field.
—Jack Callaway, PhD, SOC manager
About the Author
Don Murdoch, GSE, MBA, is a veteran cybersecurity professional with more than 20 years of experience in incident response and security architecture across nonprofit, academic, and Fortune 500 environments. He is a certified SANS Institute instructor who teaches cyber defense courses. Don holds numerous certifications, including CISSP, ISSAP, GSE, SABSA chartered architect, and TOGAF enterprise architect.