The absolute worst time to develop a breach response plan is directly after you have discovered a breach. The absolute best way to have your response team fail is to have them untrained on rarely practiced procedures while being overly reliant upon expensive, improperly configured technology. It is proven that humans perform at their least effective under exactly these conditions, making the task of recovery and root-cause analysis far more challenging than it could be. We'll see that by focusing on the people/process functions more than technology when an attack is identified, a measured and practiced response can be smoothly executed, providing the best possible path to remediation. In this session we will discuss this issue from two very different perspectives. First, from an academic perspective, we'll see the results of exhaustive research into incident response from the organization that coined the term CERT. In contrast, we'll hear from an experienced practitioner, with lessons learned from real-world deployments.