What is an IRT?
An IRT (Incident Response Team) is a specialised team of professionals responsible for handling, coordinating and resolving cybersecurity incidents within an organisation.
The IRT is the operational executor of your Incident Response Plan: from detection through to recovery.
An IRT is also referred to as a CSIRT (Computer Security Incident Response Team) or in some contexts as a CERT (Computer Emergency Response Team).
🎯 Tasks of an IRT
- Detecting and analysing incidents
- Coordinating containment and recovery actions
- Communicating with internal and external parties (such as suppliers, regulators)
- Documenting and reporting findings and actions
- Preventing recurrence through recommendations and improvement measures
👥 Who sits in an IRT?
| Role | Responsibility |
|---|---|
| IRT coordinator | Leads the team, manages communication and decision-making |
| Security analyst / SOC | Detection, triage and technical analysis of the incident |
| Network/system admin | Supports containment and recovery measures |
| OT specialist | Crucial in incidents involving PLC, SCADA or production IT |
| Communications / PR | For internal updates or press communication if required |
| Legal function | Advises on notification obligations, liability and GDPR |
| CISO / IT manager | Ultimately responsible for decision-making and escalation |
🧭 The IRT and the Incident Response process
The IRT is active in (at least) the following phases of incident handling:
- Detection
- Classification
- Escalation (where necessary)
- Containment & recovery
- Root cause analysis
- Documentation & reporting
- Follow-up and preventive actions
🔐 IRT in OT environments
In OT environments, the IRT is often multidisciplinary:
- OT engineers are crucial for understanding the impact on production
- The safety department sometimes needs to be involved when possible risks arise
- Recovery must be aligned with planned downtime or backup strategies
- There may be overlap with SIS, interlock systems or safety procedures
📦 Tools for an IRT
- Incident Response Plan and playbooks
- SIEM, EDR, asset inventory, SOAR
- CMDB or network maps
- Jump server for secure access
- Templates for notification to CSIRT, NCSC or regulators
✅ Benefits of a well-organised IRT
- Fast and coordinated approach to incidents
- Less damage through rapid containment
- Better communication during crisis situations
- Transparency and reporting for compliance
- Continuous improvement of security and processes
📌 In summary
An IRT is the specialist team standing ready to detect, analyse, coordinate and resolve cyber incidents. Without an IRT, fast and structured incident response is practically impossible — especially in complex IT/OT environments.
