The Security Incident Report Template That Gets Budget Approved, Not Filed and Forgotten

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The standard post-incident report follows a template designed by security engineers for security engineers. It leads with the technical attack chain, lists CVEs, describes the malware family, and concludes with a list of hardening recommendations that go into a SharePoint folder and are never touched again. Leadership reads the executive summary, skims the recommendations, and approves nothing because nothing in the document connects to a business decision they can make. The report I'm going to walk through is built backwards from that. It starts with what the executive needs to decide, then provides the evidence required to make that decision. Technical detail is present but subordinate.
The core principle: translate every finding into a business consequence
Security people speak in TTPs, CVEs, and MITRE ATT&CK techniques. Executives speak in downtime, regulatory exposure, customer trust, and cost. Before writing a word of the report, do this translation exercise for every significant finding:
Technical: 'The attacker achieved persistence via a scheduled task running a PowerShell one-liner that beaconed to a C2 every 10 minutes for 23 days before detection.'
Business translation: 'An unauthorized party had undetected access to our network for 23 days. During that period they had access to [list the systems they touched]. If they had exfiltrated the customer data in those systems, we would be looking at GDPR Article 83 fines of up to 4% of global annual revenue, plus notification costs estimated at $X based on [X] affected records at the industry average of $7.91 per record.'
That second version gets attention. The first version gets filed.
The template structure
Section 1: What happened (3 sentences maximum)
Lead with the plain-English summary. Who detected it, when, what was affected, and whether data left the building. This is the only section every executive will read in full, it needs to give them the complete picture in under 60 seconds.
Example: 'On [date], our SIEM flagged unusual outbound traffic from a finance department workstation. Investigation confirmed a credential phishing attack had compromised one employee account on [date, X days earlier]. The attacker accessed [specific systems listed]. No data exfiltration was confirmed; however, the attacker had read access to [specific data types] for [X] days.'
Section 2: Business impact (the critical section)
This is where most reports fail. Populate every line with real numbers or documented estimates.
- Downtime: [X hours] of [system name] downtime during investigation and containment. Estimated operational cost: $[X] based on [revenue/hour or hourly labor cost of affected teams].
- Data at risk: [X records] of [data classification, PII, PHI, financial] were accessible to the attacker. Estimated notification cost if exfiltration confirmed: $[X]. Regulatory exposure: [specific regulation and potential fine range].
- Recovery costs: [X hours] of security team time at average loaded cost of $[X]/hour = $[X]. External forensics: $[X] if engaged. Total incident cost to date: $[X].
- Insurance: [Did this trigger a reportable claim? Yes/No. Policy deductible: $X.]
- Reputational: [Customer notification required? Yes/No. Press release required? Yes/No.]
For near-misses where no breach occurred, include a counterfactual cost box:
'Had the attacker exfiltrated the [X] customer records they had access to, estimated costs would have been: notification $[X], regulatory fines $[X], forensics $[X], legal $[X], reputational: [describe]. Total: $[X]. The cost of the controls that detected and contained this incident: $[X]/year.'
That last line is how you justify your security budget in a single paragraph.
Section 3: How it happened (one page maximum)
The technical timeline, written in plain English with jargon defined on first use. Use a table format: Date/Time | What Happened | How We Know. End with a single sentence identifying the root cause.
Example root cause: 'The attacker gained initial access by sending a credential phishing email that bypassed our email security gateway. The employee completed an MFA prompt that they believed was legitimate, a technique called MFA fatigue where attackers spam approval prompts until a user approves one.'
Section 4: What we're doing about it (the ask)
This is the decision section. Structure it as a table with three columns: Action | Cost | Risk Reduced | Status. For example: Deploy phishing-resistant MFA (FIDO2) at $X/year eliminates MFA fatigue attack class and needs approval; Email security gateway upgrade at $X/year catches 94% of credential phishing and needs approval; User awareness training at $X/year reduces click rate from X% to target X% and has been implemented.
Never list more than five actions. If you have more, prioritize by risk reduction and include an appendix. Decision fatigue kills budget requests.
Section 5: Compliance and legal (if applicable)
- GDPR/CCPA/HIPAA notification requirements and deadlines
- Law enforcement notification (FBI IC3 if ransomware)
- Cyber insurance claim status
- Board notification requirement under your company's incident response policy
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Before and after rewrites
Before (technical, gets ignored): 'CVE-2024-21413 was exploited via a malicious Office document attachment. The attacker established persistence using a scheduled task (T1053.005) and used Cobalt Strike for C2 communications over HTTPS to avoid detection. Lateral movement was observed via PsExec to three additional hosts.'
After (business-framed, gets action): 'An attacker exploited a known vulnerability in Microsoft Office to gain access to one employee's computer. Over the following 8 days, they moved to three additional computers, including two in the finance department, while communicating with external servers disguised as normal web traffic. The attacker had access to our accounts payable system, payment card processing credentials, and the finance shared drive containing [X] vendor banking records during this period.'
The technical details belong in the appendix for your security team. The executive summary gets the business version every time.
The one thing that consistently unlocks budget
Every experienced CISO I've talked to says the same thing: the reports that generate immediate budget approval are the ones that show the cost of what almost happened next to the cost of the control that would prevent it.
'This attack cost us $47,000 in labor and $22,000 in forensics. Phishing-resistant MFA would have prevented it. Annual cost: $8,400.'
That math works every time.
The bottom line
The reports that drive budget approval share one quality: they make the math obvious. What did this cost, what would the alternative have cost, and what does the fix cost. Build every incident report around those three numbers and the approval conversation becomes much shorter.
Frequently asked questions
How long should a post-incident executive report be?
The executive-facing report should be 2-3 pages maximum, a one-page executive summary covering what happened and business impact, one page on root cause and timeline, and one page with the remediation ask and cost table. Technical details belong in a separate technical appendix that your security team references but most executives won't read.
How do I calculate a dollar figure for a near-miss where nothing was actually stolen?
Use the IBM Cost of a Data Breach Report for per-record cost estimates by industry and data type (the 2024 global average is $4.88M per breach). Multiply by the number of records the attacker had access to for an estimated maximum exposure. Add regulatory fine estimates based on the applicable regulation (GDPR Article 83: up to 4% of global annual revenue; HIPAA civil penalties: up to $1.9M per violation category per year). This is your 'what could have happened' number.
Should the security team and the executive report be the same document?
No. Write two documents: the executive summary (2-3 pages, business language, decision-focused) and the technical post-mortem (full timeline, indicators of compromise, detection gaps, technical remediation steps). The executive summary references the technical document as an appendix. This structure means every audience gets what they need without compromising on depth for either.
What's the right timeline for delivering a post-incident report?
A preliminary executive summary should be delivered within 24-48 hours of containment while facts are still being established, clearly marked as preliminary. The full report with confirmed impact, root cause, and remediation plan should follow within 5-7 business days. If regulatory notification deadlines apply (72 hours under GDPR, 30 days under most US state laws), the preliminary report must address notification obligations explicitly.
How do I report an incident to a board of directors?
Board reporting requires even more compression than the executive summary. Prepare a maximum five-slide deck: (1) what happened in plain English, (2) business impact in dollars, (3) current status, contained/ongoing, (4) what we're doing and what we need approved, (5) compliance obligations. Boards want to know if it's over, what it cost, what regulatory exposure exists, and what decision they need to make. Everything else is detail for the management team.
What should I never put in an executive incident report?
CVE identifiers (unless the executive asked specifically), MITRE ATT&CK technique IDs, malware family names without explanation, log excerpts or raw data, internal IP addresses or hostnames, and blame language about individual employees or teams. All of these belong in the technical appendix or nowhere in the written report at all.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
