An incident timeline records what happened and when during a security incident.
It should capture:
- Initial report time
- Known facts
- Key decisions
- Assigned actions
- Customer or regulatory communications
- Containment and recovery steps
- Closure and review notes
A clean timeline helps with internal review, customer updates, legal analysis, and post-incident improvement.
