Here's a short thread about Incident Response. I generally try to stay away from IR for 3 main reasons : (1) it is unpredictable (2) it is utterly thankless. (3) it is mentally draining.
The first reason is easy : There's a lot of "stuff not happening time" where you should spend time practicing and sharpening your knives. When it changes to "stuff is happening" you go from 0mph to 200mph in no time. However ...
You're rarely given the time to practice and sharpen your knives. IR often feels like being thrown out of a plane with a parachute you've never jumped with and the essential cords are in weird places. Good luck trooper.
IR being thankless : There's 2 parts here ... (1) The spectators : there's a gazillion people in the periphery that are excited and want to know everything. They don't care about the people involved. They want to be able to tell their friends about the shit they didn't do.
(2) The execs : even when nothing is confirmed yet, they set out to know why all the tech they paid thousands of dollars/euros/pounds for didn't see "the thing" or worse ... why "you" didn't see the thing. Their primary goal is to shift blame to someone else than themselves.
I think my 3rd reason is a function of the previous two: IR has no measure for success. 99% of the time the general opinion is that you failed. You're also rarely given the things that are necessary for success.
At best it takes a few days of almost no sleep. At worst it is a few weeks but the end result is always the same : you find yourself sitting against a wall, dazed, confused and with nobody pulling you up. In more than one way, you sucked and that is it. On to the next.
Why anybody would even consider exclusively doing IR for a living is beyond me. I end up in IR occasionally and I hate the post-incident feels so freaking much. There's no glory, only blame.
Replying to @wimremes
If you do IR non-stop then the prep objection goes away—you’re constantly tooling up on the job. I find IR work an endless problem solving challenge and a lot of fun.

Mar 21, 2021 · 2:52 PM UTC

I think there’s a large difference between in house Infosec folks getting pulled into IR on an infrequent basis and IR consultants that do it all the time which allows for both viewpoints to be valid.
This is also true. I fall in neither category. I'm the external consultant infrequently pulled into IR :) By choice, cuz I could never do this "all the time".