Forged by Fire
Wildfire incident response doctrine mapped to NIST Cyber IR
Most people learn incident response from a framework.
I learned it as a captain in a volunteer fire department.
A certification gave me vocabulary. The fireground gave me discipline. The kind that matters when time is short, information is incomplete, and people are counting on you.
This Field Note is written like a wildfire response guide on purpose. Wildland doctrine forces operational clarity: preparation, size-up, risk management, triage, tactics, safety, mop-up, and learning.
Cyber incident response is the same work, just with different fuel.
This is a 3-part series.
Part 1 (this post): Forged by Fire
The doctrine. A wildfire-style incident response guide mapped to modern NIST guidance.
Part 2: The Field Manual
Templates and pocket cards you can copy and use.
Part 3: Command and Control
Triage, trigger points, escalation, recovery sequencing, and the AAR that changes outcomes.
The current cyber source of truth
NIST’s current incident response publication is SP 800-61r3 (Final, 2025). It is written as a CSF 2.0 Community Profile so organizations can integrate incident response recommendations throughout cybersecurity risk management, not just during a crisis.
So instead of treating IR as “a separate activity,” the model becomes: preparedness and response are part of how you run the program.
That is also how wildland doctrine works. The NWCG Incident Response Pocket Guide (IRPG) 2025 exists because the fireline is not the place to invent process. The guide distills operational standards, safety doctrine, and decision aids into something you can use under stress.
The mapping
This is the translation layer for the rest of the guide.
Wildfire doctrine step → Cyber IR capability (SP 800-61r3 aligned)
Pre-incident planning and readiness → incident response integrated into risk management and readiness activities
Report, size-up, intelligence, risk management → disciplined detection, analysis, and decision support
Tactics, structure defense, containment and control, safety discipline → coordinated response actions to limit impact and regain control
Mop-up, patrol, AAR, reporting → continuous improvement and resilience through learning loops
That’s the core point of this Field Note: the outcome of the incident is decided early, and your performance under pressure is the product of work done in the midst of calm. Like Sun Tzu said, “Plan for what is difficult while it is easy. Do what is great while it is small.”
Phase 1: Preparation
Wildfire: reduce exposure before there is flame
Cyber: reduce blast radius before there is breach
Wildland-urban interface (WUI) work exists as a distinct discipline because homes, terrain, access, and time-to-impact make “normal” tactics insufficient. USFA WUI resources and training emphasize planning and readiness for interface operations.
Cyber has an equivalent reality: cloud scale, identity sprawl, third-party dependencies, and rapid attacker reuse make “we’ll figure it out during the incident” a losing strategy.
Step 1.1 — Build the plan before the incident
Wildfire equivalent
The IRPG exists as a pocket reference because crews need durable process and safety doctrine in changing conditions.
Cyber mapping
SP 800-61r3’s posture is straightforward: build incident response into your program so response is not improvised governance.
Your minimum deliverable
Named incident lead (commander)
Named technical lead
Named communications lead
Named decision authority for containment and public/legal notification paths
If these are “a committee,” you do not have command. You have delay.
Step 1.2 — Pre-stage resources and access
Wildfire equivalent
WUI training reinforces planning for resources, access, and safe operations based on conditions.
Cyber mapping
Pre-stage your “water supply”:
backups that you have tested restoring
known-good builds (gold images)
a trusted admin path (clean workstations and clean credentials)
logging and retention that match the dwell time you realistically face*
*more on this in future posts!
This is not a tooling point. It’s a readiness point.
Step 1.3 — Decide your priorities before you are forced to
Wildfire equivalent
Wildland doctrine makes safety and risk management foundational, not optional, and the IRPG is built around that discipline.
Cyber mapping
Write decision thresholds now:
When do we isolate a segment?
When do we revoke access at scale?
When do we take an outage to stop spread?
Who is authorized to make that call?
This is what separates response from panic. If you’re making decisions mid-crisis, you’re not the one making the decisions.
Phase 2: Report, Size-Up, Risk Management
Wildfire: do not fight what you have not understood
Cyber: do not contain what you have not scoped
Step 2.1 — Name the incident and establish command
Wildfire equivalent
The IRPG exists for rapid decision-making under stress.
Cyber mapping
Within the first minutes:
Name the incident
Declare command roles
Establish a working scope hypothesis
Identify evidence sources that support that hypothesis
This is not bureaucracy. This is preventing fragmentation.
Step 2.2 — Run a continuous risk loop
Wildfire equivalent
Risk management is a constant operational function, not a one-time checklist. The Red Book is explicit about risk management and operational discipline.
Cyber mapping
Treat detection and analysis as a loop:
identify hazards (what is compromised)
assess spread potential
select controls (containment options)
implement controls
evaluate and adjust
That is how you keep the attacker from setting your tempo.
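As an added example (not part of this Field Note, SP 800-61r3, or the IRPG), here are the Step 1.3 decision thresholds written down as code and re-evaluated on every pass of the Step 2.2 risk loop. The trigger values, role names and size-up figures are constructed assumptions; the point is that each threshold and its approver exist before the incident does.

```python
"""Pre-written containment trigger points evaluated inside a continuous risk loop.
Added example for this Field Note; thresholds, roles and figures are constructed."""
from dataclasses import dataclass


@dataclass
class SizeUp:
    """Current scope hypothesis, refreshed each pass of the risk loop."""
    segment: str
    hosts_in_segment: int
    confirmed_compromised: int      # hosts with confirmed attacker activity
    privileged_accounts_hit: int    # admin/service accounts seen misused
    new_hosts_last_hour: int        # spread rate observed in the last hour


def _share_compromised(s: SizeUp) -> float:
    # Guard against an empty segment so the ratio never divides by zero.
    return s.confirmed_compromised / s.hosts_in_segment if s.hosts_in_segment else 0.0


# Constructed trigger points: (name, predicate, containment action, named approver).
# Writing these in calm is the work; the approver is a role, not a committee.
TRIGGERS = [
    ("segment_spread",
     lambda s: s.confirmed_compromised >= 3 or _share_compromised(s) >= 0.10,
     "isolate segment", "incident lead"),
    ("privileged_misuse",
     lambda s: s.privileged_accounts_hit >= 1,
     "revoke and rotate credentials at scale", "technical lead"),
    ("tempo_lost",
     lambda s: s.new_hosts_last_hour >= 5,
     "take the outage to stop spread", "containment decision authority"),
]


def decide(sizeup: SizeUp) -> list[dict]:
    """Return every pre-authorized action whose threshold this size-up meets."""
    return [{"trigger": name, "action": action, "approver": approver}
            for name, hit, action, approver in TRIGGERS if hit(sizeup)]


def risk_loop(sizeups: list[SizeUp]) -> list[tuple[str, list[str]]]:
    """One pass per size-up: identify hazards, assess spread, select controls.
    Returns (segment, actions) per pass so the log shows when each threshold tripped."""
    return [(s.segment, [d["action"] for d in decide(s)]) for s in sizeups]


if __name__ == "__main__":
    # Constructed timeline: three passes of the loop on one segment.
    passes = [
        SizeUp("corp-vlan-12", 40, 1, 0, 1),   # below every threshold
        SizeUp("corp-vlan-12", 40, 3, 0, 2),   # host count trips segment_spread
        SizeUp("corp-vlan-12", 40, 9, 1, 6),   # privileged misuse and tempo lost
    ]
    for seg, actions in risk_loop(passes):
        print(seg, actions or ["continue monitoring"])
```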
Phase 3: Containment, Control, Recovery
Wildfire: you cannot defend everything
Cyber: you cannot save everything
Step 3.1 — Triage what can be defended safely
Wildfire equivalent
The IRPG includes structure triage concepts that force honest prioritization and safety-based commitment.
Cyber mapping
Not every system stays online. Not every host gets saved first. Some things get isolated to prevent spread, even if it hurts.
Triage is not cruelty. It is professionalism. We’re talking cattle vs. pets.
Step 3.2 — Do not commit without safety doctrine
Wildfire equivalent
IRPG safety doctrine exists because conditions shift faster than humans can rationalize.
Cyber mapping
Before major containment actions, you need the cyber equivalents of:
someone watching telemetry continuously
authoritative comms and an out-of-band backup
isolation actions plus rollback plans
a known-good rebuild path and trusted admin playbooks
If you cannot check off each of those, you have already lost.
Step 3.3 — Recover deliberately, then patrol
Wildfire equivalent
Mop-up and patrol exist because embers and spot fires persist after the front passes.
Cyber mapping
After “containment,” you hunt persistence, validate integrity, and monitor for re-entry. A quiet attacker is not proof of safety.
Phase 4: Post-Incident Learning
Wildfire: AAR (after-action review) is how competence compounds
Cyber: improvement is part of response
Step 4.1 — AAR that produces changes
Wildfire equivalent
The IRPG is updated over time to reflect learning and standardization across agencies.
Cyber mapping
SP 800-61r3 is written to integrate IR into risk management and improvement. Post-incident work is where you reduce the next incident’s impact.
Your AAR should produce changes you can point to:
updated decision thresholds
updated containment options
clarified authority
closed logging gaps
scheduled exercises
Closing
The fireground taught me something cyber teams learn the hard way: the incident is decided before it ever happens.
What’s Next?
In Part 2, I’m publishing the field manual: templates and pocket cards you can run in a tabletop or a real incident.
In Part 3, Command and Control. Triage, trigger points, escalation discipline, and recovery decisions that hold up under pressure.
*After this trilogy: turning dwell time data and incident history into logging and retention standards you can defend.