Best Incident Response Software

Incident response software automates the process of finding and resolving security breaches, or provides users with the tools necessary to do so. Companies use these tools to monitor networks, infrastructure, and endpoints for intrusions and abnormal activity, and then to inspect and resolve intrusions and malware in the system. These products provide capabilities to resolve issues that arise after threats have bypassed firewalls and other security mechanisms. They alert administrators to unapproved access to applications and networks, and they can detect a variety of malware variants. Many tools automate the process of remedying these issues, while others guide users through known resolution processes.

Many incident response solutions function similarly to security information and event management (SIEM) software, but SIEM products provide a larger scope of security and IT management features.

To qualify for inclusion in the Incident Response category, a product must:

  • Monitor for anomalies within an IT system
  • Alert users of abnormal activity and detected malware
  • Automate or guide users through the remediation process
  • Store incident data for analytics and reporting

Incident Response reviews by real, verified users. Find unbiased ratings on user satisfaction, features, and price based on the most reviews available anywhere.

Compare Incident Response Software

Results: 77
G2 takes pride in showing unbiased ratings on user satisfaction. G2 does not allow for paid placement in any of our ratings.

    Rapid7 InsightIDR is a fully integrated detection and investigation solution that gives you the confidence to identify a compromise as soon as it occurs. InsightIDR leverages attacker analytics to detect intruder activity earlier in the attack chain, cutting down false positives and unnecessary work for security professionals. Hunt for actions indicative of compromised credentials, spot lateral movement across assets, detect malware, and set intruder traps. Make investigations 20x faster by uncovering insight hidden in your user activity, logs, and endpoints. With InsightIDR you can get up and running in hours, gaining the insight you need to make better decisions, faster.

    Trend Micro develops server security, cloud security, and small business content security solutions.

    Build, run and secure your AWS, Azure, Google Cloud Platform or Hybrid applications with Sumo Logic, a cloud-native, machine data analytics service for log management and time series metrics.

    Swimlane is a leader in security orchestration, automation and response (SOAR). By automating time-intensive, manual processes and operational workflows and delivering powerful, consolidated analytics, real-time dashboards and reporting from across your security infrastructure, Swimlane maximizes the incident response capabilities of over-burdened and understaffed security operations. Swimlane was founded to deliver scalable, innovative and flexible security solutions to organizations struggling with alert fatigue, vendor proliferation and chronic staffing shortages. Swimlane is at the forefront of the growing market for security automation and orchestration solutions that automate and organize security processes in repeatable ways to get the most out of available resources and accelerate incident response. Swimlane offers a broad array of features aimed at helping organizations to address both simple and complex security activities, from prioritizing alerts to remediating threats and improving performance across the entire operation. Swimlane is headquartered in Denver, Colorado with operations throughout North America and Europe.

    Cb Response is the market-leading incident response and threat hunting solution designed to provide responders with the most information possible, accompanied by expert threat analysis and armed with real-time response capabilities to stop attacks, minimize damage and close security gaps. Cb Response makes these teams more efficient, reducing investigations from days to hours, and more effective, enabling them to discover threats before attacks can exploit them. Cb Response also allows teams to connect to and isolate infected machines to prevent lateral movement and remediate devices without costly IT involvement.

    D3 Security provides a proven incident management platform that empowers security operations with a full-lifecycle remediation solution and a single tool to determine the root cause of and corrective action for any threat- be it cyber, physical, financial, IP or reputational.

    AlienVault USM Anywhere is a cloud-based security management solution that accelerates and centralizes threat detection, incident response, and compliance management for your cloud, hybrid cloud, and on-premises environments. USM Anywhere includes purpose-built cloud sensors that natively monitor your Amazon Web Services (AWS) and Microsoft Azure cloud environments. On premises, lightweight virtual sensors run on Microsoft Hyper-V and VMware ESXi to monitor your virtual private cloud and physical IT infrastructure. With USM Anywhere, you can rapidly deploy sensors into your cloud and on-premises environments while centrally managing data collection, security analysis, and threat detection from the AlienVault Secure Cloud.

    Five Essential Security Capabilities in a Single SaaS Platform: AlienVault USM Anywhere provides five essential security capabilities in a single SaaS solution, giving you everything you need for threat detection, incident response, and compliance management—all in a single pane of glass. With USM Anywhere, you can focus on finding and responding to threats, not managing software. An elastic, cloud-based security solution, USM Anywhere can readily scale to meet your threat detection needs as your hybrid cloud environment changes and grows.

    1. Asset Discovery
    2. Vulnerability Assessment
    3. Intrusion Detection
    4. Behavioral Monitoring
    5. SIEM

    DERDACK Enterprise Alert
    (6)4.8 out of 5

    DERDACK Enterprise Alert® is alert notification and mobile response software for on-premises and private cloud installation. It increases the agility and responsiveness of operations teams in manufacturing, utilities, IT services, transport and logistics. Enterprise Alert fully automates targeted alerting processes and provides for a faster, more reliable and effective response to incidents threatening the continuity of services and operations. This is of particular importance for 24/7 operated mission-critical systems and IT. Enterprise Alert provides automated and persistent alert notifications by voice, text, push, email and IM. It tracks the delivery of notifications, acknowledgements and replies and reacts automatically to non-delivery or non-reply by utilizing escalation chains, on-call schedules and presence information. Enterprise Alert enables convenient scheduling of on-call duties by drag and drop in any browser. Based on scheduling information, it can then alert the right engineers at the right time. Backup engineers and stand-ins are also supported. IT service staff or engineers who are alerted often need to communicate with managers, on-call staff of other teams or subject-matter experts. Derdack's Enterprise Notification Software provides a complete toolset for a real-time, anywhere collaboration experience. Handling critical incidents shouldn't stop with acknowledging an alert. With our mobile app you can comfortably manage alerts, troubleshoot problems and even resolve them by triggering parameter-based IT automation tasks. The mobile app mobilizes incident management and makes you independent of your monitoring or service desk console. Enterprise Alert has been specifically designed for large and global enterprises and organizations with the highest demands in reliability, productivity, integrations and security. That is why our product is one of the very few, if not the only one, that fully addresses the needs that come with running business-critical operations such as enterprise IT, manufacturing lines, and energy and utility generation and distribution.

    Demisto is a platform that provides automated and collaborative security solutions.

    LogRhythm, a leader in NextGen SIEM, empowers organizations on six continents to measurably reduce risk by rapidly detecting, responding to, and neutralizing cyberthreats. LogRhythm’s Threat Lifecycle Management (TLM) workflow is the foundation for security operations centers, helping customers secure their cloud, physical, and virtual infrastructures for IT and OT environments.

    Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations and access in hybrid IT environments to protect data regardless of its location. The platform provides security intelligence to identify security holes, detect anomalies in user behavior and investigate threat patterns in time to prevent real damage. Netwrix Auditor includes applications for Active Directory, Azure AD, Exchange, Office 365, Windows file servers, EMC storage devices, NetApp filer appliances, SharePoint, Oracle Database, SQL Server, VMware, Windows Server and network devices. Empowered with a RESTful API and user activity video recording, the platform delivers visibility and control across all of your on-premises and cloud-based IT systems in a unified way.

    Proofpoint Threat Response Auto-Pull (TRAP) gives messaging and security administrators the ability to automatically retract threats delivered to employee inboxes, and to quarantine emails that turn malicious after delivery. It can also retract messages sent in error, as well as inappropriate or malicious emails and emails containing compliance violations. It follows forwarded mail and distribution lists and creates an auditable activity trail. With Proofpoint Threat Response Auto-Pull, you can protect your people, data, and brand from today's threats by:

      • Automatically pulling malicious or unwanted messages from an end user's inbox.
      • Enriching each message by checking every domain and IP address against premium intelligence feeds.
      • Including built-in reporting, showing stats such as email quarantine successes or failures, email retraction read status, and targeting by Active Directory attribute.
      • Reducing the remediation time needed from hours to minutes.

    CylanceOPTICS uses machine learning (ML) and artificial intelligence (AI) to identify and prevent widespread security incidents, providing consistent visibility, targeted threat hunting, and fast incident response.

    The Resolve Software System is used to accelerate incident resolution for all types of incidents in customer care, network, and IT operation centers.

    The Siemplify Security Operations Platform is an intuitive, holistic workbench that makes security operations smarter, more efficient and more effective. Siemplify combines security orchestration, automation and response (SOAR) with context-driven case management, investigation and machine learning to make analysts more productive, security engineers more effective, and managers more informed about SOC performance.

    SIRP is a Security Orchestration, Automation and Response (SOAR) platform that helps organizations effectively manage their security operations with Incident Management, Threat Intelligence, Vulnerability Management and Risk Management modules. It combines security infrastructure orchestration, playbook automation and case management capabilities to integrate your team, processes and tools together. SIRP makes security data instantly actionable, provides valuable intelligence and context, and enables adaptive response to complex cyber threats.

    With experience in every industry, Symantec's Incident Response team can get your organization back to normal operations.

    A scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

    Vectra AI provides an automated threat management solution that monitors internal network traffic to detect in real time active cyber attacks inside networks.

    Check Point's multilayered security technology provides protection against advanced and zero-day cyber threats, preventing attacks, minimizing risks and offering rapid response.

    Hexadite Automated Incident Response Solution is software that remediates threats and compresses weeks of work into minutes. It optimizes overtaxed security resources for increased productivity, reduced costs and stronger overall security.

    StealthDEFEND is the real-time threat analytics component of STEALTHbits' Data Access Governance Suite. Leveraging unsupervised machine learning, StealthDEFEND eliminates excessive and undifferentiated warnings to surface truly meaningful trends and alerts on attempts to compromise your sensitive data. Top features:

    - Unsupervised Machine Learning – Analyze a rich set of data with machine learning models that evaluate, correlate, and baseline the activity and behavior of users.
    - Seamless Sensitive Data Integration – Threat and Data Access Governance information is seamlessly integrated, further reducing noise by homing in specifically on the files that matter most.
    - Preconfigured Threat Models – StealthDEFEND has been purpose-built to detect file system threats associated with ransomware, abnormal behavior, first-time host access, first-time client use, unusual processes, and more.
    - Response Playbooks – StealthDEFEND's actions engine automates security responses and connects various security applications and processes together with multi-stage actions. Out-of-the-box or custom "Playbooks" can be leveraged to respond to threats automatically or programmatically.
    - User Behavioral Profiles – A concrete understanding of each individual user's behavior is incorporated into StealthDEFEND's threat analytics and machine learning models, complemented by visuals that make understanding any user's normal behavior a trivial task.
    - Comprehensive Investigations – Create, configure, and save detailed reports, alerts, and threats on user and group activity.
    - SIEM Integration – Out-of-the-box SIEM integration and preconfigured dashboards extend ready-to-use functions.
    - Real-Time Alerting – Real-time security alerts powered by machine learning allow you to master your threat data in a continuous way that leads to faster investigations and threat neutralizations.
    - Interactive, Real-Time Visualizations – Through a unified web presentation layer, threat data is streamed, processed, and visualized as it happens, including modern visualization elements like heat maps that update themselves in real time to bring data to life.
    - Incident Detection Response Workflow – Quickly coordinate your team's efforts so they're prepared to share information and track who is working on an issue at any given time.

    ActivLink is middleware that integrates ActivWare, the Activus visualization and collaboration software platform, with a customer's analytical or monitoring software to automatically present actionable information based on a triggering event or alarm condition, leading to better, faster incident response.

    Cyber Triage™ is incident response software that simplifies the collection and analysis of endpoint data. Cyber Triage enables companies to have a first response capability by automating the collection and analysis of endpoint data that answers the triage questions. It provides endpoint visibility without requiring software agents. It compares data with other systems in the enterprise to help responders know what is normal. It makes the results available during future responses so the knowledge can be shared.

    The ServiceNow Instance Security Dashboard gives your ServiceNow administrator quick and easy visibility to your instances' current compliance levels based on application security standards.

    LogicManager believes performance is a result of effective risk management. Since 2005, LogicManager's enterprise risk management (ERM) software has empowered organizations to uphold their reputation, anticipate what's ahead, and improve business performance through strong governance. Today, LogicManager’s SaaS software and included advisory service help businesses integrate risk, governance, and compliance activities so they can protect their employees, customers, and shareholders. LogicManager was named one of Insight Success’ 50 Most Valuable Technology Companies, was awarded GRC 20/20’s GRC Value Award in Risk Management, and has been recognized by Forrester Research with a perfect 5.0 in Customer Feedback. With offices in the United States and Europe, LogicManager enables companies around the globe to achieve success. To learn more about LogicManager, visit

    OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management. According to The Forrester New Wave™: GDPR and Privacy Management Software, Q4 2018, OneTrust "leads the pack for vision and execution." Additionally, Fast Company named OneTrust one of 2019's World's Most Innovative Companies. More than 2,500 customers, both big and small and across 100 countries, use OneTrust to implement their privacy, security and third-party risk programs, automatically generating the specific record keeping needed to demonstrate compliance with privacy regulations including the EU GDPR, the California Consumer Privacy Act (CCPA), Brazil's LGPD, and hundreds of the world's privacy laws.

    ThreatCloud Incident Response helps mitigate future risks with post-incident reports and security best practices advisement.

    Control your website traffic with patent-pending click and block technology.

    Agari Incident Response™ is the only turnkey solution purpose-built for Microsoft Office 365 to automate the process of phishing incident response, remediation, and breach containment. Agari Incident Response, using continuous detection and response technology, simplifies and accelerates threat hunting by instantly discovering all email attacks matching newly discovered indicators of compromise (IOCs) across all inboxes. The Agari SOC Network, a cyber intelligence sharing network, provides a continuous source of human-vetted threat intelligence to member organizations from the world’s top SOCs, internal employee reported phish, and the Agari Cyber Intelligence Division (ACID).

    Kona Site Defender is designed to protect the web and mobile assets of organizations from sophisticated and targeted web application and DDoS attacks by providing customizable and advanced security features.

    Attack Mitigation System is a network security software with several security modules, like network behavioral analysis and intrusion prevention.

    Ayehu eyeShare is an IT toolbox that automates IT processes. Using a visual workflow and pre-built activities, it can automate tasks across systems including Linux, Windows, Active Directory, file systems, databases, storage, network, web and many more.

    Order, configure and deploy your Canaries throughout your network. Then you wait. Your Canaries run in the background, waiting for intruders.

    Cloud-based threat hunting and incident response (IR) solution delivering unfiltered visibility for top security operations centers (SOCs) and IR teams.

    CimSweep is a suite of CIM/WMI-based tools that make it possible to perform incident response and hunting operations remotely across all versions of Windows.

    Every incident is unique and one plan won't fit all situations. Cobalt helps you manage all those "What if?" moments and makes sure everyone is reacting accordingly. The result? The response you plan is the response you get. Our comprehensive platform provides the simplest and most effective way to coordinate your response team and track progress for incidents major and minor. This increased efficiency will get you back in business, faster. Cobalt is a cloud-based incident response system that keeps businesses and communities safe. Based on a highly secure, "off-the-shelf", per-user software service, Cobalt helps you plan for and respond to incidents as they unfold, right on your mobile device. Cobalt can also automatically trigger protocols to dispatch response teams immediately, right from your phone. Now distributed by major public safety organisations like Motorola Solutions, the Cobalt Mobile App allows users to access critical files, send mass notifications, trigger alerts, respond to assigned dynamic tasks, control patrols, and track security guards, keeping the command center and management team always up to date. In 2016, Cobalt was inducted into the Business Continuity Institute (BCI) Hall of Fame and received the World Innovation Award from CIR Magazine after winning the BCI's Middle East Innovation Award in 2013, 2014 and 2015. Cobalt is used by governments and financial institutions to keep operations intact when incidents occur. If you have any questions, don't hesitate to reach out. Our team is always on hand to help make sure you and your organization are running smoothly.

    To date, organizations have lacked an efficient process for gathering, organizing, and analyzing user reports of suspicious emails that may indicate early stages of a cyber attack. Cofense Reporter provides organizations with a simple, cost-effective way to fill this information gap.

    CDS technology analyzes in real time all communications between machines in your network. CDS offers comprehensive security coverage to defend organizations against the cyber threats of new generations.

    Continuity Engine ("CE") is a business continuity software that protects your most mission-critical applications with a goal of zero downtime. Beyond HA or replication, CE takes a proactive approach with true continuous data protection. CE delivers near-zero recovery times by monitoring the health of your applications and instantly failing over if a threat is detected. Simply put, we can help you prepare for and protect your applications, servers, and data from disaster and unplanned outages.

    CounterTrack EPPl is a solution that empowers security teams to counter advanced endpoint threats in real time, delivering unprecedented visibility and context around targeted, persistent threats for a comprehensive approach to endpoint detection and response.

    Cybereason automatically detects malicious activity and presents it in an intuitive way. It deploys easily with minimal organizational impact and provides end-to-end context of an attack campaign. Most organizations deploy Cybereason and start detecting attacks within 24 to 48 hours.

    DarkMatter's Cyber Network Defence division provides sophisticated active defence solutions, including assessments, penetration testing, threat hunting, and incident readiness and response services to help organisations unify and strengthen their security programmes.

    CyberSponse is an enterprise automation and orchestration platform that combines cyber security solutions with human intuition.

    Our Content Threat Removal Platform is the world's first cyber security solution that mitigates the risk of stegware attacks that hide from detection using steganography techniques.

    Evanios provides end-to-end visibility and actionable intelligence for dynamic IT environments. Utilizing preconfigured logic, machine learning algorithms, and ITSM contextual data, it automatically reduces alert noise, prioritizes events, identifies root cause and predicts outages before they occur.
    Malware Analysis (AX series) products provide a secure environment to test, replay, characterize, and document advanced malicious activities. Malware Analysis shows the cyber attack lifecycle, from the initial exploit and malware execution path to callback destinations and follow-on binary download attempts.

    FireEye Network Security (NX) solutions protect against known and unknown advanced attacks with the signature-less Multi-Vector Virtual Execution (MVX) engine, conventional intrusion prevention system (IPS) and intelligence-driven detection.

    Redline provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
