Incident Response Escalation Guidance

Frequently Asked Questions

Q: I think I’ve been compromised, and it may be a vulnerability. What do I do?

A: Research existing vulnerabilities on the Cisco Security Advisory page, along with collecting relevant information—code version, platform, etc.—to see if it’s a known vulnerability.

Q: I think I’ve been compromised, and I’m not sure if it was a vulnerability or not. What do I do?

A: Use the forensic guides listed on this page, collect pertinent device outputs, and open a Service Request with Cisco TAC. Consider engaging Talos Incident Response whenever there is an active cyber incident. Refer to the Cisco Security Advisory page for the latest vulnerability information.

Q: When is it appropriate to contact Cisco’s Product Security Incident Response Team (PSIRT)?

A: Contact Cisco PSIRT when there is a belief that a product compromise related to a known PSIRT security advisory has happened or there is a suspicion of a new zero-day vulnerability in a Cisco product.

Q: Our organization is recovering from a cyber incident related to Cisco devices. What resources are available?

A: Refer to the appropriate Cisco hardening guides listed on this page for device hardware and software best practices.

Q: How can our organization better prepare for an incident response activity?

A: See Cisco’s What Is an Incident Response Plan for IT? Additionally, there are many freely available resources on the web, such as the SANS Institute’s Incident Handler's Handbook.


Forensic Guides

These documents are meant to be a resource for first-level incident responders who may suspect that a Cisco platform has been tampered with or compromised. They will assist a first responder in triaging the incident and ensuring that all information pertinent to a potential device compromise is collected.

Assessing the Integrity of Cisco Firepower Management Center Software

Cisco ASA Forensic Investigation Procedures for First Responders

Cisco Firepower 2100 Series Forensic Data Collection Procedures

Cisco Firepower 4100 Series and 9300 Series Appliances Forensic Data Collection Procedures

Cisco Firepower Threat Defense Forensic Data Collection Procedures

Cisco IOS Access Point Software Forensic Data Collection Procedures

Cisco IOS Software Forensic Data Collection Procedures

Cisco IOS XE Software Forensic Data Collection Procedures

Cisco IOS XR Software Forensic Data Collection Procedures

Cisco NX-OS Software Forensic Data Collection Procedures


Hardening Guides

These documents contain information that will help users secure Cisco operating systems and devices to increase the overall security of a network.

Cisco TelePresence Hardening Guide

Cisco UCS Hardening Guide

Cisco Guide to Securing Cisco NX-OS Software Devices

Cisco Guide to Harden Cisco IOS Devices


Technical Assistance Center (TAC)

Cisco TAC: https://www.cisco.com/c/en/us/support/index.html

Enterprise and Service Provider Products: 800-553-2447 US/Canada

Small Business Products : 866-606-1866 US/Canada

Cisco TAC Tools & Resources: https://www.cisco.com/c/en/us/support/web/tools-catalog.html


Cisco Services

See the Responding to a Security Incident section of this link for additional incident response resources not listed elsewhere on this page.

Cisco Security Services: https://www.cisco.com/c/en/us/products/security/service-listing.html

Talos Incident Response: https://talosintelligence.com/IR


Blog Links

Cisco Security Blog