the early steps, incident management tends to follow the same immediate action steps. As more information is gathered, the team’s actions will be adjusted to fit the circumstances. Upon receiving an alert that a questionable event has occurred, the first step is to verify that it has occurred. Some technical tools, such as an Intrusion Detection System (IDS), may produce “false positive” events depending on their configuration. Activating a reaction team for every alert may wear people out by “crying wolf” too often and lessen the urgency of a real summons.