Having an intruder inside your systems for months, unnoticed by system administrators, security specialists and end users alike, is tantamount to giving the intruder the keys to your business or organization. In far too many cases, organizations discover that they have been subjected to a data breach by being told by someone else that their private data has been offered for sale on the dark web. Leading voices within the security profession state we must do better at detecting the intruder in our midst; many say that detecting the intruder should be the priority for security professionals. Ransomware attacks have become big business, involving not only large-scale extortion attacks but also the selling of ransomware attack tools and services and exploitation of data exfiltrated during the breach. Government officials and industry professionals around the world, such as Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technology, have raised their voices about this “new and very troubling variant” in the advanced persistent threat (APT) attackers’ business model. In this course, we will focus on incident response and recovery. We will explore the incident life cycle as defined by NIST and continue with a deeper look at supporting forensic investigations. We will also extend these ideas and concepts around the theme of business continuity and disaster recovery.