Resolving security incidents in an enterprise environment (7 min)
Incident response (IR) in an enterprise environment is no longer just about “putting out fires.” This presentation will show a proven framework for preparing your organization for attacks, quickly detecting them, coordinating response across teams, and safely restoring operations, with an emphasis on metrics that reduce MTTR and minimize business impact. In the second part, we will introduce the IstroSec Gryphon tool, which complements EDR/XDR and SIEM with behavioral ransomware detection and the ability to operate in offline mode, which is key for sensitive or isolated network segments (OT/ICS, regulated environments). We will demonstrate selected features relevant to IR, including the isolation of compromised endpoints, blocking granularity (by path/file/hash), tactical use of ZTNA, real-time detection via kernel-level rules, centralized “server-side” task management, remote PowerShell/RDP/Filemanager for rapid investigation, and integration with third parties. We will also show how Gryphon supports post-attack recovery (file recovery, VSS protection) and threat hunting over acquired artifacts.
Lukáš Hlavička
IstroSec
Lukáš Hlavička, CISSP, GCFA, GXPN is currently serving as CTO of IstroSec. Previously he served as Director of DFIR department, Director of Governmental CSIRT and Court Expert. He has more than 14 years of experience in cybersecurity including experience managing an analytical team in a European country governmental CSIRT team and after serving …