// Comparison

Incident Response and Computer Forensics vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52014

Incident Response and Computer Forensics

Jason T. Luttgens, Matthew Pepe, Kevin Mandia

Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.

Intermediate

5/52013

The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

Junior-to-senior incident responders, SOC leads, and CISOs who need the canonical cross-discipline reference for what a real IR program looks like end to end. Strongest as a structural primer — the maturity model implicit in the book is still the field's de facto baseline.

Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Readers wanting current tradecraft on identity-attack response (AAD, OAuth abuse, golden SAML), cloud-IR specifically, or modern EDR-driven hunting; the book is largely on-prem 2014. Pair with cloud-IR-specific resources (Mandiant blog, AWS / Azure incident-response runbooks) for the missing layer.

Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

Readiness is the engagement: most of what determines the outcome of an IR is decided before the call comes in.
The acquire-then-analyze discipline still holds; cutting that corner is what produces the bad-headline retrospectives.
The book's project-management chapters are the underrated half — most failed responses are management failures, not technical ones.

Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Incident Response and Computer Forensics). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Incident Response and Computer Forensics is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Incident Response and Computer Forensics and The Practice of Network Security Monitoring both cover Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading