// Comparison

Intelligence-Driven Incident Response vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on defensive security, compared honestly: who each is for, what each does best, and which to read first.

Level: Intermediate
Rating: 4/5
Published: 2023
Intelligence-Driven Incident Response

Outwitting the Adversary

Scott J. Roberts, Rebekah Brown

A practitioner's guide to wiring threat intelligence into the incident response loop, built around the F3EAD cycle rather than tool-of-the-week tutorials.

Level: Intermediate
Rating: 5/5
Published: 2013
The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

  • Intelligence-Driven Incident Response: IR analysts and CTI practitioners who want a shared process language, and team leads building an intel capability from scratch.
  • The Practice of Network Security Monitoring: Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

  • Intelligence-Driven Incident Response: Anyone hunting for hands-on tooling labs or detection engineering recipes. This is process and analytic tradecraft, not a hands-on lab manual.
  • The Practice of Network Security Monitoring: Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

Intelligence-Driven Incident Response

  • F3EAD gives incident response and intelligence a single, repeatable loop instead of two disconnected workflows.
  • Good intelligence is a product with a consumer; if no decision changes, the analysis was overhead.
  • Attribution and the kill chain are tools for action, not trophies to collect.

The Practice of Network Security Monitoring

  • Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
  • The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
  • Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Intelligence-Driven Incident Response). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Intelligence-Driven Incident Response is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Intelligence-Driven Incident Response and The Practice of Network Security Monitoring both cover defensive security, so reading them in sequence reinforces the same material from different angles.
