Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for incident response are disclosed. In one aspect, a computer-implemented method includes receiving data identifying two or more groups of actions performed to remediate a computer security threat. The method includes determining first unique paths from a first action of each of the two or more groups of actions to a second action of each of the two or more groups of actions, and determining second unique paths from the second action of each of the two or more groups of actions to a third action of each of the two or more groups of actions. The method also includes combining common paths among the first unique paths and the second unique paths, identifying one of the common paths that appears most frequently, and determining a core path that includes a subset of the actions of the two or more groups of actions based on the one of the common paths that appears most frequently.
展开▼