This paper focuses on defining levels of critical incident response maturity and how organizations can continually improve their incident response capabilities to help reduce the risk of experiencing a damaging incident. It provides a framework to help organizations determine where they are in the security journey and where they want to be.