This document discusses best practices for detecting and responding to security breaches. It states that comprehensive security intelligence is needed to scope infections and disrupt breaches. An investigation demo shows how connecting threat intelligence, network, endpoint, and identity data helps identify the root cause of a breach. Best practices for breach response include ingesting data from network, endpoint, threat intelligence, and identity sources, and using a security intelligence platform to automate analysis and improve techniques for preventing compromises from becoming breaches.