Every engagement that incident response teams lead produces learnings - things that we tell ourselves we can do differently with each event, things that would prevent us from experiencing the same issues again. The circumstances surrounding each engagement lead to questions about our process cycles - from training to SDL, from threat models to detection and response. This talk will be a peek under the curtain at how Microsoft Identity handles our Security PIR process! High-quality post-incident reviews (PIRs) provide the single strongest insight into our capabilities in the future, if we invest properly and use them correctly. By creating a 'flywheel' for how we respond to security events, we make sure that we bake the learning into all areas of our culture and security posture. In each PIR we should critically, and blamelessly, evaluate our security education programs, product security reviews, monitoring, alerting, processes… The opportunities for growth are boundless. This talk will leave the audience with a stronger understanding of how a PIR process drives us to improve, learn from our events, and use data-driven analysis to make the wheel turn. They will leave with the knowledge that every detail, however small, produces key learnings and innovation.