Internal CSIRT

An internal CSIRT sits entirely within the organization being protected. The staff may be dedicated or part-time, but they are employees of the company.

The realistic aims of an internal CSIRT depend on its size and employment model, but the primary aim is to provide reactive services (the work done in the detection and analysis phase and in the containment, eradication, and recovery phase). As the team grows in size and dedication, it may provide proactive services such as creating security tools and improving IDS/IPS/firewall policies. These proactive services allow the organization to react more effectively.

Finally, larger CSIRTs may also move into the preparation stage, providing quality management services such as risk analysis, disaster recovery planning, and education and training.
