Cyber resilience has emerged as a complementary concept to cybersecurity, expanding the traditional predict and-protect paradigm to include business continuity and adaptive capacities. However, much of the literature remains normative, emphasizing what organizations should do, rather than analyzing what cyber resilience looks like in practice. This paper presents a theoretical framework for analyzing cyber resilience in organizations. Drawing on resilience theory and socio-technical systems theory, the framework identifies four interdependent capabilities—anticipate, withstand, recover, and adapt—and uses the principle of joint optimization to examine how technical and social elements interact within and across these capabilities. The framework was developed using a concept analysis method and is designed to be applied to empirical data, such as interviews or case studies. Its key contribution is to enable structured analysis of how resilience manifests, and how different capabilities compensate for one another depending on the system’s state. We argue that the organization is constantly evolving and changing, meaning that observations are of a temporary system state that has already begun to change. However, analyzing snapshots of the system’s capabilities can help identify areas for improvement. Future research can apply the framework to understand the mechanisms underlying cyber resilience.