Most security incidents are not won or lost in the response itself; they are won or lost in the first hour, when scope is unclear, evidence is fragile, and the temptation to react before thinking is at its highest. The operational playbook for that first hour is well-documented but consistently under-rehearsed. NIST’s Computer Security Incident Handling Guide (SP 800-61r2) at nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf sets the canonical framework; ENISA’s CSIRT handbook fills in the European context.
Stripped down to the essentials, the first hour breaks into four distinct activities, in order.
Minutes 0-10: Confirm and triage
The first decision is whether what is happening is actually an incident. The detection signal that brought the alert may be a false positive (most are), a benign anomaly, or a true compromise. Before the response machinery activates, someone with judgement needs to look at the evidence and reach a confidence threshold.
Concrete checklist:
Pull the original alert and the supporting telemetry. EDR detection, SIEM correlation, IDS hit, user report, whatever started it.
Validate the affected asset. Is it real? Is it production? What is on it?
Look for second-source confirmation. A single EDR alert is suspicious; the same activity confirmed by network telemetry or by user report is much closer to actual.
Raise or stand down. If raised, the incident becomes a defined event with an owner, a tracker, and a clock. If stood down, document why so the next analyst does not start over.
This is the stage where most organisations fail: the alert is dismissed without proper triage, and the same activity reappears two weeks later as a confirmed breach.
Minutes 10-25: Activate the response and define scope
Once the incident is confirmed, the response team activates. In a mature organisation this is a defined call list and a defined process. In most organisations it is improvised. Either way, the activities of this stage are:
Convene the core team. Incident commander (someone with decision authority), lead investigator, communications lead, and a scribe who records everything in a single canonical timeline.
Open a dedicated channel. A separate Slack room, Teams channel, or war room, out of the main work channels so the conversation has a clean record and is harder to leak.
Assume your communications channel is potentially compromised. If the indicator is account takeover or email compromise, do not coordinate the response on the compromised platform. Use a separate, out-of-band channel, Signal, dedicated phone bridge, or a different SaaS instance.
Define initial scope. What systems, accounts, or data are confirmed affected? What is suspected? What is ruled out? Document the answer at this point in time. Scope will change; the timeline of what was known when is what regulators and lawyers will ask for later.
Notify the stakeholders. Legal counsel must be in the loop early, privilege starts running from the first communication. Cyber-insurance carriers usually require notification within hours under policy terms. Executive sponsors get a one-paragraph briefing, no speculation.
Three things to deliberately not do at this stage:
Do not power off affected machines. You will lose volatile memory and active session evidence. Network-isolate them via EDR instead.
Do not delete malware. Preserve the artefacts for analysis. The IOC you destroy is the pivot point you need three days from now.
Do not communicate externally. No customer notifications, no press, no social media. Get the facts first.
Minutes 25-45: Contain, do not eradicate
Containment is reducing the blast radius. Eradication is removing the attacker. Containment first; eradication later, when scope is fully understood. Premature eradication tells the attacker they are detected and triggers data destruction or accelerated exfil.
Containment actions, in priority order:
Network-isolate confirmed compromised hosts. Modern EDR consoles do this in one click. Preserves the host, cuts attacker access.
Disable confirmed compromised accounts. Both at the identity provider and at the application level. Terminate active sessions; revoke OAuth tokens.
Block confirmed attacker infrastructure. Add command-and-control IPs and domains to firewall blocklists, DNS sinkholes, and EDR custom indicators.
Preserve evidence as you go. Memory dumps from affected hosts before reboot, packet captures of any continuing C2 traffic, snapshots of cloud workloads and storage. Chain of custody starts now.
The judgement call: how aggressively to contain. Aggressive containment risks tipping the attacker; conservative containment risks ongoing data theft. The right answer depends on confidence in scope and on the asset class affected. CISA’s "First 24 Hours of Detection and Response" guidance is a useful reference.
Minutes 45-60: Stand up the long-running incident response
The first hour ends with a transition: from urgent triage to sustained investigation. The operational shape of the next 24 to 72 hours becomes clearer.
Activities at this point:
Engage external incident response if the scope warrants. Mandiant, CrowdStrike Services, Unit 42, Kroll, Stroz Friedberg, Coveware. Cyber-insurance carriers usually have preferred panels; using them simplifies the claim.
Open the legal track. Outside counsel, regulatory notification timelines (GDPR’s 72-hour rule, US state breach notification laws, SEC Item 1.05 disclosure for public companies, the SEC requirement is at sec.gov/files/rules/final/2023/33-11216.pdf).
Define investigation tracks. Forensics on affected hosts, identity investigation, network analysis, application logs, cloud audit logs. Each track gets an owner and a deliverable.
Plan the next briefing. Executive update at the end of hour two; SLT update at end of business day; cadence from there.
Decide on customer and external communication. The default is silence until facts are confirmed. Communications drafts should be prepared early, reviewed by legal, but only released when triggered by either confirmed disclosure obligation or the certainty that silence is no longer viable.
What separates the well-rehearsed from the rest
The single best predictor of a clean incident response is whether the playbook has been rehearsed. Tabletop exercises every six months, with executives and counsel in the room, are the difference between a smooth first hour and a chaotic one. CISA publishes free tabletop exercise packages at cisa.gov/resources-tools/services/tabletop-exercise-packages.
The second-best predictor is whether the technical contacts and approval authorities are documented somewhere accessible during a crisis. The most common failure mode of a 2 a.m. incident is "we cannot find the person who can authorise X." Pre-approval, written into the runbook, eliminates an entire class of delay.
The first hour will be chaotic. The goal is not to make it calm; the goal is to make the chaos productive. Confirm, scope, contain, document, communicate, transition. The breach will write its own story; the response decides whether that story ends well.