Most companies do not get to choose whether they have a security incident. They get to choose what the first hour looks like.
The first hour decides almost everything that follows: whether the incident becomes a breach notification, whether you preserve the evidence your forensics partner will need, whether your customers hear from you or from a journalist, and how long the incident actually lasts.
Here is the sequence a competent IR team works through.
Minute 1 to 15: Scope, Classify, Notify, Contain
The first four decisions happen fast and often at the same time.
- Scope: what systems, accounts, or data are potentially involved? Start broad, narrow with evidence
- Classify: severity tier based on your pre-defined criteria. Not by gut feel
- Notify: page the incident commander, notify leadership, start the running timeline
- Contain: stop the bleed where containment doesn't destroy evidence (revoke sessions, disable accounts, isolate the host from the network; do not wipe or reimage yet)
The hardest part of the first fifteen minutes is holding back on that last step. Reflexively wiping a compromised laptop is how you lose the ability to answer the only questions that matter later: what did they access, how did they get in, and are they still in?
Minute 15 to 30: Eradicate vs Preserve
Eradication and evidence preservation want opposite things. Eradication says remove the attacker now. Preservation says freeze the environment so the forensics partner can reconstruct what happened.
The competent answer is to do both, in that order. Snapshot the affected systems first, most volatile evidence first: capture memory before you power anything down, then image the disk, and keep network captures running throughout. Record a hash of each capture as you take it so its integrity can be shown later. Then eradicate. If you eradicate first, your later forensics is guesswork. If you preserve forever without eradicating, the attacker is still operational.
Minute 30 to 45: Stakeholder Communication
Two audiences, two messages. Internal: leadership, legal, customer success, comms. They need to know what you know, what you do not know, and what you are doing about it. External: customers, regulators, law enforcement, insurance carrier. Do not over-commit in the first hour. Say what is true, timestamp it, and promise an update.
Your cyber insurance carrier almost certainly requires early notification. Many policies have a 48 or 72 hour window; miss it and coverage can be disputed. This call happens in the first hour, not the next day.
Minute 45 to 60: Documentation That Survives the Audit
The running timeline is the most valuable artifact of the incident. Every decision, every notification, every containment action, every finding: timestamped in one time zone (UTC is the safe choice), with who did it and why, in a single document. If the forensics partner, regulator, auditor, or insurance carrier asks for a chronology later, this is it.
Build the timeline as the incident unfolds, not from memory on day three. Memory under pressure is unreliable. A running timeline is the cheapest insurance policy you have.
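The following is an added example, not Cloud Sentry's tooling, of what a running timeline that survives the audit can look like in code: an append-only chronology where each entry carries a UTC timestamp and a hash of the entry before it, so a later edit or deletion is detectable, plus a check that no host was eradicated before a snapshot was recorded for it (the ordering rule from the 15-to-30 minute section). The incident ID, hostnames, actors and timestamps in the sample are constructed for illustration.

```python
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64  # "previous hash" carried by the first entry


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class IncidentTimeline:
    """Append-only, hash-chained chronology. Every entry commits to the one before it,
    so a later edit or deletion breaks the chain and verify() reports it."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, action, detail, host=None, when=None) -> dict:
        when = when or datetime.now(timezone.utc)  # always UTC, never local wall-clock time
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "host": host,
            "detail": detail,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if sequence numbers, hash links, per-entry digests and time order all hold."""
        prev_hash, prev_ts = GENESIS_HASH, ""
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev_hash or e["ts"] < prev_ts:
                return False
            if _digest(e) != e["hash"]:
                return False
            prev_hash, prev_ts = e["hash"], e["ts"]
        return True

    def eradication_violations(self) -> list:
        """Hosts with an 'eradicate' entry before any 'snapshot' entry for that host."""
        snapshotted, violations = set(), []
        for e in self.entries:
            if e["action"] == "snapshot":
                snapshotted.add(e["host"])
            elif e["action"] == "eradicate" and e["host"] not in snapshotted:
                violations.append(e["host"])
        return violations

    def export(self) -> str:
        """One JSON object per line; this is the chronology you hand to forensics or counsel."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_timeline() -> IncidentTimeline:
    """Constructed sample of a 2am page; incident ID, hosts and actors are fictional."""
    t0 = datetime(2024, 3, 9, 2, 4, tzinfo=timezone.utc)
    tl = IncidentTimeline("INC-2024-0042")
    steps = [
        (0, "oncall", "scope", None, "EDR alert: credential dumping on ws-042; IdP shows 3 new OAuth grants"),
        (3, "oncall", "classify", None, "SEV-2 per playbook: confirmed endpoint compromise, data exposure unknown"),
        (5, "oncall", "notify", None, "Paged IC, legal, comms; carrier hotline called"),
        (9, "ic", "contain", "ws-042", "Sessions revoked, account disabled, host network-isolated via EDR"),
        (18, "ir-analyst", "snapshot", "ws-042", "Memory capture then full disk image; hashes recorded"),
        (27, "ir-analyst", "eradicate", "ws-042", "Reimaged from gold build after evidence hand-off"),
        (31, "helpdesk", "eradicate", "ws-077", "Laptop wiped on user request; no snapshot taken"),
    ]
    for minutes, actor, action, host, detail in steps:
        tl.record(actor, action, detail, host=host, when=t0 + timedelta(minutes=minutes))
    return tl


def tampered_verifies() -> bool:
    """Reword a containment entry in a copy without re-hashing; the chain must reject it."""
    tl = copy.deepcopy(build_sample_timeline())
    tl.entries[3]["detail"] = "Sessions revoked at 02:05"
    return tl.verify()


if __name__ == "__main__":
    tl = build_sample_timeline()
    print(tl.export())
    print("chain intact:", tl.verify())
    print("eradicated before snapshot:", tl.eradication_violations())
    print("tampered copy verifies:", tampered_verifies())
```

The hash chain only proves that entries were not altered after they were written; it does not prove who wrote them or stop someone replacing the whole file. For that, ship the export line by line to a store the responders cannot rewrite (a ticket, a write-once bucket, a signed mail to counsel) as the incident unfolds. The sample deliberately includes ws-077, wiped with no snapshot, to show the ordering check flag exactly the mistake the section warns about.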
The Prerequisite: A Playbook You Have Actually Run
None of the above works if you are reading it for the first time at minute five. The first hour requires a playbook that names the incident commander, classification criteria, notification list with phone numbers, containment decision tree, and stakeholder communication templates.
A written playbook is not enough. You need to have run a tabletop exercise against it in the last twelve months. Tabletops surface the gaps written plans never do.
Where Cloud Sentry Fits
For companies that do not have 24/7 SOC coverage, we run the incident response function as part of Managed Operations: named incident commander, documented playbook, quarterly tabletop, carrier notification on our call list. When something triggers at 2am, you do not have to figure out the first hour. We are already in it.
Get your incident response playbook in order
Book a Discovery Call

