Define Incident Commander (IC)
- One human, not a committee.
- Authorized to make shutdown decisions.
- Knows who to call without permission.
Checklist
Incident Response Quick-Start
60–90 minutes that determine survivability
Incidents do not begin with clarity. They begin with noise, confusion, and multiple stakeholders failing in parallel. This checklist exists so you can act quickly and defensibly in the first 60–90 minutes—before the blast radius expands and before irreversible mistakes are made.
containment
evidence
decisions
Command & communication
Who gets called, and on what channel
In the first 90 minutes, communication failure kills more companies than malware does.
Lock to a single comms channel
- No Slack across 6 threads.
- No email during email compromise.
- Use a trusted side-band channel (Teams IR, Signal, or response bridge).
Freeze stakeholder noise
- Execs: synced but not micromanaging.
- Techs: no “hero moves.”
- Legal/PR: alerted early, not “when it’s over.”
Evidence
What gets preserved and logged first
Data goes missing faster than you think—often by well-meaning responders.
Preserve the crime scene
- No “wipe and reimage.”
- No system restarts.
- No remediation scripts or AV nukes.
Capture volatile state
- Running processes.
- Network connections.
- Memory when possible.
Snapshot logs before rotation
- Auth logs (IdP / identity provider).
- Endpoint telemetry (EDR / XDR).
- Cloud admin actions.
Escalation
When and how to pull in outside help
You don’t get medals for suffering in silence. You get lawsuits.
Forensic partner
- They preserve data better than you can.
- They detect pivot paths you will miss.
- They protect chain of custody.
Legal counsel
- Privilege boundaries matter.
- Notification windows are real.
- “We didn’t know” is not a defense.
Insurance & PR
- Carriers have retained IR firms you may not.
- Public statements must be controlled.
- Containment ≠ disclosure.