The first hour of an incident sets the trajectory for everything that follows. Move too slowly and the attacker extends their foothold. React too aggressively and you might destroy forensic evidence or cause unnecessary business disruption.
This checklist is based on what we have seen work across hundreds of incidents. Adapt it to your environment, but the principles remain consistent.
Minutes 0–10: Confirm and classify
Validate the alert. Not every detection is an incident. Review the evidence, check for known false positive patterns, and confirm that the activity is genuinely malicious or suspicious.
Classify severity. Is this an isolated endpoint compromise, active lateral movement, or data exfiltration in progress? Your response intensity should match the severity.
Activate the response team. Notify the incident commander and relevant responders. For high-severity incidents, this includes leadership and legal.
Minutes 10–30: Scope and contain
Determine blast radius. Which systems are affected? What credentials may be compromised? What data could the attacker have accessed? Use your detection platform to trace the attack path.
Contain without destroying evidence. Isolate affected endpoints from the network, but avoid wiping or reimaging until forensic data is preserved. Disable compromised accounts, but log what you disable and when.
Preserve logs and artefacts. Ensure relevant logs are retained. If your log retention is short, export critical data immediately. Memory captures from affected systems are valuable if you can collect them safely.
Minutes 30–60: Stabilise and communicate
Verify containment is holding. Monitor for signs that the attacker is adapting: attempting to use other credentials, moving to systems you have not yet contained, or establishing new persistence mechanisms.
Draft initial communications. Prepare a factual summary for leadership: what happened, what you know, what you do not know yet, and what you are doing about it. Avoid speculation.
Document everything. Start an incident timeline. Record every action taken, every decision made, and every piece of evidence found. This documentation is critical for post-incident review and may be needed for regulatory reporting.
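One way to make the timeline in the last step (and the "log what you disable and when" step under containment) hold up in a post-incident review: an added Python example, not SenseOn's code or product, that hash-chains every recorded action so later alteration or deletion is detectable. Incident id, hostnames, analyst names and timestamps are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical helper, not SenseOn's code: a tamper-evident incident timeline.
# Each entry's hash covers the previous entry's hash, so editing, reordering
# or deleting an entry after the fact breaks the chain and verify() fails.
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentTimeline:
    def __init__(self, incident_id, severity):
        self.incident_id, self.severity = incident_id, severity
        self.entries = []

    def record(self, phase, actor, action, evidence=(), when=None):
        """Append one action (phase: confirm/scope/contain/preserve/...); UTC time."""
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "when": when.isoformat(),
            "phase": phase,
            "actor": actor,
            "action": action,
            "evidence": list(evidence),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "hash": _digest(body)})
        return body["seq"]

    def verify(self):
        """True only if no entry was altered, reordered or removed since recording."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def sample_timeline():
    """Constructed entries for an isolated endpoint compromise (placeholder names)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    tl = IncidentTimeline("INC-0001", "high")
    tl.record("confirm", "analyst1", "validated EDR alert as true positive", when=t0)
    tl.record("contain", "analyst2", "disable account jdoe", ["alert-1234"], when=t0)
    return tl
```

Export the entries as JSON alongside the evidence so the chain can be re-verified by whoever reviews the incident later.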
After the first hour
The initial response phase transitions into investigation and remediation. That work can take days or weeks. But the quality of your first 60 minutes determines whether you are investigating a contained incident or chasing an attacker who is still active in your environment.
Preparation matters most
The best incident response happens when the team has practised. Run tabletop exercises quarterly. Test your containment procedures. Verify that your detection platform gives you the visibility you need to scope an incident quickly.
SenseOn's correlated detection and response capabilities give teams the visibility to scope incidents in minutes rather than hours. Explore our platform to see how.