What to do in the first hour of an incident
The decisions you make in the first sixty minutes shape what recovery costs and how long it takes. A practical guide for the people who get the call.
By CyberWolfe Security Team
It is almost never a clean alert that tells you something is wrong. It is a finance manager asking why a supplier says they never received payment. It is a server that rebooted on its own. It is a staff member mentioning, almost in passing, that their mailbox sent emails they did not write. By the time a human notices, the attacker has usually been inside for a while.
What you do in the next hour matters more than almost anything that follows. We have run enough of these to see the same early mistakes turn a contained problem into a six-figure recovery. Here is how to spend that hour well.
Resist the urge to clean up
The strongest instinct, especially for a capable IT person, is to fix it. Delete the malware, reset the password, wipe the machine, get everyone back to work. That instinct is the single most expensive reflex in incident response.
When you wipe a compromised laptop, you destroy the evidence that tells you how the attacker got in, what they touched, and whether they are still inside elsewhere. You close one door while leaving three others open, and now you cannot even find them. Pulling power is just as bad, because a lot of useful evidence lives only in memory: running processes, open network connections, injected code, and in some cases the keys a ransomware process is holding. All of it vanishes the moment the machine goes dark.
There is one exception worth knowing. If a system is actively encrypting files in front of you, isolating it from the network is the right call. Disconnect the network cable or disable the adapter. Do not shut it down. Isolation stops it from reaching file shares and other hosts while keeping memory and disk state intact for the responders. If it is a virtual machine, suspend it or take a snapshot that includes memory rather than powering it off, for the same reason.
Write down what you know, with timestamps
Open a document and start a timeline. When was the first sign noticed, and by whom? What exactly did they see? What has anyone already done, including the well-meaning password reset someone did twenty minutes ago before they called you?
This sounds bureaucratic in the middle of a crisis. It is the opposite. The timeline becomes the spine of the entire response. Your insurer will want it. Legal counsel will want it. The responders you bring in will save hours because you can tell them what is already known instead of making them rediscover it. And memory degrades fast under stress, so capture it while it is fresh.
Contain without destroying
Containment and eradication are different steps, and rushing the second one is how reinfections happen. In the first hour you are trying to limit the blast radius, not win the war.
Isolate affected systems from the network. Disable rather than delete suspicious accounts, so you keep the ability to investigate them, and remember that disabling an account does not always end the sessions or tokens it already holds, so revoke those as well. If you believe credentials are compromised, prepare to rotate them, but think about order, because rotating the wrong account first can tip off an attacker who still has a foothold. For anything involving email or cloud identity, export the audit logs before you start changing settings, since some platforms age logs out faster than you would expect, and record a hash of each export so nobody can later question whether it was altered.
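A small helper in the spirit of both the timeline section and the containment step above, written as an added example for this article rather than a tool from the original text: it keeps a timestamped timeline, copies and hashes a log file before anything is changed, and refuses to record a containment change until the logs it depends on have been preserved. The mailbox audit lines, the account name jdoe, and the people named in the timeline are constructed for the demonstration.

```python
"""First-hour evidence helper: a timestamped timeline plus hashed copies of
the logs you need to keep before touching anything.

Added example for this article, not a tool from the original text. The
sample audit lines and the account name jdoe are constructed."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class IncidentLog:
    def __init__(self, root):
        self.root = Path(root)
        self.evidence = self.root / "evidence"
        self.evidence.mkdir(parents=True, exist_ok=True)
        self.timeline = []   # entries in the order they were recorded
        self.manifest = {}   # original path -> copy, hash, size

    def note(self, who, what, when=None):
        """Record an observation or action. Pass `when` for things that
        happened before the log was opened; otherwise stamp it now, in UTC."""
        entry = {"ts": (when or datetime.now(timezone.utc)).isoformat(),
                 "who": who, "what": what}
        self.timeline.append(entry)
        return entry

    def preserve(self, path, who):
        """Copy a log file into the evidence folder and record its SHA-256
        so the export can later be shown to be unaltered."""
        src = Path(path)
        data = src.read_bytes()
        digest = sha256_hex(data)
        dest = self.evidence / f"{src.name}.{digest[:12]}"
        shutil.copy2(src, dest)   # copy2 keeps the original file timestamps
        self.manifest[str(src)] = {"copy": str(dest), "sha256": digest,
                                   "bytes": len(data)}
        self.note(who, f"preserved {src.name} sha256={digest}")
        return digest

    def change(self, who, what, requires=()):
        """Record a containment change, but only after the logs it could
        affect have been preserved. Raises instead of silently proceeding."""
        missing = [str(Path(p)) for p in requires
                   if str(Path(p)) not in self.manifest]
        if missing:
            raise RuntimeError(f"preserve these before '{what}': {missing}")
        return self.note(who, what)

    def verify(self):
        """Re-hash every preserved copy; True means it still matches."""
        return {p: sha256_hex(Path(m["copy"]).read_bytes()) == m["sha256"]
                for p, m in self.manifest.items()}

    def write(self):
        out = self.root / "incident.json"
        out.write_text(json.dumps({"timeline": self.timeline,
                                   "manifest": self.manifest}, indent=2))
        return out


def demo():
    """Walk the first-hour sequence on constructed data and return what happened."""
    work = Path(tempfile.mkdtemp(prefix="first-hour-"))
    # Constructed stand-in for an exported mailbox audit trail (not real data).
    audit_text = (
        '2024-05-03T01:12:44Z user=jdoe op=AddInboxRule name="." action=MoveToFolder:RSS\n'
        '2024-05-03T01:13:02Z user=jdoe op=Send to=ap@supplier.example subject="Updated bank details"\n'
    )
    audit = work / "mailbox-audit.log"
    audit.write_text(audit_text)

    log = IncidentLog(work / "case")
    log.note("finance", "supplier says the May invoice was never paid",
             when=datetime(2024, 5, 3, 9, 5, tzinfo=timezone.utc))
    log.note("helpdesk", "reset jdoe password before escalating")  # already done; record it anyway
    blocked = False
    try:
        log.change("it", "disable account jdoe", requires=[audit])  # too early: log not preserved
    except RuntimeError:
        blocked = True
    digest = log.preserve(audit, "it")
    log.change("it", "disable account jdoe", requires=[audit])      # now allowed
    log.write()
    return {"blocked_before_preserve": blocked, "audit_text": audit_text,
            "sha256": digest, "verified": log.verify(),
            "entries": len(log.timeline)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the `requires` check is the order the section insists on: the helper will not let "disable account jdoe" into the record until the mailbox audit export has a hashed copy, and the password reset the helpdesk already did is written down rather than quietly forgotten. The resulting incident.json is the document you hand to the responders, the insurer and counsel.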
Make the calls you will be glad you made
Three phone calls belong in the first hour.
Your incident response partner, if you have one on retainer, comes first. This is the entire reason a retainer exists. The team already knows your environment, the rate is pre-negotiated, and you are not trying to find help on the open market at the worst possible moment.
Your cyber insurer, or your broker, comes next. Most policies have notification requirements with tight windows, and many require you to use approved vendors or risk the claim. Calling them early protects the coverage you are paying for.
Legal counsel comes third, and earlier if regulated data may be involved. Breach counsel shapes what gets documented and how, and in many cases brings the investigation under privilege. This is a conversation to have with a lawyer who does this work, not a general corporate attorney.
What not to do, briefly
Do not pay anything or even open negotiation with an attacker in the first hour. That is a deliberate decision made later, with data and counsel, not a panic move.
Do not announce the incident widely before you understand it. Internal rumor and premature customer communication both create problems that are hard to walk back.
Do not assume the obvious entry point is the only one. The phishing email that got reported is often not where the real access came from.
The honest reason this is hard
None of this is complicated to read. It is hard to execute because it runs against instinct, it happens at 2am, and the people on the scene are usually exhausted and afraid of being blamed. That is exactly why preparation matters more than knowledge. Knowing the steps is not the same as having rehearsed them.
If you take one thing from this, make it the first rule. When something goes wrong, your job in the first hour is to stabilize and preserve, not to fix. Slow is smooth, and smooth is fast.