Technology Cybersecurity Security Operations & Incident Response

Incident Response

High scrutiny and high blast radius; proof and governance matter.

Mandiant (Google) CrowdStrike Palo Alto Networks IBM
Inside this journey
  1. Customer Discovery

    Rapidly capture incident timeline, impacted assets, decision-makers, and immediate constraints to prioritize response.

    Discovery Questions

    Start: Tell Us What Happened — in your words

    • In a few sentences, how would you describe the incident as you understand it right now?
    • When did you first notice anything unusual or receive the first alert? Options: Within the last hour, 1–6 hours ago, 6–24 hours ago, 1–3 days ago, More than 3 days ago, Unsure
    • Who initially reported or detected the problem (role/team and channel)? Options: SOC alert/monitoring, End user report, IT/endpoint alert, Third-party vendor, Executive/board, Other
    • What immediate symptoms are you seeing (e.g., encryption notice, service outages, unusual outbound traffic)? Please be specific.
    • Is an internal team actively responding right now? Options: Dedicated security/IR team on incident, IT/operations only, No formal response team yet, Using external vendor already
    • Which executives or business owners are currently briefed (select all that apply)? Options: CISO/Security Lead, General Counsel, CEO/President, CFO, Business Unit Head, Board or Board Chair, Not yet briefed

    If This Were a Movie, Where's the Smoke?

    • If an attacker still has a foothold, what single asset or system would you be most afraid they'd control next? Options: Active Directory / Domain Controllers, Email/Microsoft 365/Exchange, Backups or backup infrastructure, Customer database/PII, Payment/ERP systems, Production/cloud workloads, Source code/repos, Other
    • Which systems or sites are already showing signs of compromise (list names, regions, or critical identifiers)?
    • Which data types may be exposed or at risk (select all that apply)? Options: Personally Identifiable Information (PII), Protected Health Information (PHI), Payment Card Data (PCI), Intellectual property / source code, Financial records, Employee data, Other / Unsure
    • Have you observed any indicators of exfiltration or large outbound transfers? Options: Yes — confirmed exfiltration, Suspicious large transfers (possible exfiltration), No evidence yet, Not sure / need investigation
    • Are there ransom or extortion messages, threats to publish data, or external claims tied to this incident? Options: Ransom/exfiltration demands present, Threat actors claiming responsibility publicly, No threats yet, Unsure
    • Roughly, what is the hourly estimated business impact if the affected systems remain impaired? Options: Under $10k/hr, $10k–$50k/hr, $50k–$200k/hr, Over $200k/hr, Do not know / need help estimating

    Who Holds the Keys — and Who Needs to Know?

    • Who in your organization can immediately grant the access our team needs to deploy sensors and collect forensic data? Options: CISO or Security Leader, IT/Infrastructure Director, Cloud Admin (AWS/Azure/GCP), Network Admin, No single person identified, Legal must approve
    • Please list the primary decision-makers and the best phone/email for urgent escalation (name, role, preferred contact).
    • Are there legal, regulatory, or contractual constraints that would limit what we can collect or where we can run tools? Options: GDPR / EU data restrictions, Sector regulation (e.g., HIPAA, FINRA), Customer NDAs or contracts, Law enforcement involvement required, No constraints identified, Unsure — legal must confirm
    • Is a cyber insurance carrier, panel firm, or outside counsel already engaged or expecting notification? Options: Insurer notified and managing, Insurer on standby (retainer), Outside counsel involved, Notified none yet, Unsure
    • Have you notified or do you intend to notify law enforcement at this time? Options: Yes — already notified, Plan to notify immediately, Do not plan to notify, Undecided / need guidance

    What Would a Containment Win Look Like — Fast?

    • If we removed the attacker within the next 4 hours, what exact systems, processes, or data would you expect to be protected or restored to call it a success?
    • Which systems absolutely must remain online during containment efforts (select all that apply)? Options: Customer-facing services, Payment/transaction systems, Critical production PLC/OT, Communication/email systems, Backups and disaster recovery systems, None — can be taken offline if needed
    • Are there blackout windows, release freezes, or high-risk business periods in the next 72 hours we must avoid interrupting? Options: Yes — provide details below, No critical windows, Unsure / need calendar check
    • Which containment actions are off-limits under any circumstance (e.g., disconnecting domain controllers, taking backups offline)? Options: Disconnecting domain controllers, Shutting down production clusters, Modifying immutable backups, Blocking external connectivity to business-critical partners, No hard restrictions, Other
    • What is the maximum acceptable downtime for your top three critical systems (list system and acceptable downtime)?

    What Evidence Do We Have — and What Might Disappear?

    • If we delay collecting volatile data (memory, packet captures) by one shift, what evidence do you fear will be lost?
    • Which telemetry sources are currently available and accessible to us (select all that apply)? Options: EDR (endpoint detection) — specify vendor below, SIEM / central logging, Network packet captures / taps, Cloud provider logs (AWS/Azure/GCP), Authentication logs (AD/AzureAD), Pre-staged forensic sensors present, None available
    • If you selected EDR or SIEM, can you provide credentials or a read-only access path now? Options: Yes — credentials available immediately, Yes — requires approval, No — credentials unavailable, Unsure
    • When were backups last performed, are they isolated/offline, and have they been validated recently? Options: Backups current and isolated, Backups current but online, Backups outdated or unvalidated, No backups available, Unsure
    • Has any system been restarted, reimaged, or patched since the incident began that might alter forensic evidence? Options: Yes — list systems below, No, Unsure

    How Have You Tried to Fix This — and What Worked?

    • What single mitigation action you took felt most effective at slowing or stopping the activity?
    • Which of the following containment/remediation steps have already been attempted (select all that apply)? Options: Isolated infected endpoints, Blocked IPs/domains, Reset privileged credentials, Applied emergency patches, Restored systems from backup, Engaged internal/external vendors, None
    • Who executed those steps (internal security, IT ops, third-party) and at what times?
    • Did any attempted actions unintentionally reduce visibility or complicate evidence collection? Options: Yes — please describe below, No, Unsure
    • On a scale, how confident are you that current measures fully removed the adversary? Options: Not confident (attacker likely present), Somewhat confident, Confident attacker removed, Unsure / need forensic validation
    • Have you preserved a timeline or incident log of actions taken, and can you share it with our team? Options: Yes — timeline available, Partial notes only, No log kept yet

    What Would Success Look Like for You — Beyond 'Back Online'?

    • When this is fully resolved, what outcome would make leadership say this was handled perfectly?
    • Which deliverables are critical for your acceptance of the engagement (select all that apply)? Options: Detailed forensic report, IOC list and detection rules, Executive incident summary, Malware reverse engineering, Regulatory disclosure-ready documents, Chain-of-custody evidence package, Post-incident remediation roadmap
    • Who must sign off on the final deliverables (roles/names)?
    • Do you anticipate needing support for external communications, regulator notifications, or customer disclosure? Options: Yes — immediate PR/legal support needed, Yes — legal only, No external communications expected, Unsure / need guidance
    • Are there KPIs or timelines (e.g., restore within X hours, report within Y days) by which the engagement will be judged?

    Practical Constraints — What Could Slow Us Down?

    • What single operational or policy limitation is most likely to push our response from hours to days? Options: No admin/root credentials available, Change control approvals required, Procurement/PO process for vendor engagement, Legal or compliance freeze, Dependence on third-party/cloud provider, Other
    • Do existing contracts, procurement rules, or corporate policies require additional approvals before we engage or deploy tools? Options: Yes — list required approvers, No, Unsure
    • Is there an active retainer or emergency access agreement that covers this work and surge capacity? Options: Active retainer covering immediate work, Retainer exists but limited scope, No retainer — emergency engagement required, Unsure
    • Are there budget limitations or PO requirements that could delay our deployment? Options: Yes — PO required before any work, Budget approved for emergency spend, Budget uncertain / needs approval
    • Are there other ongoing incidents or industry-wide waves that could strain responder availability and affect SLAs? Options: Yes — high global activity expected, No — capacity seems available, Unsure

    Next Steps — Who Owns What in the First 8 Hours?

    • If we proceed now, who will be the single empowered point of contact for decisions in the first 8 hours? Options: CISO/Security Lead, IT/Infrastructure Director, Designated Incident Commander (name below), Legal counsel (for approvals), Other
    • What is the preferred urgent communication channel for minute-by-minute updates? Options: Phone call (direct), Secure chat (e.g., Signal/Teams), Email (urgent threads), Incident war room (video), Ticketing system only
    • Are there time-zone constraints or specific hours when we are NOT permitted to act? Options: No constraints — 24/7 OK, Restricted to business hours (specify below), Night/weekend restrictions apply, Unsure — need calendar check
    • Do we need an NDA, written access authorization, or a formal PO before we begin any collection or sensor deployment? Options: NDA/access authorization required, PO/contract required, No formal docs required to start, Unsure — legal to advise
    • Would you like us to schedule an immediate 60-minute incident kickoff to align scope, access, and next steps? Options: Yes — schedule now, Yes — within next 4 hours, Not now — schedule later, No, handle via messages
  2. Solution Experience

    Show how our pre-staged sensors, forensic playbooks, and threat-intelligence graph will identify attacker presence, exfiltration channels, and containment options in this incident.

    Experience Meetings

    • Current State & Consequence Alignment
    • Forensic Sensor Evidence Walkthrough
    • Threat‑Intelligence Graph Mapping
    • Containment Playbook Options & Tradeoffs Workshop
    • Execution & Validation Checklist Alignment
    • Confirm legal and evidence-preservation actions required before/after containment.
    • Tie Graph Goals to Current/Business Risk
    • Map attacker infrastructure to observed artifacts and identify specific containment cut-points.
    • Provide prioritized list of nodes (network, host, cloud) to block with estimated effectiveness.
    • Agree on confidence levels and residual risk after each potential block.
    • Obtain explicit customer validation that the proposed cut-points align with their operational constraints.
    • Freeze the list of prioritized block/containment targets and produce a one-page recommended cut plan.
    • Update detection rules and firewall/IDS signatures for the IOCs identified in the graph.
    • Deliver a short threat actor profile and observed TTPs tied to the customer's artifacts.
    • Recap Proven Attacker Paths & Critical Assets
    • Select a containment playbook with explicit owner and authorization path.
    • Agree on the business-impact tolerance and rollback triggers for the chosen approach.
    • Define acceptance tests that must pass to consider the attacker eradicated.
    • Introductions and Objective
    • Customer to authorize selected containment playbook and name an approval authority.
    • Operations to prepare targeted playbook runbooks, including communications templates for execs and regulators.
    • Forensics to document chain-of-custody steps to be executed immediately prior to containment.
    • Confirm Chosen Containment Plan & Owner
    • Obtain explicit go/no-go authorization with named approver and execution start time.
    • Lock the validation checklist and acceptance tests that will be used to close the containment phase.
    • Ensure evidence preservation and chain-of-custody actions are assigned and scheduled.
    • Agree on communications cadence and escalation paths during execution.
    • Operator team to begin containment execution per approved playbook at the agreed start time.
    • Forensics to capture initial preservation artifacts and upload to the secure evidence repository.
    • Schedule the first post‑execution validation checkpoint and the executive summary delivery.
    • Produce and agree a single-sentence Current State that everyone can reference during the experience.
    • Surface concrete consequences (business, legal, operational) to create urgency for containment decisions.
    • Define a single-sentence measurable Future State that the Solution Experience must prove.
    • Confirm telemetry and access needed for live sensor and graph demonstrations.
    • Customer to deliver a 1-page incident timeline and list of impacted assets and decision-makers (by X hours).
    • Seller to draft and circulate the agreed Current State, Consequence summary, and Future State one-liners.
    • Technical owner to verify sensor access/read-only endpoints required for the walkthrough.
    • Force customer validation that the evidence maps to their observed issues.
    • Recap Current State & Future State
    • Prove attacker presence (or absence) with time-stamped forensic artifacts.
    • Identify initial indicators of exfil activity and which channels show data transfer.
    • Confirm sensor coverage is sufficient for next steps or list gaps requiring immediate remediation.
    • Export and circulate a signed IOC list (IPs, domains, file hashes, process names) from today's walkthrough.
    • Tag and preserve involved endpoints and disk images for chain-of-custody.
    • If gaps found, schedule immediate targeted captures or sensor redeployments.
    • Playbook A: Surgical Endpoint Containment
    • One‑Sentence Current State
    • Live Graph Reconstruction
    • Execution Timeline & SLA Windows
    • Sensor Topology & Data Sources
    • Evidence Preservation & Chain-of-Custody
    • Quantify Consequence
    • Playbook B: Network Segment Isolation (targeted)
    • Identify Exfil Channels & Pivot Nodes
    • Packet Capture Evidence
    • Define One‑Sentence Future State
    • Memory & Process Artifacts
    • Playbook C: Aggressive Network Cut / Quarantine
    • Confidence & Attribution Scoring
    • Validation Checklist: 'Attacker Eradicated' Criteria
    • Endpoint Telemetry Correlation
    • Impact & Legal/Regulatory Considerations
    • Forced Validation: Do these cut-points achieve the Future State?
    • Communication & Escalation Cadence
    • Evidence & Coverage Gaps
  3. Solution Scope

    Define investigation and containment boundaries, data collection requirements, SLA response windows, roles, and escalation paths.

    Scope Configuration

    • Deploy forensic sensor suite (packet, memory, endpoint)
    • Start continuous full-packet capture
    • Acquire live memory snapshots from endpoints
    • Image disks with verified chain-of-custody
    • Collect and centralize endpoint telemetry
    • Isolate and quarantine compromised systems
    • Block attacker C2 and exfiltration channels
    • Revoke compromised credentials and access tokens
    • Malware reverse engineering and IOC extraction
    • Threat infrastructure mapping via intelligence graph
    • Coordinate evidence transfer with law enforcement
    • Deliver forensic investigation report and disclosure package

    Scope Questions

    Deploy forensic sensor suite (packet, memory, endpoint)

    • Is pre-authorized deployment of sensors (agent or appliance) permitted under your current contracts/policies? Options: Yes, No, Pending Approval
    • Which environments should sensors be deployed to? Options: On-premises, Cloud IaaS (e.g., AWS/Azure/GCP), SaaS (limited telemetry), OT/ICS, Hybrid
    • Estimate the number of endpoints/hosts to target for initial sensor deployment Options: Less than 50, 50-250, 251-1000, 1001+, Unknown
    • What operating systems and device types require sensors? Options: Windows, Linux, macOS, Network Appliances, Virtual Machines, Other
    • Are privileged installer accounts, MDM access, or orchestration credentials available for sensor installation? Options: Yes - full access, Limited/temporary access, No - manual coordination required
    • Are there any maintenance windows, change-control constraints, or blackout periods that would restrict immediate sensor deployment? Options: No restrictions, Yes - provide windows, Unknown

    Start continuous full-packet capture

    • Do you have network taps or SPAN ports available at key egress/ingress points for packet capture? Options: Yes - multiple tap points, Yes - limited tap/SPAN, No - will require inline sensors
    • What capture retention policy is required (how long must full packets be retained for analysis)? Options: 24 hours, 72 hours, 7 days, 30 days, Custom
    • Are there any bandwidth, storage, or privacy constraints that would limit full-packet capture? Options: No, Yes - bandwidth limited, Yes - storage limited, Yes - privacy/regulatory constraints
    • Is decryption of TLS/encrypted traffic permitted for capture and analysis? Options: Yes - enterprise decryption available, No - cannot decrypt, Partial - some ingress points only
    • Which network locations should be prioritized for continuous capture (e.g., internet egress, datacenter core, VPN concentrators)?
    • What SLA is required for beginning packet capture after engagement start? Options: Within 1 hour, 1-4 hours, 4-12 hours, Next business day

    Acquire live memory snapshots from endpoints

    • Which endpoint classes require live memory capture (servers, workstations, cloud instances)? Options: Servers, Workstations/laptops, Cloud VMs/Instances, Network appliances, All of the above
    • Are live-forensics tools approved for your environment, or is additional authorization required? Options: Approved, Requires approval, Not allowed
    • How quickly must memory snapshots be acquired to meet investigative objectives? Options: Immediate (within 1 hour), Within 4 hours, Within 24 hours, Within 48 hours
    • Is persistent forensic agent pre-deployed (enabling remote memory capture) or will captures require manual on-host access? Options: Pre-deployed agent available, Manual access required, Mixed/partially available
    • Are there any endpoints with sensitive data or regulated workloads that require special handling during memory acquisition? Options: Yes - specify, No, Unknown
    • Specify any constraints on memory snapshot size, transfer method, or storage location (e.g., cannot transfer offsite)

    Image disks with verified chain-of-custody

    • Which systems require full disk imaging (priority list or categories)?
    • Is legal or internal compliance approval required before imaging systems? Options: Yes - requires legal signoff, No, Unknown
    • Do you require a court-admissible chain-of-custody process and evidence packaging for images? Options: Yes - formal chain-of-custody, No - investigative copies only, Undecided
    • Will imaging be performed onsite, via remote acquisition, or via cloud-provider snapshot? Options: Onsite forensic imaging, Remote/agent-based imaging, Cloud snapshot APIs, Mixed
    • Are there encrypted disks or self-encrypting drives that will require key retrieval or vendor assistance? Options: Yes - keys available, Yes - keys not available, No
    • How soon must imaging begin to preserve volatile evidence and minimize data loss risk? Options: Immediate (within 1 hour), Within 4 hours, Within 24 hours, Within 48 hours

    Collect and centralize endpoint telemetry

    • Which telemetry sources should be centralized (EDR, Sysmon, Windows Event, logs, application logs)? Options: EDR/Agent logs, Sysmon/Windows Events, Linux audit logs, Application logs, Cloud-native logs
    • Is there an existing SIEM or log-aggregation platform to centralize telemetry into? Options: Yes - provide access, No - require temporary centralization, Limited/partial access
    • What retention and indexing requirements do you have for centralized telemetry during the investigation? Options: 30 days, 90 days, Custom, Minimal (investigation only)
    • Are there licensing or ingestion limits (events/day) that could prevent full telemetry centralization? Options: No limits, Yes - limits exist, Unknown
    • Do you permit temporary elevation of telemetry collection (increased verbosity) for scope investigation? Options: Yes, No, Conditional - requires approval
    • List any specific telemetry fields or applications that are critical for this investigation (e.g., mail server logs, VPN logs)

    Isolate and quarantine compromised systems

    • Do you authorize network-level isolation (switch port shutdown, VLAN change) and/or host-level quarantine (EDR block) for suspected systems? Options: Network-level allowed, Host-level allowed, Both allowed, Neither allowed without approval
    • What is the acceptable impact threshold for isolation actions (e.g., tolerate downtime for critical systems?) Options: Low tolerance - avoid downtime, Moderate - some downtime acceptable, High - prioritize containment
    • Are there segmented environments or critical availability constraints (e.g., medical devices, OT) that restrict isolation methods? Options: Yes - list constraints, No restrictions, Unknown
    • Should quarantined systems remain available for remote evidence collection or be physically removed? Options: Keep online for remote forensics, Take offline and image, Case-by-case
    • Are rollback or failback plans required for any isolation action we might take? Options: Yes - provide plans, No, Unknown
    • Who must be notified/approve before isolation actions (roles or contact points)?

    Block attacker C2 and exfiltration channels

    • Do you allow proactive blocking of identified IPs/domains at perimeter and endpoint levels? Options: Yes - immediate block, No - requires approval, Conditional
    • Which control points are available for blocking (firewall, proxy, endpoint policy, DNS, cloud security groups)? Options: Firewall/NGFW, Proxy/ProxySG, Endpoint controls/EDR, DNS filtering, Cloud security groups
    • Are there concerns about false positives impacting business-critical traffic if broad blocks are applied? Options: Yes - high concern, Moderate, Low concern
    • Do you require staged blocking (alert -> soft block -> hard block) or immediate hard blocks? Options: Staged/approval-based, Immediate hard block, Case-by-case
    • Are egress filtering and data-loss prevention (DLP) systems integrated and available to assist with exfiltration detection/blocking? Options: Yes - integrated, No - not available, Partial/limited
    • List any third-party services or partner connections where blocking could disrupt operations and require special handling

    Revoke compromised credentials and access tokens

    • Do you permit immediate revocation/rotation of user and service credentials implicated in the incident? Options: Yes - immediate, No - requires approval, Conditional
    • Which identity systems must be updated (AD, Azure AD, IAM roles, API keys, cloud service accounts)? Options: Active Directory/AD, Azure AD/Entra, Cloud IAM (AWS/GCP/Azure), Service/API keys, Other
    • Are there privileged accounts or service tokens that cannot be rotated without maintenance windows? Options: Yes - provide list, No, Unknown
    • Do you require secret management or rotation automation as part of credential revocation? Options: Yes - use secret manager, No - manual rotation, Unsure
    • Should revocations be logged and reported for legal/compliance purposes (include audit trail)? Options: Yes - mandatory, Optional, No
    • Provide any exceptions or business-critical services where credential revocation must be avoided or scheduled

    Malware reverse engineering and IOC extraction

    • Do you require reverse engineering for binaries recovered from the environment to identify capabilities and persistence? Options: Yes - perform full RE, No - IOC extraction only, Undecided
    • Are samples permitted to be taken offsite or shared with third-party analysts for analysis? Options: Yes - offsite allowed, No - must remain onsite, Conditional with redaction
    • What turnaround time is required for IOC deliverables (hashes, YARA, network indicators)? Options: Within 24 hours, 48-72 hours, Within 7 days, Custom
    • Should extracted IOCs be automatically pushed to blockers/EDR/SIEM after validation? Options: Yes - automatic push, No - manual approval, Case-by-case
    • Are there specific analysis outputs required (behavioral summary, persistence mapping, deobfuscation steps)?
    • Do you require malware provenance (e.g., linking to known threat actor groups) as part of the RE report? Options: Yes, No, Optional

    Threat infrastructure mapping via intelligence graph

    • Do you want our intelligence graph integrated with your telemetry to map attacker infrastructure in real time? Options: Yes - full integration, No - deliver as separate report, Limited integration
    • Which external feeds or internal intel sources should be considered for correlation (provide list)?
    • Do you require active disruption recommendations (e.g., sinkholing, takedown coordination) based on the mapped infrastructure? Options: Yes - recommend disruption, No - detection only, Need discussion
    • How granular should mapping be (C2 IPs/domains, ASNs, infrastructure graphs, attacker TTP chains)? Options: C2 IPs/domains only, Full infrastructure graph + TTPs, High-level summary
    • Are there legal or disclosure constraints on sharing intelligence-derived indicators outside your organization? Options: Yes - restricted, No, Conditional
    • Do you want real-time alerting when intelligence graph identifies new infrastructure linked to this incident? Options: Yes, No, Email summary only
  4. Mutual Commit

    Finalize engagement terms, access authorizations, communication cadence with legal and execs, and assurances for surge capacity during attack waves.

    Agreement Modules

    • Non-Disclosure Agreement (NDA)
    • Master Services Agreement (MSA)
    • Statement of Work (SOW)
    • Service Level Agreement (SLA)
    • Access & Authorization Consent
    • Evidence Preservation & Chain-of-Custody Protocol
    • Data Processing Agreement (DPA)
    • Law Enforcement & Regulatory Coordination Consent
    • Communication & Executive Escalation Plan
    • Surge Capacity & Prioritization Assurance
    • Billing, Rates & Payment Terms
    • Change Order & Scope Modification
    • Termination, Suspension & Exit Plan
    • Roles, Responsibilities & RACI
    • Insurance, Indemnity & Liability Allocation
  5. Deployment

    Operationalize incident response with readiness checks, rapid sensor deployment, and validation of containment.

    1. Pre-Deployment Readiness

      Confirm accounts, network access, sensor targets, evidence preservation rules, and regulator/law-enforcement notification preferences before execution.

      Readiness Questions

      Tell Us What's Happening Right Now

      • Can you briefly describe the incident as you first noticed it—who reported it, what was seen, and roughly when?
      • Which specific alerts, logs, or symptoms first raised alarm (select all that apply)? Options: Ransom note / locker activity, Unusual outbound connections, Multiple failed logins / brute force, Anomalous privileged account activity, Mass file encryption or deletion, Unusual process or service behavior, Other
      • Which systems, applications, or datasets do you believe are impacted right now (list hostnames, apps, buckets, or business units)?
      • When did you first observe potential compromise? Options: Within the last hour, 1–6 hours ago, 6–24 hours ago, 24–72 hours ago, More than 72 hours ago, Unsure
      • How is this incident affecting operations at the moment? Options: Production systems down, Degraded performance, Customer-facing impact, Investigations only — no visible outage, Data exfiltration suspected, Unable to determine
      • Who inside the company is currently coordinating the response (names and roles)?

      If This Is Worse Than You Think, What Keeps You Up?

      • If an attacker is already persistent in your environment, what is the single worst operational or legal consequence you fear in the next 48 hours?
      • How confident are you that your existing telemetry would detect lateral movement and cloud compromise? Options: Very confident, Somewhat confident, Low confidence, Not sure / no visibility
      • Have you experienced a similar breach before? If so, what long-term impacts (regulatory, customer churn, recovery cost) persisted after that event?
      • Which regulatory or contractual notification deadlines are most pressing right now (select all that apply)? Options: GDPR / EU privacy, CCPA / state privacy, HIPAA, PCI-DSS, Sector regulator (e.g., FINRA), Contractual customer SLAs, No known deadlines, Unsure
      • Who from your executive team or board is actively demanding updates or influencing decisions on this incident? Options: CEO, CISO, General Counsel, CRO/COO, Board member, External counsel/insurer, Other

      What's Stopping Rapid Containment?

      • What specific access, credentials, or permissions do we not currently have that would prevent us from deploying sensors and taking containment actions immediately?
      • Which of these accounts or consoles can you provide for immediate access? Options: EDR/Endpoint console, SIEM/Log console, Cloud provider console (AWS/Azure/GCP), Domain admin / AD account, Network admin / firewall, VPN access, None available / need provisioning, Other
      • Are there network segments, cloud tenants, or data centers where sensor deployment is prohibited without executive or compliance approval? Options: Yes — require executive sign-off, Yes — require compliance/legal review, No restrictions, Unsure
      • Do encryption, proprietary hardware, or managed network configurations prevent packet capture or deep inspection on key links? Options: Yes — significant restrictions, Some limitations, No — full capture possible, Unsure
      • What internal policies (maintenance freeze, change windows, or critical business processes) would limit aggressive containment on affected systems?

      Who Holds the Keys, and How Do They Want to Talk?

      • If we recommend an urgent containment step, who has the true authority to approve it — and who has veto power?
      • Please provide the names, roles, and preferred secure contact method (phone, secure chat, PGP/email) for each approval owner.
      • What is your legal team's required involvement before we execute forensics or collect certain evidence? Options: Must approve all actions beforehand, Must be notified but can defer approval, External counsel must be involved, No legal pre-approval required, Unsure
      • Which third parties must be coordinated with prior to or during our engagement (insurer, MSSP, cloud provider, managed SOC, etc.)? Options: Cyber insurer, MSSP / managed SOC, Cloud provider support, Identity provider vendor, Law enforcement, Regulator, None, Other
      • Describe the escalation thresholds and who should be looped in at each stage (e.g., executive, board, legal, PR).

      Evidence, Privacy, and What We Can (and Can't) Touch

      • Which data types or systems are explicitly off-limits for imaging or export under policy, contract, or regulation?
      • Do you have an existing legal hold, preservation order, or regulatory inquiry in flight that changes how we handle evidence? Options: Yes — internal legal hold, Yes — court or regulator order, No, Unsure
      • Which of these sensitive data categories require special handling or redaction? Options: Personally Identifiable Information (PII), Protected Health Information (PHI), Financial data, Controlled research/IP, Customer confidential data, None / not applicable
      • Which chain-of-custody procedures or templates must we follow (or attach) for evidence to be admissible to your standards? Options: Your internal template (will provide), We accept vendor chain-of-custody, Court-ordered format required, No formal requirement, Other
      • Do you require internal witness or counsel presence for any on-site collection activities? Options: Yes — witness required, Preferred but optional, Not required, Unsure

      Where Should We Place Sensors and What Data Can We Collect?

      • If you could guarantee one environment we could fully instrument within four hours, which would you choose and why?
      • Which environments should be prioritized for our pre-staged sensors (select up to three)? Options: Production application servers, User endpoints / desktops, Cloud infrastructure (VMs, containers), Network core / edge, Identity / AD controllers, Email systems / M365, OT / ICS systems
      • Are there systems where memory capture, disk imaging, or packet collection is prohibited or requires elevated approval? Options: Memory capture allowed, Disk imaging requires approval, Packet capture prohibited, Depends on system — escalate to legal, Unsure
      • Do export or cross-border data rules restrict moving captures or images off-premises? Options: Can export offsite, Must remain on-premises, Encrypted exports allowed, No exports allowed, Unsure
      • Do you have an up-to-date asset inventory/CMDB we can use to target sensors? If so, what's the source and last update date?
      • Who approves sensor placement outside normal change windows (name and role)?

      How Will Success Be Measured Under Pressure?

      • If we had only 24 hours to demonstrate progress, what specific outcome would make you feel the engagement was a success?
      • Which of these outcome metrics matter most to your stakeholders (select all that apply)? Options: Attacker eradicated, Scope of exfiltration identified, Critical systems restored, Regulatory notification deadlines met, Chain-of-custody maintained, Clear executive updates delivered
      • What SLA windows are you expecting for initial containment, forensic collection, and final report delivery? Options: Initial containment <1 hour, Initial containment 1–4 hours, Containment 4–12 hours, Containment 12–24 hours, Final report in 3–5 business days, Custom SLA — discuss
      • In a broad attack wave, what minimum on-call team composition would you accept (roles and headcount)?
      • Are there fixed budget or contractual ceilings that would prevent surge or travel for our team? Options: Yes — strict cap, Yes — approval required per surge, No fixed cap, Unsure

      Telling the Story: Notifications, Regulators, and Public Messaging

      • If this incident were publicly disclosed tomorrow, what would be the biggest reputational or commercial impact to your organization?
      • Do you have pre-approved notification templates for customers, regulators, or partners? Options: Yes — templates ready, Partial templates exist, No templates available, Under legal review
      • Which authorities or agencies might we need to notify or coordinate with during the investigation (select all that apply)? Options: Local law enforcement, Federal cyber unit, Privacy regulator (e.g., ICO), Sector regulator (e.g., financial), Cyber insurer, None/undecided, Other
      • Do you want us to coordinate directly with law enforcement, or should we route contact through your internal or external counsel? Options: Coordinate directly with law enforcement, Coordinate via internal General Counsel, Coordinate via external counsel, Undecided — need guidance
      • Who is authorized to sign off on public statements, and what legal clearance process must be followed before any external communication?

      Practical Constraints: Logistics, Windows, and Travel

      • What times or maintenance windows are absolutely off-limits for any sensor deployment or host-based collection?
      • Are there recurring blackout periods we must avoid (payroll runs, month-end close, regulatory filings)? Options: Business hours only, End-of-month/quarter processes, Payroll runs, Critical backups / snapshots, No recurring blackouts, Other
      • Can our team perform actions outside normal business hours and who must be notified for out-of-hours activity? Options: Yes — no restriction, Yes — notify on-call, No — only business hours, Depends on system
      • If physical evidence collection is required, how quickly can on-site key-holders or facilities staff be made available? Options: Within 1 hour, 1–4 hours, 4–24 hours, More than 24 hours, Not available
      • Is travel approval or site-access clearance required for our personnel to enter datacenters or offices? Options: Pre-approved for the team, Approval required per visit, No travel required/virtual only, Unsure

      Final Check: What Keeps You From Saying Yes Right Now?

      • What concerns, internal approvals, or missing documentation would make you hesitate to grant immediate deployment rights?
      • Which of these assurances would most reduce friction for your stakeholders (select up to three)? Options: Proof of insurance / A-rated carrier, Technical playbook and runbook, List of prior engagements/references, Data handling and retention policy, Explicit SLA and escalation matrix, On-site shadowing by internal staff
      • If we proposed a minimally invasive 4-hour starter plan (rapid sensor deploy, triage, and one executive update), what must it include for you to approve it right now?
      • When would you like a short readiness call to finalize access, approvals, and the initial action plan? Options: Immediately / now, Within 1 hour, Within 4 hours, Same day, Next business day
    2. Deployment Enablement

      Deploy forensic sensors, collect memory/packet captures and endpoint telemetry, run containment playbooks, and coordinate live investigations.

    3. Validation Checklist

      Verify attacker eradication, confirm scope of exfiltration, validate system integrity, and document chain-of-custody and acceptance criteria.

      Validation Questions

      Tell Us What's Burning Right Now

      • In 1–2 sentences, describe the incident as you understand it right now (what happened, where you first saw it, and the number one thing keeping you awake)
      • When did you first notice unusual activity or receive an alert? Options: Within last hour, Within 24 hours, 1–3 days ago, More than 3 days ago, Unsure
      • What’s the highest-priority impact we should address first? Options: Ongoing attacker presence, Data exfiltration suspected, Ransomware encryption, Operational disruption, Regulatory exposure, Reputational/media concern, Other
      • Which systems, locations, or business units appear affected (list top 3)?
      • Has any containment or mitigation already been performed? If yes, what and when? Options: Network segmentation applied, Account/password resets, Endpoints isolated, Backups taken/offline, No containment yet, Other
      • Who initiated this engagement and who is our primary point of contact? Options: CISO, General Counsel, IT Director, Insurance coordinator, Other

      Are We Sure the Attacker Is Gone?

      • It’s easy to declare an incident contained—what would make you question that confidence right now?
      • What concrete signs of persistence have you seen (pick all that apply)? Options: New user accounts, Unusual privileged logins, Outbound connections to unknown IPs, Scheduled tasks or services created, New binaries or scripts, No signs yet, Other
      • When was the last confirmed adversary action logged (rough time/date or window)? Options: Within last hour, 24–72 hours ago, 3–7 days ago, More than 7 days ago, Unknown
      • Which telemetry sources are available for immediate analysis? Options: Endpoint/EDR, Endpoint protection (EPP), Network flows (NetFlow), Packet capture, SIEM/central logs, Cloud audit logs, None/limited
      • Are there active alerts or automated responses we should prioritize for triage right now?

      What Would Losing Control Actually Look Like?

      • If the attacker quietly exfiltrated your most sensitive data tonight, what would break first—and how would you notice it?
      • Which data types would cause the most legal, financial, or reputational harm if exposed? Options: Customer PII, Financial records/private ledgers, Health/PHI, Intellectual property / source code, Authentication credentials/secrets, Internal legal or HR records, Other
      • Which systems or repositories hold what you consider the organization’s 'crown jewels'?
      • What contractual, regulatory, or insurer notification requirements could be triggered by data loss? Options: GDPR/European laws, HIPAA, State data-breach laws (US), PCI DSS, Contractual SLAs with customers, Cyber insurance notification, Law enforcement reporting, Unsure
      • What are your practical RTO (recovery time objective) and RPO (acceptable data loss) expectations for critical systems? Options: RTO < 4 hours, RTO 4–24 hours, RTO 1–3 days, RTO > 3 days, RPO = zero, RPO < 24 hours, Unsure

      Who Actually Signs Off When Things Get Real?

      • When containment requires business-impacting actions, who has final authority to approve those steps and what drives their decisions?
      • Which stakeholders must be notified immediately? Please list name, role, and best contact method for up to 6 people.
      • Which teams are already involved or must be looped in for decisions (select all that apply)? Options: Communications/PR, Legal/GC, Executive leadership/CEO, Board/Directors, Insurance, Cloud/Platform owners, HR, Third-party vendors/managed services
      • Do you have standing retainer agreements, pre-approved budgets, or emergency procurement paths we can use immediately? Options: Yes — retainer/prepaid, Yes — fast-track procurement, No — approvals required, Unsure
      • Who is authorized to provide forensic access or approve sensor deployment (name or role)?

      What Evidence Will Make You Sleep at Night?

      • What specific artifacts or documentation would convince you the threat has been removed and evidence is defensible in court or to regulators?
      • Which chain-of-custody artifacts do you require as a minimum? Options: Forensic disk image hashes, Time-stamped collection logs, Signed chain-of-custody forms, Photographs/screenshots of process, Immutable storage proof, Third-party witness/attestation
      • Is evidence preservation currently required for an insurance claim, litigation hold, or regulator inquiry? Options: Yes — insurance claim expected, Yes — litigation expected, Yes — regulator inquiry expected, No immediate requirement, Unsure
      • How long must raw evidence and working copies be retained, and who owns custody decisions?
      • Are there internal or third‑party policies that limit moving data offsite or copying logs/images? Options: No restrictions — full transfer allowed, Some restrictions — redaction/approval required, Strict restrictions — no offsite copies, Unsure

      How Will We Know We're Done?

      • Declaring ‘eradicated’ is a big step—what measurable acceptance criteria would make you sign off on remediation and recovery?
      • Which of the following items must be demonstrably satisfied before you consider the incident closed? Options: No active C2/beacons, No new unauthorized privileged accounts, Integrity verified for critical systems, Scope of exfiltration identified and documented, Backups restored and validated, Business-process smoke tests passing, Formal acceptance signed by exec/legal
      • Do you require an external or independent validation step (e.g., third‑party attestation, regulator acceptance)? Options: Yes — external audit required, Yes — regulator acceptance required, No external validation required, Unsure
      • What timeline do you expect for validation activities after containment (select the fastest realistic expectation)? Options: Within 24 hours, 48–72 hours, Within 1 week, 1–2 weeks, Longer than 2 weeks
      • What residual risk level are you willing to accept to transition from incident mode to normal operations? Options: Zero tolerance — no risk, Low risk — monitored, Moderate risk — documented, High risk — temporary, Unsure

      What Could Stop Us From Reaching Closure?

      • If this engagement fails to achieve eradication, what practical obstacles will be blamed—and are any of those obstacles already present?
      • Which of these constraints worry you most right now? Options: Lack of access/privileges, Insufficient forensic telemetry/logs, Legal or contractual limits, Budget/approval delays, Concurrent incidents/surge capacity, Vendor or cloud cooperation issues, Other
      • Are there specific vendors, cloud providers, or partners we cannot touch or will require separate approvals? Options: AWS, Azure, GCP, Office 365 / Microsoft 365, Google Workspace, Managed Service Provider(s), None / full access, Other
      • Have you had previous IR engagements that failed or underperformed? If yes, what was the root cause?
      • How would you prefer we escalate and communicate trade-offs or bad news during the engagement? Options: Immediate phone call to execs, Encrypted email to legal/CISO, Secure portal updates + daily briefing, Executive-only updates, Ad-hoc as issues arise, Other

      Can We Get What We Need Right Now?

      • We can move within hours—what immediate permissions, credentials, or artifacts can you give us now to start validation and forensic collection?
      • Which of the following access items can you authorize immediately? Options: Domain admin credentials, EDR/Endpoint console access, Network device credentials, SIEM/central log access, Cloud admin role (AWS/Azure/GCP), Packet capture or span port, Physical access
      • Do you already have pre-staged sensors, forensic tooling, or a retainer that speeds deployment? Options: Yes — pre-staged sensors in environment, Yes — active retainer with pre-approvals, No pre-staging or retainer, Unsure
      • Who is the designated contact for evidence custody, and what is their preferred secure handoff method?
      • Do you want us to notify or coordinate with law enforcement now, preserve that option, or avoid notification unless legally required? Options: Notify law enforcement now, Preserve option and decide later, Do not notify law enforcement unless required, Undecided — consult legal first
  6. Success

    Review findings, remediation outcomes, disclosure obligations, and track open issues or follow-ups for continuous improvement.

    Success Reviews

    • Executive Incident Closure & Risk Brief
    • Technical Findings & Validation Review
    • Remediation Implementation & Validation Checkpoint
    • Legal, Compliance & Disclosure Coordination
    • Lessons Learned & Continuous Improvement Workshop

    Issues & Enhancements

    • Assemble privileged evidence bundle with documented chain‑of‑custody for legal counsel.
    • Confirm remediation tasks are completed to agreed acceptance criteria.
    • Resolve or escalate blockers and allocate required resources.
    • Schedule final verification and signoff for technical closure.
    • Complete outstanding patches/configurations and report verification evidence.
    • Run and document full restore/recovery tests where applicable.
    • Enable and tune detection rules derived from IOCs and confirm alerts cleared.
    • Confirm SLA adjustments or surge support scheduling if required.
    • Jurisdictional Notification Requirements
    • Agree on who will notify which regulators/customers and by what deadlines.
    • Ensure privileged materials and evidence are protected and documented for potential legal processes.
    • Confirm insurer requirements are met and public/customer messaging is approved.
    • Produce and file regulator notifications according to jurisdictional timelines.
    • Introductions & Objectives
    • Provide insurer with requested documentation and open claim contact.
    • Finalize and publish approved customer and public communications.
    • Root Cause & Contributing Factors
    • Produce a prioritized, time‑bound remediation and improvement plan owned by specific stakeholders.
    • Update IR playbooks, evidence handling procedures, and detection content based on findings.
    • Schedule and scope a follow‑up tabletop/exercise to validate implemented changes.
    • Publish updated incident response playbook and circulation list.
    • Implement top priority detection/enforcement changes and verify via test.
    • Assign owners and set deadlines for backlog items in the tracking tool.
    • Schedule a tabletop exercise within 60–90 days to validate improvements.
    • Ensure executives understand the incident impact, remediation status, and residual risk.
    • Obtain formal approval for disclosure recommendations and public statements.
    • Assign accountable owners and deadlines for unresolved remediation and communications.
    • Produce an executive one‑page incident summary for board and regulators.
    • Approve and send agreed regulator/customer notification drafts.
    • Assign owners and deadlines for each residual risk mitigation task.
    • Schedule follow‑up check to confirm remediation closures and communications.
    • One‑Sentence Current State & Investigation Scope
    • Validate the investigative findings and confirm the scope of systems and data impacted.
    • Confirm evidence that attacker persistence has been removed or identify remaining indicators.
    • Agree on technical acceptance criteria and next steps to remediate outstanding risks.
    • Deliver final forensic report, IOCs, and chain‑of‑custody package to stakeholders.
    • Publish IOC set to detection platforms and implement blocking rules.
    • Schedule targeted re‑scans and validation windows to confirm eradication.
    • Hand off long‑term monitoring and playbook updates to SOC with timeline.
    • Remediation Status Dashboard
    • Validation Test Results
    • Process, People & Tooling Gaps
    • Privileged Material & Evidence Handling
    • Forensic Evidence Overview
    • One‑Sentence Current State
    • Outstanding Blockers & Resource Needs
    • Timeline & Key Findings
    • Prioritized Improvement Backlog
    • Exfiltration Scope & Data Impact Validation
    • Regulator & Law Enforcement Coordination
    • Insurance Claims & Documentation
    • Eradication & Containment Validation
    • Owners, Timelines & Success Metrics
    • Business Impact & Consequences
    • SLA Compliance & Capacity Review
    • Plan Exercise & Verification
    • Schedule Final Verification & Closure Criteria
    • Remediation Outcomes & Residual Risk
    • Open Technical Risks & Acceptance Criteria
    • Public Statement & Customer Notification Drafts
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.