The first hour of an incident rewards calm more than cleverness. Restarting a service, deleting a suspicious file, or terminating a host may feel decisive, but each action changes the scene. Sometimes that trade is necessary. It should always be deliberate.
Establish the clock and the consequence
Write down when the issue was detected, the system time, who is coordinating, and what users or services are affected. A shared timeline prevents scattered observations from becoming contradictory memories.
Separate confirmed facts from working hypotheses. “Outbound traffic increased at 14:12” is a fact. “The host is exfiltrating data” is a hypothesis that should drive collection and containment decisions, not be recorded as a conclusion.
Preserve volatile context
Before changing state, capture what will disappear first: active processes and their ancestry, current network connections, logged-in sessions, open files, mounted filesystems, memory if the response plan supports it, and recent authentication and service events.
Record collection times and hash exported evidence. Avoid installing an unfamiliar toolkit directly on the affected host if a trusted response mechanism already exists. The goal is a defensible snapshot, not an exhaustive forensic image in the opening minutes.
Containment is a risk decision: balance the harm still occurring against the context an action will erase.
Compare the host to what should be true
A baseline gives observations meaning. Which services belong on the host? Which users should log in? Which packages and timers are expected? What changed in configuration management or deployment history?
Look for mismatches across process execution, authentication, persistence mechanisms, and network behavior. One odd artifact may be normal. Several artifacts aligned on the same timeline become a stronger explanation.
Contain with a return path
Isolation can stop active harm, but know how responders will retain access and how dependent services will behave. Rotate exposed credentials from a clean system, not from the suspected host. If a rebuild is the recovery plan, preserve the evidence and configuration context needed to understand the root cause before replacement.
Leave the next responder a clean handoff
At the end of the first hour, summarize impact, evidence collected, actions taken, open questions, and the next decision point. Include what has not been checked. A strong handoff keeps the investigation moving without turning assumptions into facts.
The first hour will not answer everything. It should make the second hour better: less uncertain, more coordinated, and grounded in evidence that still exists.