INCIDENT RESPONSE · 10 MIN
Incident Response: The First 24 Hours, Done Right
What happens in the first 24 hours of an incident determines whether it stays contained or becomes a board-level event. Here's the operational playbook QMasters' IR team runs — minute by minute.
What should an organization do in the first 24 hours of a cybersecurity incident?
The first 24 hours of an incident follow four phases: detect and confirm (0–60 min), contain and preserve (1–4 hours), eradicate and assess (4–12 hours), and stabilize and communicate (12–24 hours). The single biggest mistake in this window is destroying forensic evidence by powering off compromised hosts before imaging. The second biggest mistake is paying ransom before exhausting recovery options.

Incident Response: The First 24 Hours, Done Right
The first 24 hours of an incident determine almost everything that follows. Whether the breach stays inside one subnet or reaches the domain controller. Whether the regulatory clock starts at hour 4 or hour 18. Whether the board hears about a contained event or a recovery operation.
This post is the operational playbook our IR team runs when a customer calls the hotline at 3am. It assumes nothing about the maturity of your security stack — only that something has gone wrong and someone needs to make the next decision quickly.
The four phases that fit inside the first 24 hours are: detect and confirm, contain and preserve, eradicate and assess, stabilize and communicate. Get the order right and the rest is recoverable. Get it wrong — especially by powering off compromised hosts before imaging — and you will pay for it in the forensics phase.
Hour 0 — The trigger
The trigger comes in three flavors, in roughly this order of frequency:
- An MDR or SOC alert — a behavioral detection, a high-fidelity signature match, an intel-driven retrohunt hit.
- A user report — "my files have weird extensions," "I got a ransom note," "I think I clicked something."
- External notification — law enforcement, a vendor, a customer, or worst case a journalist.
The job in this minute is confirmation, not response. Acting on an unconfirmed signal — pulling the network cable on a server before knowing if it's actually compromised — creates downtime without containing anything. The first decision is: is this real?
A capable SOC confirms or rules out a high-severity signal in under 15 minutes. That's the QMasters StrongHold MCSS critical SLA. If your provider is slower, the rest of this playbook starts late.
Hours 0–1 — Detect and confirm
Three things happen in this phase, ideally in parallel:
1. Signal validation. Pull the originating telemetry — the EDR detection details, the SIEM event chain, the network capture if there's a sensor in path. Confirm the affected host or account, the technique observed, and whether there are signs of lateral movement.
2. Initial scope. Run a fast pivot across the same telemetry: same hash, same C2, same parent process, same compromised credentials. If the answer is "one host, one user, no movement," the response posture is different than "five hosts across two domains, three users, and outbound traffic to a known C2."
3. Stand up the IR channel. Open a dedicated chat (Slack, Teams), a war room, a documented incident ticket. Every action gets logged in a single timeline from this minute forward. This is the artifact your forensics report and any potential litigation will be built from.
The QMasters take: the single most expensive mistake we see customers make in this hour is acting from a place of panic. The second is not having a single source of truth for the incident timeline. We solve both by being on the call within 15 minutes — calm operator voice, structured questions, decisions documented in a shared timeline our customers can hand to legal six months later.
Hours 1–4 — Contain and preserve
This is where the wrong instinct kills evidence.
Do:
- Network-isolate affected hosts using your EDR's network-containment feature (Falcon's "Contain Host," for example) or your NAC. The host stays powered on; volatile memory and disk state are preserved; the host can no longer reach attacker infrastructure or pivot internally.
- Disable compromised credentials. Suspend, don't delete. Forensics still needs the account record. Force MFA on every privileged account that hasn't already been disabled.
- Preserve memory. Run a memory acquisition tool (Magnet RAM Capture, FTK Imager, Velociraptor) on isolated hosts before anything else.
- Snapshot virtual machines before any reboot. Full snapshots, not just disk — capture RAM state where the hypervisor allows.
Don't:
- Don't power off compromised hosts. You destroy memory artifacts that are often the only path to attribution and full timeline reconstruction.
- Don't restore from backup yet. Restoring before you understand the initial access vector is how organizations get re-encrypted within a week.
- Don't talk publicly. Internal communication is locked to a small need-to-know group: IR team, CISO, CIO, legal, and whoever has the authority to declare the incident.
By hour 4 you should have: confirmed scope (which hosts, which accounts, what tactic), forensic images of representative compromised systems, and a clear answer to "is this still spreading?"
Hours 4–12 — Eradicate and assess
Now the questions get harder.
Initial access vector. How did they get in? Phishing, exposed RDP, vulnerable VPN appliance, compromised software supply chain, valid credentials from a previous breach? You cannot close the door if you don't know which one was open.
Persistence mechanisms. Where else did they leave themselves a way back in? Scheduled tasks, registry Run keys, Active Directory backdoors (Golden/Silver Tickets, AdminSDHolder modifications), webshells, modified service binaries.
Lateral movement. What other systems did they touch? Authentication logs across the domain, EDR process trees, service account abuse — the picture forms slowly across these data sources.
Data exfiltration. This is the question that drives notification obligations. Outbound traffic volumes, large compressed archives staged before exfil, cloud storage uploads to attacker-controlled accounts, DNS tunneling — examine each path.
By hour 12 you ideally have: a documented initial access vector with a fix, an enumerated list of persistence mechanisms with a removal plan, a confirmed lateral-movement scope, and a defensible answer to "did data leave?"
A well-staffed MDR provider compresses this phase significantly — our SOC's 16 analysts plus IR retainer customers get parallel hunt threads running simultaneously across all four questions, instead of one analyst sequentially walking through each.
Hours 12–24 — Stabilize and communicate
Three workstreams, in parallel:
1. Recovery. Rebuild compromised systems from known-good images. Reset every credential touched by the threat actor. Force domain-wide password rotation for any case involving credential theft. Validate backups before restoring.
2. Hardening against the same vector. Patch the vulnerable appliance. Force MFA on the formerly-credentials-only access path. Implement application allow-listing on the workstation that ran the malicious payload. Tune the SIEM rule that should have caught this earlier.
3. Communication. Now — and not before — engage the broader stakeholders. Internal: executive team, broader IT, business unit owners with operational impact. External: legal counsel guides regulatory notifications (GDPR 72-hour clock, Israeli Privacy Protection Authority where applicable, sector-specific obligations). Customer notifications, if required, follow legal review.
By hour 24 you should be able to answer five questions for executives and the board:
- What happened?
- What's the current containment status?
- Was data exfiltrated, and if so, what?
- What's the recovery timeline?
- What's preventing this from happening again?
If you cannot answer these five, hour 24 is too early to communicate publicly. Buy time with legal, not by silence.
What the playbook does not solve
Three problems are operational, not procedural:
You can't run this playbook from cold. If you don't already know who your IR retainer is, where your forensic tooling lives, and which executive is empowered to declare the incident, you're inventing answers under stress. Tabletop exercises annually, IR runbooks reviewed quarterly, retainer in place — all before the call comes.
You can't run this playbook with the wrong tools. Network containment needs an EDR with that capability. Memory acquisition needs the right software pre-staged. Domain-wide log analysis needs a SIEM with at least 90 days of warm storage. The right time to procure these is not hour 2 of an active incident.
You can't run this playbook alone. A mid-market security team running an active ransomware event with three internal staff is going to make mistakes. The math on a 24/7 IR retainer is straightforward — the retainer cost over five years is less than the cost overrun on a single mishandled incident.
Soft CTA
If your incident response readiness assumes you'll figure it out when it happens, book an IR readiness assessment. We'll walk through your playbook against three realistic scenarios — ransomware, valid-credential abuse, and supply-chain compromise — and tell you exactly where the seams are.
FAQ
Q: What's the first thing to do when you suspect a breach?
A: Do not power off affected systems. Isolate them from the network instead — this preserves volatile memory and on-disk evidence. Then call your incident response team or MDR provider. Triage and confirmation come before any remediation action.
Q: How fast should detection happen?
A: For high-severity incidents, an MDR provider should detect, triage, and notify the customer within 15 minutes of the originating signal. Anything slower means the threat actor has already had time to move laterally. QMasters' StrongHold MCSS critical-severity SLA is 15 minutes.
Q: Should you pay a ransom?
A: Almost never as a first response. Paying funds further attacks, doesn't guarantee decryption, and may violate sanctions law. Engage IR specialists, law enforcement, and counsel before any payment decision. Most ransomware events are recoverable from backups if backups exist and are tested.
Q: When do you need a 24/7 IR retainer?
A: If your business operates outside normal hours, holds regulated data, or has experienced any security incident in the past 24 months — yes. The cost of a retainer is dwarfed by the cost of finding an IR team at 3am during an active event.
Q: What's the difference between IR retainer and MDR?
A: MDR is continuous detection and response across your environment, billed monthly. An IR retainer is reserved capacity for full-scale incident handling — forensics, eradication, recovery — billed for the engagement. The two are complementary; mature programs have both.
Call the IR hotline
If you're reading this during an active incident, stop reading. Call our 24/7 IR hotline [phone number to be wired in at launch] or email QMasters incident response and an analyst will be on the line in under 15 minutes.
If you're reading this proactively, that's the right time to be reading it. Book an IR readiness assessment and we'll show you what your first 24 hours look like before they happen.
For more context, start at QMasters, review our incident response retainer, or check out SIEM automation.
---
Author · QMasters SOC Team
Last updated · 2026-04-02
Reading time · 10 min
FAQ
Frequently asked questions.
Do not power off affected systems. Isolate them from the network instead — this preserves volatile memory and on-disk evidence. Then call your incident response team or MDR provider. Triage and confirmation come before any remediation.
For high-severity incidents, an MDR provider should detect, triage, and notify the customer within 15 minutes of the originating signal. Anything slower means the threat actor has already moved laterally.
Almost never as a first response. Paying funds further attacks, doesn't guarantee decryption, and may violate sanctions law in some jurisdictions. Engage IR specialists, law enforcement, and counsel before any payment decision.
If your business operates outside normal hours, holds regulated data, or has experienced any security incident in the past 24 months — yes. The cost of a retainer is dwarfed by the cost of finding an IR team at 3am during an active ransomware event.
ABOUT THE AUTHOR
Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.