Incident Response — the first 15 minutes decide everything
Every breach has a golden hour: the window where the right decisions contain damage and the wrong ones allow attackers to entrench themselves deeper. Discover what separates organisations that recover in days from those that suffer for months, why most incident response plans fail when they are needed most, and how to ensure your team moves fast when every second counts.
By Xartrix Security Team9 min read
277 days
average time to identify and contain a breach, during which attackers remain undetected in your environment
IBM 2024 Cost of a Data Breach
$1.2M
additional cost per breach when response takes longer than 200 days versus faster containment
Ponemon Institute 2024
15 minutes
the golden window where isolation and containment decisions determine whether the incident escalates or remains contained
CISA & NIST IR Guidance
The reality The golden hour: why the first 15 minutes matter more than the next 15 days
Your SOC detects unusual activity at 2:15 PM on a Tuesday. A user account from the finance department logged in from three different countries in the past hour. Ransomware is being deployed across your file servers. An attacker has just created a new administrative account. In the next 15 minutes, your organisation will either contain the threat or allow it to spread unchecked.
This window is everything. The first 15 minutes determine whether:
• The attacker is isolated before they can move laterally ⢠Backups are protected before encryption begins ⢠Critical systems are taken offline before being compromised ⢠Evidence is preserved before logs are deleted ⢠Incident commanders take control or chaos ensues
Organisations that respond in minutes reduce breach containment time from 277 days to weeks. Those that respond in hours watch attackers establish persistence, move to critical systems, and steal data before anyone has even called a meeting. The financial impact is staggering: each day of additional dwell time adds approximately £50,000 to the final breach cost. The difference between responding in 15 minutes and responding in 4 hours is £10.5 million.
The framework The 6-phase incident response lifecycle: preparation through lessons learned
The NIST Cybersecurity Framework defines incident response in six phases. Every organisation should have a playbook for each phase. Most do not.
The NIST framework provides a structured approach to incident response. Organisations that excel in Preparation (Phase 1) move through Detection, Containment, and Eradication faster, reducing overall impact.
Phase 1: Preparation
Build the capability before you need it. Establish incident response teams, create playbooks for common attack scenarios, configure logging and monitoring, conduct tabletop exercises, and ensure tools are in place. 90% of incident response success depends on what you do before the breach occurs.
Phase 2: Detection & Analysis
Identify what is happening and assess scope. When an alert arrives, your team must triage it: is this a real breach or a false positive? How many systems are affected? What data is at risk? This phase determines whether you treat the incident as a minor issue or a critical emergency.
Phase 3: Containment
Stop the attacker from moving deeper or causing more damage. Containment happens in minutes and has multiple forms: isolate affected systems from the network, disable compromised accounts, block malicious IP addresses, kill processes running malware, revoke stolen credentials. This phase is where the golden hour matters most.
Phase 4: Eradication
Remove the attacker completely. Close the initial vulnerability, remove backdoors and persistence mechanisms, clean infected systems, revoke all credentials that may have been compromised. Eradication can take days or weeks, but it must be thorough. An incomplete eradication leads to re-compromise.
Phase 5: Recovery
Restore systems to normal operations. Bring systems back online from clean backups, apply patches to close vulnerabilities, rebuild compromised servers, restore data from unaffected backups. Recovery must be validated at each step to ensure the threat is gone.
Phase 6: Lessons Learned
Conduct a full post-mortem to improve future response. Document how the attacker gained entry, what you missed, what worked well, what failed. Update playbooks, patch vulnerabilities that were exploited, strengthen controls. This phase determines whether the same breach happens again.
The impact Slow response multiplies breach cost exponentially
The financial damage from a breach scales dramatically with response time. A breach discovered and contained in hours costs a fraction of one discovered days later. Here is why:
Visualization: Breach cost vs response time
Breach cost scales exponentially with response time. A breach contained in 2 hours costs approximately £650,000. The same breach left uncontained for 90 days costs £4.2M â a 6.5x difference. Response speed is the single most important factor in minimising breach cost.
Why does delay amplify cost? As hours pass, attackers have time to:
• Exfiltrate more data (£15,000+ per 1,000 records stolen) ⢠Move laterally to more systems (each compromised server = additional £100,000â£500,000 recovery cost) ⢠Install persistence backdoors (extending breach duration by weeks or months) ⢠Delete backups (forcing full data reconstruction) ⢠Cover tracks by deleting logs (complicating forensics and regulatory reporting)
The gaps Common failures that undermine incident response readiness
Most organisations have an incident response plan. Most of those plans fail catastrophically when a real breach occurs. Here is why:
Failure 1: Plans Are Never Tested
A plan that has never been executed is a plan that will fail. When the breach occurs, your team will fumble through procedures they have never performed under real pressure. Test your plan quarterly. Run tabletop exercises. Practice the full workflow from detection to containment to recovery. Every untested assumption will bite you.
Failure 2: No Clear Incident Commander
Without a clear decision-maker, coordination falls apart. When a breach occurs, your incident commander must have the authority to take actions immediately: isolate systems, block users, invoke the disaster recovery plan. If decision-making is distributed across multiple departments, response time doubles or triples.
Failure 3: Communication Breakdown
When a breach is detected, communication must flow instantly across teams. IT, security, legal, HR, and board must know within minutes. Yet most organisations have no established communication protocol. Who calls whom? How are conference bridges set up in seconds? What is the first message to the CEO? Leave this to chance and confusion reigns.
Failure 4: No Playbooks for Common Attacks
Generic incident response plans are too slow. When ransomware is detected, you need a specific playbook: identify affected systems in seconds, isolate network segments immediately, protect backups, contact the incident response team. If your team has to “figure out” what to do, attackers are already spreading.
Failure 5: Isolated IR Tools
If your incident response tools cannot communicate, response time suffers. Your SIEM must automatically alert your EDR, which must trigger containment actions, which must notify the incident response platform. Manual handoffs lose minutes. Automation saves hours.
The preparation Tabletop exercises: how to stress-test your incident response capability
A tabletop exercise is a structured simulation of an incident where your team walks through their response procedures without actually triggering an incident. Think of it as a fire drill for your security team. Done well, tabletop exercises reveal which parts of your plan work and which will fail under real pressure.
Why Tabletop Exercises Matter
Most organisations discover that their incident response plan is flawed only during an actual breach. Tabletop exercises reveal problems safely: communication bottlenecks, missing escalation procedures, unclear decision authority, tools that do not integrate. Fix these problems now, not when your network is actively under attack.
How to Run a Tabletop Exercise
1. Assemble the team: incident commander, IR lead, IT ops, security team, legal, communications, and board representation (if possible). 2. Define a realistic scenario: “Ransomware detected on a file server at 3 PM. Encryption is spreading. Backups are at risk.” 3. Walk through the response: incident commander makes decisions, team executes them (on paper or in isolated test environments). 4. Document gaps: what assumptions failed? What information was missing? What decisions took too long? 5. Improve the plan: update playbooks, close gaps, retest quarterly.
What Tabletop Exercises Reveal
Most organisations discover: their incident commander was unclear, their communication protocol was broken, their tools could not talk to each other, their backup strategy was flawed, and critical team members did not know their role. These problems are fixable before a real breach. Ignore them and you will pay millions.
The playbook Five critical components of an effective incident response plan
An effective incident response plan covers five foundations. If any are missing, your response will be slower and more chaotic:
1. Incident Response Team Structure
Define roles clearly: incident commander (decision authority), incident manager (logistics and tracking), technical lead (investigation and containment), communications lead (internal and external messages), legal/compliance advisor (regulatory obligations). Each role must know their responsibilities before a breach occurs.
2. Escalation Procedures
Define when to escalate to executive leadership and the board. What severity triggers a board notification? Who calls the CEO? When does the organisation enter crisis mode? Clear escalation prevents either no board notification or premature panic.
3. Attack-Specific Playbooks
Develop detailed procedures for common attack types: ransomware (isolate, protect backups, involve law enforcement), data breach (identify exfiltration, legal notification), insider threat (disable account, preserve evidence, involve HR), and supply chain compromise (identify affected systems, coordinate with vendors). Generic procedures are too slow.
4. Communication Protocol
Establish how teams will communicate during an incident: a dedicated Slack channel or conference bridge that is established in seconds, a list of phone numbers for key personnel (with backups), pre-drafted message templates for employees and customers. When a breach occurs, communication must be automatic.
5. Tools and Integration
Ensure your tools work together: SIEM feeds into EDR, EDR triggers automated containment, incident response platform integrates with both, legal and compliance receive immediate notification. Manual handoffs slow response. Automation saves hours.
For the boardroom Five critical questions about incident response readiness
If you are a CEO, CFO, or board member, ask these questions to test your organisation’s incident response capability:
Question 1
Who is our incident commander, and do they have the authority to take immediate action? In a real breach, the incident commander must isolate systems, revoke credentials, and invoke disaster recovery without waiting for approvals. If your incident commander has to “ask permission,” response time will be hours instead of minutes.
Question 2
When are we notified, and how quickly can we assemble the incident response team? Can your incident response team be in a war room (physical or virtual) within 15 minutes? If it takes an hour to assemble, you have already lost the golden hour. Test this. Time it.
Question 3
When would we notify the board of a breach? Your IR plan should define severity thresholds: minor incident (reported in daily email), significant incident (immediate board call), critical incident (board call within 15 minutes, external comms within 1 hour). Ambiguity leads to either over-notification or dangerous delays.
Question 4
When was our incident response plan last tested? If the answer is “several years ago” or “never,” your plan is outdated and untested. Tabletop exercises should happen quarterly. Full-scale simulations should happen annually. A plan that has never been tested will fail.
Question 5
Can we contain a breach in the golden hour? If it would take your organisation more than 15 minutes to isolate systems and revoke credentials, you need to redesign your IR capabilities. Speed is everything. Slow response multiplies cost exponentially.
Next steps Three ways to accelerate incident response immediately
Building an effective incident response capability takes time. But you do not have to build it alone. Here are three paths:
Option 1: Managed Incident Response Service
Engage an external IR provider to respond on your behalf. When a breach is detected, the provider takes over: investigates, contains, eradicates, and leads recovery. Your team is freed to run the business. Cost: £50,000â£150,000 annually. Best for organisations without mature internal IR capability.
Option 2: Build Internal Capability with Tabletop Exercises
Hire or designate an IR leader and conduct quarterly tabletop exercises. Run simulations every three months with different attack scenarios. Your team learns through practice. Cost: £100,000â£300,000 annually (staff + exercises). Takes 6â12 months to mature. Best for organisations with time to invest.
Option 3: AI-Augmented Incident Response Platform
Deploy an automated IR platform like Xartrix that detects, triages, and contains incidents in minutes. The platform isolates compromised systems, revokes credentials, and alerts your team with full context. Your incident commander focuses on decisions, not firefighting. Cost: £40,000â£100,000 annually. Provides immediate capability.
Critical action: Schedule an incident response plan review within the next 30 days. Identify your current gaps (untested plans, no incident commander, unclear escalation, missing playbooks). Prioritise closing them. The cost of remediation is far less than the cost of a breach.
AI
Xartrix Automates Incident Response: From Hours to Minutes
When a breach is detected, every minute counts. Xartrix automates the first response: detects the threat, identifies affected systems, isolates compromised hosts from the network, revokes compromised credentials, and alerts your incident response team with full context. What would take your team 4 hours (detection, investigation, initial containment) Xartrix accomplishes in minutes. Your incident commander focuses on strategic decisions while the platform executes containment. Real-time threat containment. 24/7 SOC coverage. AI-augmented response.
Every minute counts during a breach. Be ready before it happens.
Build an incident response capability that can contain threats in the golden hour. From preparation and playbooks to 24/7 response and AI-augmented containment, Xartrix helps you recover faster and minimise breach impact.