Field Guides · After · any

Immediate aftermath (24 to 72h)

The incident has stopped moving. The work is not over. Preserve, restore trust, and stabilise the team before anything else. Most second-incidents start here.

24-72h

The hours after an incident contains is the most dangerous moment for two things: evidence and people. Evidence gets overwritten because someone restarts a host. People burn out because the adrenaline is gone but the work feels endless. Most second-incidents start here, not in the next attack.

Restored is not recovered.

Bringing the system back online is the smallest part of the work. The identity plane needs to be re-verified, not assumed. Persistence has to be searched for, not hoped against. Trust gets restored in a sequence, not a moment. Identity before workload. Workload before data. Data before access.

Preserve first. Anything that touched the incident is a candidate for archive. Rotate every credential the attacker could have touched. Assume persistence until you have searched for it. Tell engineering not to redeploy or reimage anything in scope until forensics has signed off.

Then stabilise. The team has been on for hours. They need sleep. They need food. They need someone who will tell them to go home. The post-mortem can wait a week. The work in front of you now is to make sure no one falls over and no one quietly decides the incident is over before the recovery is real.

Checklist

0/360/29 critical

Preserve what happened

Final pass on the incident timelineCriticalTimes, decisions, and the people involved. Written, not remembered.
Logs, memory captures, disk images archived to a write-once locationCritical
Incident chat channels and bridge recordings exportedCritical
Decision log captured with the reasoning, not just the outcomeCritical
Final scope document signed off (systems, data, accounts, time window)Critical
Legal hold confirmed with counsel for relevant artefacts and communicationsCritical

Confirm containment

Active monitoring continues for at least 14 days after containmentCritical
All known indicators of compromise blocked across the estateCritical
All credentials, tokens, and keys in scope rotatedCritical
Persistence mechanisms checked (scheduled tasks, services, OAuth grants, mailbox rules, app passwords)Critical
New detection rules raised for the techniques used
Federation and SSO trusts audited for any additions during the suspect windowCritical

Trust restoration

IdP state confirmed clean (admin grants, federation, app consents, conditional-access policy)Critical
Cloud control plane confirmed clean (IAM, roles, service principals, key material)Critical
Break-glass accounts rotated if they were used or potentially exposedCritical
Trust restoration sequence executed in the documented orderCriticalIdentity before workload. Workload before data. Data before access.
Vendor recovery interactions are closed and documented per platform
Shared secrets (API keys, signing keys, SSH keys, integration tokens) rotated across the estateCritical

Stabilise the team

Formal handover between responders on shift changeCritical
Anyone who worked over 16 hours is off rotation for the next shiftCritical
Food, water, and somewhere to sleep are organised, not assumedCritical
External help available named and contactable
No blame discussions, no performance discussions, no post-mortem yetCritical
Non-incident work is paused or reassigned. Responders are not expected to catch up.Critical

What actually breaks

The organisation is not pretending it is back to normal because the system is back onlineCriticalRestored is not recovered.
Engineering has been told not to restart, redeploy, or reimage anything in scopeCritical
Internal rumour control still in place. Staff are getting one version of events, on cadence.Critical
External communications are still on the legal-approved timeline. Not earlier because someone wants closure.Critical
No responder is alone on the recovery. Someone is checking on each of them.Critical
Post-mortem is scheduled for 7 to 14 days out. Not tomorrow. Not "while it is fresh."Critical
Lessons are not all "add another control". Some of them are "do less of this work."

External obligations

Required regulator notifications filed within the legal clockCritical
Customer communications sent on the agreed timelineCritical
Insurer kept current with documented status updates
Law enforcement engagement aligned with counsel's position
Affected vendors and counterparties notified where required

Accepted operational risks

29 of 29 critical items unchecked.

Every unchecked critical item is an accepted operational risk. Make sure someone senior is consciously accepting it.

Final pass on the incident timelinePreserve what happened
Logs, memory captures, disk images archived to a write-once locationPreserve what happened
Incident chat channels and bridge recordings exportedPreserve what happened
Decision log captured with the reasoning, not just the outcomePreserve what happened
Final scope document signed off (systems, data, accounts, time window)Preserve what happened
Legal hold confirmed with counsel for relevant artefacts and communicationsPreserve what happened
Active monitoring continues for at least 14 days after containmentConfirm containment
All known indicators of compromise blocked across the estateConfirm containment
All credentials, tokens, and keys in scope rotatedConfirm containment
Persistence mechanisms checked (scheduled tasks, services, OAuth grants, mailbox rules, app passwords)Confirm containment
Federation and SSO trusts audited for any additions during the suspect windowConfirm containment
IdP state confirmed clean (admin grants, federation, app consents, conditional-access policy)Trust restoration
Cloud control plane confirmed clean (IAM, roles, service principals, key material)Trust restoration
Break-glass accounts rotated if they were used or potentially exposedTrust restoration
Trust restoration sequence executed in the documented orderTrust restoration
Shared secrets (API keys, signing keys, SSH keys, integration tokens) rotated across the estateTrust restoration
Formal handover between responders on shift changeStabilise the team
Anyone who worked over 16 hours is off rotation for the next shiftStabilise the team
Food, water, and somewhere to sleep are organised, not assumedStabilise the team
No blame discussions, no performance discussions, no post-mortem yetStabilise the team
Non-incident work is paused or reassigned. Responders are not expected to catch up.Stabilise the team
The organisation is not pretending it is back to normal because the system is back onlineWhat actually breaks
Engineering has been told not to restart, redeploy, or reimage anything in scopeWhat actually breaks
Internal rumour control still in place. Staff are getting one version of events, on cadence.What actually breaks
External communications are still on the legal-approved timeline. Not earlier because someone wants closure.What actually breaks
No responder is alone on the recovery. Someone is checking on each of them.What actually breaks
Post-mortem is scheduled for 7 to 14 days out. Not tomorrow. Not "while it is fresh."What actually breaks
Required regulator notifications filed within the legal clockExternal obligations
Customer communications sent on the agreed timelineExternal obligations