Cyber: First 90 Seconds: How Early Decisions Shape Incident Response...

Many incident response failures do not come from a lack of tools, intelligence, or technical skills. They come from what happens immediately after detection, when pressure is high, and information is incomplete.

I have seen IR teams recover from sophisticated intrusions with limited telemetry. I have also seen teams lose control of investigations they should have been able to handle. The difference usually appears early. Not hours later, when timelines are built, or reports are written, but in the first moments after a responder realizes something is wrong.

Those early moments are often described as the first 90 seconds. However, taken too literally, that framing misses the point. This is not about reacting faster than an attacker or rushing to action. It is about establishing direction before assumptions harden and options disappear.

Responders make quiet decisions right away, like what to look at first, what to preserve, and whether to treat the issue as a single system problem or the beginning of a larger pattern. Once those early decisions are made, they shape everything that follows. Understanding why those choices matter (and getting them right) requires rethinking what the “first 90 seconds” of a real investigation represents.

One of the most common mistakes I see is treating the opening phase of an investigation as a single, dramatic event. The alert fires, the clock starts, and responders either handle it well or they do not. That is not how real incidents unfold.

The “first 90 seconds” happens every time the scope of an intrusion changes.

You are notified about a system believed to be involved in an intrusion. You access it. You decide what matters, what to preserve, and what this system might reveal about the rest of the environment. That same decision window opens again when you identify a second system, then a third. Each one resets the clock.

This is where teams often feel overwhelmed. They look at the size of their environment and assume they are facing hundreds or thousands of machines at once. In reality, they are facing a much smaller set of systems at a time. Scope grows incrementally. One machine leads to another, then another, until a pattern starts to emerge.

Strong responders do not reinvent their approach each time that happens. They apply the same early discipline every time they touch a new system. What was executed here? When did it execute? What happened around it? Who or what interacted with it? That consistency is what
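The per-system discipline described above, as an added example that is not from the article: the same four questions (what executed, when, what happened around it, who or what interacted with it) are asked of every host, and every peer host that surfaces re-opens the decision window for itself rather than for the whole estate. The telemetry, host names and five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article), already normalised
# to host / timestamp / kind / actor / detail / peer host.
EVENTS = [
    {"host": "ws-01", "ts": "2024-03-01T09:00:05", "kind": "exec",  "actor": "alice",      "detail": "powershell.exe", "peer": None},
    {"host": "ws-01", "ts": "2024-03-01T09:00:30", "kind": "logon", "actor": "svc-backup", "detail": "network logon",  "peer": "fs-02"},
    {"host": "ws-01", "ts": "2024-03-01T11:15:00", "kind": "exec",  "actor": "alice",      "detail": "outlook.exe",    "peer": None},
    {"host": "fs-02", "ts": "2024-03-01T09:01:10", "kind": "exec",  "actor": "svc-backup", "detail": "rundll32.exe",   "peer": None},
    {"host": "fs-02", "ts": "2024-03-01T09:02:00", "kind": "net",   "actor": "svc-backup", "detail": "smb session",    "peer": "dc-01"},
    {"host": "dc-01", "ts": "2024-03-01T09:03:00", "kind": "logon", "actor": "svc-backup", "detail": "network logon",  "peer": "fs-02"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def triage_host(host, events, pivot_ts, window=timedelta(minutes=5)):
    """Ask the same four questions of one host, bounded to the window
    around the pivot time so unrelated activity (e.g. the 11:15 mail
    client launch) does not pollute the picture. Returns the answers
    plus the peer hosts that widen the scope, keyed by when they appeared."""
    mine = sorted((e for e in events if e["host"] == host), key=lambda e: e["ts"])
    lo, hi = pivot_ts - window, pivot_ts + window
    around = [e for e in mine if lo <= parse_ts(e["ts"]) <= hi]
    return {
        "executed": [e["detail"] for e in around if e["kind"] == "exec"],   # what ran
        "when":     [e["ts"] for e in around if e["kind"] == "exec"],       # when it ran
        "context":  [(e["ts"], e["kind"], e["detail"]) for e in around],    # what happened around it
        "actors":   sorted({e["actor"] for e in around}),                   # who/what interacted
        "peers":    {e["peer"]: e["ts"] for e in around if e["peer"]},      # where the scope grows
    }

def scope_intrusion(seed_host, seed_ts, events):
    """Worklist-driven scoping: each newly identified host re-opens the
    decision window, so the team only ever reasons about one system at a
    time instead of the whole environment at once."""
    queue, seen, findings = [(seed_host, parse_ts(seed_ts))], set(), {}
    while queue:
        host, ts = queue.pop(0)
        if host in seen:
            continue
        seen.add(host)
        findings[host] = triage_host(host, events, ts)
        for peer, peer_ts in findings[host]["peers"].items():
            if peer not in seen:
                # the peer's pivot time is the moment this host first touched it
                queue.append((peer, parse_ts(peer_ts)))
    return findings

if __name__ == "__main__":
    for host, f in scope_intrusion("ws-01", "2024-03-01T09:00:05", EVENTS).items():
        print(host, f["executed"], f["actors"], sorted(f["peers"]))
```

Starting from the alerting workstation, the walk reaches fs-02 and then dc-01 in order, each with its own bounded timeline, which is the incremental pattern the article describes.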

Source: The Hacker News