At 9:14 PM on a Tuesday, a controller at one of our managed clients clicked a link in what looked like a DocuSign notification. By 9:15, a malicious payload was running. By 9:16, our EDR had isolated the machine and our team was on the phone.
Total damage? One laptop reimaged. Half a day of productivity lost for one employee.
Now let me tell you about a company that wasn’t our client at the time. Similar attack. Similar entry point. But they didn’t have monitoring in place. The attacker had free run of their network for nine days before anyone noticed. By then, 40,000 client records had been exfiltrated, their backups had been encrypted, and they were staring at a seven-figure recovery.
Same type of attack. Wildly different outcome. The difference was what happened in the first 60 minutes.
Emergency medicine has a concept called the “golden hour.” The idea is that the actions taken in the first 60 minutes after a traumatic injury have a disproportionate impact on whether the patient survives.
Cybersecurity works the same way.
In the first hour of a breach, the attacker is establishing a foothold. They’re escalating privileges, mapping your network, identifying valuable data, and setting up persistence mechanisms so they can come back even if you kick them out.
Every minute you don’t respond is a minute they’re digging deeper.
If you contain the threat in the first 60 minutes, you’re typically looking at a localized incident. Manageable. Recoverable. Maybe even invisible to your clients.
If you don’t? That’s when things get expensive.
The very first thing that needs to happen is detection. You can’t respond to something you don’t know about. This is where having proper cybersecurity monitoring makes all the difference.
Once the alert fires, here’s what should happen immediately:
Minute 0-5: Triage and validation. Is this a real threat or a false positive? Your security team (whether internal or managed) needs to assess the alert, determine severity, and make a call. This should take minutes, not hours. If your current setup requires someone to check their email, see a ticket, log into a console, and then start investigating, you’ve already burned critical time.
Minute 5-10: Containment decision. Based on the initial triage, a decision needs to be made: isolate the affected endpoint, disable the compromised account, block the malicious IP, or some combination. This is where predefined playbooks are essential. Your team shouldn’t be debating options during an active attack.
Minute 10-15: Execute containment and activate the response team. The compromised system gets isolated. The incident commander gets notified. The response process kicks into gear with clear roles and responsibilities.
Fifteen minutes. That’s how fast a well-prepared organization can go from “something is wrong” to “the threat is contained.”
Once containment is in place, the next 45 minutes are about understanding scope and preventing escalation.
Scope assessment. Did the attacker access other systems? Are there signs of lateral movement? Which accounts or credentials might be compromised? Your security team needs visibility across your entire network, through security audits and real-time monitoring tools, to answer these questions.
Evidence preservation. Before you start cleaning things up, you need to preserve evidence. Memory dumps, log files, network captures. This data is critical for understanding the full attack chain, for compliance reporting, and potentially for law enforcement.
I’ve seen businesses lose their entire forensic trail because someone panicked and reimaged the affected machine. Don’t do that.
Stakeholder notification. Your incident commander should be briefing leadership with what’s known so far, what’s been done, and what the next steps are. This doesn’t need to be a detailed report. A 60-second verbal update is fine. But leadership needs to be in the loop.
Secondary containment. Based on scope assessment, additional containment measures may be needed. Forced password resets for potentially compromised accounts. Additional network segments isolated. Backup systems verified to be clean and disconnected from the network.
The reason most businesses can’t execute a 60-minute response isn’t because the technology doesn’t exist. It’s because they haven’t prepared for it.
Three things kill you:
No monitoring in place. If you don’t have real-time detection, you don’t even know the clock has started. The average time to detect a breach without proper monitoring is 197 days. That’s not a golden hour. That’s six and a half months of an attacker living in your network.
No playbooks. When people are panicking, they make bad decisions. Unplugging the wrong server. Accidentally tipping off the attacker. Destroying evidence. Playbooks prevent panic. They give your team clear, rehearsed steps to follow when the pressure is on.
No practice. Even the best playbook is useless if your team has never walked through it. Tabletop exercises, simulated incidents, regular drills. These aren’t optional. They’re what separates a team that responds from a team that freezes.
Let me put real numbers on this.
According to IBM’s Cost of a Data Breach report, organizations that contain a breach in under 200 days save an average of $1.12 million compared to those that take longer. And that’s just the measurable costs.
What about the client who leaves because they lost trust? The contract that doesn’t get renewed? The potential client who googles your name and sees a breach notification?
Speed isn’t just about minimizing direct costs. It’s about protecting the relationships and reputation that took you years to build.
Having solid disaster recovery in place means even when containment is handled, you can restore operations quickly. And making strategic decisions about your security posture ahead of time is what separates businesses that survive from businesses that don’t.
You don’t need to build a security operations center in your office. But you do need a few things in place:
24/7 monitoring and detection. Whether it’s an internal team or a managed provider, someone needs to be watching, always. Prevention is your first layer, but detection is what catches what prevention misses.
Documented, tested playbooks. Specific to your environment, your tools, and your team. Not a generic template downloaded from the internet.
Clear authority and decision-making. Your incident commander needs the power to make containment decisions without calling a board meeting.
Regular testing. At least two tabletop exercises per year, plus a full simulation annually.
The right partnerships. If you don’t have a 24/7 internal security team (and most businesses don’t), you need a managed security partner who can be on the phone in minutes, not hours.
The golden hour is real. The question is whether you’ll be ready when it starts.
Related: Learn more about what to include in your incident response protocol, why MFA is important, and how to prevent data breaches.
We’re here for you every step of the way, ready to guide, connect, and protect your IT ecosystem. Get in touch with us today, and let us help you thrive in the digital landscape.