Lex Technologies

Checklist Incident response • containment • evidence

The first 30 minutes.

A fast checklist for the first 30 minutes of an incident. The goal is calm containment, clear comms, and preserved evidence so you can investigate without guesswork.

First 30 minutes checklist

Use this in incidents and in tabletop exercises.

0-5 minutes: Declare and assign

  • Declare an incident and start a timeline log.
  • Assign incident commander and communications lead.
  • Open the incident channel and restrict who can post decisions.

5-15 minutes: Contain

  • Disable suspicious accounts and revoke tokens/keys.
  • Block risky IPs or access paths (WAF, firewall, VPN).
  • If data exfiltration is suspected, stop the active export paths.
  • Flag systems that may need forensics as “do not touch” and preserve them as they are.

15-25 minutes: Preserve evidence

  • Snapshot logs: identity provider, cloud audit, application audit.
  • Capture key identifiers: user IDs, request IDs, IPs, tokens, hostnames.
  • Record what containment actions were taken (and by whom).

25-30 minutes: Decide next steps

  • Is customer data at risk? If unsure, define what “proof” would confirm it.
  • Do we need to notify customers or regulators? Identify decision makers.
  • Assign owners for investigation, remediation, and comms updates.
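As an added example (not part of Lex's checklist or tooling): a small Python timeline log that records each phase's actions with actor and key identifiers and hash-chains the entries, so the record of what was done, and by whom, can be verified later. The incident ID, names, user ID, host and snapshot contents are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone


class IncidentTimeline:
    """Append-only, hash-chained timeline log (constructed helper, not Lex's tooling)."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, phase, actor, action, identifiers=None, ts=None):
        # Each entry carries the previous hash, so an edited or deleted action breaks the chain.
        entry = {
            "seq": len(self.entries),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "phase": phase,                     # declare / contain / preserve / decide
            "actor": actor,                     # who took the action
            "action": action,
            "identifiers": identifiers or {},   # user IDs, request IDs, IPs, hosts, hashes
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_sample_timeline():
    # Constructed walk-through of the four checklist phases; every value is sample data.
    t = IncidentTimeline("INC-EXAMPLE-001")
    ts = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    snapshot_sha = hashlib.sha256(b"idp audit export (constructed sample)\n").hexdigest()
    t.record("declare", "oncall", "Incident declared; IC=alice, comms=bob", ts=ts)
    t.record("contain", "alice", "Account disabled, tokens revoked", {"user_id": "u-1234"}, ts=ts)
    t.record("preserve", "alice", "IdP audit log snapshot", {"host": "idp-01", "sha256": snapshot_sha}, ts=ts)
    t.record("decide", "bob", "Investigation owner=carol; notification pending", ts=ts)
    return t
```

Recording the SHA-256 of each log snapshot alongside the entry lets the investigation confirm later that the evidence it is working from is the evidence that was captured in the first 30 minutes.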

Want IR playbooks and a tabletop drill report?

We help teams build playbooks, validate logging coverage, and run tabletop exercises. Lex supports teams in India and globally.

Schedule IR readiness