N2CON TECHNOLOGY

Executive Cyber Incident Guide: The First 48 Hours

During an incident, most failures are not technical. They are operational: unclear authority, confused communications, missing access, and decisions made without a shared picture. This guide covers what leadership should do and decide in the first 48 hours.

Note: This is general information and not legal advice.

Last reviewed: March 2026

Executive Summary

What it is
A leadership checklist for coordinating response, communications, and decisions during the first 48 hours of a cybersecurity incident.
Why it matters
  • Time-to-containment is often driven by decisions and coordination, not tools.
  • Unplanned communication creates risk: misinformation, inconsistent statements, and missed obligations.
  • Evidence handling mistakes can slow investigation and recovery.
When you need it
  • You suspect ransomware, business email compromise, account takeover, or vendor compromise.
  • You have material operational impact (systems down, suspicious admin activity, data exposure concerns).
  • You are preparing leadership for cyber insurance renewals and customer security reviews.
What good looks like
  • One incident commander, clear escalation, and a defined decision path.
  • Communications are controlled, consistent, and documented.
  • Containment actions are authorized and evidence-preserving.
How N2CON helps
  • Build an IR plan and playbooks that match your tools and business constraints.
  • Validate prerequisites (identity, logging, and recovery) so actions are executable.
  • Run tabletop exercises and convert gaps into a tracked improvement plan.
[Figure: Executive incident response timeline showing three phases: Hour 0-4 Stabilize, Hour 4-24 Contain, Hour 24-48 Recover. The first 48 hours flow from stabilization through containment to recovery planning.]

How this guide fits the incident response cluster

This executive guide is the leadership-focused companion to your operational incident response documents. It explains what decisions leadership will face, when to escalate, and how to coordinate without making the situation worse.

  • Incident response plan template provides the operational roles, escalation paths, and containment authority that this guide references. The plan is the "who does what"; this guide is the "what decisions will leadership face."
  • Tabletop exercises are how leadership practices the decisions described in this guide. A tabletop gives executives a safe environment to experience the coordination pressure they'll face during a real incident.
  • Ransomware preparedness covers the specific controls and recovery capabilities that reduce impact when ransomware is the scenario. This guide provides the decision framework; ransomware preparedness provides the technical readiness.
  • SIEM and SOC provide the detection and containment capabilities that this guide assumes are in place. Without detection, leadership won't know an incident is happening until someone reports it.

Hour 0-4: Stabilize communications and assign authority

The first hours set the tone for the entire response. The priority is coordination: getting the right people connected, making sure someone is in charge, and ensuring containment actions are authorized. Technical perfection is less important than organized action.

  • Name an incident commander: one person drives updates and records decisions. This doesn't have to be the most technical person; it has to be someone who can coordinate and communicate under pressure.
  • Pick a primary and backup comms channel: assume email may be compromised. If the attack started with a compromised email account, you can't use email to coordinate the response to it.
  • Authorize containment: define what IT can do immediately vs what requires leadership approval. The faster containment happens, the less damage the attacker can do. Pre-approved containment authority is one of the most valuable things an IR plan provides.
  • Start a timeline: capture who did what and when (it becomes evidence). This timeline is critical for insurance claims, legal review, and post-incident analysis.

Related: incident response plan template.

Hour 4-24: Contain deliberately and preserve evidence

Speed matters, but chaos makes containment harder. Coordinate identity actions, isolation decisions, and evidence handling. The goal is to stop the bleeding without destroying the forensic trail that investigators need to understand what happened.

  • Identity first: revoke sessions, reset credentials, and protect admin access paths. Most modern attacks involve compromised credentials. Containing the identity layer stops the attacker's ability to move through your environment.
  • Log and preserve: confirm what logging exists and keep it safe from deletion or tampering. Your SIEM logs are the forensic evidence that will support investigation, insurance claims, and legal proceedings.
  • Decide on shutdowns: if systems are actively being encrypted or data is actively being exfiltrated, partial isolation may be required. This is a leadership decision that weighs business impact against containment benefit.
  • Engage counsel and insurance early: align actions with your policy and obligations. Many insurance policies have specific notification and coordination requirements. Engaging them early preserves your coverage options.
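The "start a timeline" step in Hour 0-4 and the "log and preserve" step above both rest on the same requirement: the record of who decided and did what must be provably unaltered when it reaches counsel, the insurer or investigators. The following is an added example, not code from N2CON or from this guide, of a minimal hash-chained decision log: each entry carries the SHA-256 of the previous entry, so any later edit, deletion or reordering is detectable by recomputing the chain. The actors, timestamps and entries in `build_sample_log` are constructed for illustration and modelled on the steps in this guide.

```python
"""Hash-chained incident timeline / decision log (added example, not N2CON code).

Each entry links to the previous one via SHA-256, so editing, deleting or
reordering an earlier entry breaks the chain and is caught by verify_chain().
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash, ts, actor, action, detail):
    """SHA-256 over a canonical encoding of the entry fields plus the previous hash."""
    payload = json.dumps([prev_hash, ts, actor, action, detail],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentLog:
    """Append-only decision/timeline log; each entry links to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, detail, ts=None):
        # UTC timestamp unless one is supplied (fixed timestamps keep the sample deterministic)
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries) + 1,
            "ts": ts,
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev_hash": prev,
            "hash": entry_hash(prev, ts, actor, action, detail),
        }
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Latest hash; sharing it out of band (e.g. with counsel) creates a checkpoint."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify_chain(entries):
    """Recompute every hash and link.

    Returns (True, None) if the chain is intact, otherwise (False, seq) where
    seq is the position of the first entry that fails.
    """
    prev = GENESIS_HASH
    for i, e in enumerate(entries, start=1):
        if e.get("seq") != i or e.get("prev_hash") != prev:
            return False, i  # gap, reorder or broken link
        if entry_hash(prev, e["ts"], e["actor"], e["action"], e["detail"]) != e["hash"]:
            return False, i  # field edited after the fact
        prev = e["hash"]
    return True, None


def build_sample_log():
    """Constructed sample entries following the guide's Hour 0-4 and 4-24 steps."""
    log = IncidentLog()
    log.record("J. Doe (incident commander)", "assign",
               "Named incident commander; backup comms moved to out-of-band channel",
               ts="2026-03-10T08:05:00+00:00")
    log.record("J. Doe (incident commander)", "authorize",
               "IT authorized to revoke sessions and reset admin credentials",
               ts="2026-03-10T08:20:00+00:00")
    log.record("IT lead", "contain",
               "Revoked all active sessions for 3 admin accounts; MFA re-enrolled",
               ts="2026-03-10T09:10:00+00:00")
    log.record("J. Doe (incident commander)", "notify",
               "Legal counsel and cyber insurer notified per policy requirements",
               ts="2026-03-10T10:30:00+00:00")
    return log.entries


def tampered_copy(entries):
    """Simulate someone rewording a past authorization after the fact."""
    altered = copy.deepcopy(entries)
    altered[1]["detail"] = "IT authorized to wipe affected hosts"
    return altered


def deleted_copy(entries):
    """Simulate quietly removing the second entry from the record."""
    return copy.deepcopy(entries[:1] + entries[2:])


if __name__ == "__main__":
    log_entries = build_sample_log()
    print("original:", verify_chain(log_entries))          # (True, None)
    print("edited:  ", verify_chain(tampered_copy(log_entries)))  # (False, 2)
    print("deleted: ", verify_chain(deleted_copy(log_entries)))   # (False, 2)
```

The chain only proves that the file was not altered after the point at which its head hash was recorded somewhere the editor cannot reach; the `head()` value should therefore be sent periodically to counsel, the insurer or a separate ticketing system, or the file should be signed, so that a wholesale rewrite by whoever holds the file is also detectable.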

Related resources: Multi-Factor Authentication (MFA), SIEM, and cyber insurance readiness.

Hour 24-48: Recovery plan, communications, and next decisions

By hour 24, the immediate crisis should be contained. The focus shifts to recovery planning, stakeholder communications, and capturing lessons learned while the experience is fresh.

  • Recovery path: decide whether you are restoring from backups, rebuilding systems, or operating in a degraded mode. This decision depends on the scope of the compromise and the reliability of your backup recovery process.
  • Communications cadence: schedule internal updates and prepare external statements if needed. Controlled, consistent communication prevents misinformation and maintains trust with customers, partners, and regulators.
  • Scope triage: what systems, users, and data types are involved? Understanding the full scope takes time, but leadership needs a working picture to make informed decisions about recovery priorities and external notifications.
  • After Action Report (AAR): start capturing gaps and owners for fixes. The AAR is the output that converts a bad experience into an improvement plan. Without it, you'll make the same mistakes next time.

Related: backup testing and tabletop exercises.

Copy/paste executive checklist

# Executive Cyber Incident Checklist (First 48 Hours)

## First 0-4 hours
- [ ] Assign incident commander and decision approver
- [ ] Choose primary + backup communications channel
- [ ] Confirm containment authority (what IT can do immediately)
- [ ] Start a timeline and decision log
- [ ] Identify key contacts: insurance, legal counsel, critical vendors

## 4-24 hours
- [ ] Confirm identity containment steps (sessions revoked, admins protected)
- [ ] Confirm logging and evidence preservation (no wiping without a plan)
- [ ] Decide on isolation/shutdown actions based on active attacker activity
- [ ] Establish internal update cadence and ownership

## 24-48 hours
- [ ] Choose recovery approach (restore, rebuild, degraded operations)
- [ ] Confirm backup restore feasibility and priorities
- [ ] Determine external communications plan (customers, regulators, partners)
- [ ] Capture gaps and owners for an improvement plan

Related scenarios: ransomware and business email compromise.

Common Questions

What should leadership do first during an incident?

Stabilize communications, assign an incident commander, and make sure containment actions are authorized and executable. The first hours are about coordination, not perfect technical answers.

Should we shut systems down immediately?

Sometimes. It depends on the type of incident and business impact. Your team should have clear containment authority and a decision path for actions that materially impact operations.

When should we contact cyber insurance and legal counsel?

Early. Many policies have requirements about notifications, forensics, and coordination. Your incident response plan should define who makes those calls and how.

How do we avoid making the situation worse?

Avoid improvising access changes or wiping systems without a plan. Preserve evidence, document decisions, and use a coordinated process so actions support investigation and recovery.

How does N2CON help with incident preparedness?

We help build an IR plan and playbooks that match your tools and business constraints, validate prerequisites (identity, logging, and recovery), and run tabletop exercises that convert gaps into a tracked improvement plan.

Need an IR plan, playbooks, and an executive decision path that works after-hours?

We can help build a practical incident response program, validate access and logging, and run a tabletop exercise that produces an improvement plan.

Contact N2CON