The First 24 Hours.
Unfiltered.
What should happen vs. what actually happens when a security incident hits. This isn't a playbook—it's a reality check. Based on 35 years of being in the room when everything goes wrong.
Every organization thinks they're prepared until the incident happens. Then reality sets in: the playbook you wrote two years ago doesn't match your current infrastructure. The vendor contact you have is for sales, not emergencies. And nobody knows who's supposed to tell the CEO.
We've been in hundreds of these rooms. The pattern is always the same: communication fails first. Technical recovery is hard, but it's predictable. Human coordination under pressure? That's where organizations fall apart.
Below is an honest timeline of the first 24 hours. For each phase: what should happen, what actually happens, and the communication breakdown that causes it.
The Reality Check
The First 24 Hours
Detection & Triage
What Should Happen
Alert triggers, on-call confirms it's real, escalation path activates within 15 minutes.
What Actually Happens
Alert gets buried in noise. Junior tech isn't sure if it's a false positive. Waits to 'gather more info' before bothering anyone.
The Breakdown
"No clear answer to: 'Who decides if this is serious enough to wake someone up?'"
Prevention
Define escalation thresholds in writing. If X happens, call Y. No judgment calls at 2am.
Initial Containment
What Should Happen
Affected systems isolated. Scope assessed. Incident commander designated.
What Actually Happens
Debate over whether to 'pull the plug' or 'wait and see.' Technical team wants to investigate; leadership wants it fixed. No one's in charge.
The Breakdown
"Technical staff and leadership speak different languages. 'Lateral movement' means nothing to your CFO."
Prevention
Pre-designate an incident commander. One person makes containment calls. Everyone else advises.
Internal Notification
What Should Happen
Executive team briefed. Legal notified. HR and PR looped in. Clear communication cadence established.
What Actually Happens
CEO finds out from an employee's spouse who 'heard something.' Legal asks why they weren't called first. Everyone's getting different information.
The Breakdown
"No pre-built notification tree. People improvise, and improvisation creates chaos."
Prevention
Build your notification matrix NOW. Who gets told, in what order, by whom. Practice it.
Vendor & External Engagement
What Should Happen
Insurance carrier notified. Forensics firm engaged. Emergency vendor contacts activated.
What Actually Happens
You're on hold with your insurance's general line. Your 'vendor contact' left the company. The forensics firm you Googled has a 48-hour intake process.
The Breakdown
"Emergency contacts aren't actually emergency contacts. They're business-hours contacts."
Prevention
Verify emergency response contacts quarterly. Know the actual after-hours process, not the marketing promise.
Investigation & Staff Communication
What Should Happen
Forensics underway. Staff informed with consistent messaging. Questions routed to designated spokesperson.
What Actually Happens
Rumors spread faster than facts. Someone posts on LinkedIn. Three different managers give three different explanations. Staff panics.
The Breakdown
"Internal messaging is treated as an afterthought. Your employees become a liability instead of an asset."
Prevention
Draft template employee communications NOW. Have a single source of truth. Update it every 2 hours minimum.
Recovery & External Communication
What Should Happen
Recovery plan activated. Customer notification strategy executed. Regulatory reporting initiated if required.
What Actually Happens
Legal and PR disagree on what to say. Customer service has no script. You miss a regulatory reporting deadline because no one knew it existed.
The Breakdown
"Cross-departmental alignment was never established. Everyone's protecting their piece, not the whole."
Prevention
Tabletop this scenario. Get legal, PR, IT, and leadership in a room BEFORE the crisis. Align on authority and messaging.
This doesn't have to be your story.
We've lived through hundreds of incidents. We can help you build the communication frameworks that prevent chaos before it starts.
Why communication always fails first.
Plans are written in calm
Incident response plans are written in conference rooms, not war rooms. They assume rational actors with clear heads. Reality is chaos, adrenaline, and 3am phone calls.
💡 Insight: Most plans haven't been tested against real scenarios in 2+ years
Based on incident response data from 200+ organizations over 10 years.
We don't just write plans. We test them.
Tabletop exercises with your actual team. Real scenarios based on threats in your industry. The uncomfortable conversations about who calls the shots and what gets said publicly.
We've sat in enough war rooms to know: the organizations that recover fastest aren't the ones with the fanciest tools. They're the ones who practiced the hard conversations before they mattered.
What we build with you:
- Notification matrices — Who gets called, in what order, by whom
- Escalation thresholds — Clear triggers that eliminate guesswork
- Communication templates — Pre-drafted for staff, customers, and media
- Vendor emergency contacts — Verified quarterly, not annually
- Tabletop exercises — Practice the chaos before it's real
How ready is your organization?
7 questions. 2 minutes. Honest answers only. Your results aren't stored or shared—this is for you.
Does your organization have a written incident escalation policy?
Is there a designated incident commander who makes containment decisions?
Do you have a notification matrix showing who gets contacted, in what order?
Are your emergency vendor contacts (forensics, legal, insurance) current?
Do you have pre-drafted communication templates (staff, customers, media)?
When did you last run a tabletop exercise or incident simulation?
Have IT, Legal, HR, and Leadership aligned on incident response roles?