Incident Response: A Human's Guide

Start a Slack thread.

Title it "#incident-2026-04-01." Post "hey team, looks like something might be happening — can someone take a look?" This message will receive three 👀 reactions and no replies for 22 minutes.

Send a calendar invite for a bridge call.

Title it "Quick sync — incident." Set it for 15 minutes. It will run 90. The first person to join will say "can everyone hear me?" four times. The answer, the fourth time, will be yes.

Begin the bridge call.

The first 20 minutes will be spent establishing who is on the call, what the call is about, and whether the right people are on the call. They are not. The right person is on PTO. They will be Slacked anyway.

Someone will share their screen.

It will be the wrong screen — their email. They will close it, share the right screen, and then the right screen will show a spreadsheet that is too small to read. They will zoom in on the wrong column.

Manually block the offending IP.

"Just to feel useful," someone will say, "I'm going to block that IP." They will block the IP. The attacker stopped using that IP 40 minutes ago. Exabot Respond would have blocked it — and the 14 subsequent IPs — automatically, before the bridge call started.

Draft the containment steps in the call.

By committee. Every step will be debated. "Should we isolate the host?" "Let's not do anything drastic." The host should absolutely be isolated — it is still on the network, and the attacker is aware of this.

Send the all-clear.

At hour three. Write "we believe the incident has been contained — more details to follow in the post-mortem." The post-mortem will be scheduled for two weeks from now. It will be rescheduled twice.