
Many incident response failures are not due to a lack of tools, intelligence, or technical skills. They result from what happens immediately after detection, when pressure is high and information is incomplete.
I’ve seen IR teams recover from advanced intrusions with limited telemetry. I’ve also seen teams lose control of investigations they could have handled. The differences usually appear early: not hours later when a timeline is constructed or a report written, but in the first moments after responders realize something is wrong.
Those early moments are often referred to as the first 90 seconds. Taken too literally, though, that framing misses the point. This is not about reacting or acting faster than the attacker. It is about establishing a direction before your assumptions harden and your options run out.
Responders quickly make quiet decisions about what to look at first, what to preserve, and whether to treat the problem as a single-system issue or the beginning of a larger pattern. Once those initial decisions are made, they shape everything that follows. To understand why these choices matter (and how to make them well), we need to reconsider what the “first 90 seconds” of an actual investigation represent.
The first 90 seconds are a pattern, not a moment.
One of the most common mistakes I see is treating the opening stages of an investigation as a single dramatic event. An alert is raised, a clock is started, and responders either manage it or they don’t. That’s not how events actually unfold.
The “first 90 seconds” occur every time the scope of the intrusion changes.
You are notified about a system that may be involved in the intrusion. You access it. You decide what matters, what to preserve, and what this system reveals about the rest of the environment. Identifying a second system, and then a third, opens the same decision window again. Each one resets the clock.
This is where teams often get overwhelmed. They look at the scale of their environment and assume they are facing hundreds or thousands of machines at once. In reality, they are facing a much smaller number of systems at any one time. The scope expands in stages: one machine leads to another, which leads to another, and a pattern begins to emerge.
Strong responders don’t reinvent their approach every time a new problem appears. They apply the same early discipline every time they touch a new system: What was executed here? When was it executed? What happened around it? Who or what interacted with it? That consistency lets you expand scope without losing control.
This is also why early decisions matter so much. When responders treat affected systems as isolated issues and rush to “fix” them, they end up closing tickets instead of investigating the intrusion. If the right artifacts are not preserved early, the rest of the investigation is spent speculating. As the scope expands, these mistakes compound.
What hampers the investigation?
When initial investigations go awry, it’s tempting to blame training, hesitation, or poor communication. Those problems do appear, but they are usually symptoms rather than the root cause. A more consistent failure is that teams do not fully understand their environment when an incident begins.
Responders are forced to answer basic questions under pressure. Where does data exit the network? What logs exist on critical systems? How far back do they go? Have they been retained or overwritten? These questions should already have answers. Otherwise, responders learn critical facts about the environment only when it is too late.
This is why logging that only starts after detection is so damaging. Forward visibility without backward context limits what you can prove. You can reconstruct parts of the attack, but the overall conclusion becomes weaker. Gaps turn into assumptions, and assumptions turn into mistakes.
Another common mistake is poor evidence prioritization. In the early stages, teams jump between artifacts without a clear anchor because everything feels important. That creates activity without progress. In most investigations, the fastest path to the truth is to focus on evidence of execution. Nothing meaningful happens on a system where nothing runs. Malware executes. PowerShell runs. Native tools are abused. Even living-off-the-land activity leaves traces. Understanding what ran and when it ran helps you understand intent, access, and movement.
From there, context matters: which systems were accessed during that time, who connected to them, and where their activity went next. Those answers don’t exist in isolation. They form a chain, and the chain points outward into the environment.
The final mistake is stopping early. In the interest of time, teams often reimage the system, restore service, and move on. But if the investigation is incomplete, residual access can go unnoticed: a secondary implant, alternate credentials, quiet persistence. Subtle signs of compromise may not resurface immediately, creating the illusion of success. When the incident does resurface, it feels new, even though it isn’t. It’s the same one that was never fully remediated.
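The discipline described above (anchor on execution evidence, ask the same four questions of every host, pivot on who connected where, and treat missing log history as a gap rather than an answer) can be expressed as a small scope-expansion routine. The following is an added example, not code from the article or from SANS FOR508; the hosts, users, timestamps, and the retention table are constructed sample telemetry, and the 15-minute/60-minute window is an assumed triage window.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ExecEvent:
    """One piece of execution evidence (e.g. a process-creation record)."""
    host: str
    ts: datetime
    user: str
    image: str


@dataclass(frozen=True)
class LogonEvent:
    """One remote logon: who connected from where to where, and when."""
    ts: datetime
    user: str
    src_host: str
    dst_host: str


def T(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry: hosts, users and times are hypothetical.
EXECS = [
    ExecEvent("WS01", T("2026-01-15T09:02:00"), "jdoe", "outlook.exe"),
    ExecEvent("WS01", T("2026-01-15T09:03:10"), "jdoe", "powershell.exe"),
    ExecEvent("WS01", T("2026-01-15T09:03:40"), "jdoe", "certutil.exe"),
    ExecEvent("FS02", T("2026-01-15T09:12:30"), "jdoe", "net.exe"),
    ExecEvent("DC01", T("2026-01-15T09:20:00"), "svc_backup", "ntdsutil.exe"),
    ExecEvent("WS07", T("2026-01-15T14:00:00"), "asmith", "winword.exe"),  # unrelated
]
LOGONS = [
    LogonEvent(T("2026-01-15T09:10:30"), "jdoe", "WS01", "FS02"),
    LogonEvent(T("2026-01-15T09:19:20"), "svc_backup", "FS02", "DC01"),
    LogonEvent(T("2026-01-15T13:55:00"), "asmith", "WS07", "FS02"),  # outside window
]
# Oldest record still retained per host. FS02 only started logging after the
# attacker arrived, so its backward context is missing (a gap, not evidence).
RETENTION_START = {
    "WS01": T("2026-01-01T00:00:00"),
    "FS02": T("2026-01-15T09:12:00"),
    "DC01": T("2026-01-01T00:00:00"),
}

WINDOW_BEFORE = timedelta(minutes=15)   # assumed triage window
WINDOW_AFTER = timedelta(minutes=60)


def examine_host(host, anchor_ts):
    """Ask the same four questions of one host around an anchor time:
    what ran, when, what happened around it, who or what interacted with it."""
    start, end = anchor_ts - WINDOW_BEFORE, anchor_ts + WINDOW_AFTER
    executed = sorted((e.ts, e.user, e.image) for e in EXECS
                      if e.host == host and start <= e.ts <= end)
    interactions = sorted((l.ts, l.user, l.src_host, l.dst_host) for l in LOGONS
                          if host in (l.src_host, l.dst_host) and start <= l.ts <= end)
    earliest = RETENTION_START.get(host)
    gap = earliest is None or earliest > start   # logs do not cover the window
    return {"host": host, "anchor": anchor_ts, "window": (start, end),
            "executed": executed, "interactions": interactions,
            "retention_gap": gap}


def expand_scope(first_host, alert_ts):
    """Breadth-first scope expansion: every host that a logon chain reaches
    gets the same examination, anchored at the time it entered the chain."""
    queue = deque([(first_host, alert_ts)])
    seen = {first_host}
    findings = []
    while queue:
        host, anchor = queue.popleft()
        f = examine_host(host, anchor)
        findings.append(f)
        for ts, _user, src, dst in f["interactions"]:
            nxt = dst if src == host else src    # follow the chain outward
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, ts))          # the clock resets here
    return findings


def scope_order(findings):
    return [f["host"] for f in findings]


def retention_gaps(findings):
    """Hosts whose retained logs do not reach back to the start of their window."""
    return [f["host"] for f in findings if f["retention_gap"]]


if __name__ == "__main__":
    for f in expand_scope("WS01", T("2026-01-15T09:03:10")):
        print(f["host"], "anchor", f["anchor"].time(),
              "RETENTION GAP" if f["retention_gap"] else "")
        for ts, user, image in f["executed"]:
            print("   ran  ", ts.time(), user, image)
        for ts, user, src, dst in f["interactions"]:
            print("   logon", ts.time(), user, src, "->", dst)
```

Running it from the alert on WS01 scopes WS01, then FS02, then DC01, and leaves WS07 out because its logon to FS02 falls outside the window. FS02 is reported as a retention gap: anything that happened there before 09:12 is an assumption, not a finding, which is exactly the weakness the article attributes to logging that starts after detection.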
Teams that handle the opening moments well make difficult investigations more manageable. Effective incident response is discipline under uncertainty, applied the same way each time something new comes into scope. Still, give yourself grace. No one is good at this from the start. Every responder you trust today learned by making mistakes and by not repeating them the next time.
The goal is not to avoid incidents entirely. That’s unrealistic. The goal is to avoid repeating mistakes under stress, and that only happens if your team prepares before an incident forces the issue. A team that understands its environment can recognize patterns, preserve evidence, and expand scope deliberately while the risk is still low.
When an investigation is conducted with that level of discipline, the first 90 seconds feel familiar rather than frantic. The same questions are asked and the same priorities guide the work. That consistency lets your team move quickly later with confidence rather than guesswork.
For responders who face these challenges in their own investigations, this is exactly the mindset and methodology taught in SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics. I will be teaching FOR508 at SANS DC Metro from March 2nd to 7th, 2026, for teams practicing in this field who want to put these insights into action.
Note: This article was professionally written and contributed by Eric Zimmerman, Principal Instructor at the SANS Institute.
