Decrypting Incident Response: 90-Minute Containment Framework

The Escalation That Changed My Playbook During a midnight call for a ransomware outbreak, our containment succeeded not because of exotic tooling but because of a disciplined timeline. The first 90 minutes determined everything: what we preserved, what we isolated, and how we briefed executives.

Minute 0–30: Stabilize and Verify The on-call responder validated the alert, collected volatile evidence, and escalated to the incident commander. We leveraged EDR snapshots, pulled firewall session tables, and confirmed the encryption process was still running. The mantra was simple—preserve first, isolate second.

Minute 30–60: Isolate With Surgical Precision We segmented affected subnets via SDN, revoked high-privilege credentials, and disabled outbound traffic to known command-and-control domains. Every change was logged in a shared response doc so the forensics crew could retrace steps later. Communication leads kept stakeholders informed with plain-language updates.

Minute 60–90: Prepare for Eradication Once lateral movement stopped, we kicked off memory captures and snapshot exports. We engaged legal early to document notification requirements. By the 90-minute mark, we had an actionable picture of patient zero, privileged misuse, and encrypted assets. That clarity allowed eradication to proceed without guesswork.

Lessons You Can Apply Today - Drill your containment timeline quarterly - Assign explicit owners for evidence, communications, and remediation - Maintain pre-approved isolation scripts to avoid improvisation - Capture executive-friendly status snippets for rapid briefings

Final Reflection Containment is a race you win before the incident begins. Codify your 90-minute plan now and practice it until it feels routine.