The NIST framework is good for understanding the theory. But real incidents are messy. Let’s walk through what actually happens when your organization gets hit.
It’s 6 AM. The SOC analyst sees a spike in process termination events. Then they see it: files with a .locked extension appearing on shared drives. Ransomware.
Hour 0-1: Detection and Initial Response. Confirm it’s real, escalate to incident commander, assemble IR team.
Hour 1-2: Scope Determination. Check SIEM for when the attack started.
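To make the two steps above concrete, here is an added Python example (not part of the course material) that does the Hour 0-1 confirmation and the Hour 1-2 scoping over file-event logs. The log format, host names, share paths, field names, and the detection threshold and window are all constructed for this illustration; a real SIEM query would use that product's own schema.

```python
"""Added example: confirm a ransomware encryption spike and scope it from file-event logs.
Log line format (constructed for this example): <ISO timestamp> <host> <action> <UNC path>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. ws-017 mass-creates '.locked' files on the finance
# share, ws-042 touches a single file on the hr share, ws-003 is benign.
SAMPLE_LOG = r"""
2024-05-01T05:30:11Z ws-003 CREATE \\fs01\eng\notes.txt
2024-05-01T05:38:40Z ws-017 CREATE \\fs01\finance\q1\budget.xlsx.locked
2024-05-01T05:38:41Z ws-017 DELETE \\fs01\finance\q1\budget.xlsx
2024-05-01T05:39:02Z ws-017 CREATE \\fs01\finance\q1\forecast.xlsx.locked
2024-05-01T05:39:30Z ws-017 CREATE \\fs01\finance\q1\payroll.csv.locked
2024-05-01T05:40:05Z ws-017 CREATE \\fs01\finance\q2\plan.docx.locked
2024-05-01T05:40:06Z ws-017 CREATE \\fs01\finance\q2\README.txt.locked
2024-05-01T05:47:15Z ws-042 CREATE \\fs01\hr\handbook.pdf.locked
2024-05-01T05:52:00Z ws-003 CREATE \\fs01\eng\design.locked.bak
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
SUSPICIOUS_EXT = ".locked"     # extension seen in the scenario above
THRESHOLD = 5                  # assumed: distinct '.locked' creates per host ...
WINDOW = timedelta(minutes=5)  # ... within this window count as an encryption spike


def parse_events(text):
    """Parse log lines into dicts with ts/host/action/path; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, action, path = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "action": action,
            "path": path,
        })
    return events


def is_encrypted_create(event):
    return event["action"] == "CREATE" and event["path"].lower().endswith(SUSPICIOUS_EXT)


def share_of(path):
    """Reduce a UNC path \\\\server\\share\\dir\\file to \\\\server\\share."""
    parts = path.strip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2]) if len(parts) >= 2 else path


def detect_encryption_spike(events, threshold=THRESHOLD, window=WINDOW):
    """Hour 0-1: return {host: start_of_spike} for hosts creating >= threshold
    '.locked' files inside a sliding time window (one host doing this is the alert)."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if is_encrypted_create(e):
            per_host[e["host"]].append(e["ts"])
    alerts = {}
    for host, times in per_host.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = times[start]  # earliest event of the offending window
                break
    return alerts


def scope_incident(events):
    """Hour 1-2: earliest encrypted-file creation (attack start), affected hosts,
    affected shares, and the number of distinct files hit."""
    hits = [e for e in events if is_encrypted_create(e)]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    return {
        "first_seen": first["ts"],
        "patient_zero_candidate": first["host"],
        "hosts": sorted({e["host"] for e in hits}),
        "shares": sorted({share_of(e["path"]) for e in hits}),
        "files_affected": len({e["path"] for e in hits}),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("alerts:", detect_encryption_spike(evs))
    print("scope:", scope_incident(evs))
```

Note the two questions the functions answer separately: `detect_encryption_spike` needs a burst from one host to fire (ws-042's single file does not), while `scope_incident` counts every encrypted file regardless of rate, so the lone hr-share hit still shows up in the affected hosts and shares. The earliest timestamp it returns is the pivot for the SIEM search in Hour 1-2: everything from that host before that time is where the initial access evidence lives. The threshold and window are tuning assumptions, not course-provided values.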
Part of the free Intro to Cyber course by Cover6 Solutions.