Tags: incident response, leadership, identity, for executives

Containment under fire: leading an identity breach in the first hour

When identity itself is compromised, the first hour is about command, scope, and containment, not restoration. Here is how leadership should run it.

When the compromised layer is identity itself, the incident is different in kind from a single breached server. Containment can mean isolating domain controllers or pausing hybrid sync, with real business impact, while the attacker is still active. That is a leadership moment, not just a technical one.

The first hour is not about restoration

The pull will be to fix and restore. Resist it long enough to do three things: stand up a command structure and an incident bridge; get a preliminary, fact-checked scope before any external communication; and authorize containment with a clear owner, the resources to execute it, and a rollback plan. Restoration comes after you understand what you are restoring.

The decision that is yours

The call is containment that hurts the business versus dwell time that expands the damage. Every hour an identity attacker stays active widens the blast radius, so the cost of delay usually exceeds the cost of containment. But it is a risk decision with business consequences, which is why an executive needs to own it rather than leaving the incident-response lead to act alone without authority.

What not to do

Do not brief the board on guesses, because early numbers are usually wrong and inaccuracies are remembered. Do not delegate the whole call to the technical lead without giving them authority and resources. And do not freeze the response while you over-analyze, because the attacker is using that time.

Keep the record

The board will later ask two questions: when did you know, and what did you do. A timestamped log of your containment decisions and the tradeoffs you weighed is both better governance and your defensible record.
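What the "pause hybrid sync with a rollback plan" containment step mentioned earlier and the timestamped decision log described here look like at the keyboard, as an added example that is not part of this field note or of GraphLattice Range. It assumes it runs on the Microsoft Entra Connect server with the ADSync module present (Get-ADSyncScheduler, Set-ADSyncScheduler and Get-ADSyncConnectorRunStatus are that module's cmdlets); the log path, the function names and the JSON-lines log shape are the example's own choices.

```powershell
# Added example: pause Entra Connect hybrid sync as a containment action, log the
# decision with a UTC timestamp, and keep the rollback one call away.
# Assumptions: ADSync module available on this host; $DecisionLog path chosen by the
# incident commander; function names are this example's own, not a vendor API.

$DecisionLog = 'C:\IR\containment-decisions.jsonl'   # assumed path

function Write-DecisionLog {
    param(
        [Parameter(Mandatory)] [string] $Action,
        [Parameter(Mandatory)] [string] $Owner,      # executive who authorized it
        [Parameter(Mandatory)] [string] $Tradeoff,   # what was weighed
        [Parameter(Mandatory)] [string] $Rollback    # how to undo it
    )
    # One JSON object per line so "when did you know, what did you do" is answered
    # from the file, not from memory.
    $entry = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        host      = $env:COMPUTERNAME
        operator  = "$env:USERDOMAIN\$env:USERNAME"
        action    = $Action
        owner     = $Owner
        tradeoff  = $Tradeoff
        rollback  = $Rollback
    }
    Add-Content -Path $DecisionLog -Value ($entry | ConvertTo-Json -Compress)
}

function Suspend-HybridSync {
    param([Parameter(Mandatory)] [string] $AuthorizedBy)

    Import-Module ADSync -ErrorAction Stop

    # Stop scheduled sync cycles so object and attribute changes stop flowing to the tenant.
    Set-ADSyncScheduler -SyncCycleEnabled $false

    # A cycle already in progress finishes on its own; wait so the end state is known.
    while (Get-ADSyncConnectorRunStatus) {
        Start-Sleep -Seconds 10
    }

    $state = Get-ADSyncScheduler
    if ($state.SyncCycleEnabled) { throw 'Scheduler still enabled; containment did not take effect.' }

    Write-DecisionLog -Action 'Paused hybrid directory sync (Entra Connect scheduler disabled)' `
        -Owner $AuthorizedBy `
        -Tradeoff 'Stops attacker-driven directory changes reaching the cloud; also stops legitimate joiner/mover/leaver changes syncing' `
        -Rollback 'Resume-HybridSync (Set-ADSyncScheduler -SyncCycleEnabled $true)'

    # Caveats to state on the bridge: password hash sync runs on its own channel and is not
    # governed by this scheduler switch, and pausing sync does not revoke cloud sessions or
    # tokens the attacker already holds. Both are separate containment actions.
    return $state
}

function Resume-HybridSync {
    param([Parameter(Mandatory)] [string] $AuthorizedBy)
    Import-Module ADSync -ErrorAction Stop
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Write-DecisionLog -Action 'Resumed hybrid directory sync' -Owner $AuthorizedBy `
        -Tradeoff 'Scope confirmed and directory cleaned; restoring normal identity flow' `
        -Rollback 'Suspend-HybridSync'
    return (Get-ADSyncScheduler)
}

# Usage from the incident bridge, with the authorizing executive named:
# Suspend-HybridSync -AuthorizedBy 'CISO'
# ... later, once scope is confirmed and the directory is cleaned ...
# Resume-HybridSync -AuthorizedBy 'CISO'
```

The point of putting the owner, the tradeoff and the rollback into the same log entry as the action is that the record answers the board's two questions without reconstruction, and the rollback field makes "authorize containment with a rollback plan" a concrete artifact rather than an intention.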

Practice it

We built this as an identity-breach pressure test in GraphLattice Range, so leaders rehearse the command-and-containment decisions before a real incident forces them.