The initial signs of a security incident are rarely black and white. The first questions CISOs must ask are “Is this a real incident?” and “How should I respond?” Stephen Gilmer and Mike Buratowski lead this discussion on the first and most critical hours of a potential incident response. While removing the attacker is obviously the end goal, security teams must first understand the nature and scope of the incident to identify the course of action that will be most effective while balancing the risk to the organization and the disruption that the response can cause.