The initial signs of a security incident are rarely black and white. The first questions CISOs must ask are “Is this a real incident?” and “How should I respond?” This discussion addresses the first and most critical hours of a potential incident response. While removing the attacker is obviously the end goal, security teams must first understand the nature and scope of the incident to identify the most effective action while balancing the risk and disruption the response can cause.