
What the First 48 Hours of Incident Response Actually Look Like

Infonaligy

A real ransomware response from first phone call to full recovery, and the personal device blind spot that let attackers in.


The call came on a Tuesday morning. A professional services firm with roughly 80 employees couldn’t access their files. Shared drives were encrypted, desktops showed ransom demands, and the office was at a standstill. We’ve handled incidents like this before. Every one plays out differently, and every one is messier than the playbook suggests. This is what the first 48 hours actually looked like.

Hour Zero: The Call

The first conversation isn’t about technology. We need answers to three questions fast: what can you still access, what can’t you access, and has anything changed in the last 24 hours?

The firm’s office manager told us the file server was encrypted and several workstations were locked with ransom notes. Email was still working. That detail mattered because it meant the attackers hadn’t reached the Microsoft 365 environment yet.

We assembled our response team and got on the phone with the firm’s managing partner. The first mistake most businesses make during an incident is trying to fix things before understanding the scope. Rebooting machines, pulling cables at random, running antivirus scans on encrypted systems. None of it helps, and some of it destroys forensic evidence we need later. Our first instruction: don’t touch anything we haven’t cleared.

Hours 1-4: Containment

Containment means stopping the spread without destroying evidence. We isolated the affected network segments, disabled compromised accounts, and shut down VPN access to prevent the attackers from maintaining their foothold.

This is where the investigation started to tell a story. The attackers hadn’t come through a phishing email or a vulnerability in the firewall. They had entered through personal devices.

Several employees at the firm used their own laptops and home computers to connect to the company VPN for remote work. Those personal devices had full access to internal resources through RDP and shared file systems. The firm had invested in endpoint protection for every company-owned machine, but the personal devices connecting through VPN had no managed security software and no patching requirements. Nobody was monitoring what those machines were doing on the network. From the attacker’s perspective, those unprotected personal devices were an open door into an otherwise defended network.

We see this pattern repeatedly in SMB environments. A company spends real money on firewalls, endpoint detection, and managed security, then allows unmanaged personal laptops to tunnel straight past all of it through VPN. The security investment protects the perimeter while the VPN creates a bypass that nobody audits.

Hours 4-12: Tracing the Attack

Once containment was in place, the forensic work began. We deployed SentinelOne across every reachable endpoint and used its AI-powered threat hunting capabilities to reconstruct the attack timeline.

The picture that emerged was straightforward but effective. An employee’s personal laptop had been compromised through a separate, unrelated infection, likely from browsing or a downloaded application outside of work. The attackers found VPN credentials stored on that machine, connected to the firm’s network, and moved laterally through RDP sessions until they reached the file server. From there, they deployed ransomware across every accessible system.

SentinelOne’s forensic data gave us the full chain: initial access point, lateral movement path, credential usage, and the exact timestamp when encryption began. We also used AI-driven log analysis to correlate events across multiple systems and confirm that the attackers hadn’t established persistence beyond the original entry vector. That confirmation was critical because it meant we could proceed with recovery without worrying about a second wave.

The forensic detail mattered for another reason. The firm needed a complete incident timeline with evidence for their cyber insurance claim and for meeting notification requirements under Texas law. Telling your insurer “we got hit with ransomware” is very different from presenting a documented attack chain with timestamps and indicators of compromise.

Hours 12-24: Recovery

This is where our backup strategy earned its keep. The firm had both local backups and immutable cloud backups in place, configured and tested as part of their disaster recovery plan. Immutable backups are stored in a way that prevents anyone, including administrators and ransomware, from modifying or deleting them for a defined retention period.

We began restoring systems from the immutable cloud backups immediately after confirming containment. The file server came back first because it was the operational bottleneck. Workstations were reimaged and restored from clean backups in parallel. Email and cloud services continued running normally throughout since the attackers never reached them.

By hour 20, the firm’s managing partner could access critical client files. Not everything was back, but the most urgent operational needs were met. In legal work specifically, missing a court deadline or failing to respond to a client carries consequences that go well beyond IT inconvenience.

Hours 24-48: Full Recovery and Hardening

Over the next 24 hours, we completed the restoration of all systems. Every workstation, every shared drive, every application. The firm lost no data. Total downtime for critical systems was under 20 hours, and complete recovery was finished within 48.

Recovery alone doesn’t close the incident. We spent the second half of this window hardening the environment against the exact weakness the attackers had exploited:

  • Personal device policy overhaul. Any device accessing company resources now requires managed endpoint protection, current patching, and compliance verification before VPN access is granted.
  • Conditional Access enforcement. VPN and RDP access is restricted to compliant, enrolled devices. A personal laptop without the firm’s security stack simply cannot connect.
  • Network segmentation. RDP access from VPN connections was restricted to specific, monitored jump servers rather than allowing direct connections to any desktop.
  • Extended monitoring. SentinelOne and 24/7 SOC monitoring were deployed across the full environment, including any approved personal devices.
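One way to verify that the segmentation and device-compliance controls above are actually holding, as an added example that is not the firm's tooling or any SentinelOne feature: a small audit that reads VPN connection logs, checks each connecting hostname against the MDM enrollment export, and flags any RDP session from the VPN that lands somewhere other than an approved jump host. The log format, hostnames, addresses and jump-host list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample VPN log; the key=value format is an assumption, not a vendor's.
VPN_LOG = """\
2024-03-05T08:02:11Z vpn user=jdoe device=LAW-LT-014 src=203.0.113.7 action=connect
2024-03-05T08:05:40Z vpn user=asmith device=DESKTOP-9K2LQ src=198.51.100.23 action=connect
2024-03-05T08:06:02Z vpn user=asmith device=DESKTOP-9K2LQ dst=10.0.5.21 proto=rdp action=session
2024-03-05T08:09:15Z vpn user=jdoe device=LAW-LT-014 dst=10.0.5.10 proto=rdp action=session
2024-03-05T08:12:33Z vpn user=asmith device=DESKTOP-9K2LQ dst=10.0.5.5 proto=smb action=session
"""

# Constructed MDM export: only company-owned, enrolled hostnames appear here.
MANAGED_DEVICES = {"LAW-LT-014", "LAW-LT-015", "LAW-DT-001"}
# Constructed: the only host RDP from the VPN should reach after segmentation.
RDP_JUMP_HOSTS = {"10.0.5.10"}

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn (?P<kv>.*)$")


@dataclass
class Finding:
    ts: str
    user: str
    device: str
    reason: str


def parse_vpn_log(text):
    """Turn each log line into a dict of its key=value fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not VPN events
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        fields["ts"] = m["ts"]
        events.append(fields)
    return events


def audit_vpn_events(events, managed=MANAGED_DEVICES, jump_hosts=RDP_JUMP_HOSTS):
    """Flag the two gaps from the incident: an unmanaged device connecting to the
    VPN, and RDP from the VPN going anywhere other than a monitored jump host."""
    findings = []
    for e in events:
        dev = e.get("device", "?")
        if e.get("action") == "connect" and dev not in managed:
            findings.append(Finding(e["ts"], e["user"], dev, "unmanaged device connected to VPN"))
        if e.get("proto") == "rdp" and e.get("dst") not in jump_hosts:
            findings.append(Finding(e["ts"], e["user"], dev, f"RDP to non-jump host {e['dst']}"))
    return findings
```

Run against a real export, the same two checks give a daily list of exactly the devices and sessions that would have slipped past the perimeter in this incident.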

The Blind Spot Every Business Owner Should Check

The lesson from this incident is not complicated, but most small and mid-sized businesses still get it wrong. If a device touches your network, your files, or your email, it needs the same level of protection as the laptop sitting on a desk in your office. It doesn’t matter whether it’s an employee’s personal tablet, a contractor’s home computer, or a partner’s phone checking email on the weekend.

VPN access without device compliance requirements is one of the most common gaps we find during security assessments. The fix requires a clear policy, endpoint protection on every connecting device, and Conditional Access rules that enforce compliance before granting access. The firm we helped had all the right security tools on their company-owned equipment. The gap was a policy decision, not a technology failure.

If you’ve been through a ransomware scare, or if you want to test how your organization would respond before a real incident forces the question, a tabletop exercise is the most practical next step. We run them regularly with clients, walking through realistic attack scenarios with your leadership team so everyone knows their role when the phone rings.


The difference between a 48-hour recovery and a weeks-long crisis usually comes down to two things: whether your backups are truly immutable and whether every device on your network is actually protected. If you aren’t sure about either one, that’s worth a conversation with your IT provider this week.