Define roles before you need them: incident lead, communications, forensics, and business owner.
Preserve evidence early: volatile logs, endpoint triage, and a timeline of key actions.
Prioritize recovery: what must come back first, and what can stay offline longer.
After stabilizing, invest in root cause — it is the only durable fix.
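
For the evidence timeline mentioned above, here is an added example (not part of the original text) that merges several sources into one UTC-ordered timeline. The log formats, host names, and function names are constructed assumptions; lines whose time cannot be placed unambiguously are kept for manual review instead of being dropped.

```python
from datetime import datetime, timezone

# Constructed sample evidence: three sources, three timestamp conventions.
AUTH = [  # ISO 8601, local time with offset
    "2024-03-05T14:02:11+01:00 vpn01 login ok user=svc-backup",
    "2024-03-05T14:19:40 vpn01 session closed user=svc-backup",  # no offset
]
EDR = ["1709643790 fs02 process_start image=archiver.exe"]  # epoch seconds
NOTES = [  # responder action log, already UTC
    "2024-03-05 13:20:00Z IR lead: isolated fs02 from network",
    "2024-03-05 13:01:00Z helpdesk: user reports locked account",
]

def parse_iso(line):
    ts, _, rest = line.partition(" ")
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        # A naive timestamp could be off by hours; refuse to guess the zone.
        raise ValueError("timestamp has no UTC offset")
    return dt.astimezone(timezone.utc), rest

def parse_epoch(line):
    ts, _, rest = line.partition(" ")
    return datetime.fromtimestamp(int(ts), tz=timezone.utc), rest

def parse_notes(line):
    dt = datetime.strptime(line[:20], "%Y-%m-%d %H:%M:%SZ")
    return dt.replace(tzinfo=timezone.utc), line[21:]

SOURCES = [("auth", parse_iso, AUTH), ("edr", parse_epoch, EDR),
           ("notes", parse_notes, NOTES)]

def build_timeline(sources):
    """Return (events sorted by UTC time, lines that could not be placed)."""
    events, unparsed = [], []
    for name, parser, lines in sources:
        for line in lines:
            try:
                ts, text = parser(line)
                events.append((ts, name, text))
            except ValueError:
                unparsed.append((name, line))  # keep for manual review
    events.sort(key=lambda e: e[0])
    return events, unparsed

if __name__ == "__main__":
    events, unparsed = build_timeline(SOURCES)
    for ts, name, text in events:
        print(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), f"[{name}]", text)
    for name, line in unparsed:
        print("UNPLACED", f"[{name}]", line)
```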