Running Incident Response When You Are the Entire Security Team

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
When a serious security incident hits and you are the only security person, the most dangerous failure mode is not technical incompetence -- it is context collapse. The incident demands your full technical attention for investigation, but simultaneously demands communication with leadership, coordination with IT and legal, and decisions about containment that have organizational consequences. The solo security responder who has not prepared for this specific challenge becomes the bottleneck for all of it.
The organizations where solo security incidents are handled well are not the ones with the most technically capable security person. They are the ones that prepared for the incident before it happened: a runbook with the first 30 actions pre-written, external relationships that can provide surge capacity within hours, pre-drafted communication templates that can be adapted in minutes, and a pre-defined delegation model that moves non-security tasks to non-security staff.
This guide covers the preparation that makes solo incident response viable, the first-hour prioritization framework, the delegation model, and the communication cadence that manages stakeholder needs without consuming investigation time.
Pre-Incident Preparation: The Three Relationships You Need Before the Incident Happens
Relationship 1: IR retainer or on-demand IR firm. An incident response retainer is a contract with a security firm that guarantees response capacity within a defined SLA (4 hours, 8 hours, or next business day, depending on the retainer level). The retainer means that when the incident happens, you call a named account team who knows your environment, your tooling, and your contacts -- rather than spending the first hour of an incident explaining your stack to a firm that has never seen it. The cost of an IR retainer is significantly lower than the cost of an unretained emergency response engagement, which typically carries a premium for the same capabilities.
For organizations that cannot justify a formal retainer: establish a relationship with a smaller boutique IR firm or an independent consultant who can work on an hourly basis with a pre-established statement of work. The goal is to have a phone number you can call at 2am and a person on the other end who will pick up and start helping within the hour.
Relationship 2: Legal counsel with data breach experience. General corporate counsel is not the right resource for a data breach. Data breach-experienced legal counsel knows the notification timeline requirements (GDPR's 72 hours, HIPAA's 60 days, SEC's 4 business days for material incidents), can provide attorney-client privilege protection over the investigation when required, and can coordinate with state attorneys general and regulators if notification is required. Identify this counsel before the incident -- searching for specialized legal counsel during a breach introduces delay in the notification timeline.
Relationship 3: Communications or PR contact. For incidents that may require external communication (customer notification, regulatory disclosure, press inquiries), a PR professional or communications consultant who has handled data breach communications should be identified in advance. They can turn around customer notification letter drafts in hours and manage press inquiries in a way that limits reputational damage. This is particularly important for companies with consumer-facing products.
The First-Hour Runbook: 30 Actions That Prevent Decision Paralysis
The first hour of an incident is when the decisions made under the most stress have the most lasting impact. A runbook with the first 30 actions pre-defined means you are executing a plan rather than improvising one.
The runbook structure for the most common incident type (credential compromise / unauthorized access):
Actions 1-5: Establish incident scope (first 15 minutes)
- Preserve the triggering alert or report exactly as received (screenshot, export, or copy). Do not dismiss or close any original alerts.
- Open the incident documentation log (a dated document in your notes, not just a mental model). Every action taken, who took it, and when.
- Identify the affected account, system, or endpoint from the alert details.
- Query authentication logs (Okta, Azure AD, Google Workspace, AWS CloudTrail) for all activity by the affected account in the last 24 hours.
- Identify whether any lateral movement indicators are present: logins from new IPs, access to systems the account does not normally reach, new OAuth application grants.
Actions 6-10: Initial notification (first 20 minutes) 6. Notify your manager or the highest-available leadership contact (CEO, CTO, or designated incident escalation contact) with one sentence: "We have a potential security incident involving [what]. I am investigating. I will update you in 30 minutes." 7. Open your IR retainer or on-demand contact line. Provide them the same one-sentence summary and your ETA for a detailed briefing. They begin preparing. 8. Do not notify the potentially compromised user or any suspected insider threat at this stage. 9. Start a timer for your 30-minute leadership update. 10. If the incident involves a cloud account: confirm you still have administrative access to your cloud console. Attackers who compromise cloud credentials sometimes modify the compromised account's access to lock out the legitimate owner.
Actions 11-20: Evidence collection (first 40 minutes) 11. Export the authentication log for the affected account (last 7 days). Download to a local storage location -- do not rely on the log remaining available in the cloud console. 12. Check for new rules, delegations, or role assignments created by the affected account. 13. Check for any data exports, downloads, or email forwarding rules created by the affected account. 14. Capture the current session state for the affected account (active sessions, OAuth tokens, active API keys). 15. [And so on through the remaining 15 actions tailored to your specific environment and tooling.]
The runbook should have scenario-specific variants: credential compromise, ransomware, insider threat, cloud misconfiguration. The first 10 actions are largely the same across scenarios; actions 11 through 30 diverge based on the incident type.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Containment Decisions: Who Has Authority When You Are the Only Security Person
Solo security responders regularly face a containment dilemma: isolating a compromised system is the correct security action, but it may interrupt business operations, and you are not empowered to make that business continuity trade-off unilaterally.
The solution is pre-authorized containment decisions -- a document, agreed upon before any incident occurs, that specifies which containment actions you can take immediately without seeking approval and which require authorization from a named executive.
Pre-authorized actions (you can take these immediately):
- Disabling a single user account or OAuth token
- Blocking a specific IP address in the firewall or cloud security group
- Revoking a specific API key
- Enabling MFA enforcement for an individual account
- Suspending a cloud account or service account (with immediate notification to the affected team)
Actions requiring executive authorization (call the named contact before acting):
- Isolating an endpoint or server that is actively processing transactions or running critical services
- Revoking credentials for a service account used by production systems
- Taking down a public-facing service for security remediation
- Initiating external notification (customer notification, regulatory notification)
- Engaging law enforcement
Having this document agreed upon and signed before an incident means you are not spending 20 minutes during the first hour of a breach seeking approval for the authority to disable a compromised account. You already have it. You are calling the executive to inform, not to request.
Delegation: Extending Capacity by Moving Non-Security Tasks to Non-Security Staff
The single biggest leverage available to a solo security responder is delegation. Many incident response tasks do not require security expertise -- they require organizational access, communication skills, or administrative coordination that other team members can provide.
Four categories of delegatable tasks:
Evidence collection from known locations. If you need IT to collect specific log files from servers you cannot directly access, or to export specific reports from a SaaS system, you can brief a trusted IT administrator in 5 minutes and they can execute that task independently. Provide them with exact instructions: "Log into the Okta admin console, go to Reports > System Log, filter by user email X, date range Y to Z, and export the CSV. Send it to me encrypted via [method]." This frees you to run parallel investigations.
Communication with affected teams. If a specific business unit needs to be notified that a system they use is under investigation, a business unit liaison or operations manager can deliver that notification and collect information about their system use. You brief the liaison on what to say and what to ask; they handle the communication.
Vendor and partner notification. If the incident requires notifying vendors (your payment processor, your cloud provider's abuse team, a software vendor whose product is involved), a capable IT or operations team member can make those calls following your provided script. This is particularly valuable when the notification calls are routine (notifying a vendor that you are investigating their integration) rather than sensitive (asking a vendor to preserve logs related to your incident).
Regulatory notification document drafting. Your legal counsel or a general counsel paralegal can draft the initial regulatory notification document from a template you provide, requiring your review and approval rather than you drafting from scratch. This is a 2-hour paralegal task that would otherwise consume 2 hours of your investigation time.
Stakeholder Communication: The 15-Minute Cadence That Manages Leadership Without Consuming You
Leadership communication during an incident is a genuine requirement -- executives making business continuity decisions need security information. But unmanaged stakeholder communication becomes a context-switching tax that destroys investigation effectiveness.
The 15-minute cadence: commit to a specific update interval (every 30 minutes in the first 2 hours, every 60 minutes thereafter). At each interval: send a structured 5-sentence update. Do not take questions -- invite questions via a separate call at a defined time (at the top of the next hour). Use a pre-drafted template.
Template for the 30-minute update: "Security Incident Update -- [Time]
Current status: [One sentence on what we believe is happening.]
What we know: [Two sentences on confirmed facts -- what systems are affected, what data may be involved.]
What we are doing: [One sentence on current investigation focus.]
What we need from leadership: [Specific ask or 'No action required at this time.']
Next update: [Time of next planned communication.]"
Send this as an email or Slack message to a defined distribution list (CEO, CTO, General Counsel, Head of Operations). No calls unless a decision is required. The structured format allows leadership to extract what they need without requiring you to be on a call explaining it.
If leadership demands more frequent calls: designate a non-security proxy (often the COO or CTO) who absorbs the ad-hoc questions from other executives and consolidates them for your scheduled updates. This one-to-one interface protects your investigation time while ensuring leadership receives answers.
Recovery and Post-Incident Review: What a Solo Responder Must Document
Solo incident response produces an additional risk: if the incident leads to litigation, regulatory investigation, or a post-incident review, the incident timeline and actions taken exist only in the solo responder's memory and notes. Documentation discipline during the incident is not optional -- it is the evidence trail that demonstrates competent, timely response.
The incident log must include: every action taken (what, who, when, why), every query run (specific query text, time range, data source), every communication sent or received (with timestamps), every containment action and the authorization basis, and every decision point where alternatives were considered and the reasoning for the chosen action.
Post-incident review structure for a solo team: Conduct the review within 5 business days of incident closure while memory is fresh. The review document covers: incident timeline (start to containment to full resolution), root cause analysis (what specific control failure or attacker action enabled the incident), what detection occurred versus what was missed (and why), what the response did well, what the response would improve with a second incident of the same type, and what specific control or process changes will prevent recurrence.
Share the post-incident review with leadership and legal counsel. For regulated data incidents: the review document may be requested by regulators as evidence of your incident response capability. A thorough review that documents what was done and what will be improved is better received by regulators than a cursory summary.
Pre-populate the next incident's runbook. After each incident, update the runbook with the specific queries, tool steps, and decision points that were most useful. The runbook after 3 incidents is significantly more useful than the runbook written from theory before the first one.
The bottom line
Solo security incident response is a resource constraint, not a technical constraint -- the security knowledge required to investigate and contain most incidents is within reach of any experienced security professional. The constraint is capacity: doing the investigation, communication, containment, and documentation simultaneously without a team to delegate to. The preparation that makes it viable is not complicated: a runbook with the first 30 actions pre-defined, pre-established relationships with IR, legal, and communications contacts, pre-authorized containment decisions that remove approval bottlenecks, a delegation model that moves non-security tasks to non-security staff, and a 15-minute structured communication cadence that manages stakeholders without destroying investigation focus. The organizations that handle solo incidents well built this infrastructure before they needed it.
Frequently asked questions
How do you run incident response with only one security person?
The key is preparation before the incident happens. Three elements make solo incident response viable: a runbook with the first 30 actions pre-defined for your most likely incident types (so you are executing a plan rather than improvising one under stress), pre-established relationships with an IR retainer firm, legal counsel experienced in data breach, and a communications contact (so you can activate surge capacity within hours), and pre-authorized containment decisions agreed on with leadership before any incident occurs (so you are not seeking approval for account disabling during the first hour of a breach).
What should a solo security team incident response runbook contain?
A runbook for the most likely incident type (credential compromise, ransomware, insider threat) should contain 30 pre-defined actions covering the first hour. The first 15 minutes: preserve the triggering alert exactly as received, open the incident documentation log, identify the affected account or system, query authentication logs for recent activity, check for lateral movement indicators. The first 20 minutes: notify leadership with one sentence and a 30-minute update commitment, activate your IR retainer contact. The first 40 minutes: collect and export evidence from authentication logs, check for new rules or data exports, capture current session state. Scenario-specific variants should diverge after the first 10 shared actions.
What containment actions can a solo security person take without executive approval?
Pre-authorize a set of immediate containment actions before any incident occurs, documented and agreed upon with leadership. Typically pre-authorized without approval: disabling a single user account or OAuth token, blocking a specific IP address, revoking a specific API key, enabling MFA enforcement for an individual account, suspending a service account with immediate notification to the affected team. Typically requiring named executive authorization before acting: isolating a production endpoint, revoking credentials for production service accounts, taking down a public-facing service, initiating external notification, engaging law enforcement. Document this pre-authorization in writing so the approval is granted in advance rather than sought during the incident.
How do I manage leadership communication during an incident without stopping the investigation?
Use a structured 15-minute template on a scheduled cadence (every 30 minutes in the first 2 hours, every 60 minutes thereafter) sent as an email or Slack message to a defined distribution list. The template: current status (one sentence), confirmed facts (two sentences), current investigation focus (one sentence), specific ask from leadership or 'no action required,' next update time. Do not take unscheduled calls -- designate a non-security executive proxy (COO or CTO) who absorbs ad-hoc questions from other executives and consolidates them for your scheduled updates. The structured format gives leadership what they need without requiring you to be on a call explaining it.
What tasks can non-security staff handle during a security incident?
Four categories of delegatable incident response tasks do not require security expertise: evidence collection from known locations (briefing an IT administrator to export specific log files or SaaS reports with exact instructions), communication with affected teams (a business unit liaison notifying affected teams and collecting usage information), vendor and partner notification (an IT or operations team member making routine vendor notification calls from your provided script), and regulatory notification document drafting (legal counsel or a paralegal drafting the initial notification document from a template for your review and approval). Each of these can be briefed in 5 minutes and run independently, freeing you for the technical investigation.
Do solo security teams need an IR retainer?
Yes -- an IR retainer is more valuable to a solo security team than to a team with multiple security staff, because it provides the surge capacity that a larger team would provide internally. An IR retainer guarantees response capacity within a defined SLA (4-8 hours depending on retainer level), from a team that knows your environment, tooling, and contacts before the incident starts. The cost of a retainer (typically $20,000 to $50,000 annually depending on SLA and firm) is significantly lower than an unretained emergency response engagement, which carries a premium for the same capability. For organizations that cannot justify a formal retainer: establish a relationship with a boutique IR firm or independent consultant who can work hourly with a pre-established statement of work.
What should a solo security team's post-incident review include?
Conduct the review within 5 business days of incident closure. The review document should cover: the complete incident timeline from first detection to full resolution, root cause analysis specifying the exact control failure or attacker action that enabled the incident, what detection did and did not catch (and why the missed signals were missed), what the response did well, what would be done differently for a second incident of the same type, and specific control or process changes that will prevent recurrence. Share with leadership and legal counsel. For regulated data incidents, regulators may request the review as evidence of response capability. After each incident, update the runbook with the specific queries, tool steps, and decision points that were most useful.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
