// first 10 minutes

quick-start checklists

single-page incident sheets — containment steps, primary tools from the case-type taxonomy, and links to the full methodology and reference proof. print-friendly. more launch-tier guides ship as the program expands.

available guides

pick a case type for the printable first-10-minutes checklist.

account takeover (ATO)credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.
ransomware responseencryption onset → lateral movement → exfil → ransom note. the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs.