thehackernews.com 2/4/2026, 11:26:13 AM · via preferred

The First 90 Seconds: How Early Decisions Shape Incident Response Investigations

"The First 90 Seconds: How Early Decisions Shape Incident Response Investigations" argues that most IR failures stem from what happens in the immediate moments after detection, when pressure is high and telemetry is incomplete. It emphasises that the opening decisions—what to look at first, what to preserve, and whether to treat an issue as a single-system problem or the start of a broader pattern—shape every subsequent action.

The piece warns that treating the first 90 seconds as a single dramatic moment misses the pattern of how scope expands, and that responders must apply consistent early discipline as new systems come into view. It also highlights common failures such as insufficient logging context, poor evidence prioritisation, and premature closure, offering guidance on preserving execution evidence and building a clear chain of context.

The article promotes discipline under uncertainty and points readers toward learning opportunities, including SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics, with a session at SANS DC Metro 2026 on 2–7 March 2026. According to The Hacker News, the author, Eric Zimmerman, notes that the goal is to establish direction early, not merely to react faster than an attacker.


Article by CyberSIXT