# Initial Response Procedure

## 1. Detection & Analysis

1. Verify the incident is not a false positive
2. Document initial findings
3. Determine severity level

## 2. Initial Containment

- Isolate affected systems from the network
- Preserve evidence (do not power off if possible)
- Document system state

## Severity Levels

| Level | Description | Response Time |
|-------|-------------|---------------|
| Critical | Active breach, data exfiltration | Immediate |
| High | Confirmed malware, unauthorized access | 1 hour |
| Medium | Suspected intrusion, investigation needed | 4 hours |
| Low | Policy violation, minor anomaly | 24 hours |
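The "preserve evidence" and "document system state" steps of Initial Containment are the point where volatile data (logged-in users, processes, network sockets) is lost if the host is powered off or isolated carelessly. The script below is an added example, not part of this runbook: it snapshots that state into a timestamped evidence directory and writes a SHA-256 manifest so the record can later be shown to be intact. The file names and the set of commands captured are choices made here, not prescribed by the procedure.

```shell
#!/bin/sh
# Added example (not part of the runbook): snapshot volatile system state
# into a timestamped evidence directory with a SHA-256 manifest, so the
# containment steps leave a verifiable record before the host is isolated.
# File names and the commands captured are choices made here, not prescribed.
set -u
sha256_file() {
    # Portable SHA-256: coreutils sha256sum, else shasum (BSD/macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_capture NAME CMD [ARGS...]: store a command's output and exit status;
# a tool missing on this host is recorded rather than treated as an error.
run_capture() {
    name="$1"; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "$1: not installed" > "$EVIDENCE_DIR/$name.missing"; return 0
    fi
    if "$@" > "$EVIDENCE_DIR/$name.txt" 2>&1; then rc=0; else rc=$?; fi
    echo "$rc" > "$EVIDENCE_DIR/$name.rc"
}

# collect_system_state OUTDIR: capture volatile state, write MANIFEST.sha256,
# and print the evidence directory path.
collect_system_state() {
    EVIDENCE_DIR="$1/evidence-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$EVIDENCE_DIR"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$EVIDENCE_DIR/collected_at.txt"
    run_capture uname   uname -a
    run_capture who     who -a
    run_capture ps      ps aux
    run_capture sockets ss -tulpan
    # Hash every collected file so later tampering is detectable.
    ( cd "$EVIDENCE_DIR" && for f in *; do
          [ "$f" = MANIFEST.sha256 ] || printf '%s  %s\n' "$(sha256_file "$f")" "$f"
      done ) > "$EVIDENCE_DIR/MANIFEST.sha256"
    echo "$EVIDENCE_DIR"
}

# verify_manifest DIR: re-hash and compare; returns 0 only if every file is intact.
verify_manifest() {
    while read -r sum name; do
        [ "$(sha256_file "$1/$name")" = "$sum" ] || return 1
    done < "$1/MANIFEST.sha256"
}
```

Run `collect_system_state /mnt/evidence` before pulling the network cable, then keep the printed directory and its manifest with the incident record; `verify_manifest` on that directory later confirms nothing was altered.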