The first four hours of an incident — without inventing the playbook in real time.
A free in-browser triage for businesses and product teams handling an incident — or preparing for one. The assessment branches two ways: an infrastructure path for general security incidents, and a product-vulnerability path for teams answering a security researcher's disclosure. With it comes a tactical toolkit: runbooks, communication trees, log-capture priorities, and regulator-ready templates.
The triage runs in your browser. Your answers never leave your device.
Three tiers — one battle-card for individuals, one infrastructure-incident kit, one vendor-side PSIRT kit.
Each tier serves a different incident-responder identity. Buy the tier that matches the kind of incident you handle (or expect to handle next).
- Printable First 4 Hours Battle-Card
- First-hour runbook (decision order, contact tree, capture list)
- Ten Commandments of first-response poster
- Incident log template
- Pocket reference card
- Escalation tree template
- Everything in Solo
- Infrastructure incident-response runbook
- Log-capture priority sheet
- Communication-tree templates (customers, staff, regulators, insurer)
- Managed-Service-Provider delegation playbook
- Cyber-insurance worksheet (what to send the carrier in hour one)
- Everything in Commander
- PSIRT first-24-hours runbook
- CVE Numbering Authority (CNA) decision tree
- Common Security Advisory Framework (CSAF) sample advisory
- PSIRT advisory drafting checklist
- Worked sample: first vulnerability report at a 14-person startup
- European Union Cyber Resilience Act Article 14 templates
- NIS2 Article 23 notification templates
- Researcher-embargo communication templates
Two paths into the toolkit.
1. Take the free triage
A short branching assessment. First question decides whether you are handling an infrastructure incident or a product-vulnerability disclosure. The triage returns a priority-action sequence for the next four hours, a do-not-touch list, and the regulatory clocks that may apply to your situation. About five minutes. Runs in your browser — no email required, no data transmitted.
Start the free triage →2. Download the free Battle-Card
A one-page printable reference that summarises the first four hours of any incident: the decisions to make in the first 30 minutes, the people to call in the first hour, the artefacts to capture before they're lost. Keep one printed copy near the place you'd be standing when an incident is reported.
Get the free Battle-Card →Build the readiness side, too
First 4 Hours is the tactical product. When the dust has settled, build readiness with the matching strategic product so the next incident is less chaotic.
SMB Security Assessment
The readiness counterpart to the Commander tier. Twelve-question security assessment plus the toolkit that prevents most of the incidents First 4 Hours responds to.
PSIRT Response
The readiness counterpart to the PSIRT CRA-Ready tier. Seventeen-question Product Security Incident Response Team readiness assessment plus the cross-functional toolkit teams use on calm days.
GDPR Breach Response
The privacy-domain sibling of First 4 Hours. For the first 72 hours of a personal-data breach under the General Data Protection Regulation.