Question
A **canary/honeyfile** on a file server is read and modified at 02:50 — an alert you've never seen fire before. EDR then shows a signed-but-uncommon binary staged in `C:\ProgramData` on 14 hosts and a scheduled task created on each to run it at 06:00. Nothing is encrypted yet; users are asleep; ops looks normal. Threat intel matches the staging pattern to a ransomware affiliate that detonates fleet-wide on a timer. You have ~3 hours before the scheduled tasks fire. How do you triage, contain before detonation, and avoid tipping off an attacker who may still be watching?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
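One concrete triage step for the scenario above, as an added example that is not part of the original question or answer: a PowerShell sweep over the affected hosts that finds scheduled tasks whose action launches a binary under `C:\ProgramData`, records the hash, Authenticode signer and next run time (read-only, so it gathers evidence without changing state), and disables the tasks only when `-Disable` is passed after the containment decision. It assumes WinRM access to the hosts and that the host list comes from EDR; the staging path is the one named in the question.

```powershell
# Added triage example (not from the original page). Read-only by default.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # constructed: feed the 14 hosts flagged by EDR
    [string]$StagingRoot = 'C:\ProgramData',           # staging directory named in the scenario
    [switch]$Disable                                   # neutralise matching tasks instead of just reporting
)

$sweep = {
    param($StagingRoot, [bool]$Disable)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }                          # skip non-exec actions (COM handlers etc.)
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if ($exe -notlike "$($StagingRoot)\*") { continue }  # only tasks launching from the staging dir

            $info   = $task | Get-ScheduledTaskInfo
            $exists = Test-Path -LiteralPath $exe
            $hash   = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { 'FILE_MISSING' }
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }

            # Evidence is captured above before any state change is made.
            if ($Disable) { $task | Disable-ScheduledTask | Out-Null }

            [pscustomobject]@{
                Host        = $env:COMPUTERNAME
                Task        = $task.TaskPath + $task.TaskName
                Author      = $task.Author
                Binary      = $exe
                Arguments   = $action.Arguments
                SHA256      = $hash
                Signer      = if ($sig) { $sig.SignerCertificate.Subject } else { 'n/a' }
                SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
                NextRunTime = $info.NextRunTime
                Disabled    = $Disable
            }
        }
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $sweep -ArgumentList $StagingRoot, ([bool]$Disable) |
    Sort-Object Host, Task |
    Format-Table -AutoSize
```

Run it without `-Disable` first to confirm that the same hash and task definition appear on all 14 hosts and that nothing else under the staging path is scheduled; if the EDR platform offers a live-response channel, prefer it over WinRM so the sweep blends into existing tooling rather than introducing new remote sessions.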