It was a peaceful day in the international company’s computer operations centre until, at 13.07, the monitoring services detected that there were several simultaneous attempts to probe a non-existent workstation. Four minutes later, a VHDL server attempted to access a Google search. And, four minutes after that, external friends confirmed that they were seeing potential broadcasts from the company to known bad sites. (External friends are other companies who mutually monitor sites.) At 13.20 – 13 minutes after the first recorded incident – instructions were issued that all the company’s sites should close down their IT activities. By 13.25 all external connections, including landline telephones, were closed down and all named machines were locked down. By 13.40 all on-site networks and machines were shut down – including printers and other intelligent peripherals – and remote users were being instructed to shut down. At 13.45 all the named representatives of a pre-defined Incident Response Team (IRT) left their remote sites for the central location and by 15.50 it was clear that all remote users were shut down.