Since infosec.exchange allows real long posts (yay! Thank you!) I'll share some incident commander tips here that are harder to do in short character limits.

ASSUMPTION OF COMMAND:

Here's a secret trick. Whenever I assume command of an incident, within a very short time frame, I like to get the whole existing team to stop and listen to me re-state what I believe are the objectives & facts.

Usually it's like this:

"OK Everybody, here's what I understand is going on. 7 hours ago, the confabulator in the parrot service was attacked by FlipseyTurvey. We detected it and this was escalated 2 hours ago, and we aren't sure whether it succeeded and there was lateral movement. Right now we have Ops Lead X running Forensics and Y looping in Comms and Legal, who aren't attached yet.

Our next objective is collecting artifacts from the seedtray machines and finding indicators to search for elsewhere, and samples to get to the reversing team. After that we're going to get a meta-timeline going with Timesketch. I'll be updating executive leadership in 30 minutes and our next operational sync is in 2 hours."

Then, here's the key part:

"Does that sound accurate to everyone? Did I miss anything or get anything wrong?"

Here's why I think that's the best approach to assuming command. If the team I'm assuming command of didn't have a plan, then they do NOW, and I look like a solid leader taking charge.

If they HAD a plan already and somehow I missed it, or if my plan is messed up in some way I didn't anticipate, then someone corrects me and I stay wrong for the absolute least amount of time necessary before I have the facts I need to be right.

People often won't just speak up and say "You're wrong about X" or "You're missing something" unprompted, so I like to explicitly prompt for that.

@amuse I prefer to say "What did I get wrong?" rather than "Did I get something wrong?" The former implies that I expect to be corrected and invites that input, while the latter could still discourage the more timid folks from speaking up.

Take with a heap of salt, though, I've never had a crisis to assume command of (yet), and only one opportunity on a small software team to put this to use (it worked well there, though).