As cyberattacks continue to proliferate and grow more damaging and disruptive, it becomes increasingly important to conduct tabletop exercises to run through and fine-tune incident response plans. In-house and outside counsel, public relations specialists and cyber forensics experts from Hunton, Joele Frank, Mandiant and News Corp. recently conducted a mock tabletop exercise based on a cyberattack and extortion demand on a fictional company during a Practising Law Institute program. The exercise focused on the detection and immediate response to the intrusion, the implementation of the company’s incident response plan in the critical first few days following the attack, and its response to subsequent developments. This first article in a two-part series covering the key practical details from the presentation addresses how things unfold on day one. Part two will examine day two and beyond. See our two-part series on a ransomware tabletop’s 360‑degree incident response view: “Days One to Four” (Jan. 4, 2023), and “Day Five Through Post-Mortem” (Jan. 11, 2023).