An MSP partner called us at 11:47pm on a Tuesday. By 12:03am we had isolated the affected tenant, by 12:21am we had identified the entry vector, and by 12:48am we had a rollback plan in motion.
What made this work wasn't tooling. It was that the partner had run a tabletop with us four months earlier and knew exactly who to call. The technical work was the easy part.
If your IR plan lives in a SharePoint folder nobody has opened this year, it isn't an IR plan.