The plan I would have in place, and if you do not, you need to get it in place, is one to immediately mitigate the compromise. Don't necessarily turn everything off, because you can lose valuable forensics that way, but segment and mitigate it. Have defined roles ahead of time so people know their job in an incident response situation, and they're not left guessing or checking with somebody else to see if they need to do this, that or the other.
If critical infrastructure is involved, communicate with federal-level authorities early on, very quickly, to see if you need to do anything to help their investigation. If they are investigating an advanced, persistent state actor, and you were to turn off systems immediately and lose some valuable forensics, it would be a tragedy.
I would do those things.