In the real world, you're never going to know that you have a "state level adversary on your network, using your software to attack DHS and the Treasury" until after all the damage has already been done, and you've had enough time to assess the total impact. That's presuming you're even alerted to it in a timely manner. In that scenario, the appropriate response is almost certainly not going to be "turn off the business", and even if it is, it's not going to matter whether you can do it in 5 minutes or 5 hours.
The only scenarios in which you'll have enough information to justify activating this plan are scenarios where you'll also have enough information to respond to the actual threat, rather than just shutting everything down.
It's something that might sound impressive to people who aren't experienced with incident response, but its practical uses are so close to non-existent that any time that was spent developing this solution was most certainly wasted in lieu of doing something actually useful.