What to Do After a Security Incident
If you've just discovered a security incident, take a breath. What you do in the next few hours matters. This guide walks you through the critical first steps to contain damage, preserve evidence, and start recovery.
Need immediate help with an active incident?
We can help you contain, investigate, and recover.
Immediate Steps (First 24 Hours)
1. Don't Panic - Document Everything
Before taking any action, start documenting. Note the time you discovered the incident, who discovered it, and what you observed. Screenshots are valuable. This documentation will be critical later.
Critical: Start a shared document or incident channel immediately. Time-stamped records matter.
2. Contain the Threat
Stop the bleeding without destroying evidence. This might mean: disabling compromised accounts, isolating affected systems (don't wipe them), revoking access tokens, blocking malicious IPs, or taking services offline.
Critical: Don't immediately delete or wipe anything. Evidence preservation is crucial for investigation and potential legal action.
3. Preserve Evidence
Capture logs, system images, and any artifacts before they rotate or are overwritten. If you have cloud infrastructure, logs may have retention limits. Export what you need now.
Critical: Many logs auto-delete after 30-90 days. Secure them immediately.
4. Assess the Scope
What systems were affected? What data might have been accessed or exfiltrated? How did the attacker get in? You won't have complete answers immediately, but start forming a picture.
Critical: Assume the worst until you can prove otherwise. Better to over-respond than under-respond.
5. Assemble Your Response Team
Bring together the people who need to be involved: IT/engineering, legal, communications, executive leadership. Establish clear roles and communication channels.
Critical: Keep the circle small initially to prevent information leaks that could complicate response.
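Steps 1 and 3 above come down to the same discipline: collect the artifacts before they rotate, and record when, by whom, and in what state they were collected. The script below is an added example (not part of this guide or any product it describes) of a minimal evidence bundle: it copies each log into a bundle directory, records a SHA-256 hash, size, original modification time and UTC collection time for each file in a manifest, and re-hashes the copies so any later alteration is detectable. The file names, the "on-call analyst" collector name and the sample log lines are constructed for the demonstration.

```python
"""Preserve log files as an evidence bundle with a hashed, time-stamped manifest.

Added example, not code from the original page. All sample data is constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(sources, dest_dir, collected_by, note=""):
    """Copy each source file into dest_dir and write manifest.json beside the copies.

    The original is hashed before copying and the copy is hashed afterwards, so a
    corrupted copy is caught at collection time rather than months later.
    """
    dest = Path(dest_dir)
    files_dir = dest / "files"
    files_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for idx, src in enumerate(sources):
        src = Path(src)
        stat = src.stat()
        original_hash = sha256_file(src)
        target = files_dir / f"{idx:03d}_{src.name}"
        shutil.copy2(src, target)  # copy2 keeps the original mtime on the copy
        if sha256_file(target) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original hash")
        entries.append({
            "source_path": str(src),
            "stored_as": str(target.relative_to(dest)),
            "size_bytes": stat.st_size,
            "source_mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "sha256": original_hash,
        })
    manifest = {
        "collected_by": collected_by,
        "note": note,
        "created_at_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_bundle(dest_dir):
    """Re-hash every stored copy against the manifest; return the paths that no longer match."""
    dest = Path(dest_dir)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [e["stored_as"] for e in manifest["entries"]
            if sha256_file(dest / e["stored_as"]) != e["sha256"]]


def make_sample_logs(base_dir):
    """Constructed sample logs so the script runs stand-alone; not real data."""
    base = Path(base_dir)
    base.mkdir(parents=True, exist_ok=True)
    auth = base / "auth.log"
    auth.write_text(
        "2024-01-01T03:12:07Z sshd[1021]: Failed password for admin from 192.0.2.10\n"
        "2024-01-01T03:12:09Z sshd[1021]: Accepted password for admin from 192.0.2.10\n"
    )
    web = base / "access.log"
    web.write_text('192.0.2.10 - - [01/Jan/2024:03:14:00 +0000] "GET /admin HTTP/1.1" 200 512\n')
    return [auth, web]


def demo():
    """Collect the sample logs, verify the bundle, then show that tampering is detected."""
    workdir = Path(tempfile.mkdtemp(prefix="ir-evidence-"))
    sources = make_sample_logs(workdir / "src")
    bundle = workdir / "bundle"
    manifest = collect_evidence(sources, bundle, collected_by="on-call analyst",
                                note="case id placeholder")
    clean = verify_bundle(bundle)
    # Append to one stored copy after collection: verify_bundle must now flag it.
    with open(bundle / manifest["entries"][0]["stored_as"], "ab") as fh:
        fh.write(b"# altered after collection\n")
    return {"entries": len(manifest["entries"]), "clean": clean,
            "after_tamper": verify_bundle(bundle)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is and it prints two collected entries, an empty mismatch list for the untouched bundle, and the altered file flagged afterwards. In practice the manifest (and ideally the whole bundle) should be written to storage the incident team controls and that the affected systems cannot reach, and the collector's name and note should identify the case for the legal and insurance steps described below.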
Who to Notify (and When)
Legal Counsel
Immediately
Legal should be involved from the start to preserve privilege, advise on notification requirements, and guide communications. If you don't have in-house counsel, engage outside counsel experienced in cyber incidents.
Cyber Insurance Provider
Within 24-48 hours
Your policy likely has notification requirements and may provide access to incident response resources, legal support, and forensics. Failing to notify promptly could affect coverage.
Executive Leadership / Board
As soon as scope is understood
Leadership needs to know about material incidents. They may need to make decisions about public disclosure, customer notification, and resource allocation.
Regulators (if required)
Per regulatory requirements
GDPR (72 hours), HIPAA (60 days), state breach notification laws, and industry regulations may require notification to regulators within specific timeframes.
Affected Customers
After scope is clear, per legal guidance
If customer data was compromised, you likely have legal obligations to notify. Work with legal on timing, content, and method. Don't rush this - get it right.
Common Mistakes That Make Things Worse
Wiping systems before preserving evidence
Impact: Destroys forensic evidence needed to understand the attack, prove scope, and potentially pursue legal action. Insurance and legal proceedings may require this evidence.
Instead: Image or snapshot systems before wiping. Preserve logs and artifacts first.
Communicating too early without facts
Impact: Premature public statements often need correction later, damaging credibility. Speculation can create legal liability.
Instead: Wait until you understand the scope. Say less until you know more. 'We are investigating' is acceptable.
Failing to involve legal early
Impact: Communications may not be privileged. You may miss notification deadlines. Response decisions may create liability.
Instead: Legal counsel should be your first call. They help protect the organization throughout response.
Not notifying cyber insurance in time
Impact: Late notification can void coverage or limit reimbursement for response costs, which can be substantial.
Instead: Check your policy immediately. Most require notification within 24-72 hours of discovery.
Assuming the incident is over
Impact: Attackers often maintain persistence. A quick cleanup may miss backdoors, leading to re-compromise.
Instead: Conduct thorough investigation. Assume persistence until proven otherwise.
Going it alone when you need help
Impact: Internal teams may lack incident response experience. Mistakes during response can make things worse.
Instead: If this is your first significant incident, bring in experienced help early.
When to Bring in Outside Help
Consider bringing in experienced incident responders if any of these apply:
This is your first significant security incident and you're unsure how to proceed
You don't have experienced incident responders on staff
The scope appears large or you can't determine the scope
Sensitive data (PII, PHI, financial) may have been compromised
You suspect a sophisticated attacker or nation-state involvement
You need forensic evidence for potential legal action
Your cyber insurance requires use of approved vendors
You're overwhelmed and need additional capacity
Prepare before an incident happens
Our tabletop exercises help your team practice incident response so you're ready when it matters.
Learn about incident response tabletops
Frequently Asked Questions
How do I know if we've had a security incident?
Common indicators include: unexpected system behavior, unauthorized access attempts in logs, customer reports of suspicious activity, ransomware demands, data appearing in places it shouldn't, or alerts from security tools. If you're unsure whether something is an incident, treat it as one until you can rule it out.
Should we shut down all systems immediately?
Not necessarily. Wholesale shutdown can destroy evidence and may not stop an attacker who has already exfiltrated data. Instead, focus on targeted containment: isolate affected systems, disable compromised accounts, block malicious IPs. Preserve evidence before taking destructive action.
When do we have to notify customers about a breach?
Notification requirements depend on what data was compromised, where affected customers are located, and what regulations apply to your business. GDPR requires notification within 72 hours for certain breaches. US state laws vary. HIPAA has specific requirements. Work with legal counsel to determine your obligations.
How long does incident response typically take?
Initial containment should happen within hours. Investigation and remediation typically take days to weeks depending on scope. Full recovery and hardening may take months. The key is balancing speed with thoroughness - rushing can leave you vulnerable to re-compromise.
What should we tell employees during an incident?
Keep internal communications factual and limited to what people need to know to do their jobs. Instruct employees not to discuss the incident externally. Provide clear guidance on any actions they need to take (password changes, etc.). Consider that internal communications may become public.
Need Help With an Incident?
We help companies contain, investigate, and recover from security incidents. We also help you build the capabilities to handle future incidents.
Or learn how to prepare your team with tabletop exercises.