Discovering a breach is stressful. The decisions you make in the first 24 hours can determine whether you contain the damage or make it worse. Follow these steps in order — don't skip ahead.
Hour 0–1: Contain, don't panic
- Don't shut everything down immediately. Pulling the plug can destroy forensic evidence you'll need for insurance, legal, and recovery (anything held only in memory, such as running processes and active connections, is lost the moment power goes). Instead, isolate affected systems — disconnect them from the network without powering them off.
- Activate your incident response plan. If you have one, follow it. If you don't, assign roles now: one person leads, one handles communications, one documents everything.
- Contact your MSP or security provider immediately. Don't wait until morning. A managed security team can begin containment and assessment while you focus on business continuity.
Hour 1–4: Assess and secure
- Identify what's affected. Which systems, accounts, and data are involved? Work with your security team to map the scope before making broader changes.
- Reset credentials on unaffected systems. Change passwords and revoke active sessions on accounts that haven't yet been confirmed compromised — especially admin, email, and financial accounts — since the attacker may hold credentials you don't know about.
- Enable or verify MFA everywhere. If MFA wasn't already enabled, turn it on now on every account you can access.
- Preserve evidence. Don't delete logs, emails, or files related to the incident. Screenshot suspicious activity. Your insurance company and potentially law enforcement will need this.
Hour 4–12: Communicate and comply
- Notify your cyber insurance provider. Most policies require notification within a specific timeframe. Call them before you make public statements or major system changes.
- Determine legal notification obligations. Depending on your industry and the data involved, you may have legal requirements to notify regulators or affected individuals within specific timeframes (HIPAA, state breach notification laws, etc.).
- Prepare internal communication. Tell your team what happened, what you're doing, and what they should and shouldn't do. Clear communication prevents rumours and secondary mistakes.
Hour 12–24: Recover and learn
- Begin recovery from clean backups. Only restore from backups confirmed to predate the breach, meaning the earliest known attacker activity rather than the moment you discovered it. Verify backups are clean before reconnecting systems to the network.
- Document everything. Timeline of events, actions taken, systems affected, people notified. This documentation is essential for insurance claims and post-incident review.
- Schedule a post-incident review. Within a week, review what happened, how you responded, and what needs to change. The goal isn't blame — it's making sure this doesn't happen the same way again.
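As an added example that is not part of the original checklist, the small Python helpers below cover three of the steps above: hashing collected logs into a chain-of-custody manifest (preserve evidence), keeping a dated, attributed action timeline (document everything), and filtering backups against the earliest known attacker activity (recover from clean backups). The file path, timestamps and backup names are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large log files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(paths, collector):
    """Chain-of-custody record: what was collected, its hash, by whom and when."""
    collected_at = datetime.now(timezone.utc).isoformat()
    return [{"path": str(p), "size": Path(p).stat().st_size, "sha256": sha256_of(p),
             "collected_at": collected_at, "collector": collector} for p in paths]

def changed_since_collection(manifest):
    """Re-hash each item; a mismatch or missing file means evidence was altered or lost."""
    return [i["path"] for i in manifest
            if not Path(i["path"]).exists() or sha256_of(i["path"]) != i["sha256"]]

def add_timeline_entry(timeline, when, actor, action):
    """Append one dated, attributed action to the incident timeline (a list of dicts)."""
    timeline.append({"when": when.isoformat(), "actor": actor, "action": action})
    return timeline

def restorable_backups(backups, earliest_attacker_activity):
    """Keep only backups (name -> aware datetime taken) strictly older than the
    earliest known attacker activity, not merely older than the discovery time."""
    return [name for name, taken in backups.items() if taken < earliest_attacker_activity]

if __name__ == "__main__":
    import tempfile
    # Constructed sample data: one log file, two nightly backups, one timeline entry.
    log = Path(tempfile.mkdtemp()) / "auth.log"
    log.write_text("Mar 3 09:55:01 host sshd[412]: Accepted password for admin from 203.0.113.5\n")
    manifest = build_manifest([log], collector="on-call analyst")
    print(manifest, "altered:", changed_since_collection(manifest))
    first_seen = datetime(2024, 3, 3, 9, 55, tzinfo=timezone.utc)
    backups = {"nightly-2024-03-01": datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc),
               "nightly-2024-03-04": datetime(2024, 3, 4, 2, 0, tzinfo=timezone.utc)}
    print("safe to restore:", restorable_backups(backups, first_seen))
    print(add_timeline_entry([], first_seen, "on-call analyst", "isolated host from network"))
```

Store the manifest alongside the collected files and re-run changed_since_collection before handing evidence to insurers or investigators, so any alteration since collection is caught rather than discovered later.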
If you don't have an MSP or incident response partner, that's the first thing to fix after this is resolved. The cost of 24/7 monitoring is a fraction of what a single breach costs.