Data Breach Emergency Response

Stop. Breathe. Follow this sequence. The first 72 hours are critical: every action you take now affects the outcome of the breach.

Critical: Do NOT

  • Delete any files or logs (destroys evidence)
  • Turn off affected systems before forensic imaging (loses volatile memory)
  • Publicly disclose before consulting legal counsel
  • Pay ransom without expert consultation
  • Attempt to "clean up" before investigation

72-Hour Response Timeline

0-4 HOURS: CONTAIN

Your immediate priority is stopping the breach from spreading while preserving evidence. Every action must be documented with precise timestamps.

Isolate affected systems from network

Disconnect network cables. Do NOT power off. Isolate but preserve.

Preserve all logs immediately

Firewall, server, application, authentication logs. They may auto-rotate.

Activate incident response team

IT Lead, CISO, Legal Counsel, CEO/Executive, Communications.

Document everything with timestamps

Who discovered it, when, what was observed, actions taken. Be precise.

Secure physical evidence

Lock server rooms. Restrict access. Preserve chain of custody.
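
One way to carry out the log-preservation and timestamped-documentation steps above, as an added example that is not part of the original page. The function names, the `manifest.json` layout and the collector ID are hypothetical, and the sample log lines are constructed.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def preserve_logs(sources, evidence_dir, collector):
    """Copy logs into evidence_dir and write manifest.json (hashes, UTC times)."""
    ev = Path(evidence_dir)
    ev.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, sources)):
        entry = {"source": str(src), "collector": collector,
                 "collected_utc": datetime.now(timezone.utc).isoformat()}
        if src.is_file():
            dest = ev / f"{i:03d}_{src.name}"  # index prefix avoids name clashes
            before = sha256_file(src)
            shutil.copy2(src, dest)  # copy2 keeps the original modification time
            entry.update(copy=dest.name, sha256=sha256_file(dest))
            # A log still being written can change between hashing and copying.
            entry["status"] = "copied" if entry["sha256"] == before else "changed_during_copy"
        else:
            entry["status"] = "missing"  # record the gap rather than skip it silently
        entries.append(entry)
    (ev / "manifest.json").write_text(json.dumps(entries, indent=2))
    return entries

def verify_evidence(evidence_dir):
    """Return names of preserved copies that are gone or no longer match the manifest."""
    ev = Path(evidence_dir)
    entries = json.loads((ev / "manifest.json").read_text())
    return [e["copy"] for e in entries if "copy" in e and not (
        (ev / e["copy"]).is_file() and sha256_file(ev / e["copy"]) == e["sha256"])]

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample logs below
        Path(tmp, "auth.log").write_text("2024-01-01T00:00:00Z sshd: Failed password for admin\n")
        Path(tmp, "fw.log").write_text("2024-01-01T00:00:01Z DROP src=192.0.2.10 dst=198.51.100.5\n")
        found = preserve_logs([Path(tmp, n) for n in ("auth.log", "fw.log", "app.log")],
                              Path(tmp, "evidence"), collector="analyst-1")
        return [e["status"] for e in found], verify_evidence(Path(tmp, "evidence"))

if __name__ == "__main__":
    print(demo())
```

In practice the evidence directory should sit on separate, access-controlled storage, and `verify_evidence` can be re-run whenever the copies change hands.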

4-24 HOURS: INVESTIGATE

Now you assess the scope and engage experts. This phase determines your notification obligations and recovery path.

Engage external IR firm

Professional forensic analysis. Objective investigation. Expert testimony if needed.

Notify legal counsel immediately

Establishes attorney-client privilege. Critical for litigation protection.

Assess breach scope

Which systems? What data types (PII, PHI, financial)? How many records? Entry point?

Determine notification obligations

GDPR: 72 hours. HIPAA: 60 days. State laws vary. Check all applicable jurisdictions.

Check cyber insurance policy

Notify carrier within required timeframe. Understand coverage limits and requirements.

24-48 HOURS: COMMUNICATE

Based on investigation findings, prepare and execute your notification strategy. Transparency builds trust; delay damages reputation.

Prepare regulatory notifications

GDPR: 72-hour deadline. File with supervisory authority. Document the process.

Draft customer notification

Clear, factual, actionable. What happened, what data, what they should do.

Prepare internal communications

Employee awareness. What they can/cannot say. Point of contact for questions.

Engage PR/communications firm (if needed)

For public-facing breaches. Media training. Statement preparation.

Set up support infrastructure

Dedicated hotline. FAQ page. Credit monitoring vendor (if offering).

48-72 HOURS: REMEDIATE

With investigation insights, begin fixing vulnerabilities and hardening systems. This prevents reinfection and demonstrates due diligence.

Patch exploited vulnerabilities

Apply security patches. Update outdated software. Close attack vector.

Reset all potentially compromised credentials

User passwords. Service accounts. API keys. Admin credentials. Force resets.

Deploy enhanced monitoring

Increased logging. Alert thresholds. Watch for reinfection or lateral movement.

Schedule post-incident review

What happened? What worked? What failed? Document lessons learned.

Update incident response plan

Incorporate lessons. Update contacts. Improve procedures.

Get Expert Help Now

If you're experiencing an active breach, don't try to handle it alone. We'll connect you with qualified incident response specialists within 2 hours.

  • Response Time: Contact within 2 hours maximum
  • 24/7 Availability: Specialists available around the clock
  • Global Coverage: Support in US, UK, Europe, and worldwide

Featured IR Firms

  • Mandiant (Google Cloud): Alexandria, Virginia (24hr response)
  • CrowdStrike Services: Austin, Texas (24hr response)
  • IBM X-Force: Armonk, New York (24hr response)

Why Speed Matters

$2.66M: Savings with IR Team

Organizations with incident response teams and tested plans save $2.66 million compared to those without (IBM 2024).

277 days: Average Detection Time

Breaches take an average of 277 days to identify and contain. Faster detection significantly reduces costs.

54%: Cost Reduction

Organizations that contain breaches in under 200 days save 54% on total breach costs.

$9.36M: US Average Breach Cost

The United States has the highest average breach cost globally. Early containment is critical.