Bellator Cyber Guard
Security Guide

Incident response planning

When a breach happens, the first 24 hours determine whether it's a manageable incident or a business-ending catastrophe. This guide shows you exactly what to do.

Critical Window

The first 24 hours

Every minute matters. Here's the timeline your team should follow when a breach is confirmed.

0-1 hours

Confirm the incident is real (not a false positive). Activate the incident response team. Begin documentation.

1-4 hours

Contain the threat — isolate affected systems, block malicious IPs, disable compromised accounts. Preserve evidence.

4-8 hours

Assess scope — determine what data and systems are affected. Notify legal counsel and cyber insurance carrier.

8-12 hours

Begin eradication — remove malware, close the attack vector. Start recovery planning for critical systems.

12-24 hours

Begin restoring critical systems from clean backups. Determine regulatory notification obligations. Draft communications.

Framework

The 5 phases of incident response

Based on the NIST Incident Response framework — the industry standard used by organizations of all sizes.

1. Preparation

Build your incident response team, define roles and responsibilities, establish communication channels, and create playbooks for common scenarios before an incident occurs. Preparation is the most important phase — the middle of a breach is the worst time to figure out your plan.

Designate an incident response lead and backup
Create contact lists for team members, legal counsel, insurance, law enforcement
Document your network topology, critical assets, and data flows
Establish secure out-of-band communication channels
Define severity levels and escalation procedures
Schedule tabletop exercises at least annually

2. Detection & Analysis

Identify that an incident has occurred, determine its scope and severity, and collect initial evidence. The faster you detect and classify an incident, the more options you have for containment and the less damage you sustain.

Monitor EDR, firewall, and SIEM alerts for indicators of compromise
Establish baselines so anomalies are detectable
Document everything — timestamps, affected systems, observed behavior
Classify the incident type: ransomware, data theft, unauthorized access, etc.
Determine which data and systems are affected
Preserve forensic evidence before making changes
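As an added example for the Detection & Analysis phase (not code from Bellator Cyber Guard), the following Python builds a per-account baseline of authentication sources from a quiet period, examines a later window against it, and turns each anomaly into a finding that carries the timestamp, affected system, account and observed behavior the guide says to document. The log line format, host names, accounts and addresses are constructed for the example, and the failure threshold of 5 is an assumed severity rule, not one stated on the page.

```python
import re
from collections import defaultdict
LOG_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) src=(\S+) result=(success|failure)$")

# Constructed sample data: a quiet period defining "normal" per account, then a later window to examine.
BASELINE_LOGS = [
    "2024-05-01T08:02:11Z host=fs01 user=alice src=10.0.1.20 result=success",
    "2024-05-01T08:05:40Z host=mail01 user=alice src=10.0.1.20 result=success",
    "2024-05-01T08:07:02Z host=fs01 user=bob src=10.0.1.31 result=success",
    "2024-05-02T09:30:18Z host=hr01 user=carol src=10.0.1.42 result=success",
]
NEW_LOGS = [
    "2024-05-08T08:01:03Z host=fs01 user=alice src=10.0.1.20 result=success",
] + [f"2024-05-08T08:1{i}:00Z host=fs01 user=bob src=203.0.113.7 result=failure" for i in range(5)] + [
    "2024-05-08T08:16:40Z host=fs01 user=bob src=203.0.113.7 result=success",
    "2024-05-08T08:20:09Z host=hr01 user=carol src=10.0.1.42 result=success",
    "2024-05-08T08:22:51Z host=hr01 user=svc_backup src=198.51.100.9 result=success",
]

def parse(lines):
    """Parse raw lines into dicts; lines that do not fit the format are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, host, user, src, result = m.groups()
            events.append({"ts": ts, "host": host, "user": user, "src": src, "result": result})
    return events

def build_baseline(events):
    """Per-account set of source addresses that authenticated successfully during normal operation."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            seen[e["user"]].add(e["src"])
    return seen

def detect(baseline, events, failure_threshold=5):
    """Flag repeated failures and any success from a source absent from the baseline. Each finding
    carries what the guide says to document: timestamp, affected system, account, observed behavior."""
    findings, failures = [], defaultdict(int)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"], e["host"]] += 1
            if failures[e["user"], e["host"]] == failure_threshold:  # emit once, at the threshold
                findings.append({"ts": e["ts"], "system": e["host"], "account": e["user"], "severity": "medium",
                                 "behavior": f"{failure_threshold} failed logins from {e['src']}"})
        elif e["src"] not in baseline.get(e["user"], set()):  # unknown account -> empty set -> flagged
            findings.append({"ts": e["ts"], "system": e["host"], "account": e["user"], "severity": "high",
                             "behavior": f"successful login from source {e['src']} not in baseline"})
    return findings
```

Running `detect(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))` yields three findings: the burst of failures against bob's account, bob's subsequent success from the unfamiliar address, and a login by an account the baseline never saw.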

3. Containment

Stop the bleeding. Isolate affected systems to prevent the incident from spreading while maintaining enough evidence for investigation. There are two containment strategies: short-term (stop it now) and long-term (keep it stopped while you investigate).

Isolate affected systems from the network immediately
Block malicious IPs, domains, and accounts at the firewall
Disable compromised user accounts and reset credentials
Capture memory dumps and disk images before remediation
Implement temporary firewall rules to restrict lateral movement
Communicate status to stakeholders — do not use compromised email

4. Eradication & Recovery

Remove the threat from your environment completely, restore affected systems from clean backups, and verify that the attacker has no remaining access. Rushing recovery without complete eradication leads to re-infection.

Identify and remove all malware, backdoors, and persistence mechanisms
Patch the vulnerability that was exploited for initial access
Rebuild compromised systems from known-good images or backups
Reset all credentials — not just those confirmed compromised
Monitor restored systems closely for signs of re-infection
Gradually restore services in order of business priority

5. Post-Incident Review

Conduct a blameless post-mortem to document what happened, what worked, what failed, and what changes will prevent recurrence. This phase turns every incident into an improvement to your security posture.

Hold a post-incident review within 72 hours
Document a complete timeline of the incident
Identify root cause and contributing factors
Update your incident response plan based on lessons learned
Implement new controls to address identified gaps
Brief leadership and relevant stakeholders on findings

Compliance

Breach notification requirements

HIPAA

Notify HHS within 60 days of discovery for breaches affecting 500+ individuals. Notify affected individuals without unreasonable delay.

IRS / FTC

Tax preparers must notify the IRS, state tax agencies, and affected clients. The FTC Safeguards Rule requires a written incident response plan.

State Laws

Most states require notification within 30-60 days. Some require notification to the state attorney general. Requirements vary by state.

PCI-DSS

Notify your acquiring bank and payment card brands within 24-72 hours. Engage a PCI Forensic Investigator.

Don't wait for a breach to write your plan

We build custom incident response plans for businesses of all sizes. Compliant, actionable, and ready when you need them.