The first 24 hours of a cyber incident are not just about firefighting. They’re about acting fast, staying clear-headed, and following a structured plan. Whether you’ve just spotted a problem or you’re preparing in advance, this checklist will walk you through the exact steps to take once a breach is discovered, from isolation and containment to communication and compliance.
This guide walks you through a clear, actionable checklist to help you take control early, limit the fallout, and meet your legal and regulatory obligations. If you don’t have an incident response plan in place yet, this is the next best thing.
Why the First 24 Hours Matter
Cyber incidents rarely follow a neat script. They’re chaotic, fast-moving, and often confusing in the early stages. In that short window after discovery, organisations must:
- Contain the threat before it spreads
- Protect sensitive data
- Preserve evidence
- Notify the right people (internally and externally)
- Meet regulatory deadlines (such as GDPR’s 72-hour breach notification rule)
Stumbling at this stage can lead to greater financial losses, reputational damage, and even legal action. That’s why having a well-practised checklist is essential, not just for cyber security teams, but for business leaders and operational staff too.
Before You Start: Preparation Is Everything
If you’re reading this during a live incident, skip ahead. But if you’re here proactively, good on you. Here’s what should already be in place before something goes wrong:
- A documented incident response plan
- Key internal and external contacts identified
- Access to a trusted incident response partner
- Regular tabletop exercises to rehearse your process
Need help building this out? That’s exactly what we do at 3B Data Security — from technical playbooks to full response retainers.
Cyber Incident Response Checklist: First 24 Hours After a Breach
Here’s a step-by-step guide of what to do when a cyber security incident is confirmed or suspected:
1. Confirm There’s a Real Incident
Before raising alarms, take a moment to verify:
- Are you seeing unusual system behaviour, strange logins, or alerts from monitoring tools?
- Has a user reported something that could indicate a compromise (e.g. suspicious email, unexpected file access)?
- Have critical systems gone offline or data become inaccessible?
Don’t panic, but don’t delay. Gather as much initial context as possible and escalate it to the appropriate people.
2. Contain the Threat Quickly and Quietly
This step is about limiting the damage:
- Isolate affected machines or accounts (unplug, disable, block — don’t delete)
- Stop lateral movement by segmenting the network if possible
- Lock down admin accounts or VPN access if credentials are suspected to be stolen
Importantly, do not reformat systems or wipe logs. You’ll need those for forensic analysis.
3. Notify the Right People
Communication is key in a crisis. Get the right people involved — fast:
- Internal IT/security team (or your MSP, if outsourced)
- Executive leadership (they’ll need visibility and approval powers)
- Legal & compliance teams (especially for reporting requirements)
- Incident response partner (ideally already on retainer — like 3B Data Security)
Avoid blanket announcements. Communication should be controlled, secure, and based on verified facts.
4. Assess the Scope and Impact
Within hours, you’ll need to start understanding:
- What systems were affected?
- Was data accessed, modified, or exfiltrated?
- Does the incident involve personally identifiable information (PII), cardholder data, or business-critical IP?
- Is this a reportable breach under regulations like GDPR, PCI DSS, or DORA?
Work closely with digital forensic teams to begin establishing a timeline and root cause.
5. Begin Regulatory & Insurance Notification Processes
Certain regulations require fast action:
- GDPR: Report qualifying data breaches to the ICO within 72 hours
- PCI DSS: Breaches involving payment card data must be reported to acquirers and banks
- Cyber insurance: Early notification is often a policy condition
If in doubt, notify cautiously. Most regulators prefer early transparency over late disclosures.
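Two of the checklist points above (preserve logs before containment in step 2, and the 72-hour ICO window in step 5) are the kind of thing that gets lost in the chaos unless it is written down. The helper below is an added illustration, not tooling from 3B Data Security or the original article: it hashes an artefact at collection time so its integrity can be demonstrated later, computes the notification deadline from the discovery time, and orders raw observations into the timeline step 4 asks for. The sample log line and timestamps are constructed.

```python
"""Evidence-preservation and notification-deadline helpers for the first 24 hours.
Added example with constructed sample data; not the article's or 3B Data Security's code."""
import hashlib
from datetime import datetime, timedelta, timezone

# Notification window from the checklist (GDPR breach reporting to the ICO).
GDPR_NOTIFY_WINDOW = timedelta(hours=72)

# Constructed sample inputs: time the SOC confirmed the incident, and one auth.log line.
DISCOVERED_AT = datetime(2024, 5, 6, 9, 30, tzinfo=timezone.utc)
SAMPLE_AUTH_LOG = b"May 06 03:12:44 srv01 sshd: Accepted password for admin from 203.0.113.7\n"


def evidence_record(name: str, data: bytes, collected_at: datetime) -> dict:
    """Hash an artefact (log file, export) before containment touches the host,
    so investigators and regulators can later verify it was not altered."""
    return {
        "artefact": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size_bytes": len(data),
        "collected_at": collected_at.isoformat(),
    }


def integrity_intact(record: dict, data: bytes) -> bool:
    """True if the artefact still matches the hash taken at collection time."""
    return hashlib.sha256(data).hexdigest() == record["sha256"]


def notification_deadline(discovered_at: datetime) -> datetime:
    """Latest time a qualifying breach can be reported under the 72-hour rule."""
    return discovered_at + GDPR_NOTIFY_WINDOW


def hours_remaining(discovered_at: datetime, now: datetime) -> float:
    """Hours left in the notification window (negative once it has passed)."""
    return (notification_deadline(discovered_at) - now).total_seconds() / 3600


def build_timeline(events: list[tuple[datetime, str]]) -> list[str]:
    """Order raw observations chronologically for the scope and impact assessment."""
    return [f"{ts.isoformat()} {desc}" for ts, desc in sorted(events)]


if __name__ == "__main__":
    record = evidence_record("srv01:/var/log/auth.log", SAMPLE_AUTH_LOG, DISCOVERED_AT)
    print(record)
    print("intact after containment:", integrity_intact(record, SAMPLE_AUTH_LOG))
    print("report to ICO by:", notification_deadline(DISCOVERED_AT).isoformat())
    for line in build_timeline([(DISCOVERED_AT, "SOC confirmed incident"),
                                (DISCOVERED_AT - timedelta(hours=6), "suspicious admin login")]):
        print(line)
```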
6. Coordinate External Communications
If customers, suppliers, or the media are likely to find out, get ahead of it:
- Draft a holding statement: factual, calm, non-speculative
- Assign a single spokesperson or comms lead
- Do not confirm details that haven’t been verified
- Keep messages consistent across channels
Trust can survive an incident, but not a chaotic or misleading response.
Common Incident Response Mistakes to Avoid in the First 24 Hours
Even experienced teams can get tripped up under pressure. Watch out for:
- Wiping or restoring systems too soon, destroying forensic evidence
- Failing to involve legal/compliance early, missing regulatory deadlines
- Underestimating the incident, leading to late escalation
- Communicating inconsistently, which damages internal trust and public perception
- Not having an external expert on call, leading to avoidable delays
How We Can Help You Act Fast
At 3B Data Security, we don’t believe in panic-driven incident response. We work with you to take control of the situation, stabilise systems, and guide your team through every step.
Our services include:
- 24/7 Incident Response Retainers
- Digital Forensic Investigations
- Regulatory Reporting Support
- Ransomware Containment & Negotiation
- Tabletop Simulation Exercises
- Cyber Insurance Readiness Assessments
We’re trusted by everyone from local authorities to FTSE-listed enterprises, and we’re always ready when the worst happens.
Our Incident Response Retainer Service gives you guaranteed access to expert support, tailored response plans, and proactive tools like threat monitoring, dark web scanning, and regular cyber risk reviews. It’s not just about reacting faster; it’s about being prepared before the threat even appears.
With flexible packages built around your needs, it’s a smart, strategic way to strengthen your response capability, and sleep a little easier.
