Incident Response · First 24 Hours · June 2026

Your Company Just Got Hacked: The Hour-by-Hour Action List for the First 24 Hours

The moment you realize you have been breached, every instinct you have is wrong. You want to wipe the infected machine, call your IT vendor, and email the affected customers. Do those three things in that order and you destroy the forensic evidence, void your cyber insurance, and turn a contained incident into a public crisis. This is the calm, sequenced action list we walk clients through when the call comes in at 2am, broken into the decisions that actually matter in hours zero to two, two to six, six to twelve, and twelve to twenty-four.

Key Takeaways

• Contain, do not erase. Isolating a compromised machine from the network preserves the attacker's footholds for analysis; wiping or rebuilding it destroys the evidence you need to scope the breach and the proof your insurer and any regulator will ask for. Pull the network cable or disable the port, do not power the machine down and do not reimage it.
• The order of your phone calls decides whether your claim gets paid. The first call is to whoever can isolate systems. The second is to breach counsel or your cyber insurer's hotline, not your regular IT vendor and not the affected customers. Counsel hires the forensic firm so the investigation sits behind legal privilege.
• Several legal and regulatory clocks start the moment you have a reasonable belief a breach occurred, not when you finish investigating. GDPR gives 72 hours to notify a supervisory authority, many US state laws and contracts impose their own windows, and a delayed notification is itself a finding. Start the clock log in hour one.
• Do not pay, promise, or negotiate a ransom in the first 24 hours. That is a deliberate decision made later with counsel, your insurer, and sanctions-screening advice. Paying can be unlawful if the actor is on a sanctions list, and a rushed payment rarely restores data cleanly anyway.
• A company with a written incident response plan and a retainer contains a breach in hours and pays a fraction of what an unprepared company pays. The unprepared company spends the first six hours deciding who to call while the attacker is still moving.
• The single most expensive mistake is silence followed by a clumsy disclosure. Customers, regulators, and insurers forgive a breach that was handled with discipline far more readily than one that was hidden, mishandled, or disclosed in a panic three weeks later.

A breach triggers the same fight-or-flight response as any sudden threat, and under that pressure people reach for the actions that feel like progress: make it go away, get the expert on the phone, warn the people who matter. In a cyber incident, all three of those reflexes are traps, because they optimize for feeling in control rather than for the two things that actually determine the outcome - preserving evidence and stopping the spread.

The first reflex is to clean up. Wipe the machine, restore from backup, reimage the laptop, delete the suspicious files. This feels decisive and it is the worst thing you can do in the first hour. The compromised systems hold the only record of how the attacker got in, what they touched, and whether they are still inside. Destroy that record and you cannot scope the breach, which means you cannot tell a customer or a regulator what was and was not affected, which means you have to assume the worst about everything. Cleaning up early does not shrink the incident; it makes the entire estate suspect.

The second reflex is to call your regular IT support first. They are who you call when the email is down, so they are who you call now. The problem is that general IT support is not incident response, and their natural instinct is exactly the cleanup that destroys evidence. Worse, if they start remediating before counsel is involved, the work is not protected by legal privilege, which means every message, every note, and every half-formed theory they produce can later be demanded in litigation or by a regulator. The right early calls go to people whose job is containment and to counsel who can shield the investigation.

The third reflex is to warn people - customers, partners, the wider team - immediately. Transparency is right, but speed without accuracy is a liability. A breach notification is a statement of fact that you will be held to. Send it in hour one, before anyone has scoped what happened, and you will almost certainly say something that turns out to be false: that data was not accessed when it was, or that the incident is contained when it is not. The disciplined move is to prepare to communicate, control the channel, and notify the legally required parties on the legal clock, while holding public statements until you can make them accurate.

The goal of the first two hours is narrow: stop the bleeding and protect the evidence, without destroying either. You are not trying to understand the whole breach yet, and you are not trying to fix anything. You are trying to deny the attacker further movement while keeping everything they touched intact for analysis.

Confirm it is real, then assume it is bigger. Verify that what you are seeing is an actual incident and not a false alarm, but the moment it is confirmed, work on the assumption that the attacker has been inside longer and reached further than the first symptom suggests. The visible ransom note or the one alerting machine is rarely the whole story; intruders typically move laterally for days or weeks before they are noticed. Treat the known-bad machine as the tip, not the iceberg.

Isolate the affected systems. Remove compromised machines from the network while leaving them running. If you have endpoint protection with a network-isolation feature, use it. If not, physically disconnect: unplug the network cable, disable the port, disconnect from wireless. For cloud and SaaS, the equivalent is to revoke the attacker's access: disable suspected-compromised user accounts, revoke active sessions and refresh tokens, and rotate the credentials and API keys you have reason to believe are exposed. Containment in the cloud is about sessions and tokens, not cables.

Protect your lifelines: identity, backups, and communications. Three assets decide whether you recover quickly or not at all. Your identity system (the directory or identity provider that controls who can log in) is the master key; if the attacker holds privileged access there, isolating one laptop accomplishes nothing. Your backups are your way home, and modern attackers hunt for and destroy backups before they trigger encryption, so confirm your backups are intact, offline or immutable, and out of the attacker's reach. And your normal communications may be compromised, so assume email and chat are being read and move incident coordination to an out-of-band channel.

Start the log now. Open a simple document - on a clean device, not the network you are investigating - and timestamp every observation, decision, and action from this point forward. Who saw what, when, what was isolated at what time, who was called. This log is not bureaucracy; it is the backbone of the regulator notification, the insurance claim, and any later legal defense, and it is impossible to reconstruct accurately after the fact. The teams that keep a clean timeline have a dramatically easier next three weeks.

By the two-hour mark the immediate spread should be contained and the evidence intact. Now the incident needs structure, because the most common failure mode from here is not technical - it is the chaos of ten people taking uncoordinated actions, contradicting each other on calls, and nobody owning the decisions. The fix is to establish command and to make a short series of phone calls in a deliberate order.

Name an incident commander. One person owns the response, makes the calls that need making, and is the single point of coordination. This is usually not the most senior person in the company and usually not the most technical; it is the person who can run a calm process under pressure. Everyone else has a defined role: technical lead, communications lead, legal liaison, and a scribe who keeps the timeline log. Decisions route through the commander so the response moves in one direction.

The order of calls is the part people get wrong. The first call is to whoever can isolate and contain - internal IT, your managed security provider, or your incident response retainer. The second call is to breach counsel or, if you have cyber insurance, the insurer's 24-hour incident hotline, which will route you to approved counsel and forensics. Counsel matters here for a specific reason: when counsel engages the forensic firm, the investigation and its findings are generally protected by legal privilege, which keeps your own internal theories and the raw forensic detail out of an opponent's hands later. Call the forensic firm directly, without counsel, and you may waive that protection.

Take the forensic image before anyone remediates. Once counsel and the responders are engaged, the team captures forensic images of the affected systems - a complete, verifiable copy of the disk and, where possible, memory - before any cleanup begins. This image is the evidence base for scoping the breach, satisfying the insurer, and answering the regulator. It is also what lets the team safely rebuild later, because you can analyze the copy while restoring the live system. Remediating before imaging is the irreversible mistake that the first-hour discipline was protecting against.

Decide who does not need to act yet. Part of establishing command is preventing well-meaning people from making things worse. The sales team does not email customers. The marketing team does not post anything. Individual engineers do not start "checking" or "cleaning" systems on their own initiative. Everyone is told, clearly and early, that the only actions taken are the ones the incident commander has authorized. Uncoordinated helpfulness during an incident is a leading cause of destroyed evidence and contradictory public statements.

While the technical team scopes the breach, a parallel set of clocks is running, and most of them started the moment you had a reasonable belief that an incident occurred - not when the investigation finishes. Missing a notification deadline is its own violation, independent of how well you handled everything else, so the legal liaison's job in this band is to map every clock that applies to you and calendar each deadline against the timeline log.

Data-protection law. If you hold personal data on people in the EU or UK, the GDPR gives you 72 hours from becoming aware of a personal-data breach to notify the relevant supervisory authority, unless the breach is unlikely to result in a risk to individuals. The notification can be made in stages as you learn more, which is precisely why an early, honest "we are investigating and will update you" beats waiting for certainty. In the United States, all states have breach-notification laws with their own definitions and timelines, and sector rules like HIPAA add their own. The point is not to memorize every statute; it is to identify in hour six which regimes apply to your data and what each one demands.

Contractual obligations. Your customer contracts almost certainly contain breach-notification clauses, often stricter than the law - 24 or 48 hours is common in enterprise agreements. These are easy to forget in the moment and expensive to miss, because a missed contractual notification is a breach of contract on top of the security incident. The legal liaison pulls the relevant contracts and adds each notification window to the clock map. If you process data on behalf of other businesses, you likely have a duty to notify them quickly so they can meet their own obligations.

Regulators and law enforcement. Depending on your sector and country, you may have additional regulators to notify (financial, health, critical-infrastructure) and a decision to make about involving law enforcement. Reporting to law enforcement does not usually slow your recovery and can help later, but it is a decision made with counsel, not a reflex. In the EU, NIS2 and DORA impose their own incident-reporting timelines on the entities they cover, frequently including an early warning within 24 hours. Know before the incident whether these apply to you, because reading the regulation for the first time at hour eight is not a good place to be.

Insurance conditions. Beyond the initial notification, your policy has conditions you must keep meeting: using approved vendors, getting consent before incurring major costs, preserving evidence, and not admitting liability publicly. The legal liaison and the incident commander keep these front of mind, because the difference between a paid claim and a denied one is often a procedural condition that was easy to satisfy and easy to forget under pressure.

The final band of the first day is where the work shifts from holding the line to taking back control. By now the forensic team should have an emerging picture of how the attacker got in and where they went, and that picture drives three activities that must happen in order: finish scoping, eradicate the attacker's access completely, and only then begin recovery from clean sources.

Finish scoping before you declare anything. Scoping answers the questions everyone is asking: how did they get in, what did they reach, was data taken, and are they still inside. You cannot communicate accurately or notify completely until you have defensible answers, which is why the customer email that felt urgent in hour one was a trap. The forensic timeline, built from the images and logs, is what turns "we think" into "we have determined," and that distinction is the whole difference in how a regulator and a court read your response.

Eradicate, do not just clean the obvious. Eradication means removing every foothold the attacker established: the malware, yes, but also the backdoor accounts they created, the legitimate credentials they stole and are still using, the persistence mechanisms they planted, and any access they retained through your remote-access tools or VPN. This is why scoping has to come first - eradicate only what you can see and the attacker walks back in through the access you missed. Reset credentials broadly, force re-authentication everywhere, and rebuild compromised systems from known-good images rather than trying to disinfect them in place.

Begin recovery from confirmed-clean sources. With the estate eradicated, restore systems and data from backups you have verified are untouched, bringing the most critical business functions back first. Re-enable accounts only after their credentials are reset and multi-factor authentication is confirmed. Monitor the restored environment closely, because the period right after recovery is when a missed foothold reveals itself. The goal of the first 24 hours is not full recovery - that often takes days or weeks - but to have a contained incident, a clean understanding of scope, an eradication plan in motion, and the first critical systems coming back safely.

Communicate, finally, and accurately. Now you can do what your hour-one instinct wanted: tell people. With scope established and counsel's input, you notify regulators on their clock, inform affected customers and partners with accurate information, and brief your team. The message is calmer and far more credible than anything you could have sent at the start, because it says what happened, what was and was not affected, and what you are doing - all of it true. Discipline in the first hours is what earns you a credible voice on the first day.

Across the incidents we respond to, the companies that suffer the worst outcomes rarely suffer because the attack was unusually sophisticated. They suffer because of a handful of avoidable mistakes made in the first hours, each one turning a contained problem into a compounding one.

6.1 Wiping or rebuilding before imaging

The instinct to clean the infected machine destroys the only evidence of how the breach happened and how far it reached. Without that evidence you cannot scope the incident, which forces you to assume the worst about everything, which makes the notification, the claim, and the recovery all larger and more expensive. Isolate and image first; clean later, from the copy.

6.2 Paying or promising a ransom in a panic

A rushed ransom decision in the first hours is almost always wrong. Payment may be unlawful if the actor is subject to sanctions, it can void insurance if made without the insurer's involvement, and it frequently fails to restore data cleanly or stop a second extortion demand. Whether to pay is a deliberate decision made later with counsel, the insurer, and sanctions screening - never a reflex in hour two.

6.3 Notifying customers before you know the scope

A premature public statement commits you to a version of events that the investigation often contradicts. Saying "no data was accessed" and then discovering it was is far more damaging than an initial "we are investigating and will update you within 24 hours." Notify on the legal clock, but make public statements only once you can make them accurately.

6.4 Letting everyone "help" without coordination

Uncoordinated action during an incident is a leading cause of destroyed evidence, contradictory statements, and missed steps. Engineers cleaning systems on their own initiative, salespeople reassuring customers, managers posting updates - each well-meaning action can undo the disciplined response. One incident commander, defined roles, and a rule that nothing happens without authorization keep the response coherent.

6.5 Restoring before eradicating

The pressure to resume operations pushes teams to restore systems while the attacker still holds access, which simply hands back the recovered environment. Recovery is the last step, after scoping and verified eradication, from a restore source confirmed to be clean. Companies that skip this step often find themselves re-encrypted within days, this time with depleted backups and exhausted goodwill.

A well-run first 24 hours does not end with the company fully recovered. It ends with a set of concrete outputs that make the next three weeks survivable and that prove, to everyone who will later ask, that the incident was handled responsibly. If you have these by the end of day one, you are in a strong position regardless of how serious the breach turned out to be.

A contained incident. The attacker no longer has active access, the spread has stopped, and the most critical systems are either safely isolated or beginning clean recovery. Containment is the single most important deliverable of the first day, because every hour the attacker retains access is an hour the damage grows.

A timestamped incident log. A clean, contemporaneous record of what was observed, decided, and done, by whom and when. This log is the backbone of the regulator notification, the insurance claim, and any legal defense, and it is the artifact that most distinguishes a professional response from a scramble.

Forensic images and a working scope. Verifiable copies of the affected systems and an emerging, evidence-based understanding of entry point, lateral movement, data access, and persistence. This is what lets you say what happened with confidence rather than guessing, and it is impossible to recreate if the evidence was destroyed in hour one.

A clock map with deadlines calendared. Every legal, regulatory, and contractual notification window identified and tracked, with the relevant ones already actioned or scheduled. Nothing is more avoidable than a missed deadline that becomes its own violation, and nothing is easier to miss in the chaos without a deliberate map.

An engaged team of the right people. Counsel retained and the investigation under privilege, the insurer notified and conditions being met, forensic responders working, and an incident commander running a coordinated process. The breach is no longer happening to you; you are managing it.

The reason this action list is worth reading before you need it is that the single biggest factor in how a breach plays out is how prepared you were when it started. The prepared company executes the sequence above because someone wrote it down and practiced it. The unprepared company spends the first six hours - the most valuable hours - deciding who to call, while the attacker keeps moving.

The unprepared path. Discovery, then confusion. Hours lost debating whether it is real, who owns it, and what to do. The instinctive mistakes get made: a machine wiped, a vendor cleaning systems, a panicked email sent. Counsel and the insurer are brought in late, after privilege is muddied and coverage conditions are already at risk. Scoping is harder because evidence is gone, so the company over-notifies and over-assumes. The incident drags for weeks, the claim is contested, and customer trust erodes with every contradictory update.

The prepared path. Discovery, then a plan. The incident commander is named in minutes because the role was assigned in advance. The first calls go to a retainer number that collapses containment, counsel, and forensics into one engagement. The clocks are known because someone mapped them before the incident. Containment happens in the first band, scoping in the third, and the first day ends with the situation managed rather than spiraling. The same attack, the same data, a fraction of the cost and disruption.

Preparation does not have to be elaborate. The minimum that changes the outcome is a one-page incident response plan that names the incident commander and their backup, lists the first three phone numbers (containment, counsel or insurer, forensics), states the rule "isolate, do not wipe," and points to where the contracts and the cyber policy live. Pin it somewhere reachable without the network, because the network may be exactly what is down. A retainer with a response firm turns those first three calls into one and guarantees someone experienced answers at 3am.

The figures above are the cost of being ready. The cost of not being ready is measured in lost claims, regulatory penalties, prolonged downtime, and lost customers, and it dwarfs every line in the table. Preparation is the cheapest security spending a company ever makes, precisely because it converts the most expensive hours of a breach - the first six - from wasted time into contained progress.

Next step

In the middle of an incident, or want a plan before you ever are?

If you are responding to a live breach right now, reach out immediately and we will walk you through containment without destroying the evidence or your insurance claim. If the dust has settled, we build the one-page incident response plan, test your backups, run a tabletop exercise, and put a retainer in place so the next call is a single number answered in minutes. The cheapest hour you will spend on security is the one that prepares you for the worst day.