The First 24 Hours of a Security Incident — What to Do (and What Not to Do)

May 6, 2026

TL;DR / Quick Answer

In the first 24 hours: contain quickly, preserve evidence before you change anything, communicate only verified facts, prioritize by business impact, and avoid rushed fixes that destroy forensic context.

Why the first day matters most

The first day determines blast radius, legal exposure, and customer trust. Teams that improvise usually lose time and lose evidence. Teams with a playbook contain faster and recover cleaner.

Hour-by-hour playbook

Hours 0–2: Confirm and contain

Validate the signal against a second source (a true positive, not a scanner or a misfiring rule), isolate affected systems at the network level rather than powering them off (a shutdown discards memory, running processes and active connections you will need later), and freeze high-risk access paths: VPN, privileged accounts, CI/CD credentials and cloud console access an attacker could use to move laterally.

Hours 2–6: Preserve evidence and scope impact

Capture volatile data first (memory, process lists, network connections), then logs and disk snapshots, and record a hash of everything collected before any remediation changes the systems. Identify impacted assets and whether data was exposed; that answer drives both legal obligations and customer messaging.
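A minimal evidence-preservation helper for this phase, added here as an example and not tooling from the original post: it copies each artifact into a case directory, records a SHA-256 hash, size and UTC collection time per file in a manifest, hashes the manifest itself so it can be recorded out of band, and can later prove the set is untouched. It also includes a first-pass scoping function that pulls the time window of log lines mentioning known indicators. The case identifier, paths and the auth log lines are constructed for illustration.

```python
"""Evidence manifest + first-pass scoping for the first 24 hours.
Added example, not the post author's tooling. Case ID, paths and
the sample log below are constructed for illustration."""
import hashlib
import json
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample auth log; in practice you copy the real files.
SAMPLE_AUTH_LOG = """\
2026-05-06T01:12:03Z sshd[2210]: Accepted password for svc-backup from 203.0.113.45 port 51522
2026-05-06T01:12:09Z sudo: svc-backup : TTY=pts/1 ; COMMAND=/usr/bin/curl -o /tmp/x 198.51.100.7/x
2026-05-06T01:20:41Z sshd[2290]: Accepted publickey for deploy from 10.0.4.12 port 40110
"""


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(artifacts, dest: Path, case_id: str) -> Path:
    """Copy each artifact into dest and record hash, size and collection
    time in manifest.json. Returns the manifest path."""
    dest.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in artifacts:
        src = Path(src)
        data = src.read_bytes()
        copy = dest / src.name
        copy.write_bytes(data)
        entries.append({
            "source": str(src),
            "stored_as": copy.name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {
        "case_id": case_id,
        "collector_host": socket.gethostname(),
        "entries": entries,
    }
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    # Hash of the manifest itself: write it in the case notes or send it
    # out of band so a later edit to the manifest is detectable too.
    (dest / "manifest.sha256").write_text(sha256_file(manifest_path) + "\n")
    return manifest_path


def verify(manifest_path: Path) -> list[str]:
    """Names of stored artifacts whose hash no longer matches the manifest.
    An empty list means the evidence set is intact."""
    manifest = json.loads(manifest_path.read_text())
    bad = []
    for e in manifest["entries"]:
        p = manifest_path.parent / e["stored_as"]
        if not p.exists() or sha256_file(p) != e["sha256"]:
            bad.append(e["stored_as"])
    return bad


def scope(log_text: str, indicators: set[str]) -> dict:
    """First pass at blast radius: lines mentioning any known indicator
    (attacker IP, compromised account) and the time window they span.
    Assumes an ISO-8601 timestamp is the first token of each line."""
    hits = [ln for ln in log_text.splitlines() if any(i in ln for i in indicators)]
    stamps = [ln.split(" ", 1)[0] for ln in hits]
    return {
        "matched_lines": len(hits),
        "first_seen": min(stamps, default=None),
        "last_seen": max(stamps, default=None),
    }


def demo() -> tuple[list[str], list[str]]:
    """Collect the sample log, verify it, then simulate a well-meaning
    'cleanup' of the stored copy and show that verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "auth.log"
        src.write_text(SAMPLE_AUTH_LOG)
        case_dir = tmp / "evidence" / "web-01"
        m = collect([src], case_dir, "IR-2026-0506")
        clean = verify(m)
        (case_dir / "auth.log").write_text("")
        tampered = verify(m)
        return clean, tampered


if __name__ == "__main__":
    print(scope(SAMPLE_AUTH_LOG, {"203.0.113.45", "svc-backup"}))
    print(demo())
```

The hashes do not make the evidence admissible on their own; they let you show, later, that what you analyzed is what you collected. Keep the manifest hash somewhere the compromised environment cannot reach.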

Hours 6–12: Coordinate communications

Assign one decision owner and one communications owner. Align legal, leadership, and customer teams, and move responder coordination to an out-of-band channel if email or chat may be within the attacker's reach.

Hours 12–24: Stabilize and plan recovery

Close the confirmed entry vector and patch the root cause where it is known, rotate credentials only once attacker access is cut off (rotating while a foothold remains just hands the attacker fresh ones), monitor for recurrence using the indicators found during scoping, and define the priorities for the next 72 hours.

What not to do

  • Do not wipe, reimage, or power off systems before collecting evidence; a shutdown alone destroys memory and active connections.
  • Do not delay containment while waiting for perfect certainty.
  • Do not communicate assumptions as facts.
  • Do not treat incident handling as purely technical.

Pair this playbook with operations platform guidance and startup security planning.

Frequently Asked Questions

What are the first five critical moves?

Containment, evidence preservation, ownership assignment, impact analysis, and controlled communication.

Should we announce instantly?

Communicate quickly, but only with verified facts and a clear remediation path. Keep in mind that regulatory notification clocks (GDPR's 72-hour breach notification, for example) start when you become aware of the breach, so legal needs the verified facts early.

How do we prepare before incidents?

Run tabletop exercises, define ownership, and document a practical incident workflow.
