Blog: DFIR

The first 24 hours of a cyber incident. A practical playbook 

Ekom Ibiok 24 Mar 2025

TL;DR

  • The first 24 hours after a cyber incident are critical for containment and recovery. 
  • Small and medium-sized businesses (SMBs) often lack resources, but swift action is still possible. 
  • This playbook provides clear steps to follow in the heat of a breach: who to contact, what to do, and how to communicate. 
  • Preparation ahead of time will make or break your response. 

Introduction 

It’s every organisation’s worst nightmare: you find out you’ve been breached. Whether it’s ransomware locking you out, an unauthorised transfer of funds, or sensitive data leaving your network, what you do next will define the outcome. The first 24 hours are vital—not just for limiting the damage but for setting the tone with regulators, customers, and staff. 

For small and medium-sized businesses, incident response can feel overwhelming. Maybe you don’t have a dedicated security team or a slick playbook. That’s okay. This article gives you a clear, no-nonsense plan for what to do in those critical early hours. 

Why the first 24 hours are critical in incident response 

Incidents are chaotic. Decisions made under pressure can either help or hinder your recovery. Respond well, and you contain the breach, keep stakeholders informed, and minimise reputational and financial damage. Respond poorly, and you risk regulatory fines, lost customers, and even operational collapse. 

Many guides assume you have a 24/7 Security Operations Centre (SOC). But what if you don’t? SMBs often rely on overworked IT teams juggling multiple roles. This playbook offers practical, achievable steps for organisations without a big security budget or an in-house IR team. 

Immediate actions to take

1. Confirm the breach and activate the IR plan

Don’t panic. First, make sure there’s an actual incident. False positives happen. Once confirmed, activate your incident response (IR) plan—even if it’s a simple checklist taped to the wall. If you don’t have a plan, start here.

2. Contain the threat. Isolate affected systems

Pull the plug—sometimes literally. Disconnect compromised systems from the network. Isolate endpoints showing signs of malware, encryption, or data exfiltration. If you’re dealing with ransomware, DO NOT power systems off unless advised by IR experts; doing so could complicate recovery.

3. Gather evidence without contaminating it

It’s tempting to jump in and fix things, but you need evidence: 

  • Take forensic disk images if possible. 
  • Capture volatile memory (RAM) if you can. 
  • Preserve logs, including firewall and VPN activity. 
  • Document everything: what you saw, when you saw it, what you did next. 

If you’re not comfortable doing this, call an IR specialist. Don’t tinker and destroy evidence by accident. 

Who to contact

1. Internal stakeholders

Tell the right people—quickly. Who needs to know immediately? 

  • Senior leadership / decision-makers. 
  • Legal counsel. 
  • HR (depending on the nature of the breach). 

Make sure everyone understands this is confidential and time-critical.

2. External IR providers (if contracted)

If you already have a contract in place with an IR partner, call them now. This is why you picked up the phone months ago and got them on retainer—right? If not, you’ll need to act fast and find one. Ideally, have this sorted before an incident.

3. Regulatory bodies (e.g. the ICO under GDPR), if applicable

If personal data is involved, you may have to notify the Information Commissioner’s Office (ICO) within 72 hours. Start drafting the notification. Get legal involved before you press send.

4. Law enforcement

Consider notifying law enforcement, particularly if you’ve been hit by ransomware or suffered financial fraud. They won’t always swoop in and save the day, but they may offer advice or open an investigation. 

Communications strategy 

Crafting internal and external messaging

Prepare a short, fact-based internal communication. Staff need to know what’s happening (and what they shouldn’t do, like talking to the media). 

For external comms: 

  • Be clear, concise, and avoid speculation. 
  • Don’t downplay or overstate the situation. 
  • If you don’t know something, say so, and promise updates. 

Avoid common communication pitfalls

  • No knee-jerk emails or rushed statements. 
  • Don’t blame anyone—internally or externally. 
  • Work with legal and PR before going public. 

Initial technical steps

1. Network segmentation

Once the immediate threat is contained, segment the network to prevent further spread. Lock down VPNs, disable remote desktop protocols (RDP), and restrict admin access.

2. Reviewing and disabling compromised credentials

Change passwords on affected accounts. Implement multi-factor authentication (MFA) if it wasn’t in place already. Disable accounts you suspect are compromised until you can investigate.

3. Log collection and preservation

Secure logs from: 

  • Firewalls 
  • Authentication systems (Active Directory, etc.) 
  • VPNs 
  • Cloud services 

Keep them safe for future investigation and potential legal action. 
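Preserving logs (and the disk or memory images from the evidence section above) only helps if you can later show they have not changed since collection. The script below is an added example, not part of the original article: it copies log files into an evidence directory, hashes each copy, records a timestamped chain-of-custody manifest, and re-verifies the hashes on demand. It assumes a POSIX shell with coreutils (sha256sum, cp, date); the directory and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): copy log files into an evidence
# directory, hash each copy and record a chain-of-custody manifest. Assumes a
# POSIX shell with coreutils (sha256sum, cp, date); all paths are placeholders.
set -eu

# preserve_logs EVIDENCE_DIR FILE...
# Copies each log read-only into EVIDENCE_DIR, verifies the copy's SHA-256
# against the original and appends "timestamp hash name collector" to
# manifest.txt. Refuses to overwrite evidence that is already there.
preserve_logs() {
    evidence_dir=$1; shift
    mkdir -p "$evidence_dir"
    manifest="$evidence_dir/manifest.txt"
    for src in "$@"; do
        [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
        name=$(basename "$src")
        dst="$evidence_dir/$name"
        [ ! -e "$dst" ] || { echo "refusing to overwrite evidence: $dst" >&2; return 1; }
        cp -p "$src" "$dst"          # -p keeps the original timestamps
        chmod 0444 "$dst"            # read-only: discourage accidental edits
        orig_hash=$(sha256sum "$src" | cut -d' ' -f1)
        copy_hash=$(sha256sum "$dst" | cut -d' ' -f1)
        [ "$orig_hash" = "$copy_hash" ] || { echo "hash mismatch: $src" >&2; return 1; }
        printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$copy_hash" \
            "$name" "${USER:-unknown}" >> "$manifest"
    done
}

# verify_manifest EVIDENCE_DIR
# Recomputes every hash listed in manifest.txt; returns 1 if any copy has
# changed since collection, which is the question regulators or a court ask.
verify_manifest() {
    evidence_dir=$1
    status=0
    while read -r ts hash name collector; do
        actual=$(sha256sum "$evidence_dir/$name" | cut -d' ' -f1)
        if [ "$actual" != "$hash" ]; then
            echo "ALTERED since $ts: $name (collected by $collector)" >&2
            status=1
        fi
    done < "$evidence_dir/manifest.txt"
    return "$status"
}
```

Run `preserve_logs /path/to/evidence /var/log/firewall.log /var/log/vpn.log` as soon as the logs are identified, then keep the evidence directory on media nobody else writes to; `verify_manifest` should still return 0 weeks later.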

Non-technical considerations 

Legal implications

Get legal advice immediately. Data breaches come with legal obligations, particularly under GDPR. Document everything—transparency is key if regulators come knocking. 

PR response

Have a plan for public communications. If customers or the public are impacted, it’s better they hear it from you first. Be transparent about what you know and what you’re doing to fix it. 

Employee support and mental wellbeing

Cyber incidents are stressful. People make mistakes under pressure. Look after your team. Provide clear guidance, and make sure they take breaks. Recognise the emotional impact. 

24-Hour retrospective 

What have you learned so far?

At the 24-hour mark, take stock. What’s the status of: 

  • Containment? 
  • Impact assessment? 
  • External notifications? 

Start thinking about the longer-term plan: eradication, recovery, and lessons learned. 

Planning for the next phases. Eradication and recovery 

  • Eradicate malware from systems. 
  • Patch vulnerabilities. 
  • Monitor for signs of reinfection. 
  • Begin restoring from backups (verified clean ones). 
  • Plan post-incident reviews and improvements. 

Conclusion 

Preparation is everything. If you’ve read this far and thought, “We’re not ready for this,” then now’s the time to change that. Create an incident response plan, have an IR provider on retainer, and run tabletop exercises. If you are scratching your head, we can help you. 


The first 24 hours are your best shot at controlling the damage and setting up a strong recovery. React well, and you’ll survive. React poorly, and you could be out of business.  

Checklist for the first 24 hours

  • Confirm the breach 
  • Contain the threat 
  • Gather and preserve evidence 
  • Notify internal stakeholders 
  • Contact external IR providers 
  • Notify regulators (if applicable) 
  • Craft internal / external communications 
  • Segment the network 
  • Disable compromised accounts 
  • Secure and preserve logs 
  • Seek legal advice 
  • Support your team 
  • Plan the next steps