The first 24 hours of a confirmed breach are where most of the lasting damage — financial, legal, and reputational — either gets contained or gets amplified. In my experience, the defining characteristic of organizations that come through well is not the size of their security team. It is whether they followed a calm, sequenced playbook instead of panicking into a series of avoidable mistakes.

This is the playbook. It is intentionally ordered. Do not skip ahead.

Hour 0-2: Verify, Then Isolate

Before you do anything destructive, confirm the incident is real. An EDR alert is a signal, not a finding. Look for corroborating evidence: a second source, outbound traffic to a known-bad IP, a user reporting something consistent. False alarms happen and "panic declarations" damage trust with leadership you will need later.

Once you have corroboration:

  • Isolate the affected assets at the network layer (switch port, VLAN, firewall rule, or EDR network containment) rather than powering them off. Network isolation cuts the attacker's access while preserving RAM, running processes, and open connections for forensics. Do not shut down or reimage.
  • Disable, do not delete, the credentials you suspect are compromised. A deleted account takes its attributes and group memberships with it, leaves only unresolvable identifiers in your logs, and stops you from seeing further attempts to use it.
  • Open an incident bridge on a channel you know the attacker cannot read. If you suspect email or Slack is compromised, move to a Signal group or phone calls.

Hour 1-3: Engage Legal BEFORE Talking to Outsiders

This one is non-negotiable. Your first call after activating the IR team is your general counsel or outside breach counsel. Not the CEO. Not the PR firm. Not the cyber insurance carrier directly.

Why: counsel retains the forensics firm and directs the investigation so that attorney-client privilege and attorney work-product protection can be asserted over it. Conversations and reports generated under that umbrella are much harder to obtain in discovery later. The same conversations, held without counsel in the loop, are often discoverable in litigation. The protection is not absolute: courts have ordered forensic reports produced when the same report was also used for ordinary business purposes, so keep the privileged investigation and the operational remediation work separate and documented as such.

Counsel will then help you contact:

  • Your cyber insurance carrier. Policies set a notice deadline, commonly measured in days, and late notice can jeopardize coverage; counsel will also check the policy's panel of approved vendors before you engage anyone.
  • An approved forensics firm (Mandiant, CrowdStrike, Stroz Friedberg, Kroll, etc.) retained by counsel under a privilege agreement.
  • Any regulatory body you have a statutory duty to notify at this early stage. Some clocks are short (GDPR allows 72 hours from awareness of a personal-data breach; NYDFS Part 500 allows 72 hours for covered financial entities), so counsel needs to start that analysis now even if the filing itself comes later.

Hour 2-6: Out-of-Band Communications

Assume the adversary has read your Slack, Teams, and email going back months. Many of them have.

  • Move the core IR team onto a dedicated Signal group with disappearing messages turned off for the duration.
  • Use a clean laptop that has not been attached to the corp domain. Not the CISO's daily laptop.
  • If you must call internal people, use their personal phone numbers, not desk or softphone extensions (DIDs) that route through a corporate PBX or VoIP platform the attacker may control.
  • Document in a dedicated incident binder (physical or a separate cloud drive the adversary does not have access to).

Hour 4-12: Evidence Preservation

Your forensics vendor will want full-disk and RAM captures of anything in scope. Either they will do it or your team will under their direction. Key points:

  • Preserve volatile memory first — running processes, network connections, recently used credentials. Once you reboot, it is gone.
  • Extend log retention immediately. Cloud audit logs are short-lived by default (CloudTrail's console event history, the Azure Activity Log, and the Okta System Log all default to 90 days), so set retention to the maximum, confirm that a trail or diagnostic setting is actually shipping events to durable storage, and export what already exists to write-once cold storage (for example an S3 bucket with Object Lock) before it ages out.
  • Preserve the EDR timeline exports. Many EDRs rotate detailed telemetry after 30 days or less; export the process trees and network events for in-scope hosts now rather than relying on the console later.
  • Chain of custody: who touched what, when, with what tool, and the hash of each image at acquisition, logged to a dedicated notes file.
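As an added example (mine, not part of the original playbook), the following Python script keeps the custody notes above as a hash-chained JSON-lines ledger: each acquired artifact is SHA-256 hashed in streaming fashion at acquisition, each entry records the handler, tool, source host and time, and every entry chains to the digest of the previous one so an edited or deleted line is detectable. The artifact names, handler and tool strings in demo() are constructed placeholders; "winpmem" appears only as an example tool name.

```python
"""Chain-of-custody ledger for acquired evidence (memory images, disk
images, log exports). Added example, not from the original playbook."""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024
GENESIS = "0" * 64  # prev-hash value for the first ledger entry


def sha256_file(path):
    """Stream-hash a file so multi-GB images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(ledger, artifact, handler, tool, source_host, note=""):
    """Append one custody entry to a JSON-lines ledger and return it.
    The entry's own digest covers every field including the previous
    entry's digest, so the ledger forms a hash chain."""
    ledger = Path(ledger)
    prev = GENESIS
    if ledger.exists():
        lines = ledger.read_text().splitlines()
        if lines:
            prev = json.loads(lines[-1])["entry_sha256"]
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "artifact": str(artifact),
        "artifact_sha256": sha256_file(artifact),
        "size_bytes": os.path.getsize(artifact),
        "handler": handler,          # person who performed the acquisition
        "tool": tool,                # acquisition tool and version
        "source_host": source_host,  # system the artifact came from
        "acquired_on": socket.gethostname(),
        "note": note,
        "prev_entry_sha256": prev,
    }
    body = json.dumps(entry, sort_keys=True)
    entry["entry_sha256"] = hashlib.sha256(body.encode()).hexdigest()
    with open(ledger, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_ledger(ledger):
    """Re-check the hash chain and re-hash every artifact still on disk.
    Returns (ok, list_of_problems)."""
    problems = []
    prev = GENESIS
    for n, line in enumerate(Path(ledger).read_text().splitlines(), 1):
        entry = json.loads(line)
        stored = entry.pop("entry_sha256")
        if entry["prev_entry_sha256"] != prev:
            problems.append(f"line {n}: chain break")
        recomputed = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        if recomputed != stored:
            problems.append(f"line {n}: entry tampered")
        art = Path(entry["artifact"])
        if art.exists() and sha256_file(art) != entry["artifact_sha256"]:
            problems.append(f"line {n}: artifact {art} modified")
        prev = stored
    return (not problems, problems)


def demo():
    """Self-contained run on constructed artifacts (not real evidence)."""
    d = Path(tempfile.mkdtemp())
    mem = d / "WS-042.mem"          # constructed stand-in for a RAM image
    mem.write_bytes(b"\x00" * 4096 + b"constructed memory image")
    logs = d / "okta-systemlog.json"  # constructed stand-in for a log export
    logs.write_bytes(b'{"events": []}')
    ledger = d / "custody.jsonl"
    first = record_acquisition(ledger, mem, "J. Doe", "winpmem", "WS-042", "RAM before isolation")
    record_acquisition(ledger, logs, "J. Doe", "okta api export", "okta-tenant")
    ok_before, _ = verify_ledger(ledger)
    with open(mem, "ab") as f:       # simulate someone touching the image later
        f.write(b"!")
    ok_after, problems = verify_ledger(ledger)
    return {"ok_before": ok_before, "ok_after": ok_after,
            "problems": problems, "first_hash": first["artifact_sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ledger proves that the bytes you hand to the forensics firm are the bytes you acquired; it does not prove the acquisition itself was sound, so the tool, its version, and the method still go in the notes. Copy the ledger into the out-of-band incident binder as well, since a ledger stored only on the compromised estate is as exposed as everything else there.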

Hour 6-24: Scope, Don't Fix

Resist the urge to "clean up." Every deleted file, every reimage, and every password rotation done before scoping is complete destroys evidence of the attacker's trail and signals to the attacker that they have been noticed. First understand:

  • Where did they enter?
  • How long have they been in?
  • What did they touch? What did they exfiltrate?
  • Do they still have persistence?

Only after you can answer those do you plan eradication and recovery. Premature remediation is one of the most common mistakes in IR, and it usually results in the attacker coming back through a second backdoor you never found.
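The four scoping questions map onto a concrete pivot over identity logs. The following added example (mine, not from the original post) runs that pivot over a handful of constructed Okta-System-Log-style events: start from one known-bad source IP, collect every account that authenticated from it, collect every non-corporate IP those accounts used, and repeat to a fixed point; then report where and when they entered, dwell time, what the attacker's sessions touched, and which events look like persistence. The event type names, the 10.0.0.0/8 corporate range, the account names and the IP addresses are all assumptions for the example; check them against your own IdP's schema and address plan.

```python
"""Scope an identity-layer intrusion by pivoting from one known-bad IP.
Added example over constructed events; not from the original post."""
import ipaddress
from datetime import datetime

# Constructed, Okta-System-Log-style events. Field and event names are
# illustrative assumptions, not a real export.
EVENTS = [
    {"t": "2024-03-02T09:14:00Z", "actor": "svc-backup", "ip": "203.0.113.45", "event": "user.session.start", "target": "okta"},
    {"t": "2024-03-02T09:15:30Z", "actor": "svc-backup", "ip": "203.0.113.45", "event": "user.mfa.factor.activate", "target": "svc-backup"},
    {"t": "2024-03-05T22:41:00Z", "actor": "svc-backup", "ip": "198.51.100.7", "event": "app.oauth2.token.grant", "target": "aws-prod"},
    {"t": "2024-03-09T03:02:00Z", "actor": "svc-backup", "ip": "198.51.100.7", "event": "user.account.privilege.grant", "target": "jsmith"},
    {"t": "2024-03-10T11:05:00Z", "actor": "jsmith", "ip": "10.20.4.18", "event": "user.session.start", "target": "okta"},
    {"t": "2024-03-10T11:06:00Z", "actor": "jsmith", "ip": "10.20.4.18", "event": "app.access", "target": "sharepoint"},
    {"t": "2024-03-12T01:17:00Z", "actor": "jsmith", "ip": "198.51.100.7", "event": "user.session.start", "target": "okta"},
    {"t": "2024-03-12T01:20:00Z", "actor": "jsmith", "ip": "198.51.100.7", "event": "app.access", "target": "hr-payroll"},
    {"t": "2024-03-12T01:25:00Z", "actor": "jsmith", "ip": "198.51.100.7", "event": "user.api_token.create", "target": "jsmith"},
    {"t": "2024-03-12T09:00:00Z", "actor": "alice", "ip": "10.20.4.30", "event": "user.session.start", "target": "okta"},
]

# Event types that leave the attacker a way back in (assumed names).
PERSISTENCE_EVENTS = {
    "user.mfa.factor.activate",      # attacker-enrolled MFA device
    "user.account.privilege.grant",  # elevated a second account
    "app.oauth2.token.grant",        # long-lived token to a downstream app
    "user.api_token.create",         # API key that survives a password reset
}

# Assumed corporate address space; anything else is treated as external.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def scope(events, seed_ips):
    """Pivot IP -> accounts -> external IPs -> accounts ... to a fixed point,
    then summarise what the attacker's sessions did. Returns None when the
    seed indicators match nothing."""
    bad_ips, accounts = set(seed_ips), set()
    while True:
        new_accounts = {e["actor"] for e in events if e["ip"] in bad_ips} - accounts
        in_scope = accounts | new_accounts
        new_ips = {e["ip"] for e in events
                   if e["actor"] in in_scope and not is_corporate(e["ip"])} - bad_ips
        if not new_accounts and not new_ips:
            break
        accounts |= new_accounts
        bad_ips |= new_ips

    attacker = sorted((e for e in events if e["ip"] in bad_ips), key=lambda e: e["t"])
    if not attacker:
        return None
    first, last = attacker[0], attacker[-1]
    dwell = datetime.strptime(last["t"], TS_FMT) - datetime.strptime(first["t"], TS_FMT)
    return {
        "attacker_ips": sorted(bad_ips),
        "compromised_accounts": sorted(accounts),
        "first_seen": first["t"],                    # when they entered
        "entry": (first["actor"], first["ip"]),      # where they entered
        "dwell_hours": dwell.total_seconds() / 3600, # how long they have been in
        "touched": sorted({e["target"] for e in attacker if e["event"] != "user.session.start"}),
        "persistence": [(e["t"], e["actor"], e["event"], e["target"])
                        for e in attacker if e["event"] in PERSISTENCE_EVENTS],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope(EVENTS, ["203.0.113.45"]), indent=2))
```

Two things the output shows that a single alert would not: the service account was the entry point a week before the human account was touched, and four separate persistence mechanisms were planted, which is exactly why rotating one password on day one would not have ended the intrusion. Note that jsmith's activity from the corporate range is not automatically attacker activity, but once the account is in scope every one of its sessions has to be reviewed by hand before eradication is planned.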

What Not To Do

  • Do not wipe or reimage before forensics captures are done.
  • Do not pay a ransom without executive and counsel authorization. Paying a sanctioned actor can violate U.S. sanctions law, and OFAC can impose civil penalties on a strict-liability basis, so counsel must run the sanctions check first.
  • Do not publicly attribute the actor in the first 24 hours. Early attribution is usually wrong, and a wrong public attribution is something you will have to defend later.
  • Do not notify customers in the first 24 hours unless a regulation or contract requires it. You do not yet know enough to be accurate, and a notification you later have to correct does more damage than one sent a day later.
  • Do not tweet. Do not post a "we are aware" blog. Counsel will tell you when.

The Mindset

Breaches feel like emergencies. They are crises, but rarely true emergencies in the ER sense — the building is not on fire, people are not dying, and the decisions that matter are measured in hours, not seconds. The teams that do this well slow down, follow the sequence, and let professionals do their work. The teams that panic make decisions they spend the next year explaining to regulators and plaintiffs.

Calm first. Then the playbook.