This is written for IT managers at mid-size companies who find themselves dealing with a suspected breach and do not have a dedicated incident response team or a retainer with an IR firm. That is the majority of the organisations we work with. The situation is disorienting, the pressure is immediate, and the decisions made in the first few hours have lasting consequences.
I spent several years doing incident response before moving into offensive security. This is not a comprehensive IR playbook — those exist and are worth having. This is the short version of what matters most in the first 48 hours when you are handling it largely alone.
The most common mistake in the first hour
Shutting down affected systems immediately, before preserving any logs or evidence. I understand the impulse: you want to stop whatever is happening. But powering off a machine discards everything held only in memory, and that may be the sole record of what the attacker did and how they got in: the running processes, the open network connections, decryption keys, and malware that was never written to disk. If the system is actively exfiltrating data, isolate it from the network rather than shutting it down, ideally at the switch port or upstream firewall rather than with commands typed on the compromised host itself, and do not log in to it with privileged domain credentials, which an attacker on the box can capture. If you must shut it down, note the time and document as much as you can about its running state first: who is logged in, what is running, and what the machine is talking to.
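What "document the running state, then isolate" looks like in practice, as an added example that is not code from the original post: a small POSIX shell script for a Linux host that snapshots the volatile state into a directory with a UTC timestamp and a hash manifest, and then, in a separate step, blocks all network traffic except to a forensic workstation while leaving the machine powered on. The file names, the tool list and the workstation address are assumptions for illustration; it has to run as root on the affected host, and it records what the OS reports rather than taking a memory image.

```shell
#!/bin/sh
# Added example, not from the original post. Snapshot a Linux host's volatile
# state, hash the files, and only then cut the host off the network without
# powering it down. Tool names, file names and the forensic workstation
# address are assumptions chosen for illustration. Run as root.

# record FILE CMD [ARGS...]: run CMD if it exists and keep its output and
# exit status; if it is missing, say so in FILE rather than leaving a gap.
record() {
    outfile="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        status=0
        "$@" >"$outfile" 2>&1 || status=$?
        printf '\n[exit status %s]\n' "$status" >>"$outfile"
    else
        printf 'tool not available on this host: %s\n' "$1" >"$outfile"
    fi
}

# hash_file FILE: SHA-256 with whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else openssl dgst -sha256 -r "$1"
    fi
}

# capture_volatile_state DIR: what is running, who is logged in and what the
# host is talking to, plus the current firewall rules, with a UTC timestamp
# and a manifest. This is the minimum record to keep before touching the box.
capture_volatile_state() {
    dir="$1"
    mkdir -p "$dir" || return 1
    date -u +%Y-%m-%dT%H:%M:%SZ >"$dir/00_collected_utc.txt"
    record "$dir/01_host.txt"       uname -a
    record "$dir/02_uptime.txt"     uptime
    record "$dir/03_logins.txt"     who
    record "$dir/04_processes.txt"  ps -eo pid,ppid,user,lstart,args
    if command -v ss >/dev/null 2>&1; then
        record "$dir/05_sockets.txt" ss -tunap
    else
        record "$dir/05_sockets.txt" netstat -tunap
    fi
    record "$dir/06_neighbours.txt" ip neigh
    record "$dir/07_routes.txt"     ip route
    record "$dir/08_firewall.txt"   iptables-save
    # Hash every snapshot so later alteration is detectable. The manifest is
    # written last and does not include itself.
    ( cd "$dir" && for f in *.txt; do hash_file "$f"; done ) >"$dir/MANIFEST.sha256"
}

# isolate_host FORENSIC_IP: keep the host up but allow traffic only to and
# from the forensic workstation (and loopback). Existing rules are flushed
# first, otherwise an old blanket ACCEPT would defeat the DROP policy; they
# were saved by capture_volatile_state. Run this from the console or from
# that workstation, or you will cut off your own session. Not run by the test.
isolate_host() {
    ws="$1"
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -I INPUT  1 -i lo -j ACCEPT
    iptables -I OUTPUT 1 -o lo -j ACCEPT
    iptables -I INPUT  2 -s "$ws" -j ACCEPT
    iptables -I OUTPUT 2 -d "$ws" -j ACCEPT
    iptables -P INPUT   DROP
    iptables -P OUTPUT  DROP
    iptables -P FORWARD DROP
    printf 'isolated at %s, only %s reachable\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ws"
}

# Usage: sh triage.sh capture [DIR]   then   sh triage.sh isolate 10.0.9.5
case "${1:-}" in
    capture) capture_volatile_state "${2:-/var/tmp/triage-$(hostname)-$(date -u +%Y%m%dT%H%M%SZ)}" ;;
    isolate) isolate_host "$2" ;;
esac
```

Run the capture first, copy the directory to the forensic workstation (not to a file share the attacker can also reach), and only then isolate. Isolating at the switch port or upstream firewall is preferable when someone can do it quickly, because commands run on a compromised host can be tampered with; the host-firewall variant is the fallback when that is not an option in the first hour.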
The second common mistake is telling too many people before you have basic facts. Announcement before clarity creates pressure to communicate, speculation travels faster than investigation, and word sometimes reaches the attacker before containment is complete.
Contain before you investigate
Containment first, investigation second. That is the sequence that matters. Containment means: isolate affected systems from the network, reset credentials for accounts that may be compromised (service accounts too, and any API keys, tokens or saved passwords stored on the affected systems, not only the user's password), and check whether the same accounts or the same source addresses have been used on other systems, because an attacker who has been in for any length of time usually has more than one foothold. Investigation, understanding exactly what happened, can follow once the immediate bleeding has stopped.
A common failure is spending hours in the first day investigating root cause while the attacker still has active access. How they got in is important, but it is less urgent than whether they are still in.
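A concrete way to answer "are they still in, and where" before the root-cause work starts, as an added example that is not code from the original post: given one account known to be compromised and the time of the first indicator, list every host it has successfully authenticated to since then, so those hosts can be contained as well. It works on OpenSSH "Accepted ..." lines with ISO 8601 timestamps (rsyslog's forward format or `journalctl -o short-iso`), which compare as plain strings. The log lines below are constructed for the example; the hostnames, addresses and account name are invented.

```shell
#!/bin/sh
# Added example, not from the original post: scope a compromised account's
# successful logins across hosts since the first indicator. Log lines are
# constructed; hostnames, addresses and the account name are invented.

# scope_logins LOGFILE ACCOUNT SINCE: print each distinct "host source-ip"
# pair where ACCOUNT successfully logged in at or after SINCE (ISO 8601).
# Failed attempts and other accounts are ignored; repeats are collapsed.
scope_logins() {
    awk -v acct="$2" -v since="$3" '
        # fields: 1 time  2 host  3 sshd[pid]:  4 Accepted  5 method
        #         6 for   7 user  8 from  9 source-ip  10 port  11 number
        $1 >= since && $3 ~ /^sshd/ && $4 == "Accepted" && $7 == acct {
            key = $2 " " $9
            if (!(key in seen)) { seen[key] = 1; print key }
        }' "$1"
}

# scope_hosts LOGFILE ACCOUNT SINCE: just the sorted list of hosts to contain.
scope_hosts() {
    scope_logins "$1" "$2" "$3" | awk '{ print $1 }' | sort -u
}

# write_sample_log FILE: constructed auth log from several hosts, merged.
# The first line is routine pre-incident activity; 10.0.5.23 is the address
# the attacker uses after the first indicator at 02:00 on 14 March.
write_sample_log() {
    cat >"$1" <<'EOF'
2024-03-13T09:12:44+00:00 web01 sshd[1802]: Accepted publickey for svc_backup from 10.0.1.10 port 40112 ssh2
2024-03-14T02:11:09+00:00 web01 sshd[2311]: Accepted password for svc_backup from 10.0.5.23 port 51122 ssh2
2024-03-14T02:13:40+00:00 web01 sshd[2347]: Failed password for root from 10.0.5.23 port 51130 ssh2
2024-03-14T02:15:02+00:00 db02 sshd[911]: Accepted password for svc_backup from 10.0.5.23 port 51140 ssh2
2024-03-14T02:20:17+00:00 web01 sshd[2390]: Accepted password for svc_backup from 10.0.5.23 port 51201 ssh2
2024-03-14T03:02:55+00:00 jump01 sshd[5523]: Accepted publickey for alice from 10.0.1.44 port 60120 ssh2
2024-03-14T03:41:13+00:00 fs01 sshd[7760]: Accepted password for svc_backup from 10.0.5.23 port 51377 ssh2
EOF
}

# Usage: sh scope.sh /var/log/auth.log svc_backup 2024-03-14T02:00:00+00:00
if [ "$#" -eq 3 ]; then
    scope_hosts "$1" "$2" "$3"
fi
```

On the sample data this returns db02, fs01 and web01 for svc_backup, and shows every post-indicator login coming from one address. That address is itself the next pivot: run the same search keyed on the source instead of the account, because an attacker who has one set of credentials has often collected others. The search only works if the logs from all hosts are in one place; if they are not, collecting them is part of containment, not something to leave for the investigation.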
The GDPR clock starts when you become aware
Under the GDPR (Article 33), a personal data breach must be notified to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. For a German company that authority is normally the data protection authority of the federal state (Land) in which it is based; the federal BfDI is competent only for federal public bodies and a few regulated sectors such as telecommunications. Awareness does not mean a completed forensic investigation: the regulators' guidance treats you as aware once you have a reasonable degree of certainty that personal data has been compromised. A short initial check to establish that is allowed, but it is measured in hours, not days, so record when that point was reached and work from it.
This does not mean you need to have all the answers within 72 hours. It means you need to make the initial notification within that window, even if it is incomplete and is supplemented in phases later, which the regulation explicitly permits. If you do miss the 72 hours, the notification has to state the reasons for the delay. Separately, every breach must be documented internally, including those you decide not to notify, and where the breach is likely to result in a high risk to the people concerned they must be informed directly as well. Failing to notify in time because you were waiting for certainty before reporting is a common and avoidable compliance mistake.
"The 72 hours is not time to investigate. It is time to notify. Those are different tasks."
What external help is actually for
If you call in external IR support, what you are paying for is primarily forensic capability — the ability to preserve and analyse evidence in a legally defensible way, experience with the attacker techniques they are likely to see, and the bandwidth to investigate in parallel with your own containment work. You are also paying for someone to talk to who has done this before.
What external help is not for: replacing the need for your own clear communication chain, making decisions about who to notify and when, or managing stakeholder relationships. Those remain yours to manage.
After containment: documentation before memory fades
Once the immediate situation is contained, spend time documenting the timeline before details blur. When was the first indicator noticed? Who noticed it? What actions were taken, by whom, and in what order? What systems and accounts were affected? Use a single clock (UTC) for every entry and note where each fact came from, whether a log line, a screenshot or a person, so it can be checked later. This documentation becomes the basis for the post-incident review and any regulatory reporting. It is much easier to create it while events are fresh than to reconstruct it weeks later.