Cybersecurity

Incident Response Plan Template: What to Do in the First 24 Hours of a Breach

Infinity Network Support Team · June 18, 2026 · 9 min read

When a breach happens, the first 24 hours determine whether you contain the damage or watch it multiply. This step-by-step incident response framework — built for IT managers at SMBs — tells you exactly what to do, in what order, and who to call.

Most SMBs have some version of a security policy. Far fewer have a tested, actionable incident response plan. The difference becomes painfully clear at 2am when an employee calls to say their screen is locked and there's a ransom note. This guide gives you a working framework — not a theoretical one.

Phase 1: Detection & Initial Triage (0–2 Hours)

The first two hours are about understanding scope, not fixing anything. Premature remediation — like rebooting infected machines — can destroy forensic evidence and make recovery harder.

  • Confirm the incident is real — rule out false positives from monitoring tools
  • Identify the affected systems: which machines, which users, which data stores
  • Determine the incident type: ransomware, data exfiltration, unauthorized access, insider threat
  • Activate your incident response team — IT lead, management, legal counsel if available
  • Do NOT reboot affected machines unless the compromise is actively spreading — preserve forensic state
  • Begin an incident log: timestamp every action taken from this point forward

Phase 2: Containment (2–6 Hours)

Containment means stopping the spread without destroying evidence. The goal is to isolate affected systems from the rest of the network while preserving the ability to investigate.

  • Isolate affected machines from the network — unplug ethernet, disable Wi-Fi at the switch level if possible
  • Revoke or rotate credentials for any accounts that may be compromised
  • Block known malicious IPs or domains at the firewall
  • Preserve disk images of affected systems before any remediation begins
  • Identify the attack vector — phishing email, compromised VPN, unpatched vulnerability
  • Notify your cyber insurance carrier — most policies require notification within 24–72 hours

Critical: Check your cyber insurance policy NOW, before an incident. Most policies have strict notification windows (24–72 hours) and require you to use approved vendors for forensics and remediation. Using an unapproved vendor can void your coverage.
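The incident log from Phase 1 and the "preserve disk images before remediation" step from Phase 2 both depend on records that can later be shown to be unaltered. The following added example (not code from the original post) keeps a tamper-evident, hash-chained incident log and records the SHA-256 of each preserved image in it; hostnames, timestamps and image bytes are constructed sample values.

```python
# Added example: tamper-evident incident log for the first hours of a breach.
# Every entry is hashed together with the previous entry's hash, so editing,
# removing or reordering an entry after the fact breaks the chain. Evidence
# entries store the SHA-256 of a preserved disk image so the image can be
# re-verified before it is handed to forensics. All sample values are constructed.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(log: list, actor: str, action: str, at: datetime, **details) -> dict:
    """Append one timestamped action, chained to the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"ts": at.astimezone(timezone.utc).isoformat(), "actor": actor,
             "action": action, "details": details, "prev_hash": prev_hash}
    entry["hash"] = _entry_hash(prev_hash, entry)  # hash over everything but "hash"
    log.append(entry)
    return entry


def record_evidence(log: list, actor: str, image: bytes, label: str, at: datetime) -> dict:
    """Log a disk image's SHA-256 before any remediation touches the host."""
    return append_entry(log, actor, "evidence_preserved", at,
                        label=label, sha256=hashlib.sha256(image).hexdigest())


def verify_chain(log: list) -> bool:
    """Recompute every hash; False if any entry was altered, removed or reordered."""
    prev_hash = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev_hash or _entry_hash(prev_hash, body) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True


def evidence_matches(log: list, label: str, image: bytes) -> bool:
    """Compare a stored image against the digest logged when it was preserved."""
    digest = hashlib.sha256(image).hexdigest()
    return any(e["action"] == "evidence_preserved" and e["details"]["label"] == label
               and e["details"]["sha256"] == digest for e in log)


def build_sample_log() -> list:
    """Constructed sample timeline: confirm, image the disk, then isolate the host."""
    log, t0 = [], datetime(2026, 6, 18, 2, 5, tzinfo=timezone.utc)  # constructed
    append_entry(log, "it-lead", "incident_confirmed", t0, host="FS-01", type="ransomware")
    record_evidence(log, "it-lead", b"constructed disk image bytes", "FS-01-disk0", t0)
    append_entry(log, "it-lead", "host_isolated", t0, host="FS-01", method="switch port disabled")
    return log
```

Write the log to append-only storage off the affected host (a separate share or a printed copy works for small teams); `verify_chain` is what you run before handing the log to insurers, counsel or forensics.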

Phase 3: Notification Obligations (6–24 Hours)

Data breach notification laws vary by state and industry. Florida's Information Protection Act requires notification within 30 days of determining a breach occurred. HIPAA requires notification within 60 days. PCI DSS requires immediate notification to your acquiring bank. Failure to notify on time can result in fines that exceed the cost of the breach itself.

  • Florida businesses: notify affected individuals within 30 days (Florida Information Protection Act)
  • HIPAA-covered entities: notify HHS and affected individuals within 60 days
  • PCI DSS: notify your acquiring bank and card brands immediately upon discovery
  • Document your notification timeline — regulators will ask for it
  • Engage legal counsel before sending any external notifications
  • Prepare an internal communication for employees — silence breeds rumors

Phase 4: Eradication & Recovery

Only begin eradication after containment is confirmed and forensic images are preserved. Eradication means removing the threat — malware, backdoors, compromised accounts — completely from your environment. Recovery means restoring systems from known-good backups and verifying integrity before reconnecting to the network.

  • Rebuild affected systems from clean images — do not attempt to "clean" ransomware-infected machines
  • Restore data from the most recent clean backup — verify integrity before use
  • Reset all passwords organization-wide, not just affected accounts
  • Patch the vulnerability that was exploited before reconnecting systems
  • Monitor restored systems intensively for 30 days post-incident

The Post-Incident Review: Turning Pain Into Prevention

Within two weeks of resolution, conduct a formal post-incident review. Document what happened, how it was detected, what the response timeline looked like, and what gaps the incident exposed. This review is not about assigning blame — it's about building a better defense. Update your IR plan based on what you learned.

Infinity Network Support provides incident response retainer services for South Florida SMBs — giving you a dedicated team on call before, during, and after a security incident. We also conduct tabletop exercises to test your IR plan before you need it. Contact us to learn more.

Infinity Network Support Team

Managed IT & Cybersecurity Specialists

Serving small and medium-sized businesses in Miami and South Florida with managed IT support, cybersecurity and compliance services.
