---
title: "First 24 Hours: Cyber Incident Checklist"
description: "Hour-by-hour checklist for the first 24 hours of a cyber incident—stabilize, preserve evidence, contain safely, and communicate. Modules for ransomware, BEC, data theft."
url: "https://www.attainium.net/resources-articles/first-24-hours-cyber-incident-checklist"
date: "2026-07-05T17:58:35+00:00"
language: "en-US"
---

Updated Sep 2025

# First 24 Hours: Cyber Incident Checklist

When something breaks, the first day decides the next thirty. Use this practical, time-boxed checklist to stabilize operations, meet legal and contractual obligations, and keep leadership aligned—without overreacting or destroying evidence.

![Checklist for the first 24 hours of a cyber incident](https://www.attainium.net/images/blog/Cybersecurity_Incident_first-24-hours.jpg)

## Quick Navigation

- [Universal Day-0 Checklist](#day0)
- [Scenario Modules](#modules)
- [Standards & Guidance](#standards)
- [Related Resources](#resources)

---

## TL;DR — What to do first

- **Declare a cyber incident** (working severity) and stand up the response channel/bridge.
- **Preserve evidence** (don’t reimage/restore yet). Start logs/timekeeping and an incident diary.
- **Contain safely:** isolate affected hosts, disable compromised accounts/tokens, block known bad IOCs.
- **Protect communications:** assume email/SSO could be monitored; use an out-of-band channel if needed.
- **Engage key roles:** IT/SecOps, Legal (breach counsel), Communications/PR, Exec sponsor, HR as needed.
- **Map impact:** what systems/data/users/vendors are affected; immediate business/customer impact.
- **Decide next review point** (e.g., 60–90 minutes) and who owns each workstream until then.

---

## The First 24 Hours — Timeline

### Hour 0–1: Stabilize & preserve

- Open an **incident record** with timestamp, commander (IC), scribe, and objectives for the hour.
- **Preserve evidence:** snapshot/cloud disk attach, collect volatile data where possible, secure logs (SIEM, endpoint, auth).
- **Contain with care:** network isolation, revoke tokens/keys, disable accounts; avoid wiping systems yet.
- Switch to a **trusted comms channel** (phone bridge/secure chat not federated to compromised SSO).
- Notify breach counsel (if retained) to consider **legal privilege** for investigative work.

### Hour 1–4: Scope & communicate

- Build a **system/data map**: affected apps, tenants, identities, vendors, data types (PII/PHI/PCI/IP), geography.
- Draft a **holding statement** for internal stakeholders; external comms only if needed to prevent harm.
- Implement **access hardening**: force-rotate creds & tokens in blast radius, raise MFA challenges, geo/behavior blocks.
- Stand up **workstreams**: Forensics, Containment, Legal/Regulatory, Customer, Technology/Restore, Comms.

### Hour 4–12: Verify & mitigate

- Confirm **initial intrusion vector** hypothesis (phish, MFA fatigue, supplier compromise, vuln exploitation).
- Search for **lateral movement** and persistence: new admins, OAuth apps, scheduled tasks, autostarts, backdoors.
- Decide on **targeted takedowns** (C2 blocks, script kills) and begin staged recovery prep (gold images, clean creds).
- Pre-draft regulatory/tender-timeline notifications (jurisdictional triggers, customer contract SLAs).
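One way to run the lateral-movement and persistence sweep from this step over exported audit events, as an added example (not Attainium's code): it keeps only the indicators the checklist names that appear after the suspected intrusion time and links follow-on changes back to any account that newly gained admin. The event field names and sample events are constructed assumptions, not any vendor's schema.

```python
"""Persistence sweep over exported audit events (added example, not Attainium's code).
Flags the Hour 4-12 indicators the checklist names: new privileged admins, OAuth app
consents and scheduled tasks/autostarts created after the suspected intrusion time."""
import json
from datetime import datetime, timezone

# Constructed sample events; field names are hypothetical, not any vendor's schema.
SAMPLE_EVENTS = """\
{"ts":"2025-09-20T08:02:11Z","type":"role_assign","actor":"hr-admin","target":"new-hire","detail":"User"}
{"ts":"2025-09-21T23:14:05Z","type":"role_assign","actor":"svc-backup","target":"tmp-ops","detail":"Global Administrator"}
{"ts":"2025-09-21T23:20:41Z","type":"oauth_consent","actor":"tmp-ops","target":"MailSyncHelper","detail":"Mail.ReadWrite offline_access"}
{"ts":"2025-09-22T01:05:00Z","type":"scheduled_task","actor":"tmp-ops","target":"SRV-FILE01","detail":"Updater"}
{"ts":"2025-09-19T12:00:00Z","type":"scheduled_task","actor":"SYSTEM","target":"SRV-FILE01","detail":"Defender Scheduled Scan"}
"""
SUSPECTED_START = datetime(2025, 9, 21, 0, 0, tzinfo=timezone.utc)  # from the intrusion-vector hypothesis
PRIVILEGED = {"Global Administrator", "Domain Admin", "Owner"}
WATCHED = {"role_assign", "oauth_consent", "scheduled_task"}

def parse(line):
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def sweep(events_text, since):
    """Return findings created at or after `since`, oldest first. Accounts that newly
    gained a privileged role are tracked so later changes they make are marked as linked."""
    events = sorted((parse(ln) for ln in events_text.splitlines() if ln.strip()), key=lambda e: e["ts"])
    suspects, findings = set(), []
    for ev in events:
        if ev["ts"] < since or ev["type"] not in WATCHED:
            continue  # pre-incident noise or an event type this sweep does not cover
        if ev["type"] == "role_assign":
            if ev["detail"] not in PRIVILEGED:
                continue  # ordinary role change, not a new admin
            suspects.add(ev["target"])
            reason = f"new privileged role: {ev['detail']}"
        elif ev["type"] == "oauth_consent":
            reason = f"new OAuth app consent: {ev['detail']}"
        else:
            reason = "new scheduled task / autostart"
        if ev["actor"] in suspects:
            reason += f" (by newly privileged account {ev['actor']})"
        findings.append({"ts": ev["ts"].isoformat(), "type": ev["type"], "actor": ev["actor"],
                         "target": ev["target"], "reason": reason})
    return findings

if __name__ == "__main__":
    for f in sweep(SAMPLE_EVENTS, SUSPECTED_START):
        print(f["ts"], f["type"], f["target"], "-", f["reason"])
```

On the sample data the two pre-incident events drop out and the remaining three findings form one chain: a service account grants `tmp-ops` Global Administrator, then `tmp-ops` consents an OAuth app and creates a scheduled task.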

### Hour 12–24: Recovery planning & decisions

- Choose recovery approach: **clean restore** vs. in-place cleanup; define **RTO/RPO** expectations by service.
- Finalize **stakeholder messaging cadence** (execs/board, staff, customers, regulators).
- Confirm **criteria to declare “containment achieved”** and the next operating period (Day 2 plan).

---

## Playbooks

### [Ransomware](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-ransomware)

Assume data exfiltration + encryption. Prioritize scoping of outbound transfer and sensitive repositories. Isolate encryption in progress, block ransomware IOCs, disable EDR tamper-bypass, validate backups, and plan regulator/customer comms.

### [Business Email Compromise (BEC)](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-bec)

Secure the tenant (reset creds, revoke sessions, rotate keys, audit rules). Trace fraudulent threads, notify impacted parties, coordinate with banks for wire recall, and strengthen verification processes.

### [Data Theft / Privacy](https://www.attainium.net/resources-articles/cyber-incident-hub/first-24-hours-data-theft)

Classify data sets and jurisdictions. Run notification trigger assessments, draft notices, coordinate with identity protection vendors, and plan customer support surge capacity.

---

## Roles & Responsibilities (at a glance)

- **Incident Commander (IC):** sets objectives, timeboxes decisions, coordinates workstreams.
- **Forensics/IR Lead:** scoping, evidence, IOCs, containment recommendations.
- **Legal/Breach Counsel:** privilege, notifications, law enforcement, contracts.
- **Communications/PR:** internal cadence, external statements, press and social monitoring.
- **IT/Operations:** isolation, restoration, service prioritization, workarounds.
- **Security Engineering:** hardening, detections, credential/token rotation.

---

## What you’ll need handy

- Up-to-date **contact lists** (execs, counsel, PR, insurers, IR partner, vendors, regulators).
- Access to **logs and telemetry** (identity, endpoint, email, network, SaaS, cloud control planes).
- **Backup/restore** runbooks and “last known good” checkpoints.
- Templates: internal update, customer notice, regulator notice, media holding statement.

---

## Cyber Incident Checklist FAQs

**What is the goal of the First 24 Hours cyber incident checklist?**

- The checklist gives you a practical, time-boxed set of actions for Day 0 of a cyber incident. It helps your team stabilize operations, preserve evidence, contain safely, and coordinate communications without having to build a response plan from scratch under pressure.

**Who should use this checklist during an incident?**

- The checklist is designed for the incident commander and core response team, including IT or security, legal or breach counsel, communications or PR, operations, and executive leadership. Smaller organizations can adapt it so that a single leader covers multiple roles.

**Does this checklist replace our incident response plan or playbooks?**

- No. The checklist is meant to complement your existing incident response plan and technical playbooks. It provides a shared Day 0 timeline and decision points so everyone stays aligned while your technical teams follow their own detailed procedures.

**How does the checklist relate to ransomware, BEC, and data theft incidents?**

- The core Day 0 steps apply to most cyber incidents, and the article links to separate modules for ransomware, business email compromise (BEC), and data theft or privacy events. You can start with the universal checklist, then switch to the module that best fits the incident you are facing.

**How does this align with NIST, ISO, or CISA guidance?**

- The checklist reflects common elements from NIST incident handling guidance, the NIST Cybersecurity Framework, ISO standards for incident management and business continuity, and CISA ransomware best practices. It is not a substitute for full compliance, but it helps you act in a way that is consistent with those frameworks.

**Is this checklist suitable for small and mid-sized organizations?**

- Yes. Smaller organizations can use the same steps but scale the level of detail. You may have fewer tools or team members, but you still need to declare an incident, preserve evidence, contain safely, communicate clearly, and make decisions about recovery and notification.

**When should we involve law enforcement, insurers, or breach counsel?**

- For any significant cyber incident, it is wise to notify your cyber insurance carrier and breach counsel early so actions can be taken under legal privilege and policy requirements. Law enforcement involvement depends on factors like fraud, extortion, data theft, and regulatory obligations, and should usually be coordinated through counsel.

**How can we practice using this checklist before a real incident?**

- The checklist is ideal for use in a cyber tabletop exercise. You can walk through a ransomware, BEC, or data theft scenario, step through the first 24 hours, and capture improvements to your plans, contacts, and decision-making so that the real incident feels more familiar.

---

## Standards & Guidance

These references highlight how the checklist aligns with the most current incident response and continuity standards available as of 2025.

- **NIST SP 800-61 Rev. 3 (2025):** The Day-0 checklist aligns to updated guidance in NIST’s Computer Security Incident Handling Guide (Rev. 3), covering detection/analysis, containment, eradication, and recovery. [Learn more →](https://csrc.nist.gov/pubs/sp/800/61/r3/final)
- **NIST CSF 2.0:** Respond (RS.AN, RS.MI, RS.CO) and Recover (RC.IM) are explicitly covered by Day-0 + modules. [Learn more →](https://www.nist.gov/cyberframework)
- **ISO/IEC 27035-1:2023:** Defines principles for information security incident management and detailed guidelines for incident response. Aligned with ISO 22301 for business continuity integration. [Learn more →](https://www.iso.org/standard/78973.html)
- **CISA StopRansomware:** The ransomware module incorporates isolation, out-of-band comms, forensics, and law enforcement coordination. [Learn more →](https://www.cisa.gov/stopransomware)

---

## Related Resources

- [Tabletop Exercises](https://www.attainium.net/products-services/tabletop-exercises)
  Practice your first 24 hours with a cyber tabletop—refine detection, escalation, containment, and communications.
- [How to Conduct an Effective Tabletop Exercise](https://www.attainium.net/blog/how-to-conduct-an-effective-tabletop-exercise)
  Practical steps to plan, facilitate, and capture after-action items that drive real improvements.
- [Plan-A-ware for Business Continuity Planning](https://www.attainium.net/products-services/business-continuity-planning)
  Integrate incident response playbooks into your continuity program—roles, contact trees, and recovery dependencies in one place.
- [Business Continuity Plan Checklist (Updated 2025)](https://www.attainium.net/blog/business-continuity-plan-checklist)
  Confirm your continuity dependencies support cyber recovery and stakeholder communications.

---

Author: Bob Mellinger, Attainium Corp. Published 2025-09-25; last modified 2026-05-27.
