Cybersecurity

What happens in the first 72 hours after a cyberattack?

A practical timeline of what happens - and what you should do - in the critical first 72 hours after discovering a cyberattack on your business.

centrexIT Team 9 min read

Key Takeaways

  • The fastest attackers can move from initial access to data exfiltration in just 72 minutes - preparation is everything
  • Only 55% of companies have a documented incident response plan, leaving nearly half scrambling when a breach occurs
  • GDPR and many state laws require breach notification within 72 hours - missing this deadline can mean $250,000+ in additional fines
  • Organizations with tested IR plans save an average of $1.49 million per breach compared to those without
  • The first priority is always containment - isolating the threat to prevent further damage before attempting recovery

It’s 3 AM and your phone rings. Your security monitoring system has flagged a breach. Or maybe it’s Monday morning and an employee reports that files are encrypted with a ransom note on their screen. Or your bank calls to say they blocked a suspicious $200,000 wire transfer from your account.

What happens next? And more importantly - what should you do?

Here’s a realistic, hour-by-hour breakdown of the first 72 hours after discovering a cyberattack.

Before We Start: A Sobering Reality

The clock is working against you in ways you might not expect:

  • The fastest attackers can move from initial access to data exfiltration in just 72 minutes - four times faster than a year ago
  • Only 55% of companies have a documented incident response plan
  • Among those with plans, 42% don’t update them regularly
  • Companies with tested IR plans save an average of $1.49 million per breach
  • The average total cost of a data breach is $4.44 million

The difference between a survivable incident and a catastrophic one often comes down to what you do in those first hours.

Hours 0-4: Discovery and Initial Response

Confirm the Incident

Not every alert is a breach. But every alert deserves investigation. Your first task is confirming whether this is a real incident.

Signs this is real:

  • Ransomware notes or encrypted files
  • Unusual network traffic patterns
  • Unauthorized access alerts from your security tools
  • Reports of compromised email accounts sending phishing
  • Unexplained system changes, new admin accounts, or disabled security tools
  • Notification from a third party (customer, vendor, law enforcement)

Activate Your Incident Response Team

Your IR team should include (or have rapid access to):

Role                  Responsibility
Incident Commander    Overall decision-making and coordination
IT/Security Lead      Technical investigation and containment
Legal Counsel         Regulatory obligations, liability, communications review
Communications Lead   Internal and external messaging
Executive Sponsor     Resource authorization, business decisions
Insurance Contact     Claim notification, vendor coordination

If you don’t have an IR plan, this is where the chaos begins. You’re making critical decisions under extreme pressure with no playbook.

Contain the Threat

Containment is the first technical priority - not recovery, not investigation, not blame. Stop the bleeding.

Containment actions may include:

  • Isolating affected systems from the network (don’t power them off - that can destroy forensic evidence)
  • Disabling compromised user accounts
  • Blocking malicious IP addresses at the firewall
  • Revoking VPN access for suspected compromised credentials
  • Changing passwords for all administrative accounts
  • Preserving logs and forensic images before they’re overwritten

Critical mistake to avoid

Don’t start restoring from backups yet. If you don’t understand how the attacker got in, they’ll get right back in after you restore.
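The last containment item, preserving logs before they are overwritten, is the one most often skipped under pressure. The helper below is an added example (not centrexIT's tooling): it copies each log you still have into an evidence directory, hashes every copy, and writes a manifest recording the case, the collector and the time, so the copies can later be shown to be unaltered. The paths, case id and collector name are placeholders; point it at the host's real log locations (or, better, at a forensic image rather than the live filesystem).

```python
"""Evidence preservation with a hash manifest (added example, hypothetical paths)."""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large logs never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Copy each source into evidence_dir and write manifest.json beside the copies.

    Missing files are recorded rather than silently skipped: a log that should
    exist but does not is itself a finding for the timeline.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, sources)):
        if not src.is_file():
            entries.append({"source": str(src), "status": "missing"})
            continue
        # Prefix with an index so same-named logs from different paths don't collide.
        dest = evidence_dir / f"{i:03d}_{src.name}"
        shutil.copy2(src, dest)  # copy2 keeps the original mtime, useful for the timeline
        entries.append({
            "source": str(src),
            "copy": str(dest),
            "size": dest.stat().st_size,
            "sha256": sha256_of(dest),
            "status": "collected",
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> list:
    """Re-hash every collected copy and return the paths whose hash no longer matches."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    tampered = []
    for entry in manifest["entries"]:
        if entry["status"] != "collected":
            continue
        if sha256_of(Path(entry["copy"])) != entry["sha256"]:
            tampered.append(entry["copy"])
    return tampered


if __name__ == "__main__":
    # Hypothetical paths; substitute the host's real log locations.
    result = preserve(
        ["/var/log/auth.log", "/var/log/syslog"],
        Path("./evidence/CASE-0001"), collector="analyst-1", case_id="CASE-0001",
    )
    print(json.dumps(result, indent=2))
    print("tampered:", verify(Path("./evidence/CASE-0001")))
```

Run `verify` again whenever the evidence changes hands; a non-empty result means the chain of custody is broken and the investigation must say so.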

Hours 4-12: Assessment and Escalation

Determine the Scope

Now that the immediate bleeding is stopped, assess the damage:

  • Which systems are affected?
  • What data may have been accessed or exfiltrated?
  • How did the attacker get in? (phishing email, exploited vulnerability, compromised credentials)
  • Are they still in the environment?
  • Is this ransomware, data theft, BEC, or something else?

Contact Your Cyber Insurance Carrier

Do this within hours, not days. Most cyber insurance policies have specific notification requirements - often within 24-48 hours of discovery. Missing this window can jeopardize your coverage.

Your carrier will likely provide:

  • Access to pre-approved incident response firms
  • Forensic investigation support
  • Legal counsel specializing in data breaches
  • Crisis communication assistance
  • Ransomware negotiation services (if applicable)

You need legal guidance immediately for:

  • Determining notification obligations (which vary by state and industry)
  • Protecting attorney-client privilege over the investigation
  • Advising on law enforcement notification
  • Reviewing communications before they go out
  • Documenting the incident for regulatory defense

Notify Law Enforcement

For significant incidents, notify:

  • FBI - via your local field office or ic3.gov
  • CISA - the Cybersecurity and Infrastructure Security Agency
  • State Attorney General - if personal data is involved

Law enforcement can sometimes help recover funds (especially in BEC cases), provide threat intelligence, and connect you with resources.

Hours 12-24: Investigation Deepens

Forensic Investigation

Whether through your insurance-provided vendor or your IT partner, forensic investigators will:

  • Analyze system logs to trace the attacker’s movements
  • Identify the initial point of compromise
  • Determine what data was accessed or exfiltrated
  • Establish a timeline of the attack
  • Identify any persistence mechanisms (backdoors, scheduled tasks, rogue accounts)

Business Impact Assessment

While the technical team investigates, business leadership needs to assess:

  • Which business operations are affected?
  • Can you operate manually if systems remain offline?
  • What is the financial impact of downtime per hour?
  • Are customer-facing services affected?
  • Are contractual obligations at risk?

Internal Communication

Employees will notice something is wrong. Proactive internal communication prevents rumors and helps contain the incident:

  • What happened (at a high level)
  • What employees should and shouldn’t do
  • Who to contact with questions
  • What the company is doing about it
  • Clear instructions on any security actions employees need to take (password changes, etc.)

Hours 24-48: Recovery Planning and Notification

Develop the Recovery Plan

Based on what the investigation has revealed:

  1. Verify backups are clean - confirm backups haven’t been compromised
  2. Patch the entry point - close the vulnerability or access method the attacker used
  3. Plan the rebuild sequence - prioritize critical business systems
  4. Set recovery objectives - realistic timelines for each system
  5. Test before reconnecting - verify restored systems are clean before putting them back on the network

Prepare Breach Notifications

If personal data was compromised, notification deadlines are ticking:

Regulation                 Notification Deadline
GDPR                       72 hours to authorities
HIPAA                      60 days (but sooner is better)
Most US State Laws         30-60 days (varies by state)
SEC (public companies)     4 business days (material incidents)
PCI DSS                    Immediately to card brands

Delayed breach notifications increase regulatory fines by an average of $250,000 per incident according to Gartner. Get ahead of the clock.
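The deadlines in the table mix units (hours, calendar days, business days), which is exactly where a tired team miscounts. The calculator below is an added example, not part of the original post: it takes the discovery time and returns every deadline sorted soonest first. The regulation table and the "shortest common" 30-day state value are assumptions taken from the table above; holidays are not handled, and note that the SEC clock actually starts when the incident is determined to be material rather than when it is discovered, so treat that row as the earliest possible date.

```python
"""Breach notification deadline calculator (added example, deadlines from the table above)."""
from datetime import datetime, timedelta, timezone

# (amount, unit) per regulation. Confirm triggers and any holiday rules with counsel.
DEADLINES = {
    "PCI DSS": (0, "hours"),            # "immediately": the deadline is the discovery time
    "GDPR": (72, "hours"),
    "SEC": (4, "business_days"),        # counted from the materiality determination
    "US state (shortest common)": (30, "days"),
    "HIPAA": (60, "days"),
}


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance n whole business days (Mon-Fri), skipping weekends; holidays not handled."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def deadline(discovered_at: datetime, regulation: str) -> datetime:
    amount, unit = DEADLINES[regulation]
    if unit == "hours":
        return discovered_at + timedelta(hours=amount)
    if unit == "days":
        return discovered_at + timedelta(days=amount)
    if unit == "business_days":
        return add_business_days(discovered_at, amount)
    raise ValueError(f"unknown unit {unit!r}")


def notification_schedule(discovered_at: datetime) -> list:
    """All deadlines as (regulation, datetime), soonest first."""
    rows = [(reg, deadline(discovered_at, reg)) for reg in DEADLINES]
    return sorted(rows, key=lambda row: row[1])


def hours_remaining(discovered_at: datetime, regulation: str, now: datetime) -> float:
    """Negative means the deadline has already passed."""
    return (deadline(discovered_at, regulation) - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: breach discovered late on a Friday afternoon.
    discovered = datetime(2025, 1, 10, 15, 0, tzinfo=timezone.utc)
    for reg, due in notification_schedule(discovered):
        print(f"{reg:28s} due {due:%Y-%m-%d %H:%M %Z} ({due:%A})")
```

Discovery on a Friday afternoon puts the GDPR deadline at Monday afternoon, which is why the table's "72 hours" is shorter than it sounds for many businesses.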

External Communication

Depending on the severity:

  • Customer notification letters (legally reviewed)
  • Vendor notifications (especially if supply chain is affected)
  • Regulatory filings
  • Press statement (if the breach becomes public)
  • Credit monitoring services for affected individuals

Hours 48-72: Recovery Execution

System Restoration

Begin restoring systems in priority order:

  1. Authentication infrastructure (Active Directory, identity systems)
  2. Communication systems (email, phones)
  3. Core business applications (ERP, CRM, billing)
  4. Productivity tools (file shares, collaboration)
  5. Non-critical systems

Each system should be verified clean and monitored closely after restoration.

Heightened Monitoring

Attackers often attempt re-entry in the days following an incident. Implement:

  • Enhanced logging on all systems
  • Increased monitoring thresholds
  • Mandatory password resets for all users
  • Additional MFA requirements
  • Temporary restrictions on remote access

Begin the Post-Incident Review

While the incident is fresh, start documenting:

  • What happened and when
  • What worked well in the response
  • What didn’t work or was missing
  • What needs to change in your security posture
  • What needs to change in your IR plan

The Difference Preparation Makes

Factor                With IR Plan       Without IR Plan
Average breach cost   $3.0 million       $4.5 million
Time to contain       Hours to days      Weeks to months
Regulatory fines      Minimized          Significantly higher
Customer trust        Recoverable        Often permanently damaged
Business survival     High likelihood    60% close within 6 months

Companies that conduct regular tabletop exercises - simulated incident scenarios - respond faster, communicate better, and recover more effectively. Only 35% of businesses currently run these exercises.

What You Should Do Right Now

Don’t wait for an attack. Take these steps today:

  1. Create or update your incident response plan - include contact lists, procedures, and decision trees
  2. Establish relationships with an IR firm, legal counsel, and your insurance carrier before you need them
  3. Test your plan with a tabletop exercise at least annually
  4. Verify your backups - can you actually restore from them? How long does it take?
  5. Keep an offline copy of your IR plan, key contacts, and network documentation - you won’t be able to access your intranet if your systems are down

The Bottom Line

The first 72 hours after a cyberattack determine whether the incident is a manageable crisis or a business-ending disaster. You will never think as clearly during an active incident as you can right now.

The companies that survive cyberattacks aren’t necessarily the ones with the biggest security budgets. They’re the ones who had a plan, practiced it, and executed it when it mattered.

Don’t have an incident response plan? We can help you build and test one before you need it. Contact us to get started.