Incident Response Checklist: The First 24 Hours

What you do in the first 24 hours of a suspected cyber incident determines how bad the outcome is. Print this. Save it somewhere you can access if your systems are down.

Before Anything Else

The instinct when something goes wrong is to start clicking around to understand what happened. Resist it. Uncoordinated activity in a live incident destroys forensic evidence, can trigger further malicious activity, and makes the investigation significantly harder.

DO NOT:

  • Restart or shut down affected systems without direction
  • Delete files, emails, or logs that look suspicious
  • Run antivirus scans without guidance
  • Log into affected accounts from those same systems
  • Discuss the incident over potentially compromised systems
  • Post anything publicly or notify clients before legal advice

DO:

Stay calm, work the checklist, and get your security provider on the phone.

0-1h

Immediate Actions: Contain First, Investigate Second

  • Identify and document the systems, accounts, or services that appear to be affected
  • Photograph or screenshot anything unusual before touching it
  • Do not power off affected systems unless ransomware is actively encrypting files. If active encryption is occurring, isolate from the network immediately.
  • Isolate affected systems from the network if directed by your security provider
  • Contact your managed security provider or IR team immediately with: what you noticed, when, what systems are involved, and what actions have been taken
  • Contact your cyber insurance provider. Most policies require notification within 24 to 72 hours.
  • Identify who in leadership needs to know right now. Brief them verbally, not over potentially compromised systems.

1-4h

Assessment and Escalation

Work with your security provider on these items. Do not attempt forensic investigation independently.

  • Determine the nature of the incident: ransomware, account compromise, data exfiltration, BEC, or unknown
  • Identify the scope: how many systems, accounts, and users are affected
  • Identify the likely entry point: phishing, compromised credentials, unpatched vulnerability, malicious insider
  • Determine whether the attacker may still have active access to your environment
  • Identify what data may have been accessed or exfiltrated
  • Preserve logs: capture and preserve system logs, email logs, and authentication logs before they are overwritten
  • Change credentials for all potentially affected accounts from a clean, unaffected device
  • Revoke active sessions for affected Microsoft 365 accounts
  • Engage legal counsel if client data may have been compromised or if regulatory notification may be required
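
Two of the steps above, preserving the authentication logs for the affected accounts and revoking their Microsoft 365 sessions, can be carried out from a clean admin device in Microsoft Graph PowerShell. The script below is an added example, not part of the original checklist and not code from any security provider. It assumes the Microsoft.Graph PowerShell SDK is installed, that the account running it holds the AuditLog.Read.All, Directory.Read.All and User.RevokeSessions.All permissions, and that the user principal names and evidence folder are placeholders you replace. Agree the timing with your security provider first, since revoking sessions is a containment action that they will want recorded in the incident timeline.

```powershell
# Added example, not part of the original checklist: from a clean admin device,
# preserve the Entra ID sign-in logs for each affected account, hash the export
# for chain of custody, then revoke that account's active sessions.
# Assumes the Microsoft.Graph PowerShell SDK is installed. The UPNs and the
# evidence folder below are placeholders to replace.

param(
    [string[]] $AffectedUsers = @('user1@example.com', 'user2@example.com'),  # placeholders
    [string]   $EvidenceDir   = 'C:\IR\evidence',                              # placeholder
    [int]      $LookbackDays  = 30
)

Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users.Actions

# Least privilege: read the audit log and revoke sessions, nothing broader.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.RevokeSessions.All'

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$since   = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$sumFile = Join-Path $EvidenceDir 'SHA256SUMS.txt'

foreach ($upn in $AffectedUsers) {
    # 1. Preserve: pull every sign-in for this account before retention expires it.
    $filter  = "userPrincipalName eq '$upn' and createdDateTime ge $since"
    $signIns = @(Get-MgAuditLogSignIn -Filter $filter -All)

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $csv   = Join-Path $EvidenceDir ('signins_{0}_{1}.csv' -f ($upn -replace '[@.]', '_'), $stamp)
    $signIns |
        Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName, ClientAppUsed,
                      @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
                      @{ n = 'Country';   e = { $_.Location.CountryOrRegion } } |
        Export-Csv -Path $csv -NoTypeInformation

    # Record the hash so the export can later be shown to be unaltered.
    $hash = Get-FileHash -Path $csv -Algorithm SHA256
    "$($hash.Hash)  $csv" | Add-Content -Path $sumFile

    # 2. Contain: invalidate the account's refresh tokens and session cookies.
    #    Access tokens already issued stay valid until they expire (up to an hour).
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Host ("Preserved {0} sign-in records and revoked sessions for {1}" -f $signIns.Count, $upn)
}

Disconnect-MgGraph | Out-Null
```

The export runs before the revocation on purpose: sign-in log retention in Entra ID is measured in days to a month depending on licence, so capturing the records is the time-critical part. Revocation only invalidates refresh tokens and browser sessions; a short-lived access token already held by an attacker keeps working until it expires, which is why the credential change in the step above still has to happen as well.
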

4-24h

Notification Assessment and Stabilisation

  • Assess whether the incident triggers mandatory notification obligations:
      • Privacy Act: notifiable data breach if serious harm to individuals is likely
      • APRA regulated entities: notify APRA within 72 hours of becoming aware of a material cyber incident
      • ASX listed entities: continuous disclosure obligations may apply
      • Professional body obligations (legal, accounting): check your relevant body's requirements
  • Draft a communication plan for clients if their data may be involved. Do not send anything before legal review.
  • Document a timeline of the incident as understood so far (required for insurance, regulatory, and legal purposes)
  • Identify third parties who may need to be notified: payment processors, cloud providers, key clients, PI insurer
  • Begin evidence preservation for any systems that need forensic imaging before remediation
  • Do not begin rebuilding or restoring systems until the investigation scope is defined
  • Establish an out-of-band communication channel (personal mobiles, personal email) for your response team

Key Contacts: Fill This In Now

Role                           Name                 Phone                Email
Security Provider / IR Team    ___________________  ___________________  ___________________
Cyber Insurance Claims Line    ___________________  ___________________  ___________________
Legal Counsel                  ___________________  ___________________  ___________________
CEO / Managing Principal       ___________________  ___________________  ___________________
IT Provider                    ___________________  ___________________  ___________________
PR / Communications            ___________________  ___________________  ___________________

After the First 24 Hours

The immediate response phase is about containment and preservation. Once achieved, the work shifts to:

  • Full forensic investigation to determine the complete scope
  • Eradication of attacker presence from the environment
  • Remediation of the vulnerability or control failure that enabled the incident
  • Regulated notifications where required
  • Rebuilding affected systems from known-clean baselines
  • Post-incident review and control uplift
  • Client and stakeholder communications

This is a weeks-long process, not a 24-hour one. The first 24 hours determines whether it is manageable or catastrophic.

Signs You May Have an Active Incident Right Now

  • Unexpected account lockouts across multiple users
  • MFA prompts nobody initiated
  • Files being renamed with unfamiliar extensions
  • Systems becoming slow or unresponsive without explanation
  • Unusual outbound network traffic or connections to unfamiliar addresses
  • Emails sent from staff accounts that staff did not write
  • Contacts reporting suspicious communications from your business
  • Ransom note appearing on a screen
  • Sudden inability to access files, systems, or backups

If any of these are occurring, call your security provider immediately. Do not wait to be certain.
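
The first sign in the list, lockouts across multiple users, is one that can be checked mechanically rather than waiting for staff to report it. The function below is an added example, not part of the original checklist and not from any provider: it takes account lockout events (Windows Security event ID 4740, recorded on domain controllers) and reports any window in which several distinct accounts were locked out together. The window length and the threshold are assumed starting values, and the sample events are constructed for an offline dry run; the commented lines at the end show the read-only live query. Being read-only, it does not conflict with the "do not touch affected systems" rule, but run it from a clean device and share the output with your security provider rather than acting on it alone.

```powershell
# Added example, not part of the original checklist: flag the "unexpected account
# lockouts across multiple users" sign by counting distinct accounts locked out
# inside a short window. Uses Security event ID 4740 (account locked out), which
# is recorded on domain controllers. Window and threshold are assumed starting points.

function Find-LockoutBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated and Account
        [int] $WindowMinutes = 15,
        [int] $Threshold     = 3                    # distinct accounts that make a burst
    )
    $sorted = @($Events | Sort-Object TimeCreated)
    $bursts = @()
    $i = 0
    while ($i -lt $sorted.Count) {
        $start    = $sorted[$i].TimeCreated
        $end      = $start.AddMinutes($WindowMinutes)
        # Events are sorted, so everything in this window is contiguous from index $i.
        $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
        $accounts = @($inWindow | ForEach-Object { $_.Account } | Sort-Object -Unique)
        if ($accounts.Count -ge $Threshold) {
            $bursts += [pscustomobject]@{
                WindowStart = $start
                WindowEnd   = $end
                Lockouts    = $inWindow.Count
                Accounts    = ($accounts -join ', ')
            }
            $i += $inWindow.Count   # skip past this window so it is reported once
        } else {
            $i++
        }
    }
    return $bursts
}

# Constructed sample events (not real log data) for an offline dry run:
# three different accounts locked out within ten minutes, then one isolated lockout hours later.
$base   = [datetime]'2024-01-01T09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(0);   Account = 'alice' },
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(3);   Account = 'bob' },
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(5);   Account = 'alice' },
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(9);   Account = 'carol' },
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(240); Account = 'dave' }
)
Find-LockoutBurst -Events $sample | Format-Table -AutoSize

# Live use on a domain controller: read-only query of the last 24 hours of 4740 events.
# Property 0 of a 4740 event is TargetUserName, the account that was locked out.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; Account = $_.Properties[0].Value } }
# Find-LockoutBurst -Events $live | Format-Table -AutoSize
```

On the constructed sample the function reports one burst covering alice, bob and carol and ignores the isolated lockout, which is the distinction the checklist is drawing: a single user forgetting a password is routine, several accounts locking in the same quarter hour is a sign that needs a phone call.
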