Knowledgebase Article
Incident Response: What Happens If You Are Breached
Why Having a Plan Before an Incident Matters
The middle of an active security incident is the worst possible time to figure out your response process for the first time. Having a clear plan in advance means your team can act quickly and decisively rather than losing critical time to confusion during the moment it matters most.
If you have not yet read Malware Scanning and Removal: What to Do If You Are Infected, it covers the specific technical cleanup process this article's broader response framework builds on.
The First Hour After Discovering a Breach
Contain the incident first, which may mean taking an affected system offline, disabling compromised credentials, or restricting access to affected systems, prioritizing stopping further damage over immediately understanding the full scope. Preserve evidence rather than immediately deleting anything, since logs and affected files may be needed later to understand how the breach occurred and to meet any regulatory notification requirements. Notify your internal team and any relevant decision makers immediately, since a breach response often requires coordination across technical, legal, and communications functions simultaneously.
Assessing the Scope
Determine what data or systems were actually affected, distinguishing between a contained incident limited to one system versus something broader affecting customer data or multiple systems. This assessment directly determines what legal obligations apply next, particularly around breach notification requirements.
If personal data was involved, review GDPR, CCPA and PDPL Compliance: What Website Owners Need to Know for the notification timelines that may apply depending on where affected individuals are located, and involve legal counsel promptly given how time sensitive these obligations typically are.
Communicating About the Incident
Internal communication should stay factual and limited to those who need to know during the active response, avoiding speculation before the actual scope is understood. External communication, including any required notification to affected individuals or regulators, should be handled carefully and typically with legal guidance, since premature or inaccurate public statements can create additional complications beyond the incident itself.
Remediation
Once contained, fully remove any malicious presence, close the specific vulnerability that allowed the breach to occur, and verify no backdoor or persistent access remains before considering systems safe to fully restore. Rushing this step and declaring an incident resolved prematurely is a common mistake that sometimes allows a second, related incident shortly after the first.
After the Immediate Response
Conduct a thorough review of what happened, how it happened, and what specifically allowed it, documenting this clearly rather than relying on memory once the immediate pressure has passed. Update your security practices based on what this specific incident revealed, whether that means Two Factor Authentication (2FA) Setup Guide, patching a specific vulnerability, or other changes directly informed by the incident.
Getting Support During an Incident
Our support team can assist with server level investigation and remediation during an active incident. For incidents involving significant data exposure or requiring formal forensic investigation, specialized incident response firms exist specifically for this purpose, and engaging one early is often more effective than attempting a complex investigation without that specific expertise.