I have worked breaches where the client did everything right and breaches where they torched the evidence before we got there. The difference is almost always the first three days. Not the tooling. Not the budget. The first 72 hours.
What follows is the hour-by-hour timeline we use internally at Sherlock Forensics. It is the same sequence whether the client is a 50-person law firm or a publicly traded company. The scale changes. The order does not.
If you are reading this during an actual breach, stop reading and call 604.229.1994. We will walk you through the rest live.
Hour 0-1: Detection and Triage
Most breaches are not detected by the victim. According to Mandiant's M-Trends 2026 report, the median dwell time before external notification is still over two weeks. So by the time someone tells you there is a problem, the attacker has likely been inside for days or weeks. The first hour is not about finding the breach. It is about confirming it is real and not making things worse.
Confirm the Incident
Before you activate anything you need to answer one question: is this actually a breach or is it a false alarm? A firewall alert is not a breach. An employee clicking a phishing link is not necessarily a breach. A ransom note on a file server is a breach. An email from a threat actor with a sample of your data is a breach. Customer records showing up on a dark web forum is a breach.
Spend 15 minutes verifying. Pull the alert. Check the logs. Talk to whoever reported it. If the evidence says breach, proceed. If it is ambiguous, treat it as a breach until you can prove otherwise. You can always stand down. You cannot un-destroy evidence.
Activate the IR Team
Your incident response plan should have a call tree. Use it. If you do not have an IR plan you need at minimum these people in a room or on a call within 30 minutes: IT lead, legal counsel, executive decision-maker and your external IR firm if you have one on retainer. Do not email details about the breach on the compromised mail system. Use phone calls or an out-of-band messaging platform. If the attacker is in your email they are reading your response coordination in real time.
Preserve Volatile Evidence
This is where most companies make their first catastrophic mistake. Someone in IT decides to "fix the problem" by reimaging the affected machine or rebooting the server. That just destroyed your evidence. Volatile data disappears the moment a system powers off. Memory dumps, active network connections, running processes, logged-in sessions. All gone.
Do not power off affected systems. Do not reimage. Do not run antivirus scans that modify file timestamps. Isolate the system from the network by unplugging the Ethernet cable or disabling the Wi-Fi adapter. Leave it running. If you have the capability, capture a memory dump and a disk image before doing anything else. If you do not, leave the system alone until your forensic team arrives.
Hour 1-4: Containment
Containment is not eradication. You are not trying to kick the attacker out yet. You are trying to stop the bleeding without destroying the crime scene. There is a critical distinction between those two objectives and most IT teams blur them under pressure.
Network Isolation
Segment affected systems from the rest of the network. If you have network segmentation already in place, activate it. If you do not, isolate physically: pull cables, disable switch ports, block the compromised system's IP at the firewall. The goal is to prevent lateral movement while keeping the system powered on for forensic collection.
Credential Actions
Reset passwords for any accounts confirmed compromised. Force MFA re-enrollment. If you suspect Active Directory compromise reset the KRBTGT account twice (with a 12-hour gap between resets per Microsoft's guidance). Revoke active sessions and OAuth tokens. Do not do a mass password reset for the entire organization at this stage unless you have confirmed the attacker has domain admin. A premature mass reset tells the attacker you know they are there and forces them to act faster.
Start the Log
Begin a written incident log immediately. Every action taken, by whom, at what time. This log will be requested by legal counsel, regulators, insurance carriers and potentially a judge. "We think someone rebooted the server around 3 PM" is not useful. "J. Martinez rebooted SVR-DB01 at 14:47 PST" is. Use UTC timestamps if your team spans time zones. This log is a legal document. Treat it like one.
Hour 4-12: Scope Assessment
You have contained the immediate threat. Now you need to understand what you are actually dealing with. The scope assessment determines everything that follows: who you notify, what regulations apply, how much this is going to cost and whether you have a reportable breach or a contained security incident.
What Systems Are Affected?
Work outward from the initial point of compromise. Check authentication logs for lateral movement. Review firewall logs for unusual outbound connections. Look at DNS query logs for beaconing patterns. Check for new accounts created or privilege escalations. If you have an EDR solution this is where it earns its cost. If you do not have EDR, you are doing this manually through Windows Event Logs, syslog and whatever else you have.
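One way to do the DNS beaconing check by hand when there is no EDR, as an added example that is not Sherlock Forensics code: group queries by client and name, then flag any series whose inter-query gaps are nearly constant. The log format, client address and domain names are constructed for the example; the thresholds are assumptions to tune per environment.

```python
# Added example (not Sherlock Forensics code): flag DNS beaconing by finding
# a host that queries one name at near-constant intervals. Log lines and
# names are constructed. A hit is a lead, not a verdict: NTP clients, update
# checkers and monitoring agents beacon too.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_DNS_LOG = """\
2025-03-04T09:00:00Z 10.20.5.17 cdn-sync.example-updates.net
2025-03-04T09:05:00Z 10.20.5.17 cdn-sync.example-updates.net
2025-03-04T09:10:01Z 10.20.5.17 cdn-sync.example-updates.net
2025-03-04T09:15:00Z 10.20.5.17 cdn-sync.example-updates.net
2025-03-04T09:19:59Z 10.20.5.17 cdn-sync.example-updates.net
2025-03-04T09:01:12Z 10.20.5.17 www.example.com
2025-03-04T09:47:30Z 10.20.5.17 www.example.com
2025-03-04T10:12:05Z 10.20.5.17 www.example.com
2025-03-04T10:12:06Z 10.20.5.17 www.example.com
2025-03-04T11:40:00Z 10.20.5.17 www.example.com
"""

def parse_dns_log(text):
    """Group query timestamps by (client, queried name)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, client, name = line.split()
            series[(client, name.lower())].append(
                datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return series

def find_beacons(series, min_queries=5, max_jitter=0.1):
    """Return (client, name, mean_gap_seconds, jitter) for regular series.

    jitter = population stdev / mean of the gaps between consecutive
    queries; C2 beacons sit near 0 even with a little added randomness.
    """
    hits = []
    for (client, name), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0
        if jitter <= max_jitter:
            hits.append((client, name, round(avg), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_dns_log(SAMPLE_DNS_LOG)):
        print("possible beacon:", hit)
```

The www.example.com queries in the sample are just as numerous but irregular, so only the five-minute series is reported.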
What Data Was Accessed or Exfiltrated?
This is the question that determines your legal obligations. There is a massive difference between "an attacker was on our network" and "an attacker exfiltrated 50,000 customer records with Social Security numbers." The first is a security incident. The second is a reportable data breach with notification requirements in every jurisdiction where those customers reside.
Check file access logs, database query logs and DLP alerts. Look at outbound data transfer volumes. Review cloud storage access logs if applicable. If the attacker staged data for exfiltration you may find compressed archives in unusual directories. If they used legitimate transfer tools like rclone or cloud sync utilities check command history and scheduled tasks.
Build the Preliminary Timeline
Construct a timeline of attacker activity from initial access through discovery. Map each event with a timestamp, source system and evidence source. This timeline will evolve over the next 48 hours as forensic analysis uncovers more artifacts but you need a working version now to brief leadership and legal.
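A minimal version of the timeline build described above, which also covers the UTC point from the incident log section and the cross-source correlation in the forensic analysis section; this is an added example, not Sherlock Forensics tooling. All three log excerpts are constructed, the firewall is assumed to log in PST with no zone marker, and the fixed -08:00 offset stands in for a proper zoneinfo lookup.

```python
# Added example (not Sherlock Forensics code): merge constructed log excerpts
# from three sources into one preliminary timeline, normalising every
# timestamp to UTC so events from different zones sort in true order.
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # fixed offset; use zoneinfo in real work

WINDOWS_EVENTS = """\
2025-03-04T21:52:10Z 4624 LogonType=10 Account=svc_backup Src=10.20.5.17 Host=SVR-DB01
2025-03-04T22:03:44Z 4720 NewAccount=support_tmp Host=SVR-DB01
"""
FIREWALL_LOG = """\
Mar  4 14:10:32 fw01 allow tcp 10.20.5.17:51422 -> 203.0.113.40:443 bytes=734113920
"""
INCIDENT_LOG = """\
2025-03-04 14:47 PST J. Martinez rebooted SVR-DB01 before IR was engaged
"""

def parse_windows(text):
    """Yield (utc_time, system, evidence_source, detail); input is ISO 8601 UTC."""
    for line in filter(str.strip, text.splitlines()):
        ts, rest = line.split(" ", 1)
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               "SVR-DB01", "Windows Security log", rest)

def parse_firewall(text, year=2025, tz=PST):
    """Syslog lines carry no year or zone; both are supplied by the analyst."""
    for line in filter(str.strip, text.splitlines()):
        mon, day, clock, host, rest = line.split(None, 4)
        local = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield (local.replace(tzinfo=tz).astimezone(timezone.utc), host, "firewall syslog", rest)

def parse_incident_log(text, tz=PST):
    """Analyst-written entries in local time; zone token is recorded but tz is explicit."""
    for line in filter(str.strip, text.splitlines()):
        date, clock, _zone, rest = line.split(" ", 3)
        local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
        yield (local.replace(tzinfo=tz).astimezone(timezone.utc), "IR team", "incident log", rest)

def build_timeline(*event_iters):
    """Merge all sources sorted by UTC time; each row keeps its provenance."""
    rows = sorted(e for it in event_iters for e in it)
    return [(t.strftime("%Y-%m-%dT%H:%M:%SZ"), sys, src, what)
            for t, sys, src, what in rows]

if __name__ == "__main__":
    for row in build_timeline(parse_windows(WINDOWS_EVENTS),
                              parse_firewall(FIREWALL_LOG),
                              parse_incident_log(INCIDENT_LOG)):
        print(" | ".join(row))
```

Once normalised, the merged view shows the large outbound transfer landing after the new account was created and before the reboot, an ordering that is invisible while each source sits in its own clock.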
Hour 12-24: Notifications
If your scope assessment indicates that personal data or regulated information was accessed or exfiltrated, the notification clock is now running. In many jurisdictions it started the moment you confirmed the breach, not the moment you completed your investigation.
Legal Counsel
Your attorney should be directing all communications from this point forward. If you have cyber insurance your carrier likely has a breach coach on their panel who specializes in notification requirements. Use them. The legal landscape for breach notification is a patchwork. GDPR Article 33 gives you 72 hours from awareness to notify the supervisory authority. Canadian PIPEDA breach reporting requirements say "as soon as feasible." US state laws range from 30 to 60 days with some states requiring notification within 72 hours for certain data types.
Cyber Insurance Carrier
If you have a cyber insurance policy call your carrier now if you have not already. Most policies require notification within 24 to 72 hours of discovering a breach. Late notification can void coverage. I have seen companies lose seven-figure claims because they waited five days to call the carrier. Your policy is a contract. Read the notification clause and comply with it exactly.
Law Enforcement
File a report with the FBI's IC3 for US-based incidents. In Canada contact the RCMP's NC3. Law enforcement engagement is voluntary in most cases but consistently beneficial. They have threat intelligence you do not. They can coordinate internationally. They will not seize your servers or shut down your operations. That fear keeps companies from reporting and it is unfounded.
Internal Communications
Brief the board or senior leadership with facts. Resist the urge to speculate about attribution or total impact. You do not know those things yet. State what you know, what you do not know and what you are doing to find out. Provide a timeline for the next update. Do not put anything in writing that you would not want read aloud in a courtroom.
Hour 24-48: Forensic Analysis
With containment in place and notifications initiated your forensic team can now do deep analysis without the pressure of active threat movement. This is methodical work. It cannot be rushed and attempts to rush it produce incomplete findings that fall apart under legal scrutiny.
Disk Forensics
Create forensic images of all affected systems using write-blockers. Verify images with SHA-256 hashes. Analyze file system artifacts: MFT entries, prefetch files, Shimcache, Amcache, the USN journal. These artifacts tell you what programs ran, when they ran, what files were accessed and in some cases what commands were executed. If the attacker used defense evasion techniques like timestomping or log clearing the forensic artifacts will still show inconsistencies that reveal the deception.
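Two of the inconsistencies that expose timestomping, shown as an added example rather than Sherlock Forensics code: NTFS keeps timestamps in both $STANDARD_INFORMATION and $FILE_NAME, and user-mode tools normally rewrite only the former. The records below are constructed stand-ins for rows parsed out of a real $MFT; the field names and paths are assumptions for the example.

```python
# Added example (not Sherlock Forensics code): two classic timestomping checks
# on NTFS MFT timestamps. User-mode tools rewrite $STANDARD_INFORMATION (SI)
# but normally cannot touch $FILE_NAME (FN), so an SI creation time that
# predates FN creation, or SI values with a zero sub-second part beside FN
# values that keep their precision, are inconsistencies worth pulling.
# Records are constructed. A rename or move also refreshes FN, so treat
# hits as leads to verify against prefetch, USN and logs, not as proof.
from dataclasses import dataclass
from datetime import datetime

def utc(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

@dataclass
class MftRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime

CONSTRUCTED_RECORDS = [
    # Benign: SI and FN agree and both keep sub-second precision.
    MftRecord(r"C:\Windows\System32\notepad.exe",
              utc("2024-11-02T03:14:07.123456Z"), utc("2024-11-02T03:14:07.123456Z"),
              utc("2024-11-02T03:14:07.123456Z"), utc("2024-11-02T03:14:07.123456Z")),
    # Stomped: SI back-dated to blend in; FN still records the real drop time.
    MftRecord(r"C:\Windows\Temp\updater.exe",
              utc("2019-07-10T08:00:00Z"), utc("2019-07-10T08:00:00Z"),
              utc("2025-03-04T21:55:41.881234Z"), utc("2025-03-04T21:55:41.881234Z")),
]

def timestomp_indicators(rec):
    """Return the inconsistency labels found on one record (empty if none)."""
    flags = []
    if rec.si_created < rec.fn_created:
        flags.append("SI created predates FN created")
    si_whole = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_frac = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_whole and fn_frac:
        flags.append("SI has zero sub-second part, FN does not")
    return flags

def scan(records):
    """Map path -> indicators for every record that shows at least one."""
    return {r.path: flags for r in records if (flags := timestomp_indicators(r))}

if __name__ == "__main__":
    for path, flags in scan(CONSTRUCTED_RECORDS).items():
        print(path, "->", "; ".join(flags))
```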
Memory Analysis
If you captured memory dumps during the first hour this is where they pay off. Memory analysis reveals running processes at the time of capture, network connections, loaded modules, decrypted data that was encrypted on disk and in some cases the attacker's tools and command history. Fileless malware that leaves no trace on disk exists only in memory. If you did not capture memory before containment that evidence is gone permanently.
Log Correlation
Pull logs from every source available: firewalls, proxies, DNS servers, authentication systems, cloud platforms, VPN concentrators, email gateways. Correlate events across sources using your timeline as the backbone. A single log source tells you a fragment. Correlated logs tell you the story. If you have a SIEM use it. If you do not you are doing this in spreadsheets and it will take three times as long.
Malware Analysis
If malware was deployed identify it. Check hashes against VirusTotal and your threat intelligence feeds. Determine capabilities: does it exfiltrate data, establish persistence, move laterally, encrypt files? Understanding the malware's capabilities tells you what the attacker could have done even if you have not yet confirmed they did it. This distinction matters for notification decisions. If the malware has data exfiltration capability and it ran on a system containing personal data you may need to assume exfiltration occurred unless you can prove otherwise.
Hour 48-72: Preliminary Findings
By hour 48 your forensic team should have enough evidence to produce a preliminary findings report. This is not the final report. The final report may take weeks. But the preliminary findings need to answer the questions that legal counsel, regulators and executives are asking right now.
The Preliminary Report Should Cover
- Initial Access Vector: How did the attacker get in? Phishing, exploited vulnerability, stolen credentials, third-party compromise? If you cannot determine the initial vector, say so. Do not guess.
- Scope of Compromise: Which systems were accessed. Which accounts were compromised. What lateral movement occurred. Map it visually if possible.
- Data Impact Assessment: What data was accessed or exfiltrated. Number of records affected. Data types involved (PII, PHI, financial, intellectual property). This drives notification scope.
- Attacker Persistence: Has all attacker access been eliminated? Are there backdoors, scheduled tasks, new accounts or modified configurations that could allow re-entry?
- Containment Status: Is the breach contained? What evidence supports that conclusion? What monitoring is in place to detect any resumed activity?
Eradication Planning
With the preliminary findings in hand you can now plan eradication. This is the step where you actually remove the attacker's access, close the initial entry point, remove persistence mechanisms and harden the environment against the same attack. Do not eradicate before you have completed evidence collection. Once you remove malware and close backdoors that evidence is gone. Eradication should be a planned operation executed in a coordinated window, not a panicked response at 3 AM on Day 1.
What Most Companies Get Wrong
After twenty years of breach response I can tell you the mistakes are remarkably consistent. Here are the ones I see on nearly every engagement.
| Mistake | Why It Happens | What It Costs You |
|---|---|---|
| Reimaging systems before forensic collection | IT wants to "fix" the problem | Total loss of forensic evidence. You will never know what the attacker did or what data was taken. |
| Coordinating response over compromised email | It is the easiest communication channel | The attacker reads your playbook in real time and adapts. |
| Delaying insurance notification | Hoping the breach is smaller than it looks | Policy coverage denied. Seven-figure legal and remediation costs come out of pocket. |
| Mass password reset on Day 1 | Feels like decisive action | Tips off the attacker. Causes operational chaos. Does not help if AD is compromised. |
| No written incident log | Everyone is too busy responding | Regulatory inquiries and litigation require a documented timeline. Reconstructing one from memory months later is unreliable and damaging to credibility. |
| Speculating publicly about the cause | Pressure from media or customers | Premature statements get contradicted by forensic findings. Creates legal liability and erodes trust faster than saying nothing. |
The thread connecting all of these mistakes is the same: panic. Breach response is controlled chaos. The organizations that handle it well are the ones that practiced before it happened. If your IR plan lives in a binder nobody has opened since it was written it is not a plan. It is a prop.
The 72-Hour Checkpoint
At the 72-hour mark take stock. You should have containment confirmed, preliminary forensic findings documented, legal counsel directing notifications, insurance carrier engaged, law enforcement notified and a communication plan for affected individuals if notification is required.
If you do not have all of those boxes checked at 72 hours something went wrong in the timeline. Go back and find what was missed.
The investigation does not end at 72 hours. Full forensic analysis typically takes two to four weeks. Notification mailings take longer. Regulatory inquiries can stretch for months. Litigation can last years. But the first 72 hours set the trajectory for all of it. Get those hours right and everything that follows is manageable. Get them wrong and you are fighting uphill for the rest of the engagement.
Prepare Before It Happens
The best time to figure out your breach response process is not during a breach. If you do not have an incident response plan build one. If you have one test it. Run a tabletop exercise that walks your team through this exact 72-hour timeline. Find out who freezes, who takes charge and where the gaps are before real data is on the line.
If you want a structured starting point download our incident response checklist. If you want an IR team on standby before something happens look at our incident response retainer. A retainer means we are contractually obligated to pick up the phone at 2 AM on a Saturday. Without one you go into the queue behind everyone else who is also having their worst day.