FIRST 48 CISO  |  The Pearltech Group  |  Free Resource
Incident Response Playbook
THE FIRST 48 HOURS: YOUR BREACH RESPONSE PLAYBOOK
What to do, and in what order, the moment you learn your organization has been breached. Built for CISOs, security leaders, and anyone who will be in the room when it happens.
241  |  Avg. days to detect a breach
$4.4M  |  Avg. cost of a data breach
48hrs  |  Window that defines your outcome
Dianne Powers
Principal CISO Advisor
The Pearltech Group
First 48 CISO  |  First48CISO.com
2026 Edition  |  Free Distribution
01
Why the First 48 Hours Matter

Most organizations discover they have an incident response problem during an incident. Not before. Not in a tabletop exercise. On a Friday evening, when an alert fires, a vendor files an SEC 8-K, or a threat actor posts your data on a leak forum.

The decisions made in the first 48 hours determine whether a breach becomes a contained incident or a company-defining crisis. This playbook gives you a sequence. Not a theory. What to do, who calls whom, what gets documented, and what never gets said out loud.

Use it now to build your plan. Use it when it happens to execute.

Hours 0-4  |  Detect and Triage
Hours 4-12  |  Contain and Assess
Hours 12-24  |  Notify and Stabilize
Hours 24-48  |  Report and Recover

The organizations that fare best in a breach are not the ones with the most sophisticated defenses. They are the ones with the clearest plan for the moment after the defenses fail.

Dianne Powers  |  First 48 CISO
02
Phase 1: Detect and Triage
01
Hours 0 – 4
Detect and Triage
Objective: Confirm the incident is real, scope what you know, and get the right people moving.

The first four hours are about confirmation and mobilization. Not remediation. Resist the urge to start fixing things before you understand what happened. Premature action destroys forensic evidence and creates legal exposure.

The second thing you do after confirming a true positive is to establish a secure out-of-band communications channel. If your environment is compromised, the attacker may be watching your Slack and reading your email. Every message on compromised infrastructure signals that you know they are there. Assume the worst and communicate accordingly from minute one.

Confirm the alert is a true positive
Do not assume. Verify independently. Check logs, correlate signals, and rule out false positives before mobilizing the full team.
Critical
Activate your out-of-band communication plan
Activate your out-of-band communication plan immediately. All incident-related communications move to that channel now and stay there for the duration. If your organization does not yet have an out-of-band plan documented, establishing one is the first item on your post-incident action list.
Critical
Activate your IR retainer or internal IR team via secure channel
Call your IR firm now. Not after you have tried to investigate yourself. Early engagement preserves evidence and starts the clock on legal privilege. Use phone or the out-of-band channel established above.
Critical
Open the incident log on your out-of-band channel: timestamp everything
Every action taken, every conversation had, every system touched. This log lives on your out-of-band channel only. Nothing related to the incident goes through potentially compromised systems.
Technical
Brief your CISO and legal counsel via your out-of-band channel
Legal counsel establishes attorney-client privilege over the investigation. This is not optional. It protects you in litigation and regulatory inquiry.
Isolate affected systems. Do not power them off
Network isolation preserves volatile memory. Powering off destroys forensic evidence. Disconnect from network only.
Technical
Assess initial scope: what systems, what data, how long
Answer three questions: What was accessed? What data may have been exposed? When did the attacker first get in? These answers drive every decision that follows.
Critical
WARN
Do not notify employees, customers, or the public yet. Premature communication before scope is confirmed creates panic, triggers regulatory timelines prematurely, and may tip off the attacker that they have been detected.
03
Phase 2: Contain and Assess
02
Hours 4 – 12
Contain and Assess
Objective: Stop the bleeding. Map what the attacker touched. Understand what data is at risk.

Containment without assessment is guesswork. You cannot contain what you have not mapped. Run both tracks simultaneously: technical containment and data impact assessment, with separate teams if possible.

Revoke and rotate all potentially compromised credentials
Start with admin and privileged accounts. Assume any credential that touched affected systems is compromised until proven otherwise.
Technical
Audit third-party and vendor access logs
Many breaches enter through a vendor. Pull access logs for all third parties connected to affected systems. Flag anything anomalous from the past 90 days.
Technical
Map the data: what was accessible, what was exfiltrated
This determines your regulatory notification obligations. PII, PHI, payment data, and trade secrets each trigger different legal requirements.
Preserve forensic images before any remediation
Your IR firm needs clean forensic images of affected systems before remediation begins. This is non-negotiable for insurance claims and legal proceedings.
Critical
Check for persistence mechanisms
Sophisticated attackers plant backdoors before they are detected. Confirm the attacker has been fully evicted, not merely that the visible entry point has been closed.
Technical
Notify your cyber insurance carrier
Most policies require prompt notification. Late notification can void coverage. Call your broker now. They can also recommend approved IR vendors.
TIP
Keep a running attacker timeline: when they first accessed, what they did, and when they were detected. This narrative becomes the core of every downstream communication: board briefing, regulatory filing, and customer notification.
04
Phase 3: Notify and Stabilize
03
Hours 12 – 24
Notify and Stabilize
Objective: Begin required notifications. Stabilize operations. Control the narrative.

Notification is a legal minefield. Who you notify, when, and in what order is determined by the data types involved and the jurisdictions affected. Never communicate before legal counsel reviews and approves messaging.

Brief your board of directors
Prepare a factual summary: what happened, what is confirmed, what is still under investigation, what actions have been taken. No speculation. No projections.
Comms
Determine regulatory notification requirements
HIPAA: 60 days. SEC material breach: 4 business days (for public companies). State breach laws vary from 30 to 90 days. Your legal team maps this. Not you.
Prepare internal communications for employees
Employees need to know what happened and what they should not say externally. Legal and HR draft this together. Approved messaging only.
Comms
Begin restoring critical operations from clean backups
Only restore systems that forensics has cleared. Restoring an unverified system reintroduces the attacker. Verify before you restore.
Technical
WARN
Do not pay a ransom without legal counsel present. Ransom payments may violate OFAC sanctions depending on the threat actor. Paying does not guarantee data deletion. It often funds the next attack.
05
Phase 4: Report and Recover
04
Hours 24 – 48
Report and Recover
Objective: File required reports. Brief stakeholders. Begin structured recovery.

The second 24 hours shifts from crisis management to structured response. The IR team is in containment mode. Your job now is documentation, communication, and building the foundation for recovery and post-incident review.

File an SEC 8-K if a material breach is confirmed (public companies)
The 4-business-day clock starts when you determine materiality, not when the breach occurred. Work with legal on the materiality determination.
Prepare customer and partner notification drafts
Draft notifications for all affected parties. Legal approves before any communication goes out. Include what happened, what data was affected, and what you are doing.
Comms
Document the complete incident timeline for the record
Detection time, containment time, notification time. This record becomes your legal defense, your insurance claim, and your post-incident review starting point.
Critical
Schedule the post-incident review for 2 weeks out
Not now. People are exhausted and the picture is incomplete. Two weeks gives time for the dust to settle and forensics to close. Block the time now.
Comms
Assess and update the IR plan based on what failed
Something in your plan did not work, or did not exist. Identify it now while it is fresh. Update the plan before the next incident, not after.
Critical
TIP
The post-incident review is not a blame session. It is a gap analysis. The question is not who failed. It is what the plan did not account for. Frame it that way from the start.
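The incident log this playbook asks you to open in Phase 1, the running attacker timeline from Phase 2, and the notification clocks and timeline record from Phases 3 and 4, as one added Python example (not First 48 CISO's own tooling). It assumes UTC timestamps, business days that skip weekends only, and constructed sample entries; counsel still owns the real notification map.

```python
# Added example, not First 48 CISO tooling. Assumes UTC timestamps; "business days" skip weekends only.
import hashlib
from datetime import datetime, timedelta, timezone
GENESIS = "0" * 64

def _digest(prev, e):
    return hashlib.sha256(f"{prev}|{e['when'].isoformat()}|{e['actor']}|{e['action']}".encode()).hexdigest()

def add_entry(log, when, actor, action):
    """Append an entry hash-chained to the previous one, so a later edit or deletion is detectable."""
    entry = {"when": when, "actor": actor, "action": action}
    entry["hash"] = _digest(log[-1]["hash"] if log else GENESIS, entry)
    log.append(entry)

def verify_chain(log):
    """Recompute every hash from GENESIS; False if any entry was altered."""
    prev = GENESIS
    for e in log:
        if _digest(prev, e) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def hours_between(log, start_tag, end_tag):  # e.g. DETECTED -> CONTAINED, the figure the record must carry
    first = lambda tag: next(e["when"] for e in log if e["action"].startswith(tag))
    return (first(end_tag) - first(start_tag)).total_seconds() / 3600

def add_business_days(start, days):
    while days > 0:  # weekends skipped; public holidays are not modelled
        start += timedelta(days=1)
        if start.weekday() < 5:
            days -= 1
    return start

def notification_deadlines(discovery, materiality_determined):
    """Clocks the playbook cites: SEC 8-K runs 4 business days from the materiality
    determination (not the breach); HIPAA 60 and the earliest state law 30 days from discovery."""
    return {"sec_8k": add_business_days(materiality_determined, 4),
            "hipaa": discovery + timedelta(days=60),
            "state_earliest": discovery + timedelta(days=30)}

def build_sample_log():
    """Constructed Friday-evening incident (not real data) to exercise the log."""
    log, utc = [], timezone.utc
    for day, hour, minute, actor, action in (
            (6, 19, 10, "SOC", "DETECTED: EDR alert verified as true positive"),
            (7, 22, 0, "Counsel", "MATERIALITY: breach determined material; 8-K clock starts"),
            (8, 9, 0, "IR firm", "CONTAINED: privileged creds rotated, persistence removed")):
        add_entry(log, datetime(2026, 3, day, hour, minute, tzinfo=utc), actor, action)
    return log
```

Run `verify_chain` on the log before it is handed to counsel or the insurer; a False result means the record was edited after the fact.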
06
Why Speed Is the Variable
241  |  Avg. days to identify and contain a breach
$4.4M  |  Avg. cost of a data breach globally
60%  |  Of breaches involve a human element

Organizations that contain a breach in under 30 days save an average of $1 million compared to those that take longer. Speed is not just operational. It is financial. Every hour of uncontained access increases the cost, the regulatory exposure, and the reputational damage.

This playbook exists to compress that timeline. The difference between a managed incident and a public crisis is almost always a plan that existed before the breach, not one assembled during it.

First 48 CISO  |  Incident Response Advisory
Ready to Test Your Plan Before the Breach Tests It?
We work with organizations to build, stress-test, and operationalize incident response programs. Before the Friday alert fires.
Book a Retainer Consultation