CycloudForte
Back to blogIncident Response

Your First 24 Hours After a Cyber Incident

What the first day of a breach actually looks like, hour by hour, and the decisions that determine whether you recover quickly or for months.

CycloudForte TeamDecember 8, 20257 min read

A weekend support engineer notices something odd in the logs. By Monday morning, customer support is fielding strange password reset requests. By Monday evening, it is clear: someone is in your systems and you do not know how, when, or for how long.

The first 24 hours of a cyber incident set the trajectory for everything that follows. Done well, you contain damage, preserve evidence, and recover in days. Done badly, you destroy the audit trail, alert the attacker that you know, and spend months untangling the wreckage.

Hour 0 to 2: declare and convene

The moment the security lead reaches "I think we have a real incident," declare it. This means notifying a pre-agreed incident response team: an executive sponsor, the security lead, IT operations, legal, and communications. Open a dedicated channel. Use that channel and nothing else for incident comms.

Do not start fixing anything yet. The first decision is what kind of incident this is: data theft, ransomware, account compromise, denial of service, or something else. The response differs by type.

Hour 2 to 6: contain, do not destroy

Isolate affected systems from the network if you can do so without losing live forensic evidence. For compromised user accounts, force-revoke sessions and rotate credentials. Do not wipe machines. Do not roll back to a snapshot. Both destroy the evidence you will need to understand the attack.

If you have a retainer with an incident response firm, call them now. If not, this is when you would engage one. The first hours are when expert hands are worth the most.

Hour 6 to 12: scope and stabilise

Establish what is affected and what is not. Pull logs, network captures, and authentication records. Take forensic images of affected systems before any remediation. Identify the attacker entry point if you can.

In parallel, business continuity decisions are made: can the affected service continue safely, on a degraded mode, or must it stop entirely? Communications begins drafting internal and customer-facing messages, but nothing goes out yet.

Hour 12 to 18: notify

Under the Nigeria Data Protection Act, you have 72 hours to notify the Nigeria Data Protection Commission of a personal data breach. Start the regulator notification process well before that deadline so you have time to verify facts. If customers are affected, prepare individual notifications.

If you are publicly listed, hold contracts with enterprise clients with breach clauses, or carry cyber insurance, separate notification obligations apply. Legal counsel maps all of them in this window.

Hour 18 to 24: eradicate and prepare recovery

With forensic evidence preserved and the attack scope understood, eradication begins. Close the entry point. Revoke any persistence the attacker established. Rotate every credential the attacker might have touched.

Recovery planning runs in parallel: which systems come back online first, in what order, and with what additional monitoring in place.

What separates good responses from bad ones

Almost none of this is technical skill. It is preparation and discipline. Businesses that handle the first 24 hours well have three things in place before the incident: a written incident response plan with named owners, a relationship with an external IR firm (even a basic retainer), and a leadership team that decides quickly under pressure. The technical work is the easiest part. The decisions and the discipline are the hard part. Build them now, while nothing is on fire.

Want help applying this?

CycloudForte runs the audits, training, and remediation work behind the insights in this article. Book a free 15-minute call to talk through your specific situation.

Book a Consultation