Incident Response: The First 24 Hours After a Cyberattack

A cyberattack catches most organisations unprepared. Not because the threat is unknown, but because the emergency scenario was never concretely rehearsed. According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach is USD 4.88 million – a 10% increase over the previous year. Response speed is decisive: breaches detected and contained within 200 days cost an average of USD 3.93 million. If it takes longer, costs rise to USD 4.95 million – a difference of over one million dollars.

The first 24 hours after the discovery of an attack determine the course of events. Every wrong decision during this phase increases the damage exponentially. This article describes what must happen in these critical hours – and what must absolutely not happen.

The NIST Framework as a Guide

NIST SP 800-61 defines the recognised standard for incident response with four phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. In practice, these phases are not strictly sequential – during the first 24 hours, Detection, Analysis, and Containment often run in parallel. What matters is that each phase is consciously addressed and not lost in the chaos.

The First 24 Hours – Step by Step

1. Confirm the Detection

Is it actually a security incident? Not every anomaly is an attack. A failed server, a faulty update, or a false positive in the SIEM can produce identical symptoms. Before the incident response team is mobilised, a qualified triage must take place: Which systems are affected? Are there indicators of compromise (IoCs)? Do logs show unusual access patterns? This initial assessment should take no longer than 30 to 60 minutes.

2. Activate the Incident Response Team

Once an incident is confirmed, the IR team is activated – ideally via a predefined alerting plan with clearly defined roles. Who leads the incident? Who communicates internally? Who coordinates technical measures? Who is the legal point of contact? If these questions are only addressed during the incident, you lose hours. IBM estimates the cost advantage of prepared IR teams at an average of USD 248,000 per incident.

3. Containment

The immediate priority: limit the damage without destroying evidence. Isolate affected systems from the network, lock compromised accounts, restrict the attacker’s lateral movement capabilities. It is important to distinguish between short-term containment (network isolation) and long-term containment (temporary fixes that enable operations while the actual remediation is being prepared).

4. Preserve Evidence

Forensic preservation takes absolute priority – before any remediation. Create RAM dumps before systems are shut down. Secure log files and verify their integrity. Create disk images. Save network captures. The chain of custody must be documented from the outset, especially if criminal prosecution or insurance claims are being considered. Those who remediate first and analyse later irreversibly destroy the evidence.

5. Manage Communication

Communication during an incident must be coordinated and controlled. Internally: inform senior management, notify affected departments, establish a consistent narrative. Externally: customers, partners, potentially the media – but only with agreed information. Legally: involve the data protection officer, verify reporting obligations. A critical point: do not communicate via potentially compromised channels. If the email server may be affected, use alternative communication channels.

6. Meet Reporting Obligations

In Switzerland, a mandatory reporting obligation for cyberattacks on critical infrastructure has been in effect since 1 April 2025. Operators must report incidents to the Federal Office for Cybersecurity (BACS) within 24 hours – as established in the Information Security Act (ISG). After the initial report, organisations have 14 days to submit a complete report. From October 2025, failure to report may result in fines of up to CHF 100,000. Additionally, the nDSG (new Data Protection Act) requires the reporting of data protection violations to the FDPIC where there is a high risk to affected individuals. Organisations subject to the GDPR have 72 hours to report to the competent supervisory authority.

7. Initial Analysis and Scoping

In parallel with containment, the analysis begins: How did the attacker gain entry? Which systems are actually compromised? Which data is affected? Scoping determines the extent of the incident and thus the effort required for eradication and recovery. Without thorough scoping, you risk overlooking compromised systems – and the attacker returning through an undiscovered access point.
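Steps 4 and 6 above, as an added example that is not part of the original article: a small Python chain-of-custody helper that fingerprints a preserved log file, writes a manifest, detects when the artefact has been altered after collection, and derives the reporting deadlines the article quotes from a detection timestamp. The file names, collector name, sample log line and detection time are constructed for the example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def sha256_file(path):
    """Stream the file so disk images or RAM dumps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_evidence(path, collector, note):
    """One chain-of-custody entry: who collected what, when, and its fingerprint."""
    path = Path(path)
    return {"file": path.name, "size": path.stat().st_size, "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector, "note": note}

def verify_evidence(entry, path):
    """Re-hash the artefact; any change since collection breaks the chain."""
    path = Path(path)
    return (path.exists() and path.stat().st_size == entry["size"]
            and sha256_file(path) == entry["sha256"])

def reporting_deadlines(detected_at, initial_report_at=None):
    """Deadlines as stated in the article: BACS initial report within 24 h,
    complete report 14 days after the initial report, GDPR notification within 72 h."""
    initial = detected_at + timedelta(hours=24)
    return {"bacs_initial_report": initial,
            "bacs_full_report": (initial_report_at or initial) + timedelta(days=14),
            "gdpr_supervisory_authority": detected_at + timedelta(hours=72)}

def demo():
    """Constructed scenario: preserve a log, write the manifest, then wipe the log
    (the 'remediate first' mistake) and show that verification now fails."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "auth.log"  # constructed sample evidence
        log.write_text("2025-05-01T02:13:07Z sshd[812]: Accepted password for svc-backup from 10.0.9.77\n")
        entry = record_evidence(log, collector="analyst-1", note="copied from SRV-07 before isolation")
        (Path(tmp) / "manifest.json").write_text(json.dumps([entry], indent=2))
        intact = verify_evidence(entry, log)
        log.write_text("")  # log cleared after collection
        after_wipe = verify_evidence(entry, log)
    d = reporting_deadlines(datetime(2025, 5, 1, 2, 30, tzinfo=timezone.utc))  # constructed detection time
    return {"intact": intact, "after_wipe": after_wipe,
            "bacs_initial": d["bacs_initial_report"].isoformat(),
            "bacs_full": d["bacs_full_report"].isoformat(),
            "gdpr": d["gdpr_supervisory_authority"].isoformat()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest entry should be stored off the affected host (and ideally signed or printed and countersigned) so that a later dispute about evidence integrity can be settled by re-running `verify_evidence` against the original hashes.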

The Most Common Mistakes in the First Hours

Shutting down systems immediately. The natural reflex – and one of the most damaging. Shutting down destroys volatile memory (RAM), which often contains the most valuable forensic evidence: active network connections, running processes, decrypted data, malware in memory.

Communicating over compromised channels. If an attacker is in the network, they may be reading your emails and Teams messages. Incident response communication belongs on separate channels that have been verified as secure – personal mobile phones, out-of-band communication.

Paying the ransom prematurely. In ransomware attacks, the demand is immediate. Payment guarantees neither the recovery of data nor the prevention of a subsequent attack. Moreover, payments to sanctioned groups may have legal consequences. Analyse first, then decide – and always with legal counsel.

Remediating before analysing. Those who delete malware, change passwords, and rebuild systems before forensic preservation is complete make a subsequent root cause analysis impossible. Without root cause analysis, the actual vulnerability remains open.

Why the Plan Must Exist Before the Incident

Improvising incident response under pressure does not work. The organisations with the lowest breach costs have one thing in common: a tested incident response plan. IBM shows that companies with IR teams and regularly tested plans detect incidents an average of 61 days faster – and suffer nearly one million dollars less in damage. The plan does not need to be perfect. It needs to exist, be known to the participants, and be exercised at least once a year in a tabletop exercise.

How Zerberos Supports You

We help you be prepared before an incident occurs. In our Risk Assessment, we identify vulnerabilities and evaluate your current security posture. With a tailored Security Roadmap, we define concrete measures – including incident response planning. And when it matters, we stand ready as a competent partner. Contact us before the emergency strikes.

Sources

  • NIST SP 800-61 Rev. 3: Incident Response Recommendations and Considerations for Cybersecurity Risk Management – csrc.nist.gov
  • IBM: Cost of a Data Breach Report 2024 – ibm.com
  • Federal Office for Cybersecurity BACS: Mandatory reporting of cyberattacks – ncsc.admin.ch
  • Information Security Act ISG: Mandatory reporting for critical infrastructure from 1 April 2025 – admin.ch
  • nDSG: New Data Protection Act of Switzerland – fedpol.admin.ch