What A Company Should Do After a Data Breach

Josh Amishav · Last updated Mar 10, 2026 · 9 Minute Reading Time

Learn what to do in the first hours and days after discovering a data breach.

• Contain the breach immediately by isolating affected systems and preserving forensic evidence before resetting anything
• Check for infostealer infections on employee devices. Resetting passwords on a compromised device just hands attackers the new credentials
• Notify regulators within required timelines. GDPR gives you 72 hours, and US state laws vary
• Use dark web monitoring to check if stolen data is already being sold. You won’t know the full scope of a breach without looking at what’s already out there

The global average cost of a data breach hit $4.44 million in 2025, according to IBM’s 2025 Cost of a Data Breach Report. Speed is the biggest factor in that number. Breaches resolved within 200 days cost $3.87 million versus $5.01 million for slower responses.

That’s why having a clear plan for the first hours after discovery matters so much. The faster your team moves, the less damage you’ll deal with.

This guide covers the six steps your company should take right after a breach. For building a response plan before a breach happens, see our data breach response plan guide.

What Should You Do Immediately After a Data Breach?

You’ll hear “data breach response” a lot in the next few sections. Here’s what it actually means.

Data breach response is the process you follow after discovering unauthorized access to sensitive data. It covers containment and forensic investigation first, then moves into notification and recovery. Your response starts the moment you confirm a breach and continues until affected systems are restored and regulators are notified.

The first 24 to 48 hours after discovering a breach determine how much damage your company takes. Move fast, but move smart.

Isolate affected systems. Disconnect compromised servers and endpoints from the network. This stops the attacker from moving laterally or exfiltrating more data. Don’t shut systems down completely. You need them running to capture forensic evidence.

Preserve evidence before resetting anything. Take forensic images of affected systems and capture memory dumps. Save all relevant logs. Once you start resetting passwords and patching, you’ll lose evidence of how the attacker got in and what they accessed.
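One concrete way to do the "preserve before you touch anything" step is to hash every collected log file and record who collected it and when, so any later change to the evidence is detectable. The script below is an added example and not Breachsense's own tooling; the host name, collector name, IPs and log lines are constructed, and it assumes the evidence has already been copied into one directory.

```python
"""Evidence manifest: hash log files before anything is reset or patched, so
later modification is detectable and the chain of custody is documented.
Added example, not Breachsense's code; host, paths and log lines are constructed."""
from __future__ import annotations

import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, host: str) -> dict:
    """Record hash, size and mtime of every file under evidence_dir, plus who
    collected it and when (UTC). Take this snapshot BEFORE remediation starts."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        stat = path.stat()
        entries.append({
            "path": str(path.relative_to(evidence_dir)),
            "sha256": sha256_file(path),
            "size": stat.st_size,
            "mtime_utc": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
        })
    return {
        "host": host,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return the relative paths whose content no longer matches the manifest
    (modified or missing). An empty list means the evidence is intact."""
    problems = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["path"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["path"])
    return problems


def demo() -> tuple[int, list[str], list[str]]:
    """Constructed scenario: two log files are collected, then one is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        (evidence / "auth.log").write_text(
            "Mar 03 02:14:07 web01 sshd[2231]: Accepted password for svc_backup from 203.0.113.45\n")
        (evidence / "nginx").mkdir()
        (evidence / "nginx" / "access.log").write_text(
            '203.0.113.45 - - [03/Mar/2026:02:15:10 +0000] "GET /admin/export HTTP/1.1" 200 8812\n')
        manifest = build_manifest(evidence, collector="ir-lead", host="web01")
        before = verify_manifest(evidence, manifest)   # intact: []
        # The mistake the text warns about: touching evidence after collection.
        with (evidence / "auth.log").open("a") as fh:
            fh.write("Mar 03 09:00:00 web01 sshd[2300]: Password changed for svc_backup\n")
        after = verify_manifest(evidence, manifest)    # detected: ["auth.log"]
        return len(manifest["files"]), before, after


if __name__ == "__main__":
    print(demo())
```

Store the manifest somewhere the responders cannot overwrite (a write-once share or a separate evidence host), and re-run the verification before handing evidence to forensics, regulators or counsel.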

Assemble your response team. Pull in IT security and legal. Get communications and executive leadership involved too. If you have an incident response plan, activate it now. If you don’t, designate a response lead and start documenting every action from this point forward.

Check employee devices for infostealer malware. This step often gets missed, and it’s one of the most important. If the breach started with stolen credentials from stealer logs, the employee’s device is likely still infected. Resetting their password on a compromised device just gives the attacker the new password.

According to the Verizon 2025 Data Breach Investigations Report, stolen credentials were the initial access vector in 22% of breaches. Many of those credentials came from infostealer malware running on employee devices.

You can use Breachsense to check whether your company’s credentials are already circulating on the dark web or in stealer logs. If they are, you’ll know which accounts to prioritize and which devices to investigate for active infections.

How Do You Assess the Scope of a Data Breach?

Once you’ve contained the immediate threat, you need to figure out what was actually affected. This shapes everything that follows: who you notify and what you remediate.

Data breach remediation is the work you do to fix the vulnerabilities that caused a breach and restore affected systems. It covers patching the entry point and resetting compromised credentials. You’re also hardening your environment so the same attack can’t work again. Remediation starts after containment and runs in parallel with notification.

Run a forensic investigation

Bring in digital forensics experts if you don’t have them in-house. Their job is to answer four questions:

  1. How did the attacker get in? Was it a phished credential or an unpatched vulnerability? A compromised vendor or an infected device?
  2. What systems did they access? Trace their path through your network using access logs and authentication records.
  3. What data did they touch or exfiltrate? Determine whether they viewed or copied sensitive information.
  4. How long were they in your environment? Dwell time tells you how much data exposure you’re dealing with. The average is still months, not days.

Determine the type of data compromised

The type of data stolen shapes your entire response. Credentials require password resets. Personal data triggers notification laws. Financial records bring additional regulatory requirements.

Here’s what to look for based on the attack type:

  • Infostealer malware: Stolen data typically includes saved browser passwords and session cookies. Autofill data and cryptocurrency wallet files are common targets too. The attacker didn’t break into your network directly. They infected an employee’s device and harvested everything the browser had stored.
  • Direct network intrusion: The attacker accessed your internal systems and likely targeted databases and file servers. The scope is usually broader and harder to define.
  • Compromised vendor or supply chain: A third party that either connects to your network or stores your data was breached. You’ll need their cooperation to understand what was exposed.

Once you know the attack vector, you’ll know what to look for and where.

Document everything

Create a timeline of the breach from the earliest known indicator of compromise through discovery and containment. Record every system accessed and every account compromised. This documentation supports your forensic investigation and satisfies regulatory reporting requirements. It also feeds into your lessons-learned review later.
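A worked example of the timeline this step asks for, added here and not part of the original article: it takes log lines from several sources with different timestamp formats, normalizes them to UTC so they can be ordered, and computes dwell time as the gap between the earliest indicator of compromise and the first containment action. The hosts, IPs and log lines are constructed, and the parser assumes syslog hosts log in UTC and that an ISO timestamp without an offset is UTC.

```python
"""Incident timeline from heterogeneous log lines: normalize timestamps to
UTC, order events, and compute dwell time (earliest IoC -> containment).
Added example, not Breachsense's code; the log lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed evidence from several sources, each with its own timestamp format.
RAW_EVENTS = [
    # (source, raw line); syslog lines carry no year, so one is passed to the parser
    ("web01:auth.log", "Mar 03 02:14:07 web01 sshd[2231]: Accepted password for svc_backup from 203.0.113.45"),
    ("fw01", "2026-03-03T02:13:55+00:00 fw01 allow tcp 203.0.113.45:51022 -> 10.0.5.12:22"),
    ("db02:audit", "2026-03-03 02:41:18,512 SELECT * FROM customers dumped by svc_backup (2.1M rows)"),
    ("ir-notes", "2026-03-10T14:05:00-05:00 web01 isolated from network by IR lead"),
    ("edr", "2026-03-10T19:30:00Z svc_backup sessions revoked, laptop LT-0417 reimaged"),
]

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (.*)$")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2})(?:,\d+)?(Z|[+-]\d{2}:\d{2})? (.*)$")


@dataclass(order=True)
class Event:
    when: datetime          # always tz-aware UTC, so sorting across sources is valid
    source: str
    description: str


def parse_event(source: str, line: str, syslog_year: int = 2026) -> Event:
    """Turn one raw line into an Event with a UTC timestamp.
    Assumes syslog hosts log in UTC and that an ISO line with no offset is UTC."""
    if m := SYSLOG_RE.match(line):
        mon, day, hms, rest = m.groups()
        when = datetime.strptime(f"{syslog_year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        return Event(when.replace(tzinfo=timezone.utc), source, rest)
    if m := ISO_RE.match(line):
        stamp, offset, rest = m.groups()
        stamp = stamp.replace(" ", "T")
        if offset in (None, "Z"):
            when = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
        else:
            when = datetime.fromisoformat(stamp + offset).astimezone(timezone.utc)
        return Event(when, source, rest)
    raise ValueError(f"unrecognized timestamp format: {line!r}")


def build_timeline(raw_events) -> list[Event]:
    """Parse every line and order by normalized time, regardless of source."""
    return sorted(parse_event(src, line) for src, line in raw_events)


def dwell_time(timeline: list[Event], containment_marker: str = "isolated") -> timedelta:
    """Earliest indicator of compromise to the first containment action."""
    first = timeline[0].when
    contained = next(e.when for e in timeline if containment_marker in e.description)
    return contained - first


def render(timeline: list[Event]) -> str:
    """One line per event, UTC-stamped, suitable for the incident record."""
    return "\n".join(
        f"{e.when:%Y-%m-%d %H:%M:%SZ}  {e.source:<14} {e.description}" for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    print(render(tl))
    print("dwell time:", dwell_time(tl))
```

The point of forcing everything to UTC is visible in the constructed data: the firewall entry, not the SSH login, is the earliest indicator, and the isolation note written in US Eastern time would sort incorrectly against the EDR entry if the offsets were ignored.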

For a deeper look at how breaches happen, see our guide on data breach causes.

Who Do You Need to Notify After a Data Breach?

Notification is where legal requirements kick in. Get this wrong and the regulatory penalties can exceed the breach costs themselves.

Regulators

Under GDPR Article 33, you must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. That clock starts when you confirm the breach, not when you finish investigating it.

In the US, every state has its own breach notification law with different timelines and definitions of personal information. Some require notification within 30 days. Others give you 60 or 90 days.

Our data breach notification guide covers specific regulatory requirements in detail. Make sure legal counsel is involved from the start.

Affected individuals

Tell people what happened and what data was exposed. Be specific. “Your email address and password were exposed” is useful. “Some of your information may have been accessed” is not.

Your notification should include:

  • What happened and when you discovered it
  • What specific data was exposed (email addresses, passwords, financial information)
  • What you’re doing about it
  • What they should do (change passwords, enable MFA, monitor accounts)
  • How to contact you with questions

The tone matters. People are more forgiving of companies that communicate honestly and quickly than those that minimize the incident or delay notification. Get ahead of the story before it leaks through other channels.

Cyber insurance provider

Notify your insurer immediately. Most policies have strict reporting timelines and require approval before you hire outside forensics or legal firms. Filing late can reduce or void your coverage.

If you don’t have cyber insurance, see our guide on data breach insurance to understand what it covers and whether it makes sense for your company.

Law enforcement

For breaches involving criminal activity, report to the FBI’s IC3 or your local law enforcement equivalent. They may be able to assist with the investigation. Cooperation with law enforcement also looks favorable in regulatory proceedings.

For a full breakdown of compliance obligations, see our data breach compliance guide.

How Do You Recover From a Data Breach?

Recovery is where you fix what broke and rebuild your defenses. This is the most time-consuming phase. IBM’s 2025 report found that 76% of organizations that recovered took more than 100 days.

Reset credentials the right way

Don’t just force password resets across the board. First, make sure the devices those passwords will be entered on are clean. If an employee’s laptop is still infected with infostealer malware, the new password gets stolen immediately.

The sequence matters:

  1. Scan devices for malware and reimage compromised machines
  2. Revoke active sessions and invalidate tokens
  3. Reset passwords on clean devices
  4. Enable MFA on every account that supports it
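The ordering above can be enforced in code rather than left to memory. The example below is added here and is not Breachsense's code: it refuses to reset an account whose device has not been confirmed clean, revokes sessions with a per-account "valid after" cutoff (so tokens issued before the cutoff are rejected without having to enumerate them), then resets the password and flags MFA as required. The device records, the `edr_status` field and the account and token shapes are all assumptions for the demonstration.

```python
"""Ordered credential reset: fail closed on devices not verified clean, revoke
sessions by a per-account cutoff, then reset the password and require MFA.
Added example, not Breachsense's code; the EDR status field, accounts, devices
and tokens are constructed for the demonstration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Device:
    device_id: str
    edr_status: str          # "clean" | "infected" | "unknown" (assumed EDR vocabulary)


@dataclass
class Account:
    username: str
    device: Device
    tokens_valid_after: Optional[datetime] = None   # sessions issued before this are dead
    password_reset_at: Optional[datetime] = None
    mfa_required: bool = False
    audit: list[str] = field(default_factory=list)


@dataclass
class SessionToken:
    username: str
    issued_at: datetime


class UnsafeResetError(Exception):
    """Raised when the sequence would hand the attacker the new password."""


def is_session_valid(token: SessionToken, account: Account, now: datetime) -> bool:
    """A token is live only if it was issued after the last revocation cutoff."""
    if account.tokens_valid_after and token.issued_at < account.tokens_valid_after:
        return False
    return token.issued_at <= now


def revoke_sessions(account: Account, now: datetime) -> None:
    """Step 2: invalidate every token issued up to now with one timestamp,
    which works even when the tokens themselves cannot be enumerated."""
    account.tokens_valid_after = now
    account.audit.append(f"{now.isoformat()} sessions revoked")


def reset_credentials(account: Account, now: datetime) -> None:
    """Steps 1 to 4 in order. Fails closed unless the device is confirmed clean."""
    if account.device.edr_status != "clean":
        raise UnsafeResetError(
            f"{account.username}: device {account.device.device_id} is "
            f"'{account.device.edr_status}', reimage and verify before resetting")
    revoke_sessions(account, now)
    account.password_reset_at = now
    account.audit.append(f"{now.isoformat()} password reset on {account.device.device_id}")
    account.mfa_required = True
    account.audit.append(f"{now.isoformat()} MFA enforced")


def demo() -> dict:
    """Constructed scenario: one account on an infected laptop, one on a clean one."""
    now = datetime(2026, 3, 10, 20, 0, tzinfo=timezone.utc)
    infected = Account("svc_backup", Device("LT-0417", "infected"))
    clean = Account("j.doe", Device("LT-0102", "clean"))
    old_token = SessionToken("j.doe", now - timedelta(hours=6))   # stolen before the reset
    results = {}
    try:
        reset_credentials(infected, now)
        results["infected_reset"] = "allowed"
    except UnsafeResetError:
        results["infected_reset"] = "blocked"
    reset_credentials(clean, now)
    results["old_token_valid"] = is_session_valid(old_token, clean, now)
    new_token = SessionToken("j.doe", now + timedelta(minutes=1))
    results["new_token_valid"] = is_session_valid(new_token, clean, now + timedelta(minutes=2))
    results["audit"] = clean.audit
    return results


if __name__ == "__main__":
    print(demo())
```

The revocation cutoff is the part worth copying: a stolen session cookie from before the reset stays dead no matter how many tokens the attacker captured, while the user's next login works normally.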

Patch the entry point

Whatever vulnerability the attacker exploited to get in needs to be fixed before you bring systems back online. If it was an unpatched server, patch it. If it was a phished credential with no MFA, enforce MFA. If it was a compromised vendor, revoke their access and reassess your third-party risk.

Don’t stop at the specific vulnerability, either. If the attacker got in through an unpatched Apache server, check all your other servers for the same issue. Attackers share techniques, and the same vulnerability that hit you is likely being exploited across thousands of targets.

Restore from clean backups

If the attacker modified or encrypted data, you’ll need clean backups. Verify that your backup images predate the earliest known indicator of compromise. Restoring from a backup taken after the attacker was already in your environment just restores the backdoor along with your data.

Test restored systems in an isolated environment before connecting them to your production network. Confirm they’re clean and patched before going live.

Monitor for ongoing exposure

Breaches don’t end when you close the initial vulnerability. Stolen data circulates on the dark web for months or years. Credentials get sold in bulk and resold repeatedly.

Set up continuous credential monitoring to watch for your company’s data appearing in new leaks and stealer logs. Breachsense monitors dark web marketplaces and infostealer channels in real time, so you can reset exposed credentials before attackers use them.

For longer-term risk reduction strategies, see our guide on data breach mitigation.

How Do You Prevent the Next Data Breach?

Most companies fix the immediate vulnerability and call it done. That’s how repeat breaches happen.

Run a lessons-learned review

Within two weeks of resolving the incident, get your response team together and document what happened. Cover what went well and what went wrong. Focus on what you’d do differently next time. Be honest. The point isn’t blame. It’s improvement.

Key questions to answer:

  • How long did it take to detect the breach? What would have caught it faster?
  • Were roles and responsibilities clear during the response?
  • Did your response plan hold up, or did you improvise most of it?
  • What tools or access did you lack that would have helped?

Update your response plan

Take everything you learned and feed it back into your data breach response plan. Update contact lists and escalation procedures. Revise your communication templates too. If you didn’t have a plan before, now you know exactly why you need one. Use our response checklist to build one.

Then test it. Schedule a tabletop exercise within 90 days where your team walks through a simulated breach scenario using the updated plan. Plans that haven’t been tested fall apart under pressure. The goal is to find gaps while the stakes are low.

Implement continuous monitoring

Most breaches don’t end with a single incident. Once your data is out there, attackers recycle it. The best way to catch re-exposure is automated monitoring that watches for your credentials in new leaks and stealer logs.

Breachsense does this in real time. When your company’s data appears in a new dump, you get an alert so you can act on it immediately.

Check your company’s current exposure to see what’s already out there.

Conclusion

A data breach doesn’t have to be catastrophic. Companies that move fast during the first 48 hours and preserve evidence recover faster and pay less.

The six steps covered above give you a clear path from containment through recovery. Skip any of them and you leave gaps that attackers will exploit again.

The one thing most companies skip? Checking what’s already out there. Your credentials may already be circulating on the dark web from a breach you don’t even know about.

Check your company’s dark web exposure now to find out.

Data Breach FAQ

Isolate the affected systems immediately. Disconnect compromised servers and endpoints from the network to stop the attacker’s access and prevent lateral movement. Don’t reset passwords or wipe anything yet. You need to preserve forensic evidence first. Your response team should document everything from the moment of discovery.

The average time to identify and contain a breach is 241 days according to IBM’s 2025 Cost of a Data Breach Report. Full recovery takes longer. IBM found that 76% of companies that recovered took more than 100 days to do it. The timeline depends on breach scope and whether you had a tested response plan in place.

At minimum: affected individuals and relevant regulators. Your cyber insurance provider needs to know too. GDPR requires notification to supervisory authorities within 72 hours. US state breach notification laws vary but most require notifying affected residents. If the breach involves financial data, you may also need to notify credit bureaus. See our data breach notification guide for detailed requirements.

Start with forensic analysis of affected systems. Review access logs and network traffic to determine what the attacker accessed and exfiltrated. Dark web monitoring can also reveal what stolen data is already circulating. Breachsense monitors stealer logs and dark web sources where compromised data typically surfaces first.

Remediation covers everything from patching the vulnerability that caused the breach to resetting compromised credentials and hardening systems against repeat attacks. It also includes updating your security policies based on what you learned. The goal is to close the gap that was exploited and make sure it can’t happen the same way again.

Start with continuous credential monitoring to catch exposed passwords before attackers use them. Update your response plan based on lessons learned. Run regular penetration tests and patch systems on schedule. Most repeat breaches happen because companies fix the immediate vulnerability but skip the systemic changes.
