Incident Response Checklist: 16-Item Guide for Security Incidents

TL;DR

Stop. Breathe. Follow this checklist in order. 6 critical items must be done immediately to stop ongoing damage, 6 important items help you understand what happened, and 4 recommended items ensure proper communication. Your first priority is containment (stopping ongoing damage), then investigation, then communication. Do not communicate externally until you understand what happened.

Quick Checklist (5 Critical Items)

Rotate compromised credentials immediatelyChange API keys, database passwords, or tokens that may be exposed

Revoke suspicious sessionsInvalidate all user sessions if attacker has active access

Start an incident logRecord time discovered, who discovered, initial symptoms

Preserve logs before they rotateExport application, server, database, and auth logs immediately

Determine attack vectorHow did they get in? Exposed credentials, vulnerability, social engineering?

Immediate Containment 4

Rotate compromised credentials immediatelyChange API keys, database passwords, or tokens that may be exposed. How to rotate API keys

Revoke suspicious sessionsIf attacker has active sessions, invalidate all user sessions if needed. How to revoke sessions

Block malicious IPs or accountsIf you can identify attacker, block their access immediately. How to block malicious access

Consider taking service offlineIf damage is ongoing, temporary downtime may be better than continued breach. How to set up emergency maintenance

Document Everything 4

Start an incident logRecord: time discovered, who discovered, initial symptoms. How to document incidents

Preserve logs before they rotateExport application logs, server logs, database logs, auth logs. How to preserve logs

Screenshot relevant dashboardsCapture current state of monitoring, analytics, error tracking. How to capture incident evidence

Record all actions takenLog every change you make, who made it, and when. How to create an incident timeline

Investigate 4

Determine attack vectorHow did they get in? Exposed credentials, vulnerability, social engineering? How to investigate a breach

Identify scope of accessWhat systems, data, or accounts were accessed or modified? How to assess breach scope

Determine data exposureWhat user data was potentially accessed? Emails, passwords, payment info? How to assess data exposure

Check for persistenceDid attacker create backdoors, new accounts, or scheduled tasks? How to check for backdoors

Communicate 4

Notify internal stakeholdersInform team leads, founders, legal as appropriate. How to communicate internally

Determine notification requirementsCheck GDPR, state laws, contracts for breach notification requirements. How to determine notification requirements

Draft user communicationIf required, prepare honest, clear communication about what happened. How to write a breach notification

Notify affected usersSend notification with: what happened, what data, what you're doing, what they should do. How to notify affected users

After the Incident

Once the immediate crisis is resolved, conduct a post-mortem. Document the root cause, timeline, and lessons learned. Implement changes to prevent similar incidents. Update your security practices based on what you learned.

Consider whether to report to law enforcement. For significant breaches, especially involving payment data or large amounts of personal information, consult legal counsel about reporting requirements.

Should I take my site offline during an incident?

It depends. If the attacker has ongoing access and is actively causing damage, temporary downtime is better than continued breach. If you've contained the incident (rotated credentials, blocked access), you may be able to stay online while investigating.

When do I need to notify users?

Legal requirements vary by jurisdiction. GDPR requires notification within 72 hours for personal data breaches. US state laws vary. If user data (especially passwords, payment info, or sensitive data) was accessed, you should generally notify affected users regardless of legal requirements.

Should I admit fault publicly?

Be honest but measured. Acknowledge what happened without speculation. Focus on what you're doing to fix it and protect users. Avoid blame or excessive apology. Consult legal counsel before making public statements about significant breaches.

TL;DR

Quick Checklist (5 Critical Items)

Immediate Containment 4

Document Everything 4

Investigate 4

Communicate 4

After the Incident

Should I take my site offline during an incident?

When do I need to notify users?

Should I admit fault publicly?

Related Articles

Post-Incident Security Checklist

Cost of Data Breach for Startups

How to Rotate API Keys

Prevent the Next Incident

Incident Response Checklist: 16-Item Guide for Security Incidents