[{"data":1,"prerenderedAt":209},["ShallowReactive",2],{"blog-checklists/incident-response-checklist":3},{"id":4,"title":5,"body":6,"category":189,"date":190,"dateModified":190,"description":191,"draft":192,"extension":193,"faq":194,"featured":192,"headerVariant":195,"image":194,"keywords":194,"meta":196,"navigation":197,"ogDescription":198,"ogTitle":194,"path":199,"readTime":194,"schemaOrg":200,"schemaType":201,"seo":202,"sitemap":203,"stem":204,"tags":205,"twitterCard":207,"__hash__":208},"blog/blog/checklists/incident-response-checklist.md","Incident Response Checklist: 16-Item Guide for Security Incidents",{"type":7,"value":8,"toc":183},"minimark",[9,16,19,22,47,65,82,100,119,124,127,130,152,171],[10,11,12],"tldr",{},[13,14,15],"p",{},"Stop. Breathe. Follow this checklist in order. 6 critical items must be done immediately to stop ongoing damage, 6 important items help you understand what happened, and 4 recommended items ensure proper communication. Your first priority is containment (stopping ongoing damage), then investigation, then communication. Do not communicate externally until you understand what happened.",[13,17,18],{},"If you are reading this mid-incident, you are already doing the right thing by looking for a structured process instead of panicking. The biggest mistakes happen when people rush to fix things without understanding the full picture first. 
Print this out, work through it top to bottom, and resist the urge to skip ahead to communication before containment is done.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Change API keys, database passwords, or tokens that may be exposed","Rotate compromised credentials immediately",[27,32],{"description":33,"label":34},"Invalidate all user sessions if the attacker has active access","Revoke suspicious sessions",[27,36],{"description":37,"label":38},"Record time discovered, who discovered it, and initial symptoms","Start an incident log",[27,40],{"description":41,"label":42},"Export application, server, database, and auth logs immediately","Preserve logs before they rotate",[27,44],{"description":45,"label":46},"How did they get in? Exposed credentials, vulnerability, social engineering?","Determine attack vector",[23,48,51,54,57,61],{"title":49,"count":50},"Immediate Containment","4",[27,52],{"description":53,"label":30},"Change API keys, database passwords, or tokens that may be exposed. How to rotate API keys",[27,55],{"description":56,"label":34},"If the attacker has active sessions, invalidate all user sessions as needed. How to revoke sessions",[27,58],{"description":59,"label":60},"If you can identify the attacker, block their access immediately. How to block malicious access","Block malicious IPs or accounts",[27,62],{"description":63,"label":64},"If damage is ongoing, temporary downtime may be better than a continued breach. How to set up emergency maintenance","Consider taking service offline",[23,66,68,71,74,78],{"title":67,"count":50},"Document Everything",[27,69],{"description":70,"label":38},"Record: time discovered, who discovered it, and initial symptoms. How to document incidents",[27,72],{"description":73,"label":42},"Export application logs, server logs, database logs, and auth logs. 
How to preserve logs",[27,75],{"description":76,"label":77},"Capture the current state of monitoring, analytics, and error tracking. How to capture incident evidence","Screenshot relevant dashboards",[27,79],{"description":80,"label":81},"Log every change you make, who made it, and when. How to create an incident timeline","Record all actions taken",[23,83,85,88,92,96],{"title":84,"count":50},"Investigate",[27,86],{"description":87,"label":46},"How did they get in? Exposed credentials, vulnerability, social engineering? How to investigate a breach",[27,89],{"description":90,"label":91},"What systems, data, or accounts were accessed or modified? How to assess breach scope","Identify scope of access",[27,93],{"description":94,"label":95},"What user data was potentially accessed? Emails, passwords, payment info? How to assess data exposure","Determine data exposure",[27,97],{"description":98,"label":99},"Did the attacker create backdoors, new accounts, or scheduled tasks? How to check for backdoors","Check for persistence",[23,101,103,107,111,115],{"title":102,"count":50},"Communicate",[27,104],{"description":105,"label":106},"Inform team leads, founders, and legal as appropriate. How to communicate internally","Notify internal stakeholders",[27,108],{"description":109,"label":110},"Check GDPR, state laws, and contracts for breach notification requirements. How to determine notification requirements","Determine notification requirements",[27,112],{"description":113,"label":114},"If required, prepare honest, clear communication about what happened. How to write a breach notification","Draft user communication",[27,116],{"description":117,"label":118},"Send a notification covering: what happened, what data was affected, what you're doing, and what they should do. How to notify affected users","Notify affected users",[120,121,123],"h2",{"id":122},"after-the-incident","After the Incident",[13,125,126],{},"Once the immediate crisis is resolved, conduct a post-mortem. 
Document the root cause, timeline, and lessons learned. Implement changes to prevent similar incidents. Update your security practices based on what you learned.",[13,128,129],{},"Consider whether to report to law enforcement. For significant breaches, especially involving payment data or large amounts of personal information, consult legal counsel about reporting requirements.",[131,132,133,140,146],"faq-section",{},[134,135,137],"faq-item",{"question":136},"Should I take my site offline during an incident?",[13,138,139],{},"It depends. If the attacker has ongoing access and is actively causing damage, temporary downtime is better than continued breach. If you've contained the incident (rotated credentials, blocked access), you may be able to stay online while investigating.",[134,141,143],{"question":142},"When do I need to notify users?",[13,144,145],{},"Legal requirements vary by jurisdiction. GDPR requires notification within 72 hours for personal data breaches. US state laws vary. If user data (especially passwords, payment info, or sensitive data) was accessed, you should generally notify affected users regardless of legal requirements.",[134,147,149],{"question":148},"Should I admit fault publicly?",[13,150,151],{},"Be honest but measured. Acknowledge what happened without speculation. Focus on what you're doing to fix it and protect users. Avoid blame or excessive apology. 
Consult legal counsel before making public statements about significant breaches.",[153,154,155,161,166],"related-articles",{},[156,157],"related-card",{"description":158,"href":159,"title":160},"Recovery and improvement after an incident","/blog/checklists/post-incident-checklist","Post-Incident Security Checklist",[156,162],{"description":163,"href":164,"title":165},"Understanding the financial impact","/blog/costs/data-breach-startup","Cost of Data Breach for Startups",[156,167],{"description":168,"href":169,"title":170},"Step-by-step credential rotation guide","/blog/how-to/rotate-api-keys","How to Rotate API Keys",[172,173,176,180],"cta-box",{"href":174,"label":175},"/","Start Free Scan",[120,177,179],{"id":178},"prevent-the-next-incident","Prevent the Next Incident",[13,181,182],{},"Regular security scanning catches vulnerabilities before attackers do.",{"title":184,"searchDepth":185,"depth":185,"links":186},"",2,[187,188],{"id":122,"depth":185,"text":123},{"id":178,"depth":185,"text":179},"checklists","2026-01-29","Step-by-step incident response checklist. What to do when you discover a security incident: contain, investigate, remediate, and communicate.",false,"md",null,"green",{},true,"Step-by-step guide for handling security incidents.","/blog/checklists/incident-response-checklist","[object Object]","HowTo",{"title":5,"description":191},{"loc":199},"blog/checklists/incident-response-checklist",[206],"Emergency Checklist","summary_large_image","CvM7xvwznwjbiDUeF6aVONU_kPYee7uogWI4Eu2X514",1775843931067]