In 2023, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to an IT help desk. The threat actor impersonated an employee, convinced a technician to reset credentials, and within hours had deployed ransomware across critical systems. Slot machines went dark. Hotel check-ins reverted to pen and paper. The entire operation ground to a halt for days.

Knowing how to respond to a cyberattack is the difference between a contained incident and a catastrophic business failure. I've worked incident response cases where organizations with a solid plan recovered in hours. I've also seen organizations without one lose weeks, millions of dollars, and their customers' trust — permanently.

This guide gives you the exact steps to take before, during, and after a cyber incident. It's built on real-world response frameworks and the mistakes I've seen teams make under pressure.

Why Most Organizations Fail Their First Real Incident

Here's what actually happens when an organization gets hit without a plan: panic. Someone notices something strange — encrypted files, a ransom note, a flood of failed login attempts — and the wrong chain of events kicks off.

People start unplugging machines at random. Someone calls their personal IT friend for advice. The CEO sends an all-hands email from a potentially compromised account. Evidence gets destroyed. The attacker, who may still have active access, watches the chaos unfold.

The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — whether through social engineering, credential theft, or simple error. In other words, the attack almost always succeeds because someone on your team makes a decision without the right information or training.

That's why response readiness isn't just a technical problem. It's an organizational one.

Step 1: Activate Your Incident Response Plan

If you don't have a written incident response plan, stop reading this article and go create one. Seriously. CISA provides an excellent incident response planning guide that gives you a workable starting template.

Your plan should designate an incident commander — one person with authority to make decisions. It should list who gets notified, in what order, through what communication channel. It should define severity levels so a phishing email doesn't trigger the same response as an active ransomware deployment.

The First 15 Minutes Matter Most

In my experience, the decisions made in the first 15 minutes of discovering an incident determine the trajectory of the entire response. Here's what your team should do immediately:

  • Confirm the incident is real. Not every alert is a breach. Triage quickly — is this a false positive, a minor event, or a confirmed compromise?
  • Notify the incident commander. One throat to choke, one person coordinating. No freelancing.
  • Switch to out-of-band communications. If your email or Slack is compromised, you need a backup channel. I recommend a pre-established Signal group or a phone tree. Never discuss your response on a system the attacker may control.
  • Begin documenting everything. Timestamps, screenshots, who did what. This log becomes critical for forensics, legal, and insurance claims later.

Step 2: Contain the Threat Without Destroying Evidence

Containment is where I see the most costly mistakes. The instinct to "just shut everything down" is strong, but it's often wrong.

Powering off a machine can destroy volatile memory — RAM contents that might tell your forensics team exactly what malware is running, what credentials were stolen, and what the threat actor accessed. Instead, isolate the affected systems from the network. Disconnect the Ethernet cable. Disable the Wi-Fi adapter. But keep the machine powered on unless your forensics team says otherwise.

Short-Term vs. Long-Term Containment

Short-term containment stops the bleeding. You're segmenting compromised systems, blocking known malicious IPs, disabling compromised user accounts, and revoking stolen credentials.

Long-term containment prepares you for recovery. This means standing up clean systems in parallel, patching the vulnerability that was exploited, resetting all passwords (not just the compromised ones), and enforcing multi-factor authentication across every account that doesn't already have it.

If the attacker used credential theft to move laterally — and they almost certainly did — assume every account that touched a compromised system is burned.

Step 3: Eradicate the Threat Completely

Containment stops the spread. Eradication removes the attacker's presence entirely. These are not the same thing, and confusing them is how organizations get hit twice.

Eradication means identifying every backdoor, every persistence mechanism, every compromised account. Threat actors rarely use a single entry point. If they got in through a phishing email that delivered malware, they likely also dumped credentials, created new admin accounts, and planted secondary access methods.

This is where professional forensics help earns its fee. If your organization doesn't have an in-house digital forensics team — and most don't — engage a reputable incident response firm. Your cyber insurance carrier usually has a pre-approved list.

What to Look For During Eradication

  • New or modified user accounts, especially with elevated privileges
  • Scheduled tasks or cron jobs that weren't there before
  • Unauthorized remote access tools (AnyDesk, TeamViewer, Cobalt Strike beacons)
  • Modified firewall rules or security group policies
  • Data staged for exfiltration in unusual directories
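The list above is easiest to work through as a baseline comparison: collect the same inventory from a known-good image and from the suspect host, then diff the two. The script below is an added example, not code from the original article or from any forensics product; its Snapshot layout, the remote-access tool names, the scratch-directory list and the sample host data are all constructed for illustration. It generalises the checklist into one function that covers every bullet except Cobalt Strike beacons, which need memory and network analysis rather than a name match.

```python
"""Eradication sweep: diff a known-good host baseline against a current
snapshot and report new or modified accounts, new scheduled jobs, unexpected
remote access tools, changed firewall rules and archives staged in scratch
directories.

Added example, not code from the original article. The Snapshot layout, the
tool and directory lists and all sample data are constructed; a real collector
would populate Snapshot from the host (user database, task scheduler or cron,
process list, firewall export, filesystem walk).
"""
from __future__ import annotations
from dataclasses import dataclass

# Remote access tooling to flag when it appears after the baseline (assumed list).
REMOTE_ACCESS_TOOLS = ("anydesk", "teamviewer", "screenconnect", "atera")
# Scratch locations where large archives rarely belong on a server (assumed list).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "C:\\Windows\\Temp\\", "C:\\Users\\Public\\")
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".tar.gz")
STAGING_THRESHOLD = 500 * 1024 * 1024  # 500 MiB


@dataclass
class Snapshot:
    accounts: dict[str, dict]           # user -> {"admin": bool, "pw_changed": "YYYY-MM-DD"}
    scheduled_jobs: dict[str, str]      # job name -> command line
    processes: set[str]                 # running executable names, lower-case
    firewall_rules: dict[str, str]      # rule name -> rule text
    large_files: list[tuple[str, int]]  # (path, size in bytes)


def compare(baseline: Snapshot, current: Snapshot) -> list[str]:
    """Return one finding per deviation from the baseline, tagged by severity."""
    findings: list[str] = []

    # Accounts: created, promoted, or password rotated outside the response window.
    for user, attrs in current.accounts.items():
        base = baseline.accounts.get(user)
        if base is None:
            sev = "HIGH" if attrs.get("admin") else "MEDIUM"
            findings.append(f"[{sev}] new account {user} (admin={attrs.get('admin')})")
        elif attrs.get("admin") and not base.get("admin"):
            findings.append(f"[HIGH] {user} gained admin rights")
        elif attrs.get("pw_changed") != base.get("pw_changed"):
            findings.append(f"[MEDIUM] password changed on {user} ({attrs.get('pw_changed')})")

    # Persistence: scheduled tasks / cron jobs that are new or run a changed command.
    for job, cmd in current.scheduled_jobs.items():
        if job not in baseline.scheduled_jobs:
            findings.append(f"[HIGH] new scheduled job {job}: {cmd}")
        elif baseline.scheduled_jobs[job] != cmd:
            findings.append(f"[HIGH] scheduled job {job} now runs: {cmd}")

    # Remote access tools that were not running at baseline time.
    for proc in sorted(current.processes - baseline.processes):
        if any(tool in proc for tool in REMOTE_ACCESS_TOOLS):
            findings.append(f"[HIGH] remote access tool running: {proc}")

    # Firewall / security-group drift.
    for rule, text in current.firewall_rules.items():
        if rule not in baseline.firewall_rules:
            findings.append(f"[HIGH] new firewall rule {rule}: {text}")
        elif baseline.firewall_rules[rule] != text:
            findings.append(f"[HIGH] firewall rule {rule} changed to: {text}")

    # Data staged for exfiltration: big archives sitting in scratch directories.
    for path, size in current.large_files:
        if (size >= STAGING_THRESHOLD and path.startswith(STAGING_DIRS)
                and path.lower().endswith(ARCHIVE_EXTS)):
            findings.append(f"[HIGH] possible exfil staging: {path} ({size // 2**20} MiB)")
    return findings


def demo() -> list[str]:
    """Constructed baseline and post-incident snapshot for one host."""
    baseline = Snapshot(
        accounts={"alice": {"admin": True, "pw_changed": "2024-01-10"},
                  "svc_backup": {"admin": False, "pw_changed": "2023-11-02"}},
        scheduled_jobs={"nightly-backup": "/opt/backup/run.sh"},
        processes={"sshd", "nginx", "postgres"},
        firewall_rules={"allow-https": "ALLOW tcp/443 from any"},
        large_files=[],
    )
    current = Snapshot(
        accounts={"alice": {"admin": True, "pw_changed": "2024-01-10"},
                  "svc_backup": {"admin": True, "pw_changed": "2023-11-02"},   # promoted
                  "support_tmp": {"admin": True, "pw_changed": "2024-06-01"}},  # created
        scheduled_jobs={"nightly-backup": "/opt/backup/run.sh",
                        "updater": "/var/tmp/.cache/update.sh"},              # new persistence
        processes={"sshd", "nginx", "postgres", "anydesk"},
        firewall_rules={"allow-https": "ALLOW tcp/443 from any",
                        "mgmt-rdp": "ALLOW tcp/3389 from any"},
        large_files=[("/var/tmp/archive.zip", 5 * 2**30),          # staged archive
                     ("/var/lib/postgresql/base.tar", 2 * 2**30)],  # legitimate location
    )
    return compare(baseline, current)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the constructed data it reports six findings: the promoted service account, the new admin account, the new scheduled job, the AnyDesk process, the new RDP firewall rule and the archive in /var/tmp; the database file in its normal location is not flagged. The point of the baseline approach is that anything not explained by the known-good state needs an owner before the host is declared clean.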

How to Respond to a Cyberattack: The Communication Playbook

Technical response is half the battle. Communication is the other half, and it's where reputations are made or destroyed.

Internal Communication

Your employees need to know what happened, what's being done, and what they should do right now. Keep it simple. Tell them which systems are offline, whether they should change passwords, and who to contact if they see something suspicious.

I've seen incidents where employees — trying to be helpful — started forwarding the ransom note to colleagues, clicking links in it, or posting screenshots on social media. Clear internal communication prevents this.

External Communication

Depending on the nature of the breach, you may have legal obligations to notify affected individuals, regulators, or law enforcement. In the United States, all 50 states have data breach notification laws with varying timelines — some as short as 30 days.

Report the incident to the FBI's Internet Crime Complaint Center (IC3). This isn't just a formality. FBI IC3 data helps law enforcement track threat actor groups, and in some ransomware cases, the FBI has been able to provide decryption keys or assist with recovery.

Get legal counsel involved before making any public statement. What you say — and when you say it — has legal, regulatory, and financial consequences.

Step 4: Recover and Restore Operations

Recovery isn't flipping a switch. It's a methodical process of bringing systems back online in priority order, verifying their integrity, and monitoring aggressively for any sign the attacker retained access.

Recovery Priority Order

  • Identity systems first. Active Directory, SSO providers, MFA infrastructure. If your identity layer is compromised, nothing else is trustworthy.
  • Communication systems second. Email, messaging, VoIP. Your team needs to coordinate.
  • Business-critical applications third. Revenue-generating systems, customer-facing platforms.
  • Everything else last. Internal tools, development environments, non-essential services.

Restore from known-good backups. If you're restoring from backups and you're not sure when the compromise began, you risk reintroducing the attacker's tools. Work with your forensics team to establish a clean restoration point.

Adopt a Zero Trust Posture During Recovery

During recovery, treat every system and every user as potentially compromised until verified. This is the zero trust principle in its purest application. Verify explicitly. Grant least-privilege access. Assume breach until proven otherwise.

Monitor everything. Increase logging levels. Watch for anomalous authentication patterns, unusual data transfers, and new processes on restored systems. The days and weeks after initial recovery are when a sophisticated threat actor will attempt to re-establish access.
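What "watch for anomalous authentication patterns" looks like in practice is a small rule set run continuously over the authentication stream during the recovery window. The monitor below is an added example, not code from the original article; its one-line log format, field names and sample events are constructed, and the disabled-account and known user/host lists stand in for what the response team would export from containment and from pre-incident logs. It covers the failed-login flood mentioned earlier in the article, a success from a source that just produced such a flood, any logon attempt by an account that was disabled during containment, and user/host pairs never seen before the incident.

```python
"""Post-recovery authentication monitor over a constructed auth log.

Added example, not code from the original article. The log format, field
names and sample events are constructed; adapt parse() to the real source
(Windows 4624/4625 events, sshd logs, IdP sign-in logs). Four rules:
  1. N or more failed logons from one source inside a sliding window
  2. a successful logon from a source that already tripped rule 1
  3. any logon attempt by an account disabled during containment
  4. a successful logon for a user/host pair not seen before the incident
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line: str) -> dict | None:
    """Parse one constructed log line; return None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(lines, disabled_accounts: set[str], known_pairs: set[tuple[str, str]],
            fail_threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list[str]:
    """Return one alert string per rule hit, in log order."""
    alerts: list[str] = []
    recent_fails: dict[str, deque] = defaultdict(deque)  # src -> timestamps of recent failures
    burst_sources: set[str] = set()                      # sources that already tripped rule 1
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, host, user, src, result = ev["ts"], ev["host"], ev["user"], ev["src"], ev["result"]
        stamp = f"{ts:%H:%M:%S}"

        # Rule 3: a disabled account must never authenticate, or even try.
        if user in disabled_accounts:
            alerts.append(f"{stamp} disabled account {user} attempted logon to {host} from {src} ({result})")

        if result == "FAIL":
            q = recent_fails[src]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= fail_threshold and src not in burst_sources:   # rule 1, once per source
                burst_sources.add(src)
                alerts.append(f"{stamp} {len(q)} failed logons from {src} within {int(window.total_seconds())}s")
            continue

        # Successful logon: rules 2 and 4.
        if src in burst_sources:
            alerts.append(f"{stamp} success for {user} from {src} after a failed-logon burst")
        if (user, host) not in known_pairs:
            alerts.append(f"{stamp} first-seen pair: {user} on {host} from {src}")
    return alerts


# Constructed sample: a password spray against the VPN that ends in a success,
# then a containment-disabled account logging on to a domain controller.
SAMPLE_LOG = """\
2024-06-01T02:14:03Z host=web01 user=alice src=10.0.5.7 result=OK
2024-06-01T02:15:00Z host=vpn01 user=bob src=203.0.113.9 result=FAIL
2024-06-01T02:15:10Z host=vpn01 user=carol src=203.0.113.9 result=FAIL
2024-06-01T02:15:20Z host=vpn01 user=dave src=203.0.113.9 result=FAIL
2024-06-01T02:15:30Z host=vpn01 user=erin src=203.0.113.9 result=FAIL
2024-06-01T02:15:40Z host=vpn01 user=frank src=203.0.113.9 result=FAIL
2024-06-01T02:15:55Z host=vpn01 user=frank src=203.0.113.9 result=OK
this line is not an auth event and is skipped
2024-06-01T02:20:00Z host=dc01 user=support_tmp src=10.0.5.7 result=OK
"""


def demo() -> list[str]:
    disabled = {"support_tmp"}                                          # burned during containment
    known = {("alice", "web01"), ("frank", "vpn01"), ("bob", "vpn01")}  # from pre-incident logs
    return analyze(SAMPLE_LOG.splitlines(), disabled, known)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On the sample it raises four alerts: the burst at the fifth failure, the success for frank from the same source fifteen seconds later, and two for the support_tmp logon (disabled account, and a user/host pair with no history). The first-seen rule is noisy in a normal environment but is exactly what you want during the weeks after recovery, when every new relationship between an account and a host should have a ticket behind it.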

Step 5: Learn From It — The After-Action Review

Every incident is a lesson. The organizations that get stronger after an attack are the ones that run an honest, blame-free after-action review within two weeks of recovery.

Document what happened, when it happened, how it was detected, how long detection took, what worked in the response, and what didn't. Be specific. "Communication was slow" isn't useful. "It took 47 minutes to reach the incident commander because the phone tree was outdated" gives you something to fix.

Questions Your After-Action Review Must Answer

  • How did the attacker gain initial access?
  • How long were they in the environment before detection (dwell time)?
  • What security controls failed, and why?
  • Did employees recognize and report the attack, or was it found by automated tools?
  • Were backups available and clean?
  • Did the incident response plan work as written?

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. But here's the number that should keep you up at night: organizations with an incident response team and a tested plan saved an average of $2.66 million per breach compared to those without.

That's not a rounding error. That's the difference between survival and shutdown for many mid-sized businesses.

The single most effective way to reduce your risk isn't buying another tool. It's preparing your people. Security awareness training — done well — turns your workforce from your biggest vulnerability into your first line of detection.

I've built a cybersecurity awareness training course specifically designed to give your team the knowledge they need to recognize threats before they become incidents. And because phishing remains the number one initial attack vector, I also offer dedicated phishing awareness training for organizations that covers real-world phishing simulation tactics, credential theft techniques, and how to report suspicious messages effectively.

What Is the First Thing You Should Do During a Cyberattack?

The first thing you should do when you suspect a cyberattack is confirm the incident and notify your designated incident commander. Do not attempt to remediate on your own, do not shut down systems without guidance, and do not communicate over potentially compromised channels. Activate your incident response plan, switch to out-of-band communications, and begin documenting everything with timestamps. Speed matters, but controlled speed matters more.

Build Your Response Muscle Before You Need It

Knowing how to respond to a cyberattack on paper isn't enough. You need to practice. Run tabletop exercises quarterly. Simulate a ransomware scenario and walk your leadership team through the decisions they'd face. Test your backups by actually restoring from them — not just checking that the backup job completed.

Conduct phishing simulations monthly. Measure who clicks, who reports, and how fast. Track improvement over time. The organizations I've seen handle incidents best are the ones that treat security awareness as an ongoing discipline, not an annual compliance checkbox.

Your next incident isn't a matter of if. It's a matter of when. The question is whether your team will respond with a plan or with panic. That choice is yours to make right now.