In May 2023, the City of Dallas got hit with Royal ransomware. Police dispatch systems went down. Court services froze. Municipal operations ground to a halt for weeks. The city ultimately spent over $8.5 million on recovery. And here's the part that stings: Dallas had cybersecurity staff and budgets most organizations would envy. The difference between a bad day and a catastrophe isn't whether you get attacked — it's how you respond when the attack lands.
I've walked organizations through incident response more times than I'd like to count. The ones that recover quickly all share one trait: they had a plan before they needed one. The ones that spiral? They were googling "what to do after a hack" while their network burned. This post is the guide I wish every organization had pinned to their wall before the worst day arrives.
Why Your First 60 Minutes Decide Everything
The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — phishing, social engineering, credential theft, or simple mistakes. That means most attacks don't start with some exotic zero-day. They start with someone clicking something they shouldn't have.
Once a threat actor gains initial access, the clock starts. IBM's 2024 Cost of a Data Breach Report pegged the global average breach cost at $4.88 million. But organizations that contained a breach in under 200 days saved over $1 million compared to those that took longer. Your first actions directly impact your financial exposure.
The window between detection and containment is where fortunes are won or lost. Let's break down exactly what to do.
Step 1: Detect and Confirm the Incident
Before you respond, you need to confirm you're actually under attack and not chasing a false alarm. This sounds obvious. In practice, it's where many teams stumble.
Indicators You Shouldn't Ignore
- Unusual outbound network traffic, especially to unfamiliar IP addresses or countries
- Employees reporting phishing emails or suspicious login prompts
- Unexpected account lockouts or multi-factor authentication requests nobody initiated
- Files being encrypted or renamed with unfamiliar extensions
- Security tools generating alerts about lateral movement or privilege escalation
- New admin accounts appearing that nobody created
If multiple indicators line up, treat it as a confirmed incident. Don't wait for perfection. In my experience, organizations that wait for absolute certainty before acting lose critical containment time.
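To make "multiple indicators line up" concrete, here is an added example (my own illustration, not code from the original post) that runs simple correlation rules for the indicators listed above over a handful of constructed log lines. The key=value log format, the host names, the internal address ranges and every threshold are assumptions chosen for the demo; the point is that no single rule declares an incident, but several distinct indicator types firing in a short window does.

```python
"""Correlate the indicators listed above over a few constructed log lines.

Added example, not code from the original post. The key=value log format,
the host names, the internal address ranges and the thresholds are all
assumptions made for illustration; adapt them to your own telemetry.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events (one per line), roughly in the order an
# intrusion that started with a credential phish would produce them.
SAMPLE_LOGS = """\
2025-03-02T01:12:05 host=ws-17 evt=auth user=jdoe result=LOCKOUT src=10.0.5.23
2025-03-02T01:12:40 host=ws-17 evt=auth user=jdoe result=LOCKOUT src=10.0.5.23
2025-03-02T01:13:10 host=ws-17 evt=mfa user=jdoe action=PUSH_SENT initiated_by=unknown
2025-03-02T01:14:02 host=fs-01 evt=file op=RENAME path=/srv/share/q1.xlsx new=/srv/share/q1.xlsx.l0cked
2025-03-02T01:14:03 host=fs-01 evt=file op=RENAME path=/srv/share/q2.xlsx new=/srv/share/q2.xlsx.l0cked
2025-03-02T01:15:30 host=dc-01 evt=account action=CREATE user=svc_backup2 group=DomainAdmins actor=jdoe
2025-03-02T01:16:11 host=ws-17 evt=net dir=OUT dst=203.0.113.77 port=443 bytes=4200000
2025-03-02T01:20:00 host=ws-03 evt=net dir=OUT dst=10.0.1.5 port=445 bytes=1200
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "txt", "log", "csv"}  # assumed allowlist
EGRESS_BYTES_THRESHOLD = 1_000_000   # assumed: flag >= 1 MB to an external address
LOCKOUT_THRESHOLD = 2                # assumed: repeated lockouts for one user
RENAME_THRESHOLD = 2                 # assumed: renames to unknown extensions
CONFIRM_THRESHOLD = 3                # distinct indicator types before "confirmed"


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict; the first field is the timestamp."""
    fields = line.split()
    event = {"ts": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def is_external(ip):
    """True when the address is outside every internal range we know about."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(log_text):
    """Return which indicator types fired (and on which hosts) and whether
    enough distinct types lined up to treat the activity as a confirmed incident."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    indicators = defaultdict(set)   # indicator name -> hosts it was seen on
    lockouts = Counter()            # user -> lockout count
    unknown_ext_renames = 0

    for e in events:
        kind, host = e.get("evt"), e.get("host", "?")
        if kind == "auth" and e.get("result") == "LOCKOUT":
            lockouts[e.get("user")] += 1
            if lockouts[e.get("user")] >= LOCKOUT_THRESHOLD:
                indicators["repeated_lockouts"].add(host)
        elif kind == "mfa" and e.get("initiated_by") == "unknown":
            indicators["unsolicited_mfa"].add(host)
        elif kind == "file" and e.get("op") == "RENAME":
            ext = e.get("new", "").rsplit(".", 1)[-1].lower()
            if ext not in KNOWN_EXTENSIONS:
                unknown_ext_renames += 1
                if unknown_ext_renames >= RENAME_THRESHOLD:
                    indicators["mass_rename_unknown_ext"].add(host)
        elif kind == "account" and e.get("action") == "CREATE" and "admin" in e.get("group", "").lower():
            indicators["new_admin_account"].add(host)
        elif kind == "net" and e.get("dir") == "OUT":
            if is_external(e.get("dst", "0.0.0.0")) and int(e.get("bytes", 0)) >= EGRESS_BYTES_THRESHOLD:
                indicators["large_external_egress"].add(host)

    return {
        "indicators": {name: sorted(hosts) for name, hosts in sorted(indicators.items())},
        "confirmed": len(indicators) >= CONFIRM_THRESHOLD,
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_LOGS)
    for name, hosts in result["indicators"].items():
        print(f"{name:28s} hosts={', '.join(hosts)}")
    print("confirmed incident:", result["confirmed"])
```

Run against the sample, five of the six indicator types fire (the 445 connection from ws-03 stays internal and is ignored), so the incident is marked confirmed; a log containing only that last line produces no indicators at all. The host list per indicator is what your team reaches for first when deciding what to isolate in the containment step.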
Activate Your Incident Response Team
Every organization needs a designated incident response team — even if it's just three people with defined roles. At minimum, you need someone from IT, someone from leadership with decision-making authority, and someone who handles communications. If you have legal counsel, loop them in immediately. Attorney-client privilege can protect sensitive forensic findings later.
Step 2: Contain the Threat
Containment is about stopping the bleeding. You're not trying to fix everything yet. You're trying to prevent the attack from spreading further.
Short-Term Containment
- Isolate affected systems. Disconnect compromised machines from the network. Don't power them off — you may destroy forensic evidence in memory.
- Disable compromised accounts. If credential theft is involved, reset passwords and revoke active sessions for affected accounts immediately.
- Block malicious IPs and domains. Use your firewall and DNS filtering to cut off communication with the attacker's infrastructure.
- Segment your network. If you haven't already, isolate critical systems from the compromised segment.
Long-Term Containment
Once you've stopped the immediate spread, build a clean environment to operate from. This might mean standing up temporary systems, applying emergency patches, or moving operations to a backup environment. The goal is to keep business running while you investigate.
This is also where a zero trust approach pays dividends. Organizations that already enforce least-privilege access and network segmentation contain threats faster because the blast radius is naturally smaller.
Step 3: Eradicate the Root Cause
Containment without eradication is just a temporary bandage. You need to find how the attacker got in and eliminate that pathway completely.
Common Root Causes I've Seen
- A phishing email that harvested credentials — the employee had no security awareness training
- An unpatched VPN appliance with a known exploit
- A third-party vendor with excessive access permissions
- Reused passwords exposed in a previous data breach
- A misconfigured cloud storage bucket left open to the internet
Run a full scan of all systems with updated signatures. Review logs to trace the attacker's path from initial access through every system they touched. Remove any malware, backdoors, or persistence mechanisms. If the attacker created accounts, delete them. If they modified configurations, restore them.
If you lack internal forensic capability, this is the time to bring in a qualified incident response firm. CISA maintains resources for organizations that need help through their incident reporting and response page.
Step 4: Recover and Restore Operations
Recovery means bringing systems back online in a controlled, verified manner. Rushing this step is how organizations get hit twice.
Recovery Priorities
- Restore from clean, verified backups. If you can't verify backup integrity, treat them as potentially compromised.
- Rebuild rather than repair when possible. A freshly imaged system is more trustworthy than one you've tried to clean.
- Enforce multi-factor authentication across all accounts before granting access to restored systems.
- Monitor restored systems closely for at least 30 days. Threat actors often leave multiple backdoors.
- Prioritize critical business functions first. Know your recovery time objectives.
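"Clean, verified backups" only means something if you recorded what clean looked like before the incident. The following is an added example (mine, not the author's or any vendor's tooling) of the minimum: a SHA-256 manifest of the backup set, signed with an HMAC so the manifest itself cannot be quietly rewritten, and a verifier that reports modified, missing and unexpected files. The file names, contents and key are constructed for the demo; the real key and manifest must be kept offline or on write-once storage, out of reach of whoever encrypted your systems.

```python
"""Verify a backup set against a manifest recorded when the backup was taken.

Added example, not from the original post. The file names, contents and the
signing key are constructed for the demo; in practice the manifest and its
HMAC key live somewhere the attacker cannot reach (offline or write-once
storage), otherwise whoever encrypted the backups can rewrite the manifest too.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_KEY = b"constructed-demo-key-keep-the-real-one-offline"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large backup archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest, key):
    """HMAC over a canonical JSON encoding, so reordering keys cannot forge it."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, key, tag):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_backup(root, manifest):
    """Compare the backup on disk with the manifest; anything modified, missing
    or unexpected means the set cannot be called clean."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, recorded in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != recorded:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    report["trustworthy"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo():
    """Build a tiny backup, record its manifest, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "db.sql").write_bytes(b"CREATE TABLE users (id INT);\n")
        (backup / "config.yaml").write_bytes(b"mode: prod\n")
        (backup / "notes.txt").write_bytes(b"baseline\n")

        manifest = build_manifest(backup)
        tag = sign_manifest(manifest, MANIFEST_KEY)
        clean = verify_backup(backup, manifest)

        # Simulated post-backup tampering: one file changed, one removed, one added.
        (backup / "config.yaml").write_bytes(b"mode: prod\nallow_all: true\n")
        (backup / "notes.txt").unlink()
        (backup / "extra.bin").write_bytes(b"not part of the original set")

        # A manifest that has itself been edited must fail the HMAC check.
        forged = dict(manifest)
        forged["config.yaml"] = sha256_file(backup / "config.yaml")
        return {
            "clean": clean,
            "tampered": verify_backup(backup, manifest),
            "manifest_authentic": manifest_is_authentic(manifest, MANIFEST_KEY, tag),
            "forged_manifest_authentic": manifest_is_authentic(forged, MANIFEST_KEY, tag),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is the separate signature: a hash list stored beside the backups tells you the files match the list, but not that the list is the one you wrote. The HMAC closes that gap, and `hmac.compare_digest` avoids leaking where the comparison diverged. Anything short of `"trustworthy": true` means the restore is a rebuild from an untrusted source, not a recovery.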
For ransomware incidents specifically, the FBI strongly advises against paying the ransom. Payment doesn't guarantee data recovery and directly funds criminal operations. Report ransomware incidents to the FBI's Internet Crime Complaint Center (IC3).
How to Respond to a Cyberattack: The Quick-Reference Checklist
If you're searching for a concise answer, here it is. Knowing how to respond to a cyberattack comes down to six actions in order:
- Detect and confirm the incident using network alerts, user reports, and system anomalies.
- Activate your incident response team and notify leadership and legal counsel.
- Contain the threat by isolating systems, disabling accounts, and blocking attacker infrastructure.
- Eradicate the root cause — remove malware, close the entry point, eliminate backdoors.
- Recover operations from clean backups with enhanced monitoring and enforced MFA.
- Document everything and conduct a post-incident review within two weeks.
Print this. Post it in your server room. Share it with your leadership team. When the adrenaline hits, simple checklists save organizations.
Step 5: Communicate — Internally and Externally
The communication piece is where I see the most painful mistakes. Either organizations say too much too soon, or they say nothing and lose trust permanently.
Internal Communication
Your employees need to know what happened, what's being done, and what they should do. If credential theft was involved, tell them to change passwords. If phishing was the entry point, tell them what the phishing email looked like so they can report similar messages.
Don't hide the incident from your own people. They're your first line of defense, and they can't help if they're in the dark.
External Communication and Legal Obligations
Most U.S. states now have data breach notification laws. If personal data was compromised, you likely have a legal obligation to notify affected individuals and possibly state attorneys general within a specific timeframe — often 30 to 72 days.
If you operate in healthcare, finance, or government, sector-specific regulations like HIPAA, GLBA, or FISMA add additional reporting requirements. Your legal counsel should drive this process, but your incident response team needs to provide the facts.
For publicly traded companies, the SEC's 2023 cybersecurity disclosure rules require material incident reporting within four business days on Form 8-K. This isn't optional.
Step 6: Learn From It — The Post-Incident Review
Every incident is a masterclass in where your defenses failed. Wasting that lesson is the real crime.
What a Good Post-Incident Review Covers
- Timeline reconstruction: When did the attack start? When was it detected? How long did containment take?
- Root cause analysis: What was the initial attack vector? Why did it succeed?
- Response evaluation: What worked in your incident response plan? What didn't?
- Gap identification: What tools, training, or processes would have prevented or shortened this incident?
- Action items with owners and deadlines — not vague recommendations that gather dust.
Hold this review within two weeks of the incident while memories are fresh. Include everyone who was involved — IT, leadership, communications, legal. No blame. Just facts and improvements.
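Timeline reconstruction is the one review item that turns into numbers, and those numbers are what you compare against figures like the 200-day containment mark quoted earlier. Below is an added example (my own, not from the original post) that takes a list of dated events, checks that the phases appear in a sane order, and derives dwell time, time to contain and time to recover. The events are constructed for illustration; in a real review they come from logs, EDR alerts, tickets and chat records, and every timestamp has to be normalised to one time zone (UTC is assumed here) before any subtraction happens.

```python
"""Reconstruct an incident timeline and derive the metrics a post-incident
review needs: dwell time, time to contain, time to recover.

Added example, not from the original post. The events below are constructed
for illustration; in a real review they come from logs, EDR alerts, tickets
and chat records, and every timestamp must be normalised to one time zone
(UTC here, assumed) before any arithmetic is done.
"""
from datetime import datetime, timedelta

PHASES = ("initial_access", "detection", "containment", "eradication", "recovery")

# Constructed timeline (UTC). "activity" rows are attacker actions found in
# the logs after the fact; they belong in the narrative but not in the metrics.
EVENTS = [
    ("2025-02-10T09:14:00", "initial_access", "Credentials entered on lookalike page from phishing email"),
    ("2025-02-10T09:31:00", "activity",       "VPN login with those credentials from an unfamiliar network"),
    ("2025-02-24T22:05:00", "activity",       "Unrecognised admin account created on dc-01"),
    ("2025-02-26T03:40:00", "detection",      "EDR alert: lateral movement toward fs-01"),
    ("2025-02-26T05:10:00", "containment",    "fs-01 and ws-17 isolated; affected user's sessions revoked"),
    ("2025-02-27T18:00:00", "eradication",    "Rogue admin account removed; VPN appliance patched"),
    ("2025-03-01T12:00:00", "recovery",       "File server restored from a verified backup"),
]


def parse_events(rows):
    """Parse and sort chronologically; sorting exposes out-of-order timestamps early."""
    return sorted(((datetime.fromisoformat(ts), phase, desc) for ts, phase, desc in rows),
                  key=lambda e: e[0])


def first_of(events, phase):
    """Timestamp of the first event in the given phase, or None if absent."""
    for ts, p, _ in events:
        if p == phase:
            return ts
    return None


def phases_in_order(events):
    """Every phase present, and each one no earlier than the previous."""
    stamps = [first_of(events, p) for p in PHASES]
    return None not in stamps and all(a <= b for a, b in zip(stamps, stamps[1:]))


def timeline_metrics(rows):
    events = parse_events(rows)
    if not phases_in_order(events):
        raise ValueError("timeline is missing a phase or has phases out of order; "
                         "re-check sources and time zones")
    t = {p: first_of(events, p) for p in PHASES}
    identify_and_contain = t["containment"] - t["initial_access"]
    return {
        "dwell_time": t["detection"] - t["initial_access"],     # attacker inside, undetected
        "time_to_contain": t["containment"] - t["detection"],   # detection to isolation
        "identify_and_contain": identify_and_contain,
        "time_to_recover": t["recovery"] - t["containment"],
        "under_200_days": identify_and_contain < timedelta(days=200),
    }


def narrative(rows):
    """Human-readable timeline with the gap since the previous event, for the write-up."""
    events = parse_events(rows)
    lines, prev = [], None
    for ts, phase, desc in events:
        gap = "" if prev is None else f" (+{ts - prev})"
        lines.append(f"{ts.isoformat()} [{phase}] {desc}{gap}")
        prev = ts
    return lines


if __name__ == "__main__":
    print("\n".join(narrative(EVENTS)))
    for name, value in timeline_metrics(EVENTS).items():
        print(f"{name:22s} {value}")
```

On the constructed data the attacker sat undetected for just under 16 days, containment followed detection by 90 minutes, and recovery took a little over three days after that. The ordering check matters more than it looks: a detection timestamp that lands before initial access almost always means two sources were logged in different time zones, and a review built on that timeline will draw the wrong conclusions about which control failed.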
The $4.88M Lesson Most Organizations Learn Too Late
Here's what I keep coming back to after years in this field: technical controls alone don't determine outcomes. People do.
The Verizon DBIR keeps telling us the same story year after year — human error and social engineering dominate the threat landscape. You can deploy the most sophisticated endpoint detection money can buy, but if your employees can't recognize a phishing email, you're exposed.
This is why ongoing cybersecurity awareness training for your entire organization isn't a nice-to-have. It's the single most cost-effective control you can implement. Trained employees report suspicious emails faster, fall for social engineering less often, and create fewer of the mistakes that threat actors exploit.
And training shouldn't be a once-a-year checkbox. Effective programs include regular phishing simulation exercises that test real-world scenarios. When your people practice identifying phishing emails monthly, they develop the reflexes that catch attacks before they become incidents.
Build Your Incident Response Plan Before You Need It
If you don't have a written incident response plan right now, you're betting your organization's survival on improvisation under pressure. I've seen that bet lose too many times.
Minimum Viable Incident Response Plan
- Roles and responsibilities: Who does what? Name names, not job titles.
- Contact list: Cell phones for your IR team, legal counsel, insurance carrier, and an external forensics firm you've vetted in advance.
- Communication templates: Pre-drafted internal and external notifications you can customize quickly.
- Containment procedures: Step-by-step instructions for isolating systems, disabling accounts, and preserving evidence.
- Recovery procedures: Backup locations, restoration steps, and validation checklists.
- Regulatory checklist: Which laws and regulations apply to your organization, with notification deadlines.
Test this plan at least annually with a tabletop exercise. Put your team in a room, present a realistic scenario, and walk through every step. You'll find the gaps before an actual attacker does.
The Attacks Are Coming. Your Response Is the Variable.
Every organization with an internet connection will face a cyberattack. That's not pessimism — it's the statistical reality of operating in 2025. The FBI IC3 received over 880,000 complaints in 2023, with reported losses exceeding $12.5 billion. The actual numbers are far higher because most incidents go unreported.
Knowing how to respond to a cyberattack transforms an organization from a victim into a resilient operation that can take a hit and keep moving. The steps aren't complicated: detection, containment, eradication, recovery, communication, and learning. The hard part is doing the preparation work now — building the plan, training the people, and testing the process — so it's second nature when the alarm goes off.
Start today. Assign your incident response roles. Write down your containment procedures. Get your people into ongoing security awareness training. Run a phishing simulation this month. Every hour you invest in preparation saves days of chaos during an actual incident.
Your future self, standing in the middle of an active breach at 2 AM, will thank you.