What to Do After a Cyber Attack: A Step-by-Step Guide from Our Cyber Expert

By Patricia A. Pramono • Studio 1080, Published on July 30, 2025


Cyber attacks don’t always announce themselves with a loud alarm. Sometimes, they sneak in quietly (through an unmanaged asset, a missed patch, or a well-disguised phishing email) only to surface once the damage is done. When that moment comes, time is everything. And what a company does in the first few hours after experiencing an attack can determine whether it recovers or unravels.

To help companies respond effectively and rebuild resilience, we feature insights from Muhammad Luqman, Head of Tech Security at Cisometric, to walk us through what really needs to happen after an incident. With multiple certifications under his belt (CISSP, CCSP, CASP+), Luqman leads Cisometric’s technical security operations, from SOC implementation to real-time incident response, and has helped numerous organizations recover from targeted attacks.

Once a cyber attack is discovered, the clock starts ticking. According to Luqman, the first few hours are critical. This period is often referred to as the “golden window”, in which a fast, structured response can make the difference between a contained breach and a company-wide crisis.

Below is a step-by-step guide to what organizations should prioritize in the first 0–72 hours after an incident. These are the essential actions that help reduce damage, preserve evidence, and set the foundation for recovery.

Step 1: Contain Without Compromise

“The first step is always containment,” says Luqman. “And that step needs to happen fast, ideally within the first one to three hours after an incident is discovered.”

This window is critical. It's when the threat is still active or spreading, and when evidence is still intact. But rushing in without a plan can backfire. “A lot of companies go into panic mode and start unplugging or rebooting everything. But that can actually destroy volatile data that’s crucial for forensic analysis,” Luqman shares.

Instead, the priority should be to isolate affected systems, for example by cutting off their network access, blocking suspicious processes, or segmenting the impacted areas, without shutting the systems down entirely.

“We follow the principle of ‘contain without compromise,’” Luqman emphasizes. “You want to stop the bleeding, yes, but you also want to preserve the crime scene.”

In practice, this might involve:

  • Network segmentation to block lateral movement
  • Access revocation for compromised accounts
  • Freezing endpoints instead of rebooting them
  • Capturing volatile memory (RAM) and system state data
  • Cloning drives for forensic examination
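As an added example (not Cisometric’s tooling and not code from the original article), the Python helper below does the “preserve the crime scene” part of the list above in the right order: it captures volatile state first, hashes every artifact into a manifest so the collection can later be proven unaltered, and only then builds the host-isolation rules that keep the responder’s own SSH session and an evidence-upload path open. It assumes a Linux host with the usual coreutils/procps commands; the command names, the iptables rule set and the addresses in the usage line are assumptions. Memory imaging and disk cloning are left to dedicated tools (a memory-acquisition module such as LiME or AVML, and a block-level imager such as dd) and are not shown here.

```python
"""Order-of-volatility triage collector and host-isolation rule builder.

Added example, not Cisometric's tooling. Assumes a Linux host; any
command that is missing is recorded in the manifest rather than fatal.
Run collect_volatile() BEFORE isolating or powering off the machine so
that processes, sockets and logged-in users are captured and hashed.
"""
import hashlib
import json
import shutil
import subprocess
import time
from pathlib import Path

# Most volatile first: what disappears soonest is captured soonest.
# Command names are an assumption about a typical Linux responder host.
VOLATILE_COMMANDS = [
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("sockets", ["ss", "-tunap"]),
    ("logged_in", ["who", "-a"]),
    ("arp_cache", ["ip", "neigh"]),
    ("routes", ["ip", "route"]),
    ("uptime", ["uptime"]),
    ("kernel", ["uname", "-a"]),
]


def run_capture(argv, timeout=30):
    """Run one command; return (status, output_bytes). Never raises."""
    if shutil.which(argv[0]) is None:
        return "missing", f"{argv[0]}: not found on this host\n".encode()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", b""
    return f"exit={proc.returncode}", proc.stdout + proc.stderr


def collect_volatile(evidence_dir, commands=VOLATILE_COMMANDS):
    """Write each command's output under evidence_dir and a SHA-256
    manifest (manifest.json). Returns the manifest as a list of dicts."""
    out = Path(evidence_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, argv in commands:
        status, data = run_capture(argv)
        (out / f"{name}.txt").write_bytes(data)
        manifest.append({
            "artifact": name,
            "command": " ".join(argv),
            "status": status,
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every artifact; return the names that no longer match."""
    out = Path(evidence_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    tampered = []
    for entry in manifest:
        data = (out / f"{entry['artifact']}.txt").read_bytes()
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            tampered.append(entry["artifact"])
    return tampered


def isolation_rules(responder_ip, collector_ip=None):
    """Build iptables argv lists that cut the host off from the network
    while keeping the responder's SSH session (and, optionally, the
    evidence collector) reachable. Apply them with subprocess only after
    collect_volatile() has finished. The rule set is an assumption for
    iptables hosts; nftables or an EDR 'network contain' action would
    replace it."""
    rules = [
        ["iptables", "-I", "INPUT", "-s", responder_ip, "-p", "tcp", "--dport", "22", "-j", "ACCEPT"],
        ["iptables", "-I", "OUTPUT", "-d", responder_ip, "-p", "tcp", "--sport", "22", "-j", "ACCEPT"],
    ]
    if collector_ip:
        rules.append(["iptables", "-I", "OUTPUT", "-d", collector_ip, "-j", "ACCEPT"])
    rules += [
        ["iptables", "-A", "INPUT", "-j", "DROP"],
        ["iptables", "-A", "OUTPUT", "-j", "DROP"],
        ["iptables", "-A", "FORWARD", "-j", "DROP"],
    ]
    return rules


if __name__ == "__main__":
    import sys
    evidence = sys.argv[1] if len(sys.argv) > 1 else "./evidence"
    for entry in collect_volatile(evidence):
        print(f"{entry['status']:>10}  {entry['artifact']:<12} {entry['sha256'][:16]}")
    # Assumed addresses: responder workstation and evidence collector.
    for rule in isolation_rules("10.0.0.5", "10.0.0.50"):
        print(" ".join(rule))
```

Run it as root on the affected host, copy the evidence directory off the machine, and keep the manifest with the chain-of-custody record; verify_manifest() run later on the copy proves nothing was altered in transit. The isolation rules are returned rather than executed so the responder can review them first: a mistake here is exactly the “unplug everything” panic the text warns against, only automated.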

Skipping these steps can severely limit a team’s ability to understand how the attacker got in, what they touched, and how to prevent it from happening again.

“Containment is a strategic move,” Luqman adds. “You need people who can act quickly, but also precisely. That’s why having a defined incident response playbook and training your team on it is non-negotiable.”

He also warns that companies without an experienced response team should not hesitate to call in external help. “If you don’t have the technical depth in-house, this is where a vendor like Cisometric can step in. Our SOC and CSIRT teams are trained to respond in real time, contain threats safely, and preserve evidence for investigation.”

Step 2: Identify the Type of Attack 

Once the immediate threat has been contained, the next priority is understanding what you’re actually dealing with. Was it ransomware? A phishing-based credential compromise? A misused admin account? Each type of attack requires a different remediation approach, and misidentifying it can lead to wasted effort, increased downtime, or, worse, a second wave of compromise.

Luqman recalls a real incident where an unmanaged, undocumented asset became the hidden entry point for a major breach. “The company didn’t even know that asset existed until hours into the response,” he says.

As teams scrambled to contain the attack, they focused all efforts on the wrong system, losing precious time and letting the damage spread.

“It was a harsh reminder that you can’t protect what you don’t know exists. Strong visibility across assets is a must,” explains Luqman. “And that’s where a properly implemented SIEM (Security Information and Event Management) system plays a central role.”

A SIEM acts as your central nervous system during a crisis. It collects logs, correlates events, and can provide early indicators of attack techniques and compromised assets. But Luqman cautions: “Operating a SIEM isn’t just about having the tool, it requires having the right people to read the data and act on it. That’s where the SOC team comes in.”

Security Operations Centers (SOCs) are staffed with analysts who know how to interpret unusual patterns, detect lateral movement, and trace the attacker’s path through a company’s infrastructure. Without this real-time expertise, companies often miss the root cause or, worse, assume the attack is over when it isn’t.

This is especially true for businesses with growing infrastructure, hybrid cloud setups, or limited in-house security talent. “The longer it takes to identify the breach type, the harder it becomes to contain and clean up. Missteps in this phase can extend the dwell time, which leads to more damage,” Luqman adds.
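The two SIEM capabilities this section leans on, spotting an unmanaged asset and spotting lateral movement, are simple enough to show as correlation rules. The Python below is an added example, not content from Cisometric’s SIEM or from the original article; the authentication log lines, the asset inventory and the thresholds are constructed for illustration. Rule 1 flags any login whose source or target host is absent from the inventory (the “asset the company didn’t know existed”). Rule 2 runs a sliding window per account over successful logins and alerts once one account has reached a given number of distinct hosts inside that window, the usual shape of lateral movement.

```python
"""Two SIEM-style correlation rules over authentication events.

Added example (not Cisometric's SIEM content). The log, the inventory and
the thresholds are constructed; in a real SIEM the same logic runs over
normalised authentication events from every host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one authentication event per line:
# <ISO timestamp> <result> user=<account> src=<source host> dst=<target host>
SAMPLE_LOG = """\
2025-07-28T02:14:05Z success user=svc_backup src=lab-box-07 dst=fileserver01
2025-07-28T02:15:11Z success user=svc_backup src=fileserver01 dst=db01
2025-07-28T02:15:40Z success user=svc_backup src=fileserver01 dst=db02
2025-07-28T02:16:02Z success user=svc_backup src=fileserver01 dst=hr-app01
2025-07-28T02:16:30Z failure user=svc_backup src=fileserver01 dst=dc01
2025-07-28T02:17:09Z success user=svc_backup src=fileserver01 dst=dc01
2025-07-28T08:00:00Z success user=alice src=ws-042 dst=fileserver01
2025-07-28T09:30:00Z success user=alice src=ws-042 dst=hr-app01
"""

# Constructed asset inventory: the hosts the organisation knows it owns.
# lab-box-07 is deliberately absent, mirroring the unmanaged-asset story.
KNOWN_ASSETS = {"fileserver01", "db01", "db02", "hr-app01", "dc01", "ws-042"}

LATERAL_WINDOW = timedelta(minutes=10)   # assumed tuning values
LATERAL_MIN_HOSTS = 4                    # distinct targets before alerting


def parse_events(text):
    """Turn raw lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "result": parts[1],
            "user": fields["user"], "src": fields["src"], "dst": fields["dst"],
        })
    return sorted(events, key=lambda e: e["ts"])


def unmanaged_asset_alerts(events, inventory):
    """Rule 1: any event whose source or target host is not in the inventory.
    Returns (timestamp, account, host, role) tuples."""
    alerts = []
    for e in events:
        for role in ("src", "dst"):
            if e[role] not in inventory:
                alerts.append((e["ts"], e["user"], e[role], role))
    return alerts


def lateral_movement_alerts(events, window=LATERAL_WINDOW, min_hosts=LATERAL_MIN_HOSTS):
    """Rule 2: per account, count distinct destination hosts reached by
    successful logins inside a sliding time window. One alert per account,
    raised the first time the threshold is crossed, as
    (account, window_start, window_end, sorted hosts)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for i, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            hosts = {x["dst"] for x in evs[start:i + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((user, evs[start]["ts"], e["ts"], sorted(hosts)))
                break
    return alerts


def triage(text=SAMPLE_LOG, inventory=KNOWN_ASSETS):
    """Run both rules over a log; returns a dict of alert lists."""
    events = parse_events(text)
    return {
        "unmanaged": unmanaged_asset_alerts(events, inventory),
        "lateral": lateral_movement_alerts(events),
    }


if __name__ == "__main__":
    for kind, alerts in triage().items():
        for alert in alerts:
            print(kind, alert)
```

On the sample data the first rule fires once, on the lab-box-07 login at 02:14, and the second fires once, for svc_backup reaching four distinct hosts between 02:14 and 02:16; alice’s two logins spread over hours stay below the threshold. Note that the first rule only works if the inventory is maintained: a SIEM cannot flag a host as unknown if nobody has ever told it which hosts are known, which is the visibility point Luqman makes.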

Also read: What Makes a Next Gen SOC and Why Your Business Needs One Now

Step 3: Build the Right Team

Incident response is not just a technical task. It’s a cross-functional operation that touches nearly every part of a business, especially in the first 72 hours.

“You need an Incident Response Commander, technical leads, a communications officer, legal counsel, and sometimes even HR or PR,” Luqman explains. “And these roles must be clearly assigned before the incident happens, because during an attack, there's no time to figure out who’s doing what.”

Even smaller companies that lack dedicated roles can still define responsibilities. The same person may wear multiple hats, but clarity matters. “It’s better to have a lightweight but defined team than to leave responses hanging between departments,” Luqman adds.

In larger organizations, the absence of a structured team often leads to siloed responses, miscommunications, or delays in decision-making. Meanwhile, public-facing missteps or legal oversights can quickly escalate into reputational damage or regulatory penalties.

“Security is a shared responsibility,” says Luqman. “Don’t leave it to the IT team alone. Coordinated action across departments makes all the difference.”

At Cisometric, many of our engagements begin with helping companies to build or refine their incident response team structure (even as a simulation) so that roles are clear before the real crisis hits. It’s one of the easiest ways to reduce chaos and improve decision-making under pressure.

Step 4: Communicate with Clarity

A cyber incident is usually a communication crisis too. Missteps in messaging can magnify the impact of an attack, confuse internal teams, erode customer trust, and invite regulatory scrutiny.

“One of the most common mistakes we see is panic,” Luqman shares. “When panic spreads, decision-making gets sloppy. That’s why calm, structured communication is key.”

Internally, employees should be briefed as early as possible, even if not all the facts are known yet. Let them know what’s happening, what they’re expected to do (like resetting passwords or avoiding specific systems), and when they’ll receive the next update. This helps manage speculation and keeps everyone aligned.

Externally, customers, partners, vendors, and regulators must be informed responsibly. That means no speculation, no technical jargon, and no vague PR statements. “Stick to facts. Reassure them that the situation is under control and that you’re taking responsible action,” Luqman advises.

He also emphasizes the importance of designating a Communications Lead as part of the incident response team. This person should liaise with legal, technical, and executive teams to ensure all messaging is aligned, approved, and consistent across platforms (email, social media, internal memos, and external statements).

At Cisometric, our team frequently helps clients to prepare communications templates and breach response protocols ahead of time, so they’re not scrambling under pressure. Having the right words ready, even in draft form, can cut hours off the response timeline and prevent costly miscommunications.

And while every breach is different, one truth is constant: people remember how you communicated, even more than what happened.

Step 5: Know When to Escalate and Who to Call

Not every incident needs to be escalated to the boardroom or law enforcement (although many do). And knowing when to loop in key stakeholders can significantly affect how smoothly and responsibly the situation is handled.

“If the breach involves sensitive data, disrupts operations, or potentially violates regulatory requirements, escalation shouldn't be delayed,” says Luqman. “Notify management, legal, and regulators as soon as the impact is confirmed. Don’t wait for all the answers to come in. What matters is fast, responsible action.”

This is where having clear escalation criteria written into your incident response plan becomes essential. It helps teams avoid hesitation, politics, or confusion in the middle of a crisis.

Here’s a general rule of thumb:

  • Escalate to Legal when personal data, financial records, or customer information is involved
  • Notify Executives when the incident could impact business continuity or brand reputation
  • Alert Regulators or Law Enforcement if data breach notification laws apply, or if there’s evidence of criminal activity
  • Contact Cybersecurity Partners when internal resources aren’t enough to contain, analyze, or respond effectively

Many companies hesitate to bring in outside help, worried it might signal failure or cost too much. But Luqman warns against this mindset.

“Escalating to the right partner early can actually save time, reduce damage, and preserve trust,” he explains. “Delaying can make things worse. By the time internal teams admit they’re overwhelmed, it’s often too late to act quickly.”

“A company should consider partnering with an external cybersecurity firm when they can’t identify the root cause, the scope is unclear, or they don’t have the capacity to respond in time,” Luqman explains.

Our SOC and CSIRT are purpose-built to support companies in these moments. “Cisometric’s SOC monitors threats 24/7. Once something’s detected, our analysts quickly triage and isolate the incident. Our CSIRT steps in for containment, forensic investigation, and remediation support.”

This end-to-end approach (from detection to recovery) not only limits damage, but helps companies bounce back stronger.

Also read: Important Update! New Presidential Directive for CSIRT Capabilities

Step 6: Post-Incident Review

It’s tempting, once systems are back online and operations return to normal, to declare the crisis over and move on.

“After recovery, it’s critical to conduct a thorough post-incident review,” says Luqman. “You can’t protect against the next attack if you don’t understand what happened in the last one.”

This review should involve all departments that were part of the incident response, from IT to Legal to Comms, and answer key questions:

  • What was the root cause of the attack?
  • How long did it go undetected (dwell time)?
  • What signals were missed?
  • Were any internal processes or controls ineffective?
  • How well did the response team perform under pressure?

Mapping a detailed incident timeline is also crucial. This helps identify delays, decision bottlenecks, and opportunities where faster action could have mitigated the impact. It also builds a realistic scenario for future tabletop exercises and training.

“After all, security is not just about solving today’s problem, it’s about preventing tomorrow’s,” Luqman reminds us.

To do this effectively, companies can adopt widely respected frameworks such as NIST’s Computer Security Incident Handling Guide (SP 800-61) or ISO/IEC 27035, both of which describe a structured post-incident activity cycle. These standards help businesses evolve their security posture by updating playbooks, improving detection rules, and reinforcing the response team’s readiness.

Cisometric regularly assists clients with Post-Incident Reviews (PIRs), offering technical analysis, policy recommendations, and even C-level briefings. “Sometimes the most valuable service we provide is helping teams see what they didn’t know they were missing,” Luqman adds.

In short, recovery ends when business resumes. But resilience begins when you reflect and prepare smarter for what’s next.

Step 7: Rebuilding Trust with Customers

Once systems are restored and the technical response winds down, your focus needs to also shift outward, to the people affected. If customer data was compromised, restoring their trust becomes just as important as restoring your infrastructure.

“Customers are more likely to stay loyal if they see a company is being honest, proactive, and capable,” Luqman emphasizes.

Do:

  • Be transparent and accurate
  • Notify affected users quickly
  • Offer clear next steps and remediation support

Don’t:

  • Speculate or share unverified details
  • Delay communication unnecessarily

Final Thoughts from the Expert

Luqman’s advice for prevention is clear: “Resilience doesn’t start after an incident, it starts before.” Cisometric helps companies assess their current posture, identify gaps, and design a maturity roadmap tailored to their business needs and risk landscape. “This isn’t just about tools. It’s about people, process, and visibility,” he says. “And we’re here to help companies build all three.”

“If there’s one thing I wish every company understood,” Luqman says, “it’s that security is everyone’s responsibility. From top leadership to daily operations, every person plays a part in cyber resilience.”

And when it comes to readiness?

“Hope is not a strategy. Invest in visibility, planning, and the right partners before a crisis hits. Because when it does, response speed and clarity will define your outcome.”

Cisometric is a next-generation cybersecurity consulting firm based in Indonesia, specializing in Security Operations Center (SOC), Incident Response, security compliance, and more. Our mission is to build a safer digital future through expert-driven solutions tailored for businesses of all sizes.




