A comprehensive 15-page guide with step-by-step procedures for detection, containment, eradication, recovery, and regulatory compliance. Developed by security professionals.
The average data breach costs $4.88 million. Organizations with IR plans save $1.5 million on average.
Average time to identify and contain a breach without a plan
When breaches are contained within 200 days vs. longer
83% of organizations will experience a breach—be ready
Most organizations lose the first 24 hours of a breach to confusion: who is in charge, what counts as "confirmed," who is allowed to email customers. The playbook is structured around six phases that map to the SANS PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), with the timing and decision rights spelled out explicitly so the room does not have to invent them under pressure.
Phase 1 (Identification) is about declaring an incident, not investigating one. The bar is "credible signal of unauthorized access," not "we have full forensic confirmation." Setting the bar too high here is the single most common reason organizations miss the GDPR 72-hour clock and the SEC four-business-day disclosure window. The playbook gives you a one-page declaration criteria sheet so the on-call analyst can make the call without paging the CISO at 3am.
Phase 2 (Containment) is the loudest hour of the response. Isolate affected hosts at the network layer, not by shutting them down (you lose volatile memory and the attacker notices). Revoke active sessions in the IdP, not just passwords. Block C2 IPs at the perimeter even if you have not finished attribution. The playbook lists the eight containment actions you can take in the first 60 minutes without legal sign-off, and the four that need counsel on the line first.
Phases 3 through 6 cover eradication (removing the foothold, not just the symptoms), recovery (the hard call between restoring from backup and rebuilding), regulatory disclosure (the actual statute citations and timelines), and the post-incident review that turns the worst week of your year into a control improvement. Throughout, the playbook assumes you do not have a 24/7 SOC, a retained IR firm, or a full legal team, because most of the organizations that need this most do not.
The 15-page PDF is organized as a working document, not a reference manual. Each chapter ends with a checklist you can hand to a teammate.
For context on why most breaches are detected externally rather than by the victim, read our breakdown of the ten signs your company data is on the dark web. The earlier in the kill chain you spot it, the smaller the response gets.
Before you need it. Most teams pull it during quarterly IR drills, when a new compliance auditor asks for a documented response procedure, after onboarding a new CISO or DPO, or right after a near-miss like a phishing campaign that almost worked. If something is happening right now, skip to Phase 2 (Containment) on page 5.
Yes, in almost every case. External counsel should be looped in before any written communication leaves the building, because attorney-client privilege is the only thing protecting the forensic narrative from discovery later. The playbook includes a sample retention email and a one-page brief that gets counsel up to speed in under five minutes.
GDPR is 72 hours from awareness to the supervisory authority. SEC Form 8-K is four business days from materiality determination. HIPAA is 60 days for affected individuals (sooner over 500 people). PCI DSS requires immediate notification to your acquiring bank. Singapore PDPA and most APAC regimes sit in the 72-hour to 30-day range. The playbook has a one-page table with statute citations.
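A small deadline tracker built from the timelines quoted above, added here as an example (it is not part of the playbook and is not legal advice). It assumes business days are Monday to Friday with no holiday calendar, treats "immediate" as due at awareness, and plans APAC regimes to their earliest bound; the "sooner" HIPAA rule above 500 individuals is flagged, not modelled.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Clock = Tuple[str, datetime, str]  # (regime, due, note)


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` weekdays. Assumption: Mon-Fri only, no holidays."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() 0..4 is Monday..Friday
            remaining -= 1
    return current


def notification_deadlines(awareness: datetime,
                           materiality: Optional[datetime],
                           affected_individuals: int) -> List[Clock]:
    """Return the regulatory clocks sorted by due time, earliest first.

    awareness:   when the organization became aware of the breach
    materiality: when the SEC materiality determination was made (None if pending)
    """
    hipaa_note = "60 days to affected individuals"
    if affected_individuals > 500:
        hipaa_note += "; over 500 people must be notified sooner (timing not modelled here)"
    clocks: List[Clock] = [
        ("PCI DSS acquiring bank", awareness, "immediate notification; treated as due at awareness"),
        ("GDPR supervisory authority", awareness + timedelta(hours=72), "72 hours from awareness"),
        ("Singapore PDPA / APAC", awareness + timedelta(hours=72),
         "regimes range from 72 hours to 30 days; planned to the earliest bound"),
        ("HIPAA affected individuals", awareness + timedelta(days=60), hipaa_note),
    ]
    if materiality is not None:  # the SEC clock only starts once materiality is determined
        clocks.append(("SEC Form 8-K", add_business_days(materiality, 4),
                       "4 business days from materiality determination"))
    clocks.sort(key=lambda c: c[1])  # stable sort keeps insertion order on ties
    return clocks


def hours_remaining(due: datetime, now: datetime) -> float:
    """Hours left on a clock; negative means the window has already closed."""
    return (due - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: awareness and materiality both on Friday 2024-03-01 09:00.
    t0 = datetime(2024, 3, 1, 9, 0)
    for regime, due, note in notification_deadlines(t0, t0, 1200):
        print(f"{due:%Y-%m-%d %H:%M}  {regime:<32} {note}")
```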
Containment stops the bleeding (isolate hosts, disable accounts, block C2, revoke sessions). Eradication removes the attacker's foothold (delete webshells, patch the initial access vector, rotate touched credentials, rebuild rather than clean where uncertain). Skipping eradication and jumping to recovery is how organizations get re-encrypted two weeks later by the same actor.
An incident commander runs the room. In smaller SaaS companies that is the head of security or the CTO. The IC's job is decisions and tempo, not technical work. They coordinate four workstreams: technical (SRE plus security engineering), legal (external counsel plus DPO), comms (PR plus CS), and executive (CEO plus board). The playbook includes a RACI template.
Yes. Phase 2 has a ransomware decision tree covering pay/no-pay (almost never, and OFAC sanctions can make payment illegal regardless), decryptor evaluation, and double-extortion leak-site countdown handling. Phase 4 covers backup restoration and when to rebuild from scratch instead.
AdverseMonitor alerts you within minutes when your organization appears on dark web leak sites—giving you critical early warning to execute your response plan faster.