What to Do in the First 60 Minutes of a New Cyberattack

INTRODUCTION
Every organization, no matter its size or sector, faces potential cyber threats daily. When an attack happens, what you do in the first 60 minutes of a new cyberattack is crucial: your actions in this narrow window can determine the extent of the damage, data loss, downtime, and financial impact.
This detailed blog will walk you through step by step what you have to do in the first 60 minutes of a cyber incident to contain it, protect your assets, and start recovery. Planning for and being familiar with this response not only protects your business but also helps ensure compliance with legal and regulatory obligations.
Why The First 60 Minutes Matter
The initial 60 minutes after detecting a cyberattack is sometimes called the "golden hour" of incident response. Attackers use this window to escalate privileges, move laterally through your network, exfiltrate sensitive information, or distribute ransomware payloads.
Being aware of what to do during the first 60 minutes of a new cyberattack helps you:
Limit Damage: Stop the attack from propagating.
Maintain Evidence: Critical to forensic investigation and courtroom cases.
Minimize Downtime: Rapid response equates to minimal business interruption.
Build Customer Trust: Demonstrating control makes stakeholders and customers confident.
Comply with Laws: Many laws mandate timely breach reporting and response.
Early Warning Signs of a Cyberattack: Detection

You must detect a cyberattack quickly before you can react. Warning signs to be aware of are:
Abnormal Network Patterns: Bursts of strange activity or untypical connections with unknown IPs.
System Anomalies: Constant rebooting, crashing, or new files.
Authentication Failures: Continuing unsuccessful logins or logins during non-work hours.
Security Tool Notifications: Firewalls, antivirus, or intrusion detection system alarms.
Continuous monitoring with security tools such as SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) solutions is essential to detecting an attack early.
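Two of the warning signs listed above, bursts of failed logins and logins during non-work hours, can be checked mechanically. The following is an added example, not code from the original post: it runs simple detection logic over constructed sample authentication log lines (the log format, the 5-failures-in-5-minutes threshold and the 08:00-18:00 working hours are assumptions for illustration).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real system).
SAMPLE_LOG = """\
2024-05-02 09:12:03 auth FAIL user=alice src=10.0.0.7
2024-05-02 09:12:05 auth FAIL user=alice src=10.0.0.7
2024-05-02 09:12:06 auth FAIL user=alice src=10.0.0.7
2024-05-02 09:12:08 auth FAIL user=alice src=10.0.0.7
2024-05-02 09:12:09 auth FAIL user=alice src=10.0.0.7
2024-05-02 09:12:20 auth OK user=alice src=10.0.0.7
2024-05-02 14:00:00 auth OK user=bob src=10.0.0.9
2024-05-03 02:41:17 auth OK user=svc_backup src=203.0.113.44
"""

LINE_RE = re.compile(r"^(\S+ \S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(lines):
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)

def detect(log_text, fail_threshold=5, window=timedelta(minutes=5),
           work_hours=(8, 18)):
    """Return findings: failed-login bursts per source, off-hours successes,
    and a success from a source that just produced a burst."""
    findings = []
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failures
    burst_reported = set()
    for ts, result, user, src in parse(log_text.splitlines()):
        if result == "FAIL":
            q = recent_fails[src]
            q.append(ts)
            while q and ts - q[0] > window:   # keep only failures inside the window
                q.popleft()
            if len(q) >= fail_threshold and src not in burst_reported:
                findings.append(("failed_login_burst", src, user, ts))
                burst_reported.add(src)
        else:
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                findings.append(("off_hours_login", src, user, ts))
            if src in burst_reported:   # the most urgent signal: guessing that succeeded
                findings.append(("success_after_burst", src, user, ts))
    return findings
```

In a real deployment the same logic would run inside the SIEM as a correlation rule rather than as a standalone script.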
Step 1: Validate the Incident (First 5-10 Minutes)
As soon as an alert or suspicion is raised, your first action in the first 60 minutes is to determine whether an actual attack is occurring:
Validate alerts by correlating system and security logs.
Identify which systems or data have been attacked.
Determine whether the anomaly is due to a cyberattack or to a false positive or system error.
Avoid hasty action without confirmation, as unjustified interruptions can disrupt business processes.
Step 2: Isolate Compromised Systems (10-20 Minutes)
Once the incident is confirmed, isolate compromised systems immediately to contain the threat where it is:
Disable or reset stolen access credentials or user accounts.
Network segmentation and strict access controls reinforce this action. Remember, isolation does not mean shutting down everything; it means stopping the spread while keeping evidence intact.
Step 3: Alert Your Incident Response Team (15-30 Minutes)
Cyberattack response is a team effort. Your incident response team (IRT) should include:
Security analysts
IT administrators
Legal and compliance officers
Communication and PR team
Your IRT should know the incident response plan so you can respond well and minimize confusion throughout the crisis.
Step 4: Preserve Key Evidence (20-40 Minutes)
Preserving evidence is perhaps the most important, and most often omitted, step in the first 60 minutes. Good evidence allows you to:
Analyze how the attacker broke in.
Identify vulnerabilities that were exploited.
Support law enforcement and legal cases.
Steps to preserve evidence are:
Capturing system and network logs, alerts, and screenshots.
Avoiding powering off or restarting infected devices, except in extreme cases.
Logging all actions taken as a response.
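Captured logs are only useful later if you can show they were not altered after collection. As an added example (not the post's own procedure), the code below hashes constructed sample artifacts, records the collector and the actions taken alongside the hashes, and re-verifies the artifacts afterwards; the file names, the collector identity and the action entries are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """SHA-256 of a file, read in chunks so large log captures do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, collector, actions):
    """Hash every collected artifact and record who collected it, when, and what was done."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "artifacts": {os.path.basename(p): sha256_file(p) for p in paths},
        "actions": list(actions),   # the response action log travels with the evidence
    }

def verify_manifest(manifest, paths):
    """Return names of artifacts whose current hash no longer matches the manifest."""
    return [os.path.basename(p) for p in paths
            if manifest["artifacts"].get(os.path.basename(p)) != sha256_file(p)]

def demo():
    """Write constructed sample artifacts, build the manifest, then modify one file.
    Returns (manifest, mismatches_before, mismatches_after)."""
    d = tempfile.mkdtemp()
    auth = os.path.join(d, "auth.log")
    fw = os.path.join(d, "firewall.log")
    with open(auth, "w") as f:   # constructed sample content
        f.write("2024-05-02 09:12:03 auth FAIL user=alice src=10.0.0.7\n")
    with open(fw, "w") as f:
        f.write("2024-05-02 09:13:00 DENY 203.0.113.44 -> 10.0.0.7:445\n")
    actions = ["09:15 isolated host ws-07 at the switch", "09:16 copied auth and firewall logs"]
    manifest = build_manifest([auth, fw], "analyst@example.test", actions)
    before = verify_manifest(manifest, [auth, fw])
    with open(fw, "a") as f:     # simulate a later modification of one artifact
        f.write("tampered\n")
    after = verify_manifest(manifest, [auth, fw])
    return manifest, before, after
```

Store the manifest separately from the artifacts (for example with the case notes) so that a change to either side is detectable.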

Step 5: Communicate Transparently (30-50 Minutes)
Communication in the event of a cyberattack is unavoidable. Good communication involves:
Notification of internal stakeholders (management, employees).
Alerting affected customers or partners in case of personal data compromise.
Drafting messages to regulatory authorities to meet breach notification laws (GDPR, HIPAA, etc.).
Transparent and prompt communication assists in the preservation of trust and minimizes reputational loss.
Step 6: Start Recovery Planning (50-60 Minutes)
After containment and communication, plan the recovery process:
Identify the vulnerabilities that must be patched first.
Prepare for restoring systems from clean backups.
Establish ramped-up monitoring for lingering threats.
Recovery planning enables your organization to return to regular operations securely and quickly.
Critical Rapid Response Tools
To properly execute what needs to be done in the first 60 minutes, you need the right technology stack:
SIEM Systems: Correlate and process security logs in real-time.
EDR Tools: Detect and respond to threats on endpoints.
Network Segmentation: Limits attacker mobility within your network.
Automated Response Platforms: Enable quick, predictable incident response.
Backup Solutions: Have the ability to recover data in the case of ransomware or data loss.
Common Mistakes in the First 60 Minutes
Overlooking initial warnings or delaying action.
Failing to quickly isolate infected systems.
Failing to immediately involve key stakeholders.
Neglecting the necessity of maintaining evidence.
Delayed or poor customer and regulator communications.
Preparing for the Inevitable: Developing Your Incident Response Plan
Having an idea of what to do in the first 60 minutes of a cyberattack is only effective if you have a plan. Your incident response plan should:
Define roles and responsibilities.
Establish communication protocols.
Outline containment, eradication, and recovery processes.
Step 7: Conduct a Rapid Impact Assessment (60-90 Minutes)
After the initial containment and recovery planning is completed, it is necessary to conduct a rapid impact assessment so that one can understand the magnitude of the attack. It helps to answer some of the important questions:
What was accessed or destroyed?
Which business functions are affected and to what extent?
Do any regulatory or legal penalties exist?
What are the costs incurred thus far?
Knowing how to act within the first 60 minutes includes assessing the damage early, which enables recovery prioritization and resource allocation.

Step 8: Implement Improved Monitoring and Detection
After determining the attack vector and getting it under control, increase monitoring throughout your network to watch for lingering threats or attacker backdoors:
Raise log verbosity and retention.
Utilize threat intelligence feeds to monitor attacker indicators of compromise (IOCs).
Such constant monitoring prevents reinfection or a second wave of attacks.
Step 9: Involve External Experts and Authorities
Depending on the severity and type of attack, engage external parties during the first 60 minutes and in the subsequent stages:
Cybersecurity consultants or forensic specialists for detailed investigation.
Police authorities for reporting criminal activity, especially where there is data theft or ransomware.
Regulatory bodies to issue compulsory breach notifications.
Step 10: Coordinate Communication for Media and Public Affairs
If the cyber attack has potential public implications, advance planning of your media plan is critical. Determine:
What key messages to communicate?
How to navigate the transparency tightrope while not divulging sensitive technical details.
How to regularly update customers and partners.
Knowing what to do in the first 60 minutes involves setting the tone for your brand's crisis management in order to defend your reputation.
Step 11: Update Security Policies and Procedures
Once the immediate threat is addressed, inspect your current security policies to avoid future occurrences:
Examine vulnerabilities that permitted the attack.
Enhance access controls, multi-factor authentication, and password policies.
Modify incident response and disaster recovery plans based on experience gained.
Periodically reviewing your security stance is the secret to long-term resilience.
Step 12: Train Employees on Cybersecurity Awareness
Humans are usually the weakest point in cybersecurity. Put in place regular training programs emphasizing:
Phishing and social engineering awareness.
Correct incident reporting procedures.
Safe device and network use.
Knowing what to do in the first 60 minutes also involves empowering staff to identify and report threats early.
Step 13: Use Automation to Speed Response
To enhance your response times against cyberattacks, utilize automation tools that can:
Automatically quarantine suspicious endpoints.
Block malicious IPs or domains based on threat intel.
Trigger incident response team alerts and workflows.
Automated playbooks reduce human error and accelerate the decisions that must be made in the first 60 minutes.
Step 14: Back Up Data Frequently and Check Integrity
A strong backup plan is a critical defense against ransomware and devastating attacks:
Have frequent, secure backups of important data.
Keep backups immutable and stored offline or offsite.
Test backup restores on a regular basis.
Knowing what to do in the first 60 minutes means knowing that you can bounce back quickly from an attack without paying a ransom or losing data.
Step 15: Set Up Post-Incident Review and Continuous Improvement
Following complete recovery, carry out a comprehensive post-incident review:
Record the timeline of what happened and how you responded.
Review the strengths and weaknesses of the response.
Modify policies, training, and technical controls accordingly.
Continuous improvement based on your first-60-minutes experience lowers the chance of a future breach.

Conclusion
Understanding what to do in the first 60 minutes of a new cyberattack enables your organization to minimize damage, meet regulations, and safeguard your reputation. Preparation, rapid detection, containment, communication, and recovery planning are the foundations of an effective response.
Disclaimer
The data presented herein is for educational and informational purposes only and is not intended to be used as legal, financial, or professional advice. Each organization's cybersecurity requirements and situation are different. Readers should use competent cybersecurity experts to create and execute an incident response plan that is specifically tailored to their needs. The author and publisher make no representations or warranties with regard to actions taken or not taken based on the information provided in this blog.