The First 30 Minutes After a Suspected Breach (A Calm Playbook)

Something doesn’t feel right. Maybe someone clicked a link and their email is sending messages they didn’t write. Maybe a vendor says they received payment instructions you never sent. Maybe there’s a login from a city you’ve never been to.

You don’t need to panic. You need a short list of things to do, in order, right now.

Why this matters

The first 30 minutes after discovering a potential breach are the most important. Quick, calm action limits the damage. Panicked, unfocused action—or worse, no action—lets the problem spread. The goal isn’t to solve everything immediately. The goal is to stop the bleeding and preserve your options.

The playbook

Minute 0-5: Isolate the affected device

If a specific computer or phone is compromised:

  • Disconnect it from Wi-Fi and unplug the Ethernet cable. Don’t turn it off yet—a running machine may have forensic evidence in memory.
  • Don’t log into anything else from that device. If it has a keylogger or active malware, you’ll hand over more credentials.
  • If the compromise is an email account (not a device), skip to the next step—the “device” is the attacker’s, not yours.

Minute 5-10: Change passwords from a clean device

Use a different, trusted computer or phone:

  • Change the password for the compromised account
  • Change email password first if there’s any chance email is involved—email is the reset mechanism for everything else
  • Revoke active sessions if the service supports it (Microsoft 365: Admin center > Users > Sign out of all sessions. Google: Security > Manage devices > Sign out.)
  • Enable MFA if it wasn’t already on (this is your “never again” moment)

Minute 10-15: Check email forwarding rules

This is critical and easy to miss. Attackers frequently set up mail forwarding so they continue receiving your email even after you change the password.

  • Microsoft 365: Check Outlook Rules and the Exchange admin center for mail flow rules forwarding to external addresses
  • Google Workspace: Check Settings > Forwarding and admin routing rules

Delete any forwarding rules you didn’t create.
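If you can export the mailbox rules (Microsoft Graph returns them as JSON for a mailbox’s message rules, and a Gmail forwarding export can be mapped to the same shape), a small script makes the review less error-prone than eyeballing a rule list. The following is an added example, not part of the original post: the rules below are constructed, the organization domain `example.com` is an assumption, and the check is simply “does any rule forward, forward-as-attachment, or redirect to an address outside our domains.” Disabled rules are reported too, since the playbook says to delete anything you did not create.

```python
"""Flag mailbox rules that forward or redirect mail outside the organization.

Added example. The input is a constructed list shaped like the objects
Microsoft Graph returns for a mailbox's message rules (displayName,
isEnabled, actions.forwardTo / forwardAsAttachmentTo / redirectTo).
A Gmail forwarding export can be mapped to this shape before running it.
"""
import json

# Assumption: the organization's own mail domains. Anything else is external.
ORG_DOMAINS = {"example.com"}

# Constructed sample, not real data. Rule r3 is the shape an attacker plants:
# a bland or empty-looking name, redirecting every message to an outside address.
SAMPLE_RULES_JSON = json.dumps([
    {"id": "r1", "displayName": "Newsletters to folder", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-placeholder", "stopProcessingRules": True}},
    {"id": "r2", "displayName": "Copy invoices to finance", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"name": "Finance",
                                                 "address": "finance@example.com"}}]}},
    {"id": "r3", "displayName": ".", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"name": "",
                                                  "address": "ap.backup@mail-relay.example.net"}}],
                 "markAsRead": True}},
    {"id": "r4", "displayName": "Old vendor forward", "isEnabled": False,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "x@other.example.org"}}]}},
])

# The three rule actions that send a copy of mail somewhere else.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address's domain is not one of ours (case-insensitive)."""
    if "@" not in address:
        return True  # malformed or bare name: treat as untrusted
    domain = address.rsplit("@", 1)[1].strip().lower()
    return domain not in {d.lower() for d in org_domains}


def external_destinations(rule: dict, org_domains=ORG_DOMAINS) -> list:
    """Collect every external address a single rule forwards or redirects to."""
    found = []
    actions = rule.get("actions") or {}
    for action in FORWARDING_ACTIONS:
        for recipient in actions.get(action) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "")
            if is_external(address, org_domains):
                found.append(f"{action}:{address}")
    return found


def audit_rules(rules_json: str, org_domains=ORG_DOMAINS) -> list:
    """Return one finding per rule that sends mail outside the organization.

    Disabled rules are included: they can be re-enabled later, and the
    playbook says to delete any forwarding rule you did not create.
    """
    findings = []
    for rule in json.loads(rules_json):
        dests = external_destinations(rule, org_domains)
        if dests:
            findings.append({
                "rule_id": rule.get("id"),
                "name": rule.get("displayName", ""),
                "enabled": bool(rule.get("isEnabled", False)),
                "destinations": dests,
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES_JSON):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"[{state}] rule {f['rule_id']!r} {f['name']!r} -> {', '.join(f['destinations'])}")
```

Run it against the exported rules before you delete anything, and screenshot or save the output: it doubles as the evidence the last step of the playbook asks you to preserve.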

Minute 15-20: Assess what’s exposed

Take a breath and think about what the compromised account or device had access to:

  • Email: Could the attacker have seen client communications, invoices, or payment details?
  • Files: Could they have accessed shared drives, SharePoint, or Google Drive?
  • Financial systems: Could they have reached banking, payroll, or payment platforms?
  • Other accounts: Could they have used “forgot password” flows to reset other services?

Write this down. You’ll need it for the next steps.

Minute 20-25: Contact your bank (if financial data is involved)

If there’s any chance the attacker could initiate payments, change bank details, or access financial accounts:

  • Call your bank immediately and alert them to potential unauthorized activity
  • Check for pending transactions or recent changes to payee information
  • If you sent a wire based on fraudulent instructions, call the bank now—sometimes wires can be recalled if caught quickly

Minute 25-30: Preserve evidence and document

Don’t nuke everything blindly. You may need evidence later—for insurance, law enforcement, or understanding what happened.

  • Screenshot any suspicious emails, login alerts, or forwarding rules before deleting them
  • Save logs if you have access (sign-in logs in Microsoft 365 or Google Workspace admin)
  • Write down the timeline: When did you first notice something wrong? What did you observe? What actions did you take?
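Sign-in logs exported from the admin console are the quickest way to fill in that timeline, and sorting them by time with the unusual entries marked gives you the “when did they get in” anchor for the exposure assessment. The following is an added example, not part of the original post: the log entries are constructed, the field names follow an Entra ID (Microsoft 365) sign-in export (`createdDateTime`, `userPrincipalName`, `ipAddress`, `location`, `status.errorCode` where 0 means success), and the “expected location” of Portland, US is an assumption standing in for wherever the user normally works. Google Workspace login audit events carry the same facts under other names and would need mapping to this shape first.

```python
"""Turn exported sign-in log entries into a written incident timeline.

Added example, not from the original playbook. Entries are constructed and
mirror fields in an Entra ID (Microsoft 365) sign-in export: createdDateTime,
userPrincipalName, ipAddress, location.city / location.countryOrRegion,
status.errorCode (0 = success), appDisplayName.
"""
import json
from datetime import datetime
from typing import Optional

# Assumption: the place(s) this person normally signs in from.
EXPECTED_LOCATIONS = {("Portland", "US")}

# Constructed sample, not real data. Deliberately out of order, as exports
# often are: two normal sign-ins, plus two failures and one success from an
# IP and city the user has never used. Any nonzero errorCode is a failure.
SAMPLE_SIGNINS_JSON = json.dumps([
    {"createdDateTime": "2024-03-04T17:30:00Z", "userPrincipalName": "dana@example.com",
     "ipAddress": "203.0.113.10", "location": {"city": "Portland", "countryOrRegion": "US"},
     "status": {"errorCode": 0}, "appDisplayName": "Outlook"},
    {"createdDateTime": "2024-03-04T13:47:02Z", "userPrincipalName": "dana@example.com",
     "ipAddress": "198.51.100.77", "location": {"city": "Amsterdam", "countryOrRegion": "NL"},
     "status": {"errorCode": 50126}, "appDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2024-03-04T08:02:11Z", "userPrincipalName": "dana@example.com",
     "ipAddress": "203.0.113.10", "location": {"city": "Portland", "countryOrRegion": "US"},
     "status": {"errorCode": 0}, "appDisplayName": "Outlook"},
    {"createdDateTime": "2024-03-04T13:48:15Z", "userPrincipalName": "dana@example.com",
     "ipAddress": "198.51.100.77", "location": {"city": "Amsterdam", "countryOrRegion": "NL"},
     "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2024-03-04T13:47:40Z", "userPrincipalName": "dana@example.com",
     "ipAddress": "198.51.100.77", "location": {"city": "Amsterdam", "countryOrRegion": "NL"},
     "status": {"errorCode": 50126}, "appDisplayName": "Office 365 Exchange Online"},
])


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the export ('Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_timeline(log_json: str, expected=EXPECTED_LOCATIONS) -> list:
    """Sort entries by time and tag each with what a responder cares about."""
    entries = sorted(json.loads(log_json), key=lambda e: parse_time(e["createdDateTime"]))
    timeline = []
    for e in entries:
        loc = e.get("location") or {}
        place = (loc.get("city"), loc.get("countryOrRegion"))
        flags = []
        if place not in expected:
            flags.append("new-location")
        if (e.get("status") or {}).get("errorCode", 0) != 0:
            flags.append("failed")
        timeline.append({
            "time": parse_time(e["createdDateTime"]),
            "user": e.get("userPrincipalName", ""),
            "ip": e.get("ipAddress", ""),
            "place": f"{place[0]}, {place[1]}",
            "app": e.get("appDisplayName", ""),
            "flags": flags,
        })
    return timeline


def first_unexpected_success(timeline: list) -> Optional[dict]:
    """Earliest successful sign-in from a location not on the expected list.

    This is the best available 'attacker was in' marker and anchors the
    exposure window you write down for the assessment step.
    """
    for t in timeline:
        if "new-location" in t["flags"] and "failed" not in t["flags"]:
            return t
    return None


def failures_before(timeline: list, event: dict) -> int:
    """Failed attempts from the same IP before the given event (guessing, or a stolen password?)."""
    return sum(1 for t in timeline
               if t["ip"] == event["ip"] and "failed" in t["flags"] and t["time"] < event["time"])


def render(timeline: list) -> str:
    """Plain-text timeline suitable for pasting into the incident notes."""
    lines = []
    for t in timeline:
        mark = " <-- " + ",".join(t["flags"]) if t["flags"] else ""
        lines.append(f"{t['time'].isoformat()}  {t['user']}  {t['ip']:<15} {t['place']:<14} {t['app']}{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_SIGNINS_JSON)
    print(render(tl))
    hit = first_unexpected_success(tl)
    if hit:
        print(f"\nFirst success from a new location: {hit['time'].isoformat()} "
              f"from {hit['ip']} ({hit['place']}), after {failures_before(tl, hit)} failed attempts")
```

Two failures followed immediately by a success from the same new IP reads differently from a single clean success (guessing versus a password that was already known), so record that count alongside the time; it is the kind of detail insurers and responders ask for later.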

After the first 30 minutes

Once the immediate bleeding is stopped:

  • Notify affected parties. If client data or financial information may have been exposed, tell them. This is both ethical and often legally required.
  • Review other accounts. The compromised credentials may have been reused elsewhere.
  • Check your backups. If ransomware is involved, you’ll need clean backups to restore from.
  • Get help if needed. If the scope is beyond what you can confidently handle, bring in someone with incident response experience. The sooner, the better.

Common mistakes

  • Turning off the affected computer immediately. This destroys evidence in memory. Disconnect from the network first. Power off only if the situation is actively spreading (like ransomware encrypting files in real time).
  • Changing passwords from the compromised device. If the device has malware, you’re handing the attacker your new passwords.
  • Forgetting about forwarding rules. Changing the password doesn’t help if the attacker is still getting copies of every email.
  • Deleting everything to “be safe.” You may destroy evidence you need for insurance claims, legal action, or understanding the scope of the breach.
  • Not telling anyone. Hoping it’ll blow over doesn’t work. Early communication limits financial damage and maintains trust.

Quick checklist

  • Affected device disconnected from network (not powered off)
  • Passwords changed from a clean device
  • Active sessions revoked
  • Email forwarding rules checked and cleaned
  • Exposure assessed (email, files, financial, other accounts)
  • Bank contacted if financial systems involved
  • Evidence preserved (screenshots, logs, timeline)
  • Affected parties notified as needed

This post is part of the Minimum Security Posture series.

If you’d like a second set of eyes, I can run through this with you and point out the top risks in your setup—no pressure.
