Cyber Defense Tactics

Learn defensive security, leverage AI for cyber defense, and join a community of security professionals.

© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Level: beginner · Free

First Responder Checklist

Universal first steps for any security incident, designed for IT staff who may be first on scene.

15-30 min · 5 steps · 10 checklist items

Summary

Quick-reference checklist for the critical first minutes of any security incident, focusing on preservation and escalation.

Step-by-Step Procedure

Step 1: Stay Calm and Document

Your first priority is to document what you observe.

Actions

  • Note the exact date and time you were notified
  • Record who reported the incident and how
  • Document your initial observations
  • Take screenshots of any visible indicators
  • Start a timeline of events and your actions

Tips

  • Use a shared document or incident management system
  • Assume everything you document may be used in legal proceedings
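
The timeline the step above asks you to start is easiest to defend later if it is append-only and tamper-evident. The following is an added example (not code from Cyber Defense Tactics) of a small JSON Lines timeline where each entry stores a UTC timestamp, the actor, the action, free-text details and the SHA-256 of the previous line; the file name, the `GENESIS` convention and the sample entries are assumptions made for the illustration.

```python
"""Append-only, hash-chained incident timeline stored as JSON Lines.

Added example for this checklist (not Cyber Defense Tactics' own code).
Assumed design: every entry carries a UTC timestamp, who acted, what they did,
free-text details and the SHA-256 of the previous line. Editing or deleting an
earlier entry breaks the chain, which verify_chain() reports.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # "previous hash" for the very first entry (our convention)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _last_line_hash(path: Path) -> str:
    """Hash of the last existing line, or GENESIS for a new/empty file."""
    if not path.exists():
        return GENESIS
    lines = path.read_bytes().splitlines()
    return _sha256(lines[-1]) if lines else GENESIS


def add_entry(path, actor, action, details, when=None):
    """Append one entry and return it as a dict.

    `when` defaults to the current UTC time; pass an explicit datetime to
    record when you were notified as opposed to when you wrote it down.
    """
    path = Path(path)
    when = when or datetime.now(timezone.utc)
    entry = {
        "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "details": details,
        "prev": _last_line_hash(path),
    }
    # Fixed key order and separators make the line byte-for-byte reproducible,
    # which is what the next entry's "prev" hash depends on.
    line = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    with path.open("a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return entry


def verify_chain(path):
    """True if every entry's "prev" equals the SHA-256 of the line before it."""
    expected = GENESIS
    for raw in Path(path).read_bytes().splitlines():
        if json.loads(raw).get("prev") != expected:
            return False
        expected = _sha256(raw)
    return True


if __name__ == "__main__":
    # Constructed sample session; the ticket number is a placeholder.
    log = Path("incident-timeline.jsonl")
    add_entry(log, "jdoe (IT helpdesk)", "notified",
              "Ticket <PLACEHOLDER> from asmith: unexpected MFA prompts since ~09:40")
    add_entry(log, "jdoe (IT helpdesk)", "observation",
              "Screenshot of the prompt saved as screenshot-01.png")
    print("timeline chain valid:", verify_chain(log))
```

The chain only protects entries that have a successor: the last line can be rewritten without detection, so copy the file (or its hash) into the shared incident system at regular points, which is also why the tip above prefers a shared document over a local one.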

Step 2: Assess and Classify

Make an initial assessment of the incident severity.

Actions

  • What type of incident is this? (malware, phishing, unauthorized access, etc.)
  • What systems or data are potentially affected?
  • Is the incident ongoing or historical?
  • What is the potential business impact?

Step 3: Preserve Evidence

Do not destroy potential evidence.

Actions

  • Do NOT power off affected systems (unless the system is actively destroying data)
  • Do NOT delete suspicious files or emails
  • Do NOT log in to potentially compromised accounts
  • Do NOT alert potential threat actors
  • Preserve logs before they rotate

Tips

  • When in doubt, isolate but don't modify
  • Take photos of physical indicators if relevant
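
"Preserve logs before they rotate" in practice means copying them somewhere safe and recording what you copied and its hash, without touching the originals. The following is an added example (not code from Cyber Defense Tactics) that copies a list of log files into a separate evidence directory, hashes each file before and after the copy, keeps the original modification time, and writes a `manifest.json` that can be re-verified later; the directory layout, the manifest fields and the demo log line are assumptions made for the illustration.

```python
"""Snapshot log files before rotation and record a hashed manifest.

Added example for this checklist (not Cyber Defense Tactics' own code).
Assumptions: you can read the source logs, and you write into a separate
evidence directory. Sources are only ever read, never edited or removed.
"""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Streamed SHA-256 so large logs don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir, collector):
    """Copy each source into evidence_dir, hash it before and after the copy,
    write manifest.json, and return the manifest entries."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, sources)):
        if not src.is_file():  # already rotated away, or a typo: record it, keep going
            entries.append({"source": str(src), "status": "missing"})
            continue
        before = sha256_file(src)
        stat = src.stat()
        dest = evidence_dir / f"{i:02d}_{src.name}"  # index prefix avoids name collisions
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        entries.append({
            "source": str(src),
            "copy": str(dest),
            "size": stat.st_size,
            "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(timespec="seconds"),
            "sha256": before,
            # a mismatch means the file changed during the copy (it was still being written to)
            "status": "ok" if sha256_file(dest) == before else "copy-mismatch",
        })
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "entries": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return entries


def verify_evidence(evidence_dir):
    """Re-hash every copied file; True only if all of them match the manifest."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return all(
        e["status"] == "ok" and sha256_file(e["copy"]) == e["sha256"]
        for e in manifest["entries"]
        if e["status"] != "missing"
    )


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a fake auth log in a temp dir stands in for a real system log.
    work = Path(tempfile.mkdtemp())
    fake_log = work / "auth.log"
    fake_log.write_text("Jan 1 09:41:07 ws-42 sshd[4211]: Accepted password for asmith from 198.51.100.7\n")
    entries = preserve_logs([fake_log, work / "not-there.log"], work / "evidence", "jdoe (IT helpdesk)")
    for e in entries:
        print(e["status"], e["source"])
    print("evidence verifies:", verify_evidence(work / "evidence"))
```

A `copy-mismatch` status is a signal, not an error to retry silently: it means the log was still being appended to while you copied it, so note the time and take a second snapshot rather than overwriting the first. Keep the evidence directory on separate storage from the affected system wherever possible.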

Step 4: Contain (If Safe)

Take immediate containment actions if clearly safe to do so.

Actions

  • Network-isolate affected systems via EDR or a VLAN change
  • Disable compromised accounts
  • Block known malicious IPs/domains at the firewall
  • If unsure, wait for security team guidance

Step 5: Escalate

Notify the appropriate people.

Actions

  • Contact the security team via established channels
  • Notify your direct manager
  • Do NOT discuss details on public channels
  • Provide your documented observations and timeline

Completion Checklist

  • Time and date documented
  • Initial observations recorded
  • Screenshots/photos taken
  • Systems NOT powered off
  • Evidence NOT deleted
  • Initial classification made
  • Containment actions taken (if safe)
  • Security team notified
  • Manager notified
  • Timeline started

Evidence to Collect

  • Your written observations with timestamps
  • Screenshots of indicators
  • Photos of physical evidence (if any)
  • List of potentially affected systems
  • List of people you've notified

Related Playbooks

  • Incident Classification
  • Escalation Matrix
