Incidents happen: suspicious logins, fraud, data leaks, ransomware, or social scams. The difference between a small disruption and a large loss is speed, priorities, and a calm plan. This article gives you a repeatable playbook for personal, family, or small-team incidents: how to detect issues quickly, what to do in the first 10 minutes, how to manage the first 24 hours and first week, templates for communication and escalation, and a light monthly program to reduce future incidents.

When the incident involves helping an elderly loved one recover from a scam, our Helping Grandma Stay Safe guide includes a recovery plan and 3 simple scam-avoidance lines to teach for next time.

Where helpful we show how Ivy features (Risk Checkup, Site Scanner, Shared Vaults, Masked Emails, Virtual Cards, Password Manager) speed detection and recovery. Masked emails forward messages to your inbox; forwarded messages are temporarily cached and handled per our Privacy Policy. Feature availability and integrations may vary by plan and region; see getivy.ai.

Detection: how incidents usually begin (and how to spot them fast)

Common early signals

Fast detection tools

  • Risk Checkup - surfaces exposed/reused credentials and prioritizes immediate fixes. Run it as soon as you suspect something.
  • Email & bank alerts - enable login, password, and charge alerts on email and banking accounts.
  • Site Scanner - use for suspicious links or vendor pages referenced in an incident. For the link-scanning habit that feeds into this, see Scan Before You Click.
  • Vault & audit logs - shared vaults provide an audit trail of who accessed which secret and when.

The first 10 minutes - calm containment checklist

The goal in the first 10 minutes is to stop the bleeding, preserve evidence, and create clear ownership.

Breathe & assemble

Announce an incident: short message to the recovery lead or household: "Incident detected. Containment now. See playbook."

Document everything

Screenshots, emails, timestamps, device names. Save copies to a secure location (encrypted drive or shared vault notes).

Isolate

If a device is suspected (malware or ongoing compromise), disconnect from the network (Wi-Fi off / unplug ethernet). Don't shut down if investigating a live threat that needs volatile memory capture.

Secure recovery channels

Change the primary email password from a known good device and enable authenticator-app 2FA. If the email is compromised, use shared vaulted admin access.

Freeze payments

Cancel or suspend suspect virtual cards, ask your bank to watch for suspicious charges, and cancel any merchant tokens that look risky. Virtual cards make this quick and contained.

Notify

Short notification to stakeholders (internal or household) with the incident label, the lead, and the immediate next step.

The first 24 hours - triage, restore, and stabilize

Hours 0–4: Triage & priority fixes

  • Run Risk Checkup from a secure device to find exposed credentials. Prioritize email, bank, domain registrar, and any admin accounts.
  • Rotate credentials for priority accounts - use a password manager to generate unique passphrases. Move shared credentials into a shared vault and rotate any secret the attacker may have seen.
  • Cancel suspicious payments (virtual card cancellation or bank fraud report).

Hours 4–12: Clean & recover

  • Scan devices for malware using a clean machine. If ransomware is present, isolate the device and move to the recovery playbook.
  • Restore access using documented recovery steps - do not reuse the same compromised passwords or recovery channels.
  • Contact providers (email host, bank, hosting provider) and provide evidence. Request session termination or account holds as needed.

Hours 12–24: Communication & escalation

  • Customer / public communications: prepare a short, factual statement if external users are affected (see templates below). Avoid speculation.
  • If criminal activity or significant harm: open a police report and preserve copies of evidence. Share report IDs with banks / platforms to accelerate investigations.

The first week - recover, harden, and learn

  • Full audit - run a full Risk Checkup, re-audit shared vault access, and check logs (auth, vendor, admin).
  • Restore from clean backups using your tested restore playbook. Ensure backups are not infected and keys are rotated. For a complete backup strategy - 3-2-1 rule, bus-factor roles, and test-restore procedures - see our Backup, Recovery & Bus Factor guide.
  • Post-mortem meeting - timeline, root cause, what worked, what failed, and a prioritized remediation list.
  • Implement mitigations - patch, improve access controls, and add monitoring/alerts for the same vectors.
  • Train & document - update the recovery playbook with lessons learned and run a structured tabletop drill with your team or household to practice before the next incident. Small teams: our Home Office Security guide includes a compact incident playbook and roles.

Evidence collection & templates

Evidence checklist

  • Screenshots - alerts, emails, suspicious messages.
  • Log extracts - auth logs, firewall logs, vendor logs.
  • Payment records - charge IDs, card numbers used, virtual card IDs.
  • Chain of custody - who handled evidence, when, and where stored.

Short incident report template - internal

Incident: [short title]

Detected: [timestamp]

Lead: [name + contact]

Impact: [accounts/data affected]

Containment actions taken: [list]

Next steps: [short list]

Status: [Open / Stabilized / Resolved]

Public/customer incident statement (PR template)

What happened: We detected [type of incident] on [date].

What we did: We isolated the issue, secured affected accounts, and are restoring service from verified backups. We engaged [forensics/authorities] and notified affected users.

What you should do: If you received a notice, change your password and watch for suspicious charges. If you used [affected service], we recommend [action].

Contact: [support contact], [status page link]

Commitment: We will provide updates as the investigation proceeds.

Escalation: when to involve others

Legal & insurance

If financial loss or regulatory exposure is likely.

Forensics

For complex intrusions, malware, or legal evidence preservation.

Law enforcement

When threats, fraud, or extortion occur.

PR / communications

For customer-facing incidents that may affect trust.

Have contact lists pre-staged in your shared vault (provider support, counsel, insurer, and PR) so you're not searching under pressure.

Detection & monitoring - automation you should set up

  • Email & auth alerts - enable login alerts, blocking rules, and anomalous sign-in alerts on all critical accounts.
  • Bank rules - set daily charge alerts and thresholds for immediate review.
  • Log retention - ensure auth and admin logs are available for at least 90 days.
  • Automated Risk Checkup cadence - schedule regular runs and alert for newly discovered high-risk exposures.
  • Site Scanner watchlists - maintain a short watchlist of vendor sites (payroll/vendor portals) to scan after public announcements.

Communication & tone guidelines

  • Be factual and calm. No speculation.
  • Act fast but review accuracy before public statements.
  • Own the next steps. Tell people what you are doing and when you'll provide the next update.
  • Offer practical instructions for affected users (change password, check bank).

Quick scripts (copy-paste)

Short internal alert (IM / chat)

User notification (email)

Law enforcement report starter

The light monthly routine (10 minutes)

Running this routine consistently is the best way to keep incidents small and recoverable. For the full habit-building framework around this routine, see our Security Habits & Routines guide.

  • Run Risk Checkup, remediate top 2 items.
  • Check backups & restore logs.
  • Look for failed login spikes and unusual new devices.
  • Review shared vault audit and revoke stale access.
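The two auth-log checks named above (failed-login spikes and sign-ins from unusual new devices), and the anomalous sign-in alerting from the Detection & monitoring section, as an added example that is not Ivy's code or part of the original article. The log format and the sample lines are constructed assumptions; adapt `parse_log` to whatever your email or auth provider exports.

```python
# Added example (not Ivy's code): scan auth-log lines for two signals the monthly
# routine looks for: a spike of failed logins and successful sign-ins from never-seen devices.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, one event per line: "<ISO timestamp> <user> <device_id> <result>".
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice laptop-a1 success
2024-05-01T08:02:00 alice laptop-a1 success
2024-05-02T09:10:00 bob phone-b7 success
2024-05-03T22:01:00 alice unknown-x9 fail
2024-05-03T22:01:10 alice unknown-x9 fail
2024-05-03T22:01:20 alice unknown-x9 fail
2024-05-03T22:01:30 alice unknown-x9 fail
2024-05-03T22:01:40 alice unknown-x9 fail
2024-05-03T22:02:00 alice unknown-x9 success
2024-05-04T10:00:00 bob phone-b7 success
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, user, device, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, device, result = line.split()
        events.append((datetime.fromisoformat(ts), user, device, result))
    return events

def failed_login_spikes(events, window=timedelta(minutes=5), threshold=5):
    """Return {user: peak_failures} for users with >= threshold failures inside any sliding window."""
    fails = defaultdict(list)
    for ts, user, _, result in events:
        if result == "fail":
            fails[user].append(ts)
    spikes = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                spikes[user] = max(spikes.get(user, 0), count)
    return spikes

def new_device_logins(events, known_devices):
    """Return (user, device, timestamp) for successful sign-ins from devices not in the user's known set."""
    return [(user, device, ts) for ts, user, device, result in events
            if result == "success" and device not in known_devices.get(user, set())]
```

A failure burst followed by a success from the same unknown device is the pattern worth treating as a priority-account incident rather than a routine alert.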

Incident Detection & Response - Quick Checklist

FIRST 10 MIN

  • Document evidence (screenshots, timestamps).
  • Isolate affected device.
  • Secure email - change password from clean device.
  • Stop suspicious payments (cancel virtual card).

0–24 HOURS

  • Run Risk Checkup; rotate priority passwords.
  • Run malware scans on affected devices.
  • Contact providers; request session termination.

24–72 HOURS

  • Restore from clean backups.
  • Escalate to law enforcement / forensics if needed.
  • Communicate factually to affected users.

FIRST WEEK

  • Full post-mortem; update playbook.
  • Run a test restore to verify backup integrity.

MONTHLY

  • Risk Checkup; backup verification; vault audit.

Need help? Try Ivy's incident features: Risk Checkup, shared vaults & Site Scanner at getivy.ai.

Respond faster with Ivy

Risk Checkup, Site Scanner, Shared Vaults, and virtual cards - the tools that speed every step of detection, containment, and recovery.