It’s 3 AM. Your monitoring alerts are going crazy. Unauthorized access detected. Customer data potentially exposed.
Most founders freeze in this moment. They delete tweets, ignore messages, hope it blows over. The public relations industries call this “the panic response”—and it makes everything worse.
You don’t need a crisis team on retainer. You need a clear plan you can execute under pressure. This checklist walks you through the first 24 hours, based on real incidents from startups that survived.
Hour 0-2: Stop the Bleeding
Your hands are shaking. You just confirmed the breach. Start here, in this order.
Stop the breach immediately. Disable compromised accounts. Rotate all credentials. Document everything with screenshots, logs, and exact timestamps. Don’t post anything publicly yet. Start a private incident log in Google Docs.
Your incident log needs the time you discovered the breach, how you found out, which systems were accessed, a preliminary data exposure assessment, and every action you take.
Buffer discovered their 2013 breach and contained it in 90 minutes. They succeeded because they documented first, then acted methodically. No panic posting on Twitter.
The biggest mistakes founders make right now: tweeting “we’ve been hacked” before knowing the scope, deleting evidence while trying to “clean up,” and waiting because they’re embarrassed.
Hour 2-4: Know What You’re Dealing With
The breach is contained. Now figure out what was exposed.
Identify exactly what data was accessed. List affected users if possible. Check if payment information was compromised. Verify attackers have no remaining access. Determine if passwords or API keys were stolen.
Answer these three questions before you do anything else: Was customer data exposed? Can the attacker get back in? Is this still happening?
If you can’t answer these confidently, call a security consultant now. Two hours of expert help costs less than the lawsuit from guessing wrong.
Hour 4-8: Prepare Your Message
You know what happened. Tell customers before they find out from Reddit.
Draft your email to affected users. Write a holding statement for social media. Prepare an FAQ for your support team. Update your status page. Schedule sends—unless it’s urgent, don’t email at 4 AM.
Here’s the email template that works:
Subject: Security Incident—Action Required
We discovered unauthorized access to our systems on [date/time].
What happened: [2-3 sentences, specific but clear]
What was affected: [Exact data exposed]
What we did: [Actions to stop breach]
What you should do: [Specific steps like password changes]
What’s next: [Security improvements, timeline]
Reply with questions or check [status page link].
For social media, keep it simple: “We’re investigating a security incident. Customer data may be affected. Emailing impacted users directly. Updates: [status page link]”
Skip these phrases entirely: “We take security seriously” (meaningless now), “Your data is safe” (it wasn’t), and “Sophisticated attack” (sounds like an excuse).
Notify customers within 8 hours of confirming the breach. Waiting longer kills trust faster than the breach itself.
Hour 8-12: Go Live
Send your messages. Handle the responses.
Send the email to affected users. Post your status update. Post your social statement. Monitor all replies. Brief your support team with the FAQ. Set up a dedicated breach email address.
Your support team should acknowledge every message within one hour. Use approved FAQ responses. Escalate anything unusual immediately.
Expect angry emails and refund requests. This is normal. Take breaks. Eat something. You need stamina for the next 12 hours.
Hour 12-18: Manage the Fallout
Initial panic is settling. Now you manage what comes next.
Respond to any journalist inquiries. Address trending social posts. Offer concrete remediation like credit monitoring or refunds. Update your status page with progress. Check in with your team.
If journalists contact you, here’s what to say: “We discovered unauthorized access on [date]. We contained it immediately and notified affected users. We’re working with security experts. Impacted customers received specific protection steps via email.”
When should you offer compensation? If payment data was exposed, offer credit monitoring. If service went down, offer account credits. For major trust breaches, consider proactive refunds.
The math matters here. Offering $50 credits to 200 users costs $10K. It prevents 150 churns worth $45K in annual revenue. Offer compensation before they ask.
Hour 18-24: Build the Foundation
The worst is over. Time to rebuild and prevent round two.
Schedule a security audit—external if you can afford it. Draft a post-mortem for public release in 5-7 days. Implement immediate security fixes. Plan your customer follow-up. Document lessons learned internally.
Your post-mortem should cover what happened with a clear timeline, the root cause in technical but understandable terms, immediate actions taken, changes you’re implementing, and prevention measures.
Companies that publish detailed post-mortems recover trust faster. Share your timeline, your mistakes, your fixes.
Send a follow-up email 3-5 days later. Update customers on investigation progress and security improvements made.
After Day 1
In week one, complete your audit, publish the post-mortem, implement fixes, and monitor churn.
In weeks 2-4, share your improvements, consider security certification, update documentation, and train your team.
Track your recovery by monitoring churn rate, support sentiment, social mentions, and new signup rates.
Budget expectations: If you’re under $50K MRR, expect $2K-$5K for immediate fixes. Over $100K MRR, budget $10K-$20K.
One SaaS we studied had 12% churn in month one. By month three, they recovered to 3% through transparent communication.
When to Get Help
Call a crisis consultant if media is covering the breach, over 10K users are affected, payment card data was stolen, or you’re getting legal threats.
Call a lawyer if GDPR or CCPA applies, health or financial data was exposed, or class action threats emerge.
Crisis PR support for 48 hours runs $2K-$5K. That’s cheaper than losing 40% of your customers.
Set Up Now
Before you need it, document your incident response plan. Create a security contact list. Write communication templates. Set up a status page—even the free tier works. Schedule regular security audits.
Free tools that help: Statuspage.io, Sentry, pre-written templates in Google Docs.
Bottom Line
If you’re building a SaaS, you will face a security incident. The difference between startups that survive and ones that die comes down to speed, transparency, and having a plan.
Copy this checklist. Put it in your wiki. Share it with your co-founder. Run through it once while you’re calm, so you’re not figuring it out at 3 AM.
