OneCyberShield Briefing 009  ·  Incident Response  ·  May 7, 2026

The first 24 hours of a cyberattack on your city.

An hour-by-hour playbook for what to do, who to call, and what not to touch when ransomware hits. The first 24 hours determine the next 24 months. Most cities improvise these decisions and pay for the improvisation. This briefing is the operational playbook for the people who will actually be in the room.

The first 24 hours of a cyberattack on your city determine the next 24 months. Decisions made in the first day shape the recovery cost, the legal exposure, the regulatory response, the insurance outcome, and the level of citizen trust your government will operate under for years.

Most municipalities improvise these decisions. Most municipalities pay for that improvisation. This briefing is the operational playbook, organized by hour, for the people who will actually be in the room when it happens. Print it. Put it in the IR binder. Run a tabletop against it. The goal is to make the decisions in advance, when nobody is panicked, so that the people doing the responding are doing what was already decided rather than inventing it under pressure.

Section 01 · Hour 0 — Detection

Detection rarely looks like a movie. There is no klaxon. There is usually one of the following: an employee calls the help desk because their workstation is locked with a ransom note, a system administrator notices that backups failed in an unusual way, a department head reports a "weird email," or a vendor calls because their monitoring saw your network connecting to something it should not have. Sometimes the first signal is a citizen complaint that the water billing system is showing the wrong balances.

The instinct in the first minutes is wrong. The instinct is to "fix" the affected machine: reboot it, log in as administrator, run a scan, see if it goes away. Do not. The first action is preservation, not remediation. Isolate the machine from the network (pull the cable, disable Wi-Fi) but leave it powered on, photograph the ransom note, record the time and who reported it, and stop touching it until the responders say otherwise.
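The signals described above (a workstation suddenly renaming files, a ransom note appearing on a share) are what a monitoring platform has to turn into an alert. The following is an added example, not code from OneCyberShield or from this briefing: a detection heuristic run over constructed file-audit events. The log format, the thresholds and the ransom-note filename pattern are assumptions made for the example; a real deployment would feed it file-server audit or EDR telemetry and tune the baseline extension list against the city's own bulk jobs.

```python
"""Hour 0 detection heuristic for ransomware-style file activity.

Added example for this briefing (not OneCyberShield code). It scores
constructed file-audit events per host on two signals: a burst of renames
that all land on one previously unseen extension across several directories,
and the creation of ransom-note style files. The log format, thresholds and
ransom-note pattern are assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "timestamp host user action path[ -> newpath]".
SAMPLE_LOG = r"""
2026-05-07T08:01:02 FIN-WS-14 svc_backup rename C:\Shares\Billing\q1.xlsx -> C:\Shares\Billing\q1.xlsx.lk9z
2026-05-07T08:01:03 FIN-WS-14 svc_backup rename C:\Shares\Billing\q2.xlsx -> C:\Shares\Billing\q2.xlsx.lk9z
2026-05-07T08:01:03 FIN-WS-14 svc_backup rename C:\Shares\HR\roster.docx -> C:\Shares\HR\roster.docx.lk9z
2026-05-07T08:01:04 FIN-WS-14 svc_backup rename C:\Shares\HR\benefits.pdf -> C:\Shares\HR\benefits.pdf.lk9z
2026-05-07T08:01:05 FIN-WS-14 svc_backup rename C:\Shares\Permits\2026.mdb -> C:\Shares\Permits\2026.mdb.lk9z
2026-05-07T08:01:06 FIN-WS-14 svc_backup rename C:\Shares\Permits\scans.zip -> C:\Shares\Permits\scans.zip.lk9z
2026-05-07T08:01:07 FIN-WS-14 svc_backup rename C:\Shares\Water\meters.csv -> C:\Shares\Water\meters.csv.lk9z
2026-05-07T08:01:08 FIN-WS-14 svc_backup rename C:\Shares\Water\rates.xlsx -> C:\Shares\Water\rates.xlsx.lk9z
2026-05-07T08:01:09 FIN-WS-14 svc_backup create C:\Shares\Water\RECOVER-FILES.txt
2026-05-07T08:15:30 ENG-WS-03 asmith rename C:\Users\asmith\draft.docx -> C:\Users\asmith\memo_final.docx
2026-05-07T08:16:02 ENG-WS-03 asmith create C:\Users\asmith\notes.txt
2026-05-07T09:40:11 FILE-SRV-01 svc_backup create D:\Backups\nightly.log
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (rename|create|write|delete) (.+)$")
# Heuristic: ransom notes are usually plain text/HTA files with "decrypt",
# "recover", "restore" or "readme" in the name. Assumption for this example.
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|readme)[\w\- ]*\.(txt|hta|html?)$", re.I)
# Extensions that legitimately appear in bulk renames; tune to the environment.
BASELINE_EXTS = {"docx", "xlsx", "pdf", "csv", "txt", "zip", "mdb", "pptx", "log"}


def split_path(path):
    """Return (directory, basename) for Windows or POSIX style paths."""
    head, _, base = path.replace("/", "\\").rpartition("\\")
    return head, base


def extension(path):
    base = split_path(path)[1]
    return base.rpartition(".")[2].lower() if "." in base else ""


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable lines are skipped, not fatal
        ts, host, user, action, rest = m.groups()
        src, _, dst = rest.partition(" -> ") if action == "rename" else (None, None, rest)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "action": action, "src": src, "path": dst})
    return events


def detect(events, window=timedelta(seconds=60), rename_threshold=5, dir_threshold=3):
    """Return {host: [reasons]} for hosts whose activity looks like encryption."""
    alerts = defaultdict(list)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        renames = [e for e in evs if e["action"] == "rename"]
        best = {}  # ext -> (count, distinct dirs) over the densest window
        for i, start in enumerate(renames):
            counts, dirs_by_ext = defaultdict(int), defaultdict(set)
            for ev in renames[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                ext = extension(ev["path"])
                if ext and ext not in BASELINE_EXTS:
                    counts[ext] += 1
                    dirs_by_ext[ext].add(split_path(ev["path"])[0])
            for ext, n in counts.items():
                if n > best.get(ext, (0, 0))[0]:
                    best[ext] = (n, len(dirs_by_ext[ext]))
        for ext, (n, ndirs) in sorted(best.items()):
            if n >= rename_threshold and ndirs >= dir_threshold:
                alerts[host].append(f"{n} renames to new extension .{ext} across {ndirs} "
                                    f"directories within {int(window.total_seconds())}s")
        for ev in evs:
            if ev["action"] == "create" and RANSOM_NOTE_RE.search(split_path(ev["path"])[1]):
                alerts[host].append(f"ransom-note style file created: {ev['path']}")
    return dict(alerts)


def ransomware_alerts(log_text=SAMPLE_LOG):
    return detect(parse_events(log_text))


if __name__ == "__main__":
    for host, reasons in ransomware_alerts().items():
        print(host, *reasons, sep="\n  ")
```

On the constructed log, FIN-WS-14 trips both rules and the two benign hosts trip neither; the user renaming a draft to a new .docx name stays below threshold and on a baseline extension. The rename rule is the one that fires first in a real incident, often minutes before anyone reads the note, which is the window the rest of this briefing is about.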

Section 02 · Hours 1 to 2 — Emergency Decisions

The decision-maker is on the phone. The IT director or CISO is on site. The city manager has been notified. What happens in the next two hours determines almost everything that follows.

Activate the incident response retainer. If you have a retainer with an IR firm, use it now. Their on-call number is in the playbook. If you do not have a retainer, this hour is consumed shopping for one. The cost difference between a retainer-priced engagement and an emergency engagement is typically a factor of two to three. Cities without retainers learn this in the worst possible context.

Begin network segmentation. Disconnect affected segments from the rest of the network and, importantly, from the internet. Assume the attacker is watching your network traffic and possibly your communications. Disconnection does not have to mean shutting down: it means cutting the routing, at the switch or firewall, so that affected hosts stay powered on with their memory intact while nothing can reach them or leave through them. Check backup servers and domain controllers early, because both are primary targets.

Stop using the compromised network for incident communications. Move IR coordination to phones, personal email accounts on devices not connected to the city network, or a known-clean out-of-band channel established for this purpose in your IR plan.

Do not pay anything yet. Do not even consider paying yet. The decision to pay or not pay is an executive decision that comes hours later, with information you do not yet have.

Section 03 · Hours 2 to 4 — Federal and Law Enforcement Notification

Three federal contacts, in order:

The local FBI field office. Every state has at least one. The number is in your IR plan (and if it is not, find it now, before the incident, and add it). The FBI field office connects you to federal cyber resources, including potential decryption tools that have not been publicly released, and creates a paper trail that helps with insurance, litigation, and regulatory inquiries.

The Internet Crime Complaint Center (IC3) at ic3.gov. Filing a report with IC3 is part of the federal response architecture and is generally expected by insurance carriers as part of a documented response.

CISA. The Cybersecurity and Infrastructure Security Agency coordinates federal cyber response; incidents can be reported through report@cisa.gov or the reporting form on cisa.gov. Reporting to CISA triggers their incident-response coordination resources where appropriate. CISA's regional offices, which were rebuilt during 2026 after the federal staffing cuts, are now playing an active role in CI Fortify-aligned response.

None of these contacts obligates you to pay or not pay. None of them takes control of your incident from you. They provide resources and create documentation. Cities that skip these notifications can find their cyber insurance claims denied later because the carrier required law-enforcement notification as a condition of coverage.

Section 04 · Hours 4 to 6 — Communications Strategy

Three audiences. Different messages. One spokesperson.

Internal staff. The IT team needs to know they are in an active incident response. Department heads need to know which systems are unavailable and what to tell their staff. The mayor or county executive needs to be briefed even if not yet involved in operational decisions. Council leadership needs an early heads-up.

Council and elected officials. A briefing, often in executive session if your municipal code allows. The briefing should cover what is known, what is not, who is responding, and the timeline for the next update. Avoid speculation. Set expectations for follow-up.

The public. Not yet, in detail. But within the first six hours, the city should have a holding statement ready: "We are aware of an incident affecting some of our IT systems and are working with law enforcement and security professionals to investigate. We will share more information as soon as we have confirmed details."

Designate one spokesperson. Multiple voices speaking to the public produce contradictions, which produce headlines. The spokesperson is usually the city manager, the mayor, or the public information officer, depending on the city's structure. The spokesperson does not have to be the IT director, and probably should not be.

Section 05 · Hours 6 to 12 — Investigation Begins

The forensic team has arrived, in person or remote. Initial scope assessment is underway, and its findings drive the decisions in this window.

Notify your cyber insurance carrier. Most policies require notice within a short window, commonly 24 to 72 hours or "as soon as practicable." Late notification is one of the most common reasons for claim denial. Notification is typically through a dedicated incident hotline. The carrier will assign breach counsel (a lawyer) and may assign their own incident response vendor to work alongside yours.

The pay-or-don't-pay decision usually surfaces in this window. The decision is an executive decision, not an IT decision. The considerations include whether your insurance covers ransom payments at all, whether the threat actor is on the U.S. Treasury OFAC sanctions list (paying a sanctioned entity is illegal regardless of any other consideration), how viable your backup recovery actually is, what data was exfiltrated, and what your communications strategy supports.

The November 2023 attack on the Municipal Water Authority of Aliquippa, Pennsylvania is instructive. The threat actor, CyberAv3ngers, is attributed to Iran's Islamic Revolutionary Guard Corps, an organization already under U.S. sanctions, and in February 2024 Treasury designated the IRGC-affiliated officials behind the group. That incident was a defacement of a Unitronics PLC rather than a ransom demand, but the lesson holds: had payment been demanded, paying would have been illegal under U.S. law, regardless of operational pressure. Most U.S. cities now decline to pay, both as a matter of FBI guidance and because the legal and reputational costs of paying often exceed the costs of recovering without payment.

Section 06 · Hours 12 to 24 — Stabilization

By the end of the first day, the incident has either stabilized or escalated. Stabilization means the attacker's known access paths are cut, the affected systems are contained, and the focus has shifted from stopping the bleeding to recovering function. Treat "the attacker no longer has access" as a hypothesis until the forensic team has identified the initial entry point and any persistence mechanisms; eviction attempted before that understanding often has to be repeated.

Recovery activities in this window typically include restoring critical services from clean backups (after forensic clearance), standing up parallel infrastructure for the most essential functions if recovery from the existing environment will be slow, and beginning the resident-notification process for any compromised personal data. Many state breach notification laws set a deadline in the 30 to 60 day range and others require notice without unreasonable delay, but either way the planning starts now.

The CI Fortify framework's "isolation" pillar is highly relevant in this window. The question is no longer "do we have isolation capability?" The question is "can we operate the critical services in this isolated state for as long as recovery takes?" Cities that have practiced isolation can answer yes. Cities that have not are improvising.

Section 07 · Things Not to Do in the First 24 Hours

What kills incidents

Most of the avoidable damage in municipal ransomware incidents comes from a small number of predictable mistakes in the first 24 hours. Each mistake on this list has cost cities millions, and each is preventable.

Do not power off servers. Powering off destroys volatile memory, which holds evidence of the attacker's activity and, in some cases, the keys in use by the encryption process. Disconnect, do not power down: pull the network cable or shut the switch port, and let the forensic team capture memory before anything is rebooted.

Do not delete logs or files. Any deletion, even of seemingly malicious files, destroys evidence. Let the forensic team decide what to preserve and what to remove.

Do not communicate about the incident on the same network. Email, Teams, internal chat, and most enterprise collaboration tools route through the network the attacker has compromised. Move incident communications off-network.

Do not pay impulsively. The pay-or-don't-pay decision deserves hours of considered analysis with executive, legal, and insurance counsel. It does not deserve to be made in the first three hours by a single person who is trying to make the problem go away.

Do not let unauthorized staff "fix" things. The IT director's friend with a security background is not your incident responder. Helpful amateurs in the first 24 hours destroy more value than they create.

Do not promise things publicly that you cannot deliver. Saying "no resident data was affected" before the investigation is complete is the kind of statement that turns a manageable incident into a credibility crisis when the eventual disclosure shows otherwise.

Do not skip the federal notification or the insurance notification. Insurance notification is a condition of coverage, and law-enforcement notification is frequently a policy condition and, in some states and sectors, a legal one. Skipping either creates problems that compound for months afterward.

Section 08 · Decision Tree for the Pay-or-Don't-Pay Question

This decision belongs to the chief executive, in consultation with legal counsel, the insurance carrier, and the FBI. It is not a vote. It is a structured decision with a small number of inputs.

Is the threat actor on the U.S. Treasury OFAC sanctions list? If yes, payment is illegal under U.S. law. The decision is made.

Does your insurance policy cover ransom payments? Many policies now exclude ransom payments specifically. If not covered, the city pays from the general fund. This usually changes the calculation.

Are the backups viable? If recovery from backups is realistic in a reasonable timeline, payment becomes harder to justify. If backups are corrupt, encrypted, or missing, the calculus changes.

What is the data exfiltration risk? If the attackers have data they will publish regardless of payment (the modern double-extortion model), payment may not actually solve the disclosure problem.

What is the FBI's read on this specific group? The FBI tracks payment-versus-non-payment reliability for known groups. Some groups deliver decryption keys reliably after payment. Others do not. The field office can advise.

The federal government's official position is to discourage payment. That position is not legally binding on most municipal operators, but it shapes the regulatory and reputational environment in which the decision is made. Some states have gone further: North Carolina and Florida, for example, prohibit state and local government entities from paying ransoms at all, so in those states the decision tree starts and ends with the statute.
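The sanctions check in Section 05 and the decision inputs listed above are the kind of thing that should be written down before the incident, so the person in the room is applying a checklist rather than arguing it from memory. The following is an added example, not OneCyberShield's code or a tool the briefing describes: it screens the identifiers a city actually holds after an attack (the group name from the ransom note and the payment wallet) against a sanctions-list snapshot, then walks the inputs in the order given above. The sanctions rows, the group names and wallet address, the state-law flag and the FBI reliability value are all constructed for the example; in practice the SDN list is downloaded from Treasury, counsel confirms the state statute, and the FBI field office supplies the reliability read.

```python
"""Pay-or-don't-pay inputs, encoded as an ordered checklist.

Added example for this briefing, not OneCyberShield code. The sanctions
snapshot is constructed and simplified: Treasury publishes the real SDN list
as CSV/XML, and it includes digital currency addresses as identifiers.
Matching here is exact on normalized names and on wallet strings; a real
screen also uses fuzzy matching and is re-run by counsel.
"""
import re
from dataclasses import dataclass

# Constructed snapshot: fictional entries, not real SDN records.
SDN_SNAPSHOT = [
    {"name": "HYPOTHETICAL CRIME CREW", "aliases": ["HCC", "H.C.C. Team"],
     "program": "CYBER2",
     "digital_currency_addresses": ["bc1qexamplesanctioned000000000000000000001"]},
    {"name": "EXAMPLE SANCTIONED PERSON", "aliases": [], "program": "SDGT",
     "digital_currency_addresses": []},
]


def normalize(name):
    """Casefold and strip punctuation/spaces so 'H.C.C. Team' == 'hcc team'."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())


def screen_sanctions(actor_name, wallet_address, sdn=SDN_SNAPSHOT):
    """Return a list of hit descriptions; an empty list is not proof of a clean actor."""
    hits = []
    n, w = normalize(actor_name), wallet_address.strip()
    for entry in sdn:
        names = [entry["name"], *entry["aliases"]]
        if n and any(normalize(x) == n for x in names):
            hits.append(f"actor name matches SDN entry '{entry['name']}' ({entry['program']})")
        if w and w in entry["digital_currency_addresses"]:
            hits.append(f"ransom wallet {w} is listed under SDN entry '{entry['name']}'")
    return hits


@dataclass
class Inputs:
    actor_name: str
    wallet_address: str
    state_law_prohibits_payment: bool   # confirmed by counsel, assumption here
    insurance_covers_ransom: bool
    backups_viable: bool
    data_exfiltrated: bool
    fbi_reliability: str = "unknown"    # "reliable", "unreliable" or "unknown"


def evaluate(inp, sdn=SDN_SNAPSHOT):
    """Walk the inputs in the briefing's order; legal bars end the tree early."""
    hits = screen_sanctions(inp.actor_name, inp.wallet_address, sdn)
    if hits:
        return {"status": "prohibited", "rationale": ["OFAC: " + h for h in hits]}
    rationale = ["OFAC: no exact SDN match on the identifiers held (counsel re-screens)"]
    if inp.state_law_prohibits_payment:
        rationale.append("state statute bars this entity from paying")
        return {"status": "prohibited", "rationale": rationale}
    if not inp.insurance_covers_ransom:
        rationale.append("insurance: ransom not covered; any payment comes from the general fund")
    if inp.data_exfiltrated:
        rationale.append("exfiltration: payment does not control disclosure of data already taken")
    if inp.fbi_reliability != "reliable":
        rationale.append(f"FBI read on group: {inp.fbi_reliability}; no assurance a key arrives after payment")
    if inp.backups_viable:
        rationale.append("backups: viable restore path; payment is hard to justify")
        return {"status": "recommend_decline", "rationale": rationale}
    rationale.append("backups: not viable; executive decision with legal, carrier and FBI")
    return {"status": "executive_review", "rationale": rationale}


if __name__ == "__main__":
    # Constructed scenario: unknown group, unlisted wallet, backups encrypted too.
    result = evaluate(Inputs("Unknown Crew", "bc1qunlisted", False, False, False, True))
    print(result["status"])
    for line in result["rationale"]:
        print(" -", line)
```

Two design points. The legal bars (OFAC, state statute) return before any of the business inputs are weighed, because no backup status or insurance term changes the answer once payment is unlawful. And "no match" is reported as exactly that, not as "not sanctioned": ransomware brands are rebranded and wallets rotate, which is why the screen is re-run by counsel and the FBI read is a separate input.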

Section 09 · Beyond the First 24

The first 24 hours are the highest-leverage window. The next windows matter too:

Days 2 through 7: Recovery acceleration. Restore additional services. Stand up workarounds. Begin staff retraining on temporary processes.

Days 7 through 30: Notifications and legal. Resident notifications begin. State attorney general engagement. Initial class-action complaints often filed in this window.

Days 30 through 90: Service restoration and audit. Most services back online. Insurance claim adjudication active. Forensic report finalized. Council and public reporting on what happened and what is changing.

Months 3 through 12: Litigation and regulatory. Class actions progress. Insurance disputes resolve or escalate. State and federal regulatory inquiries continue.

Year 1 onward: Cultural rebuilding and infrastructure overhaul. Staff turnover. Trust rebuilding. Strategic cybersecurity reinvestment. Insurance renewal under tightened terms.

Section 10 · How OneCyberShield Supports the First 24

OneCyberShield is not an incident response firm. We do not run the IR engagement. But the products we deploy substantially shape what the first 24 hours look like for cities that use them.

The Threat Intelligence and SOC Platform drives the Hour 0 detection. Cities with 24/7 monitoring discover incidents in hours, not weeks. Network Defense supports the rapid segmentation needed in Hour 1. The Immutable Backup and Recovery architecture preserves the recovery path that the pay-or-don't-pay decision depends on. Across all four pillars, the platform's audit-ready logging supports the forensic investigation in Hours 6 to 12 and the insurance claim documentation that follows.

The most important thing OneCyberShield does for the first 24 hours, however, happens before the incident. The platform exists so that the IT team has visibility, the architecture supports isolation, and the recovery options are real, before anyone needs them. The cities that handle the first 24 hours well are the cities that prepared for them. The cities that fail the first 24 are the cities that improvise.

For the financial cost of getting these hours wrong, see Briefing 006. For the federal expectations on isolation and recovery capability, see Briefing 005.


Dr. James E. Hrubes, Ph.D.

Chief Technology & Infrastructure Security Officer

James leads OneCyberShield's command-and-control operations, the framework connecting every client deployment to a coordinated security posture. His specialty is ensuring seamless communication between technology systems, security operations, and the personnel who run them across municipal infrastructure, public utilities, and critical facilities.

Want a tabletop walkthrough before you need one?

OneCyberShield can run a private tabletop exercise against your specific environment, free, as part of a no-pressure briefing. The exercise alone reveals more about your readiness than most cities have ever assessed. Plain English. No pitch.
