Cyber Incident Response Card
A single-page emergency reference. First steps, things not to do, and the contacts to fill in before you need them. Designed for the first hour of a cyber incident, when reading anything longer isn't happening.
What's on the card
One page. Six sections. Designed to be reachable in a panic.
- Section 1 — First 5 things to do. Isolate, leave systems on, document, alert leadership, call the carrier.
- Section 2 — First 5 things NOT to do. Don't pay, don't reboot, don't use compromised email, don't engage outside the carrier's panel.
- Section 3 — Pre-filled key contacts. Carrier claim line, IR firm, breach counsel, backup vendor, MSSP/IT provider. Empty slots to fill in.
- Section 4 — Decision triage. Three questions that help you classify scope (containment, recovery, public disclosure).
- Section 5 — Notification windows reminder. Carrier 24–72 hours, HIPAA 60 days, NAIC 72 hours, SEC 4 business days, state laws vary.
- Section 6 — Emergency Kapacyber hotline. 24/7 number to reach us if you don't have an existing IR firm.
The card is a printable web document. Use your browser's Print → Save as PDF for an offline copy.
Why a single-page card
In the first hour of an incident, you don't read a playbook.
The first 60 minutes decide the outcome.
What you do (and don't do) in the first hour shapes whether you have backups left, whether forensic evidence survives, and whether your cyber-insurance claim holds up. Reading a 50-page playbook isn't happening in that hour. A single-page card might.
Most owners don't have the contacts handy.
The carrier's claim line, the IR firm's emergency number, breach counsel, the backup vendor — all critical, none usually memorised. The card has slots to fill in before you need them, so the information is reachable from a phone that isn't plugged into the compromised network.
Print it. Tape it to the inside of the server-room door.
Or laminate it for the front desk. Or save it as a PDF in your phone's downloads. The format is intentionally a single page so it ends up somewhere reachable in a panic.
In an active incident right now?
The card is the pre-prepared version. If you're actively looking at a ransom note or your systems are encrypted, the right move is the emergency intake instead.