Identifying and containing a data breach
This article is an incident-response playbook for confirming and containing a suspected data breach rather than a vulnerability disclosure. It recommends validating the alert by checking source credibility, examining leaked samples, determining whether the data is genuinely from the organization, and correlating authentication, system, and access logs with EDR/EPP and network-analysis telemetry to identify the exfiltration source. The guide maps likely leak origins across databases, applications, email, workstation files, exposed GitHub/GitLab repositories, and compromised credentials, then scopes impact based on data sensitivity, volume, recency, and whether the leak could enable broader compromise. Containment focuses on blocking suspicious user access, isolating affected hosts or network segments, blocking exfiltration flows by IP/port/protocol, revoking active sessions, rotating passwords and SSH certificates, and hardening privileged accounts with MFA while preserving forensic evidence and meeting 72-hour reporting obligations.