What to Do When You Find a Security Hole in Your Business
Steps to take (and avoid) when you discover a security vulnerability — immediate containment, communication, remediation, and follow-up guidance for different roles.
What to Do When You Find a Security Hole in Your Business
Finding a security vulnerability—whether it was discovered by an automated scanner, a pen-test, or an observant developer—can be alarming. The right response is calm, methodical, and prioritises safety over speed. This article walks through immediate steps, containment, communication, remediation, and post-incident review from three perspectives: the technician doing the fix, a consultant advising the client, and an IT director coordinating the organisation.

First Principles: Stay Calm, Preserve Evidence
Do not panic. Quick, uncoordinated changes can destroy the very evidence you’ll need to understand the root cause. Your two highest priorities are to contain the issue and preserve forensic data so the vulnerability can be analysed and remediated correctly.
Immediate Technician Steps (first 0–2 hours)
- Isolate, don’t delete: If the vulnerability is in a running service, consider isolating the host or service from the network rather than removing files. Snapshots and memory captures may be needed for analysis.
- Collect evidence: Save relevant logs, take system snapshots, preserve timestamps, copy config files, and note who discovered the issue and how. Use read-only methods where possible to avoid altering state.
- Apply temporary mitigations: If a safe, reversible mitigation exists (WAF rule, firewall block, feature toggle), apply it while preserving evidence. Avoid changes that obfuscate the vulnerability before it’s analysed.
- Inform the incident owner: Notify your security lead or the person responsible for incidents with an initial summary and list of actions you’ve taken.
Consultant / External Advisor Approach
When advising a client, prioritise clear communication and risk framing. Give them an actionable plan: short-term containment, medium-term remediation, and longer-term hardening. Be explicit about what data may have been exposed and recommend whether to involve legal counsel or data protection officers.
IT Director / Leadership Checklist
Coordinate stakeholders and make triage decisions: determine the business impact, decide on public disclosure or notification, and allocate engineering and communications resources. Ensure the incident response team has a single source of truth (ticket or incident channel) and that decisions are logged.
Quick Do / Don’t
- Do: Preserve logs and evidence; isolate the issue; inform your incident lead.
- Don’t: Publicly disclose details without legal/PR review; overwrite logs or hurriedly patch in a way that prevents root-cause analysis.
- Do: Use reversible mitigations (feature flags, network blocks) where possible.
Remediation & Verification
Once evidence is collected and the threat is contained, move to a controlled remediation: patch the code, update dependencies, rotate credentials, and remove backdoors. After fixes, validate with tests, scans, and a staged deploy before returning systems to normal operation.
Post-Incident: Learn and Harden
Conduct a blameless post-mortem that documents the timeline, root cause, decisions made, and follow-up actions. Update runbooks and automation so the same issue is faster to detect and contain next time.
If you’re unsure about scope or evidence handling, consult a professional incident responder. Mishandling an incident can increase risk and complicate legal or compliance requirements. Need help? Contact us.
Need Something Else?
Let's work together to create a custom solution that meets your needs. Contact us today.
