Security at Work · Crisis management

How to organize a war room for a cyberattack (a practical guide for companies)

Quick answer

A cyber war room is a command-and-control structure activated immediately after a serious security incident is confirmed — bringing the right roles together, in a secure channel outside the compromised infrastructure, to contain the attack, preserve evidence and coordinate communications. Without this structure, critical decisions are made in panic, by the wrong people, in the wrong sequence — and the final damage can be ten times greater than the original incident. According to NIST SP 800-61, organized response capability is the main factor that separates companies that survive an attack from those that do not.

Decripte is a cybersecurity company serving businesses from 1 to 100,000+ employees — from assessment to 24x7 incident response.

Warning signs

  • Ransomware confirmed or in progress. Files being encrypted on multiple hosts, a ransom note displayed, or indicators of mass-encryption tools detected by the EDR. Immediate activation — every minute of delay can double the scope of the attack.
  • Data exfiltration underway or confirmed. Anomalous transfer of large volumes to external destinations, massive access to sensitive data repositories, or a DLP alert. If personal data or trade secrets are involved, the regulatory and reputational impact demands immediate legal coordination.
  • Privileged account compromise. Administrator, CEO, CFO credentials or access to critical systems (ERP, banking, payroll) have been compromised, or there is evidence of lateral movement within the domain. The risk of direct financial damage and advanced persistence justifies the war room.
  • Incident impacting critical operations. Production systems, customer service, payment processing or the supply chain are unavailable or degraded because of an attack. Measurable financial and reputational impact is occurring in real time.
  • Suspected insider threat with active access. Evidence that an employee, former employee or third party with legitimate access is exfiltrating data or sabotaging systems. Beyond the technical side, it requires coordination with HR, legal and possibly law enforcement from the outset.
  • Attack with imminent public or regulatory repercussion. The incident has already been or may be disclosed publicly (social media, press, dark web), or there are customers, partners or regulators who have been or will be affected. The communications dimension requires the war room to include PR and executive leadership from the first moment.

Step by step

  1. 1

    1. Confirm and isolate — do not shut down

    Before anything else, confirm this is a real incident and not a false positive. Selective network isolation (disconnecting affected segments without shutting machines down) preserves volatile memory and forensic evidence. Powering off servers hastily is one of the most costly mistakes untrained teams make.

  2. 2

    2. Activate the out-of-band communication channel

    Immediately assume that corporate email, Slack, Teams and any system hosted on your infrastructure may be compromised or monitored by the attacker. Create a group on an external, secure channel — WhatsApp Business with a dedicated number, Signal or an external crisis platform — and move all incident communication there.

  3. 3

    3. Name the Incident Commander

    A single person holds final decision authority. Without an Incident Commander, the war room becomes a committee: everyone talks, no one decides. The Commander need not be the most technical person — they need the authority to mobilize resources, approve communications and end circular discussions.

  4. 4

    4. Summon the mandatory roles

    Activate immediately: the technical IR team (containment and analysis), legal (liability, LGPD, evidence preservation), communications/PR (external narrative), the DPO if personal data is involved, and an executive with spending-approval authority. HR joins if an insider threat is suspected.

  5. 5

    5. Open the timeline log

    From the first minute, a designated person documents in real time: what was detected, when, by whom, which actions were taken and which decisions were approved by whom. This log is the foundation of the post-incident report, of communication with authorities and of any eventual legal defense.

  6. 6

    6. Establish the meeting cadence

    In the first 24 hours: status meetings every 2 hours, 20 minutes maximum. Fixed format — current state, next 3 actions, blockers. Avoid open, agenda-less meetings: they consume the time the technical team needs to work. After initial stabilization, move to 4-6 hour cycles.

  7. 7

    7. Assess the legal notification triggers

    If personal data is involved, the ANPD's legal deadline starts counting from the moment the company becomes aware of the incident. Legal and the DPO must assess within the first 2 hours whether there is an obligation to notify — the Brazilian deadline is 3 business days for a preliminary notification to the ANPD and to affected data subjects, when applicable.

  8. 8

    8. Decide on full isolation vs. monitored containment

    In some scenarios (especially espionage and APT), isolating immediately alerts the attacker and prompts them to erase their tracks. In others (active ransomware spreading), every second counts and isolation is immediate. This decision must be made by the Commander with the technical lead — never unilaterally by operational IT.

What NOT to do

  • Do not pay the ransom on impulse: payment does not guarantee data recovery, may finance organized crime, may violate international sanctions and frequently leads to a second ransom demand. This decision — if it is to be made at all — requires legal and technical analysis and specialized negotiation.
  • Do not destroy evidence by trying to 'clean' systems: formatting disks, overwriting logs or restoring backups before forensic collection eliminates your ability to understand the attack, hold the attacker accountable and meet regulatory requirements. Preserve everything and document the chain of custody.
  • Do not communicate before you have the minimum facts: premature statements to the press, customers or regulators with incorrect or incomplete information aggravate the reputational crisis and can create additional legal liability. Prepare a 'we are investigating and will provide an update in X hours' statement while you establish the facts.
  • Do not run the war room on the compromised infrastructure: using corporate email, internal collaboration tools or systems hosted on your infrastructure to coordinate the response exposes your strategy to the attacker and can sabotage containment. An out-of-band channel is non-negotiable.
  • Do not exclude legal and the DPO from the first hours: the legal nature of the incident — notification obligations, evidence preservation, contractual liability, legal-privilege protection — begins to be defined in the first decisions. Bringing them in later is too late for maximum protection.

What a cyber war room is and why it exists

A cyber war room — also called a crisis room, incident command center or operational CSIRT — is the temporary decision-making structure activated when a serious security incident threatens an organization's continuity, data or reputation. The concept comes from military crisis management and was adapted to the corporate information-security context by NIST SP 800-61 (Computer Security Incident Handling Guide) and the SANS Institute's crisis-management framework.

The core logic is simple: serious cyber incidents demand fast decisions, with serious consequences, under conditions of incomplete information and extreme pressure. Without a structured process, what happens is 'management by shouting' — the loudest person decides, the technical staff is steamrolled by the executive, legal arrives late, and communication is improvised. The outcome is systematically worse than the original incident would have required.

The war room does not replace the technical incident-response team — it governs it. While forensic analysts and IR engineers work on containment and eradication, the war room ensures that business, communication and compliance decisions are made with speed and coherence. It is the difference between reacting and responding.

Who should be in the war room: roles and responsibilities

The Incident Commander is the most critical and most neglected role. This is the person with final authority over every decision in the incident — from isolating systems to approving public communication. They need not be the most technical: they need clarity, authority and the ability to end debates. In companies without a structured CISO, this role often falls to the CTO or a senior director with support from specialized consultants.

The IR Technical Lead is the main link between the war room and the field team. They are responsible for translating forensic data into actionable information for the Commander — 'what is the real scope?', 'is the attacker still active?', 'what do we need to contain it?'. In critical incidents, this person should be spared administrative and operational tasks to focus exclusively on analysis and technical direction.

Legal and the DPO join from the first moment for distinct reasons: legal handles contractual liability, evidence preservation under legal privilege, relations with authorities and any eventual litigation; the DPO (or the person responsible for privacy) assesses immediately whether personal data was affected and which notification obligations apply — LGPD, regulated sector (BACEN, ANS, ANATEL), contractual agreements.

Communications and PR manage the narrative. The role is not to hide the incident — it is to communicate in a controlled, precise and well-timed way. This includes drafting internal announcements for employees, responses for affected customers and partners, and statements for the press should the incident become public. Poor crisis communication can cause reputational damage greater than the attack itself.

HR participates when there is a suspected insider threat, when employees are victims (e.g., leaked employee data) or when disciplinary actions or dismissals need to be coordinated as part of the response. An executive with approval authority — CEO, CFO or COO — must be available for high-impact decisions: hiring external IR, activating cyber insurance, approving communication with strategic customers, or making the decision to notify regulators.

Assess your company for free

See in minutes what is already exposed from your business.

Decripte's free Threat Management plan maps vulnerabilities, monitors threats and shows leaked credentials — no credit card and no technical team.

Start free now

Secure infrastructure and out-of-band channels: assuming compromise

The fundamental principle of war-room infrastructure is to assume total compromise until proven otherwise. This means all communication, planning and coordination of the response must happen outside corporate systems. Company email, Microsoft Teams, corporate Slack, internal ticketing systems — all must be considered potentially read by the attacker during the response.

The out-of-band channel should be established before the incident, as part of the response plan, but it can be improvised quickly. The most common options include: Signal (end-to-end encryption, no corporate metadata), WhatsApp Business with a SIM number dedicated to IR, external crisis-management platforms (such as Everbridge, OnSolve or similar), or simply an email group on the key members' personal accounts.

Beyond the communication channel, the war room needs a secure working environment for documentation: a shared spreadsheet in a personal Google or Microsoft account, outside the corporate domain, serves for the incident timeline. Forensic tools should run on isolated workstations or in temporary cloud environments provisioned outside the compromised infrastructure.

The physical room — when the company has a centralized physical presence — should be a room with restricted access, without corporate cameras (which may be compromised), using personal or dedicated devices. In distributed companies, the war room is entirely virtual, which further reinforces the need for a previously established out-of-band channel.

Cadence, logging and governance: how the war room works in practice

An effective war room operates in short, predictable cycles. In the first 24 hours, status meetings every 2 hours, with a maximum duration of 20 minutes, following a fixed agenda: current situation (what we know now), actions underway and their owners, the next 3 decisions needed, blockers. Open, unstructured meetings are the biggest drain on productivity in a crisis — every hour the technical team spends in a meeting is an hour less of real containment work.

The incident log is the war room's central document. It must contain: a chronological timeline with precise timestamps (in UTC), all decisions made with the name of whoever approved them, all hypotheses raised and their status (confirmed, ruled out, under investigation), affected systems and their containment status, and communications sent and received. This document, maintained in real time by a designated person, is the basis for the final report, for communications with authorities and for any eventual legal defense.

The governance structure of NIST SP 800-61 divides the response into four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. The war room mainly governs phases 2, 3 and the transition to phase 4. It is essential that the Incident Commander formally declare the transition between phases — this prevents the team from being stuck in 'containment' mode when it should already be in 'recovery', and vice versa.

After initial stabilization (typically after 24-48 hours), the cadence can be reduced to meetings every 4-6 hours, and the war room begins to plan recovery. The formal demobilization of the war room must be declared by the Commander, with clear criteria: active threat eradicated, critical systems restored, mandatory communications sent, and a follow-up timeline defined.

Crisis communication: internal, customers, ANPD and authorities

Internal communication must come before any external communication. Employees who discover the incident through the news or social media — before being informed by the company — lose trust in leadership and may take harmful actions (talking to the press, sharing incorrect information). Internal communication should be honest about what is known and what is still being investigated, with clear channels for questions.

Communication with affected customers and partners should be based on confirmed facts, not speculation. The recommended model: acknowledge the incident, explain what is known about the impact, describe what is being done, tell the customer what to do (if any action is needed), and set the next update point with a date and time. Avoid communications that downplay the incident — later findings that contradict an optimistic initial communication cause disproportionate reputational damage.

In Brazil, the LGPD (Law 13.709/2018) and ANPD Board Resolution No. 15/2024 establish communication obligations when personal data is affected. The deadline for the preliminary notification to the ANPD is 3 business days after the controller becomes aware of an incident that may cause relevant risk or harm to data subjects. A complementary notification can be made within 20 business days. The DPO or legal must assess within the first 2 hours whether the incident meets these criteria — and the record that this assessment was made must be in the timeline.

For regulated sectors (financial institutions under BACEN, health insurers under ANS, telecommunications under ANATEL), there are additional obligations and specific deadlines. Law enforcement authorities — such as the Army's CGCIBER, the Federal Police (cybercrime) or specialized state police stations — can be engaged when there is evidence of a crime, especially in cases of ransomware with ransom payment, financial fraud or industrial espionage.

Post-incident: lessons learned and structural strengthening

The lessons-learned meeting (post-mortem or after-action review) should take place between 5 and 15 days after the incident closes — enough time for the team to recover emotionally, but close enough that the details are still fresh. The goal is not to assign blame, but to understand: what failed in the detection process, what worked in the response, what was slower than it should have been, and what needs to change.

The post-incident report — based on the timeline maintained during the war room — should document the confirmed root cause, the entry vector, the extent of the compromise, the containment and eradication actions, the systems and data affected, the total cost (direct and indirect) and the improvement recommendations with owners and deadlines. This report is a security asset: it feeds the security program, justifies investments to the board and demonstrates diligence to regulators.

Companies that go through a serious incident without updating their response plan, their technical controls and their training program invariably suffer a second incident within 12 months. The post-incident phase is the most valuable security-maturity opportunity an organization has — and most squander it in their haste to 'get back to normal'. Decripte conducts structured lessons-learned processes as part of all its incident-response engagements, ensuring that learning turns into real change.

Key terms

Cyber War Room
A temporary command-and-control structure activated during a serious security incident, bringing together the necessary decision-making roles (technical, legal, communications, executive) in a secure environment outside the potentially compromised infrastructure, with the goal of coordinating the response, containing the damage and governing internal and external communications.
Out-of-Band Channel
An alternative communication channel, external to the corporate infrastructure, used during incident response to ensure that war-room coordination is not intercepted or sabotaged by the attacker. Examples: Signal, WhatsApp with a dedicated number, external crisis-management platforms. It should be defined in advance in the incident-response plan.
Incident Commander
The role of single decision authority during a security incident, responsible for coordinating all of the war room's workstreams, approving communications and ending debates. A concept adapted from the Incident Command System (ICS) used by emergency services, adopted in NIST SP 800-61 for cyber incident response.
NIST SP 800-61
A special publication of the National Institute of Standards and Technology (USA) titled 'Computer Security Incident Handling Guide', which defines the reference framework for cyber incident response in four phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. It is the most widely adopted standard globally and the methodological basis of Decripte's IR processes.

Frequently asked questions

How many people should be in a cyber crisis war room?

The ideal size is between 6 and 10 people in the key roles: Incident Commander, IR technical lead, legal, DPO, communications/PR, HR (when applicable) and an executive with approval authority. Larger war rooms become ungovernable. For complex incidents, the central war room coordinates working subgroups — the field technical team, the communications team, the legal team — that report to the Commander in defined cycles.

Should I pay the ransom in a ransomware attack?

The decision to pay a ransom should never be made on impulse in the first hours. The factors to assess include: the existence and integrity of backups (which would eliminate the need to pay), the ability to recover without the key, whether the attacker is an entity under international sanctions (paying would be illegal), and the real probability of recovering the data after payment (historically low). If the decision is considered, it requires legal analysis, specialized technical expertise and, frequently, a professional ransomware negotiator. Decripte does not recommend payment as a first response and can conduct the technical and negotiation analysis.

How long do I have to notify the ANPD after an incident?

According to ANPD Board Resolution No. 15/2024, the deadline for the preliminary notification is 3 business days from the moment the controller becomes aware of the incident — not from the date the incident occurred. A complementary notification can be made within 20 business days. Notification is mandatory when the incident may cause relevant risk or harm to personal data subjects. The DPO should assess this qualification within the first 2 hours of the war room.

Can I use corporate email to coordinate the incident response?

No. During an active incident, corporate email, internal messaging systems and platforms hosted on your infrastructure must be considered potentially compromised and monitored by the attacker. All war-room coordination should take place on an external out-of-band channel — Signal, WhatsApp with a dedicated number, or a crisis-management platform contracted in advance. This alternative infrastructure should be defined before the incident, in the response plan.

What is an Incident Commander and why is it necessary to have one?

The Incident Commander is the single decision-making authority during the incident — the person who has the final say on containment, communications and resource allocation. Without this clearly defined role, the war room operates like a committee: decisions are debated endlessly, multiple people give often-contradictory orders to the technical team, and response time worsens significantly. The Incident Commander need not be the greatest technical expert — they need authority, clear communication and the ability to decide with incomplete information.

Does a small company (fewer than 50 employees) need a war room?

Yes — simplified, but necessary. For smaller companies, the war room can have 3 to 4 people (a technical lead, a manager with decision authority and legal) and simpler processes. What cannot be simplified is the fundamental principle: an out-of-band channel, a decision log, an assessment of notification obligations and a coordinator with authority. Small companies frequently lack the internal resources for this — which makes contracting an IR service on retainer in advance (such as the one offered by Decripte) especially relevant.

How do I train the team for a war room before we need it?

The most effective training is the tabletop exercise: a realistic incident simulation conducted with all the war-room roles, without real infrastructure involved, with a specialized facilitator who introduces progressive complications. At least one exercise per year is recommended for companies with sensitive data or critical infrastructure. The exercise reveals flaws in the response plan, role confusion and communication gaps before a real incident exposes them. Decripte conducts tabletop exercises as part of its incident-response program.

Security for businesses

Decripte protects companies of every size — from solo founders to Enterprise.

A full platform and services: threat management, 24x7 SOC, incident response, pentest and compliance. Start free and see what has already leaked from your business.