When a cybersecurity breach hits your company, the comms job in the first hour is not to explain everything. It is to say three things clearly: you know something happened, you are working on it, and you will tell people more as you know more. Every minute you stay silent past that, the story gets written by someone else.

I run fractional PR for Web3, AI, DePIN, and cybersecurity founders, and breach comms is one of the situations where being fractional actually helps: I have been close enough to incidents across multiple protocols to know what the first 24 hours look like from inside, without having a conflicted interest in making the company look better than it is. The question founders ask when something goes wrong is always some version of "what do we say right now?" This playbook is the answer to that question, from the holding statement through regulatory filings to the trust-rebuild arc that follows.

Why the first hour determines everything

Journalists, security researchers, and on-chain analysts move faster than most legal teams. By the time your counsel has signed off on an official statement, there are likely already threads on X, posts on Reddit, and reporters emailing your PR contact. If you have not said anything, the absence of a statement becomes the headline. "Company did not respond to request for comment" is read, correctly, as a company that was caught flat-footed or is hiding something.

The holding statement exists precisely to fill this gap. It is not a full explanation. It does not assign fault. It does not speculate on scope. It simply says: we are aware of an incident, the relevant teams are investigating, we will update as we have more information, and here is where to watch for updates. That single paragraph, published within 60 minutes of the incident becoming public knowledge, buys you time, signals competence, and prevents the silence-becomes-story problem.

Holding statement template

We are aware of an incident affecting [product / protocol / platform]. Our security and engineering teams are investigating now. We will share a detailed update within [X hours] at [status page URL or official channel]. We take the security of [user / protocol / customer] funds and data seriously and will communicate transparently as we learn more. Questions: [press email].

Adjust the specifics but keep the shape: awareness, action, timeline, channel. Do not say "we were hacked." Do not say "no user data was affected" unless you actually know that. Do not speculate on who is responsible. Every sentence you add at this stage is a sentence that can be wrong, and a wrong sentence makes the situation worse.

The regulatory notification sequence you cannot skip

Breach comms is not just a PR problem. For most cybersecurity companies operating in 2026, it also triggers legal notification obligations that run on their own clock, separate from and often faster than whatever feels comfortable from a comms standpoint.

Notification obligations by framework (who it applies to, notification window, who gets notified):

  • GDPR (EU/UK). Applies to: any entity processing EU/UK personal data. Window: 72 hours of becoming aware. Notify: supervisory authority; affected individuals if high risk.
  • SEC Cybersecurity Rules (US). Applies to: US public companies. Window: 4 business days of determining materiality. Notify: SEC via Form 8-K Item 1.05.
  • DORA (EU financial). Applies to: financial entities and ICT providers in the EU. Window: initial report within 4 hours of classification. Notify: competent authority and affected clients.
  • US state breach laws. Applies to: entities holding state residents' data. Window: 30 to 90 days depending on state. Notify: state AG, affected individuals.
  • FTC Safeguards Rule (US). Applies to: non-bank financial institutions. Window: 30 days of discovery. Notify: FTC, affected customers.
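Because each framework's clock starts on a different trigger (awareness, materiality determination, classification, discovery) and counts in different units, incident leads often keep a small deadline tracker rather than doing the arithmetic by hand. The following is an added example, not code from the original post, that encodes the windows from the table above and computes the filing deadlines from a constructed incident timeline; the framework labels, the `EXAMPLE_TRIGGERS` timeline and the function names are assumptions for illustration, and US state laws are left out because their window varies by state.

```python
from datetime import datetime, timedelta, timezone

# Notification windows as stated in the table: (unit, amount, triggering event).
# US state breach laws are omitted here because their window varies by state (30 to 90 days).
NOTIFICATION_WINDOWS = {
    "GDPR (EU/UK) supervisory authority": ("hours", 72, "awareness"),
    "SEC Form 8-K Item 1.05": ("business_days", 4, "materiality_determination"),
    "DORA initial report": ("hours", 4, "classification"),
    "FTC Safeguards Rule": ("days", 30, "discovery"),
}


def _require_aware(ts, label):
    """Refuse naive timestamps: an incident timeline must carry an explicit timezone."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware; keep incident clocks in UTC")
    return ts


def add_business_days(start, days):
    """Advance `start` by `days` business days, skipping Saturday and Sunday.
    Public holidays are not modelled; check the exchange calendar for real filings."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def compute_deadlines(trigger_times):
    """Map each framework to its filing deadline, or None if its clock has not started yet
    (for example, materiality has not been determined, so the SEC window is not running)."""
    deadlines = {}
    for framework, (unit, amount, trigger) in NOTIFICATION_WINDOWS.items():
        start = trigger_times.get(trigger)
        if start is None:
            deadlines[framework] = None
            continue
        start = _require_aware(start, trigger)
        if unit == "hours":
            deadlines[framework] = start + timedelta(hours=amount)
        elif unit == "days":
            deadlines[framework] = start + timedelta(days=amount)
        elif unit == "business_days":
            deadlines[framework] = add_business_days(start, amount)
        else:
            raise ValueError(f"unknown unit {unit!r}")
    return deadlines


def next_due(deadlines, now):
    """Return (framework, hours_remaining) pairs for clocks that have started, soonest first."""
    now = _require_aware(now, "now")
    items = [
        (framework, (deadline - now).total_seconds() / 3600)
        for framework, deadline in deadlines.items()
        if deadline is not None
    ]
    return sorted(items, key=lambda item: item[1])


# Constructed example timeline (not a real incident): awareness late on a Friday,
# which is exactly when a fixed 72-hour clock and a business-day clock diverge.
EXAMPLE_TRIGGERS = {
    "awareness": datetime(2026, 3, 13, 16, 0, tzinfo=timezone.utc),
    "classification": datetime(2026, 3, 13, 15, 0, tzinfo=timezone.utc),
    "discovery": datetime(2026, 3, 13, 16, 0, tzinfo=timezone.utc),
    # "materiality_determination" deliberately absent: the SEC clock has not started.
}

if __name__ == "__main__":
    deadlines = compute_deadlines(EXAMPLE_TRIGGERS)
    for framework, due in deadlines.items():
        print(f"{framework}: {due.isoformat() if due else 'clock not started'}")
    for framework, hours in next_due(deadlines, EXAMPLE_TRIGGERS["awareness"]):
        print(f"  {hours:6.1f} h remaining: {framework}")
```

The point the example makes is the one the table implies: a Friday-afternoon incident gives GDPR a hard Monday deadline regardless of weekends, while an SEC clock started the same afternoon lands the following Thursday, and a clock whose trigger has not occurred is reported as not started rather than silently defaulted to awareness.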

The comms team and the legal team need to be in the same room from the first hour, because the notifications you are legally required to make and the statements you are crafting for press need to be consistent. The worst breach responses I have seen are ones where legal and comms were running separate tracks, and the public statement contradicted or undercut what was filed with a regulator. That inconsistency becomes the new story. Coordinate first, then communicate.

Field rule

Your public statement and your regulatory filing are both evidence. If they say different things about the same event, a journalist with a FOIA request will find out, and that discrepancy will be worse for you than the original breach.

The 24-hour update: what you owe your audience

The holding statement buys you time. The 24-hour update is where you spend that time wisely. By this point, you should have enough information from your security team to answer at minimum: what type of incident this was, what systems were affected, whether user data or funds were involved and to what extent, what has been done to contain it, and what the next steps are. You will not have all the answers. That is fine. Partial answers delivered honestly are better than silence or over-promise.

Structure the 24-hour update this way. Open with the current status in one sentence. Then a brief factual description of what happened, to the extent you can confirm it. Then what you have done in response. Then what users should do if anything (change passwords, check wallets, watch for phishing). Then a clear timeline for the next update. Close with where to ask questions. If you operate a protocol with on-chain activity, include the relevant transaction hashes or contract addresses so technically sophisticated users and researchers can verify your account independently. Transparency with technical audiences is a credibility investment, not a liability.

What to include in the 24-hour update

  • Current status in one sentence.
  • Confirmed facts about what happened.
  • Steps taken to contain or remediate.
  • User action required (if any).
  • Timeline for next update.
  • Contact point for press inquiries.
  • On-chain evidence or technical detail if applicable to your product.

Who says what and through which channel

Channel discipline matters more than most founders expect. In a breach, you are managing multiple audiences simultaneously: your users or customers, the press, regulators, investors, and your own team. Each needs a different signal, at a different level of technical detail, through a different channel. Running everything through one channel, or letting every spokesperson freelance their own version, is how contradictions appear.

The channel map

  • Status page or official blog: the primary record. Everything official goes here first. This is what journalists screenshot, what regulators look at, and what your users bookmark. Do not let this lag behind social posts.
  • X / Twitter: link to the status page update, brief summary, do not add new information. The goal is directing traffic to the canonical source, not expanding the story.
  • Discord / Telegram / community channels: reassurance and logistics for your existing community. Address FUD directly, do not delete questions, do not go silent. Assign one person to this channel who is not also trying to write the press statement.
  • Press: one spokesperson. Preferably the CEO or a designated communications lead with direct knowledge. No team members answering DMs from journalists independently. Centralise, then respond.
  • Investors: direct, early, private. Investors who learn about a breach from a press article feel blindsided. A brief, honest one-pager to your cap table before the story breaks publicly is basic investor relations and protects those relationships for the rebuild phase.

On the cybersecurity PR side specifically, the beat reporters who will cover your incident at outlets like Dark Reading, SC Media, Wired, CoinDesk, The Block, and Cointelegraph are sophisticated. They will notice if your statement is evasive, if technical details do not add up, or if your timeline is inconsistent with on-chain or log data they can access independently. Treat them as technically literate, because most of them are. A statement that tries to obscure the facts will be dissected in public. One that is blunt and honest, even when the facts are bad, usually earns a better story. For a broader view of what good cybersecurity PR looks like when the news is not a crisis, the service page covers the proactive side.

The spokesperson problem

One of the most common mistakes in breach comms is the founder going dark. It feels logical: legal says do not say anything you do not know for certain, the facts are still emerging, better to wait. But a founder who is invisible during a crisis sends a signal, and it is not the one they intend. It reads as not caring, or as having something to hide.

The founder does not need to have all the answers to be present. They need to say: I take this seriously, I am personally overseeing the response, I will keep you informed. That is a statement any lawyer will approve, and it does meaningful work. A 60-second video from the CEO posted to the official channel, not scripted to sound like a PR product, is worth more than three beautifully crafted press releases at this stage. The technical detail can come from the security team. The accountability has to come from leadership.

What the founder says on record

"I am personally overseeing our response to this incident. Our team has taken immediate steps to [contain / investigate]. I will update this community with verified information as we have it. I am committed to being transparent with you about what happened and what we are doing about it." That is sufficient. Add specifics as you have them.

What the trust rebuild actually looks like

The acute crisis phase, the first 72 hours, is where most breach comms playbooks end. That is the wrong place to stop. Trust does not recover when the incident is contained. It recovers when people see consistent, honest behavior over time afterward. The rebuild arc typically takes three to six months and follows a predictable structure.

First, the post-incident report. Within two to four weeks of the incident being fully contained, publish a detailed technical post-mortem. What happened, why it happened, what the attacker did and when, what your security posture was, what you have changed. Make it genuinely detailed, not a marketing document. The audiences that matter for long-term trust: security researchers, sophisticated users, journalists who covered the incident, and your existing customers. They have all seen enough vague incident reports to recognise one. A real post-mortem, with technical specificity and an honest accounting of what went wrong, is one of the highest-credibility actions a company can take after a breach.

Second, the security upgrade announcement. Whatever you changed: new audit partner, new bug bounty program, new internal controls, insurance coverage, third-party security review. Announce these as they happen, not all at once in a single statement. A cadence of improvements signals that the response is real, not theatrical.

Third, the earned media play. This is where proactive cybersecurity PR pays off in a context that directly addresses the incident. A founder op-ed in Dark Reading or on CoinDesk Opinion about the lessons of the breach, what the industry should learn, what needs to change in security practice, positions your company as having turned an incident into expertise. That framing, done at the right moment, with the right level of candor, is the single most effective trust-rebuild move I have seen work. It converts the incident from a liability to a proof point of seriousness.

For companies building in the threat research space and looking to use research as proof of capability, the approach in cybersecurity threat research PR applies directly here. Publishing original research after a breach tells the market you understand the threat landscape, not just that you survived one incident.

The crypto-specific layer

If your company operates a protocol, a DeFi product, a token, or any on-chain infrastructure, breach comms has an additional layer that does not apply to traditional software companies. On-chain data is public. Anyone can see the transactions. Security researchers often identify the breach before you do. The timeline of events is verifiable independently of anything you say. This is not a problem; it is actually an asset if you use it correctly.

Anchor your public statements to on-chain evidence. When you say "the attack occurred at approximately 14:32 UTC," link to the transaction hash. When you say "approximately $X in assets were affected," reference the on-chain data that supports that figure. When you say "funds have been recovered" or "the vulnerability was in contract X," show your work. The crypto community has a high tolerance for technical failure and a very low tolerance for spin. A team that communicates with technical precision, citing verifiable on-chain data, recovers faster than one that communicates vaguely and is then fact-checked by Rekt News, ZachXBT, or similar researchers who will find the data anyway.

The crypto crisis communications playbook goes deeper on the token-specific and community dynamics that apply when an incident affects a live protocol.

Field rule

In a crypto breach, the on-chain data is already public. Your job is not to control what people find: it is to be the first and most accurate source of what it means. Researchers who find the story before you tell it will frame it for you.

What good crisis PR costs and what it buys you

There is a real question about whether to engage a crisis PR firm, use existing PR support, or manage communications internally. The honest answer depends on scale and speed. For a company with no existing PR relationship, engaging a specialist firm in the first 24 hours of a major breach is nearly impossible: there is no onboarding time, no brief, and rates in a crisis context are not kind. The case for a fractional cybersecurity PR operator on retainer before an incident happens is precisely this: you have someone who already understands your product, your stakeholders, your technical stack, and your risk posture, who can be activated immediately rather than briefed from scratch while the incident is live.

A fractional senior PR operator retainer runs $5,000 to $12,000 per month. A full agency runs $15,000 to $45,000. A crisis PR firm engaged on an emergency basis with no prior relationship typically charges $20,000 to $50,000 for the first week, and the quality suffers because they are learning your product while also trying to help you respond. The math on having representation before you need it is not complicated.

What that retainer buys you in a crisis context: a pre-written holding statement template adapted to your specific product and stakeholders, a pre-agreed spokesperson chain of command, a pre-established relationship with the relevant beat reporters, a pre-built channel map, and someone who can be on a call within the hour when something goes wrong. These are not things you can build in real time. They have to exist before the incident.

Response options by scenario (response capability, typical cost, time to activate):

  • Fractional operator on retainer. Capability: immediate, knows your product. Cost: $5K–$12K/mo ongoing. Activation: under 1 hour.
  • Full agency on retainer. Capability: immediate, knows your product. Cost: $15K–$45K/mo ongoing. Activation: under 1 hour.
  • Crisis firm, no prior relationship. Capability: delayed, requires onboarding. Cost: $20K–$50K per incident week. Activation: 12–48 hours.
  • Internal comms only. Capability: variable, no media relationships. Cost: staff cost only. Activation: depends on team.

The investment in preparation is the investment in recovery speed. Every hour of delay in the first 24 has a disproportionate cost to the narrative, which then has a disproportionate cost to user trust, which then has a disproportionate cost to protocol TVL, customer retention, or enterprise sales, depending on your product. The comms response is not separate from the business outcome: it is one of the primary levers on it.

Shilika Jain

Fractional PR and crisis communications for Web3, AI, DePIN, and cybersecurity founders. 50+ protocols and companies placed across Forbes, CoinDesk, Cointelegraph, Decrypt, The Block, Dark Reading, and Blockworks.

Frequently asked questions

What should a company say in the first hour after a cybersecurity breach?
Publish a holding statement within 60 minutes of the incident becoming public. It needs to say three things: you are aware of an incident, your team is investigating, and you will share more information at a specific place and time. Do not speculate on scope, assign blame, or claim nothing was affected until you have verified it. A clear holding statement prevents the silence from becoming the story.
What are the regulatory notification requirements after a data breach?
It depends on jurisdiction and company type, but the most common windows are 72 hours for GDPR (any entity processing EU or UK personal data), 4 business days for US public companies under SEC cybersecurity rules, and 30 to 90 days under various US state breach notification laws. These timelines run from the moment you become aware of the incident, not from when you have all the facts, so legal and communications teams need to be coordinating from hour one. See the crypto crisis communications playbook for protocol-specific regulatory context.
How long does it take to rebuild trust after a security breach?
Three to six months is the typical arc for companies that communicate well. The rebuild follows a sequence: a detailed public post-mortem within two to four weeks, a cadence of announced security improvements, and earned media positioning the company as having turned the incident into expertise. Companies that go quiet after the acute phase and assume trust will return naturally typically take much longer, if it returns at all.
Should the founder or CEO speak publicly during a breach?
Yes, and they do not need to have all the answers to do so. The founder going dark during a crisis signals that they do not care or have something to hide. A brief, direct statement, even a 60-second video saying "I am personally overseeing this response and will keep you updated," does more for trust than three polished press releases. Accountability has to come from leadership. Technical detail can come from the security team.
What does crisis PR cost for a cybersecurity incident?
A fractional senior PR operator on retainer costs $5,000 to $12,000 per month, and that retainer buys you immediate activation capability, pre-written templates, and an operator who already knows your product. A crisis PR firm engaged with no prior relationship typically costs $20,000 to $50,000 for the first week, with slower activation because they are onboarding in real time. The strongest argument for retaining cybersecurity PR support before an incident happens is that you cannot build those relationships and materials fast enough once something goes wrong.

Navigating a security incident or building breach-readiness? Start with cybersecurity PR for retainer and crisis support, or read the crypto crisis communications playbook for the protocol-specific layer. The full playbook library covers every stage of security PR from threat research through incident response.