Remove the vulnerability that enabled the incident

- Rotate any compromised credentials or keys
- Apply patches or configuration changes
- Verify through security scan