In the immediate aftermath of a crisis, remediation can be a real challenge for the victim organisation. It must act quickly, both to stop or limit the risk of propagation and to restore data and systems and facilitate the resumption of activity. All of this must be done while preserving every element that could constitute evidence of the attack, so that the forensic teams can carry out their investigation efficiently. But in an emergency, how do you determine which data is not compromised and can be kept? What about backups: can they be used without risk to reinstall operating systems? How can we ensure that the remediation protocol takes into account the specific constraints of the organisation? What are the best practices for remediation, and how can we prevent this step from being as complicated as the attack was painful?