If IT pings you: the next 24 hours
You don't have hours to think. Read this once now, before you go. If it ever happens, come back and follow it line by line.
- "Got your message — give me a bit, I'm in the middle of something. I'll come find you."
- "Can we hop on a call instead of typing this out?"
Step zero: is the alarm even real?
Before you do anything else, make sure this is what you think it is. Corporate geo-IP flags fire on people who are physically at home all the time. If any of these is you, the right answer to IT is the boring truth — not damage control:
- You left a VPN on. Tailscale, Mullvad, NordVPN, ProtonVPN, a work-from-coffee-shop tunnel you never closed. If your traffic is still egressing through an exit node in another country, your laptop logs in from "Frankfurt" while you're sitting in your kitchen.
- Your travel router is still tunneling somewhere else. If you used it on a recent trip and it's still pointed at the old endpoint, every device in your house looks foreign until you re-point it. HomeLink users: open the app and check the active region — if it's not where you are, that's your answer.
- Your ISP rotated your IP into a weirdly-geolocated block. This happens constantly with cable and fiber providers. The MaxMind database is wrong about a non-trivial slice of US residential IPs on any given day.
- You're on a phone hotspot. Carrier NAT can put your traffic anywhere. T-Mobile in particular routes a lot of mobile data through egress points that geo-IP to the wrong state or country.
- Someone else on your home network is running a VPN. A roommate, a partner, a kid's gaming setup. If it's the household IP that flagged, it might not even be your traffic.
If any of these is the real story: say so plainly. "I had Mullvad on from yesterday, let me check" is a one-line resolved ticket. You don't need this playbook for that.
The rest of this document is for the case where the alarm is real — you are, in fact, somewhere you haven't disclosed.
The first 60 minutes
- Stop the bleeding. Close the laptop lid or disconnect from corporate VPN/SSO. Every minute it stays connected from the wrong egress is another log line. If you're mid-meeting, "my connection is dropping, let me dial back in" is a normal sentence everyone has said.
- Don't touch your router config. If something is already wrong, changing IPs now makes a clean log look like tampering. Leave it.
- Don't delete anything. Not browser history, not Slack messages, not files. Deletion in the window between "asked about it" and "responded to it" is the single worst signal you can send. Most companies log this.
- Write down what they actually asked. Word for word. The difference between "are you in the office today" and "our logs show a foreign IP — can you explain" is the entire conversation. You will respond very differently to each.
What they probably saw (and what they probably didn't)
Most "are you abroad?" pings come from one of three signals, in order of how common they are:
| What tipped them | What they actually know |
|---|---|
| Geo-IP on a login | One IP, one timestamp. Not your full week. |
| Conditional access / MDM check-in | Device location at one moment. They don't have a continuous track. |
| Someone saw your timezone in a calendar invite or a Slack status | Anecdotal. No log behind it. |
What they almost never have on day one: a continuous location history, your personal phone's location, or proof of duration. They have a snapshot. Your response should match the size of what they actually have, not the size of what you're afraid they have.
The conversation, when you have it
Move it to voice. On the call:
- Listen first. Let them say what they saw before you say anything. The shape of the question tells you whether this is a routine ping or an investigation.
- Don't volunteer. If they ask "were you in Lisbon yesterday," the answer is not a six-sentence travel itinerary. It's a short answer to the actual question.
- Don't improvise an explanation. "VPN was acting weird," "my partner was using my laptop," "I think my router rebooted to a different ISP" — these unravel fast under follow-up. If you need to say something and don't have a true clean answer, "let me look at it and come back to you" is always available.
- Ask what they need from you. Frame yourself as cooperative, not defensive. "What would you like me to do?" forces them to state the actual ask.
After the call
Within an hour, write down (for yourself, not for them):
- Exact time and channel of the ping
- Who asked
- What they said they saw
- What you said back
- Any commitments you made ("I'll send X by Y")
Keep this somewhere personal — not on a corporate device, not in corporate Drive. If this turns into anything later, your timeline is your single most useful asset.
What not to do, ever
- Don't post about it. Not in a private Slack to a coworker, not on Reddit, not to a friend on a corporate device.
- Don't ask other remote-from-abroad coworkers for advice on corporate channels. You'll pull them into it.
- Don't book a sudden flight home in a way that's visible (calendar, expense tool, OOO change). If you decide to come back, do it quietly over a normal weekend.
- Don't fix everything at once. If they didn't mention your router, your MFA, or your timezone, fixing all three this week tells them you have something to fix.
If it escalates
If a second message comes from HR, legal, or a manager's manager — stop responding alone. The cost of a 30-minute consult with an employment lawyer in your home jurisdiction is small relative to a termination-for-cause on your record. Most lawyers will do the first call free.
The best version of this playbook is the one you never need.
Most "got pinged" stories start with one preventable signal — usually the IP layer. HomeLink closes that one cleanly: every device routes through your home internet, every login looks like home.