Emergency playbook

If IT pings you: the next 24 hours

You don't have hours to think. Read this once now, before you go. If it ever happens, come back and follow it line by line.

When to read
Now, while it's not urgent
When to use
First message from IT about your location
First step
Check whether the alarm is even real
If it escalates
Stop responding alone — see end
The single rule: do not lie in writing. Verbal answers fade. Slack messages, emails, and ticket comments get screenshotted, exported, and sit in legal hold forever. If something escalates later, a written false statement is what turns "policy violation" into "termination for cause." If you must respond in writing in the first hour, keep it to one of these:

Step zero: is the alarm even real?

Before you do anything else, make sure this is what you think it is. Corporate geo-IP flags fire on people who are physically at home all the time. If any of these is you, the right answer to IT is the boring truth — not damage control:

If any of these is the real story: say so plainly. "I had Mullvad on from yesterday, let me check" is a one-line resolved ticket. You don't need this playbook for that.

The rest of this document is for the case where the alarm is real — you are, in fact, somewhere you haven't disclosed.

The first 60 minutes

What they probably saw (and what they probably didn't)

Most "are you abroad?" pings come from one of three signals, in order of how common they are:

What tipped themWhat they actually know
Geo-IP on a loginOne IP, one timestamp. Not your full week.
Conditional access / MDM check-inDevice location at one moment. They don't have a continuous track.
Someone saw your timezone in a calendar invite or a Slack statusAnecdotal. No log behind it.

What they almost never have on day one: a continuous location history, your personal phone's location, or proof of duration. They have a snapshot. Your response should match the size of what they actually have, not the size of what you're afraid they have.

The conversation, when you have it

Move it to voice. On the call:

After the call

Within an hour, write down (for yourself, not for them):

Keep this somewhere personal — not on a corporate device, not in corporate Drive. If this turns into anything later, your timeline is your single most useful asset.

What not to do, ever

If it escalates

If a second message comes from HR, legal, or a manager's manager — stop responding alone. The cost of a 30-minute consult with an employment lawyer in your home jurisdiction is small relative to a termination-for-cause on your record. Most lawyers will do the first call free.

One page. Bookmark it now. Save this page somewhere you can find without your work laptop — a personal email, a phone note, a printed copy in your travel wallet. The whole point is that when you actually need it, you don't want to be searching for it.

The best version of this playbook is the one you never need.

Most "got pinged" stories start with one preventable signal — usually the IP layer. HomeLink closes that one cleanly: every device routes through your home internet, every login looks like home.

See how HomeLink works →