Before the incident
Severity levels: Define before incidents happen.
| Sev | Definition | Example |
|---|---|---|
| 1 | Active breach, data exfil | Attacker has shell |
| 2 | Confirmed exploit, limited impact | SQLi exploited, WAF blocking |
| 3 | Suspicious, unconfirmed | Unusual outbound traffic |
| 4 | Vuln disclosed, no exploitation | New CVE |
Lightweight playbook: Who's on call? Where to communicate? Who can make containment decisions? Where are break-glass creds?
Break-glass access: Pre-approved emergency access, tested quarterly.
During the incident
First 15 minutes
- Acknowledge (2 min): Ack alert, open channel, post initial summary
- Assemble (3 min): Page affected service on-call, security, IC
- Contain (10 min): Stop the bleeding. Root cause comes later.
| Scenario | Containment |
|---|---|
| Credential stuffing | Block IPs, enable CAPTCHA, force MFA |
| Compromised account | Revoke, rotate |
| Data exfil | Isolate service |
| Malicious dependency | Roll back |
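The credential-stuffing row above assumes you can tell a stuffing source from ordinary failed logins. The following is an added example (not part of the original page) showing a small triage script over constructed auth log lines: it flags IPs with many failures across many distinct accounts inside a short window, and lists the accounts that succeeded from those IPs so they can be reset. The log format, thresholds and IP addresses are assumptions for illustration.

```python
"""Credential-stuffing triage over auth logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines; the format is assumed, not from any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login result=fail ip=203.0.113.5 user=alice
2024-05-01T10:00:02Z login result=fail ip=203.0.113.5 user=bob
2024-05-01T10:00:02Z login result=fail ip=203.0.113.5 user=carol
2024-05-01T10:00:03Z login result=fail ip=203.0.113.5 user=dave
2024-05-01T10:00:03Z login result=success ip=203.0.113.5 user=erin
2024-05-01T10:00:04Z login result=fail ip=203.0.113.5 user=frank
2024-05-01T10:00:05Z login result=fail ip=198.51.100.7 user=alice
2024-05-01T10:00:09Z login result=fail ip=198.51.100.7 user=alice
2024-05-01T10:00:15Z login result=success ip=198.51.100.7 user=alice
2024-05-01T10:00:20Z login result=success ip=192.0.2.9 user=grace
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>\w+) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_failures=5, min_users=3):
    """Return {ip: summary} for IPs that look like stuffing sources.

    An IP is flagged when, inside any sliding window, it produced at least
    min_failures failed logins spread over at least min_users distinct
    accounts. A user trying their own password a few times is not flagged.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            fails = [e for e in window_evs if e["result"] == "fail"]
            users = {e["user"] for e in fails}
            if len(fails) >= min_failures and len(users) >= min_users:
                successes = sorted({e["user"] for e in window_evs
                                    if e["result"] == "success"})
                flagged[ip] = {"failures": len(fails),
                               "distinct_users": len(users),
                               "successes": successes}
                break
    return flagged


def containment_actions(flagged):
    """Turn flagged IPs into the containment steps from the table above."""
    actions = []
    for ip, info in flagged.items():
        actions.append(f"block {ip} at edge/WAF "
                       f"({info['failures']} failures across "
                       f"{info['distinct_users']} accounts)")
        for user in info["successes"]:
            actions.append(f"force password reset and MFA for {user} "
                           f"(successful login from flagged IP {ip})")
    return actions


if __name__ == "__main__":
    for action in containment_actions(find_stuffing_sources(SAMPLE_LOG)):
        print(action)
```

The distinct-user count is what separates stuffing from a single locked-out user; a successful login from a flagged IP is the account you rotate first.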
Roles
- IC (Incident Commander): Owns timeline, communication, decisions. Does NOT investigate.
- Tech Lead: Investigates, executes containment.
- Comms Lead: Updates stakeholders.
SEV-3/4: one person fills all three roles.
Evidence
Before cleanup: snapshot volumes, export logs, save captures. Don't destroy evidence.
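Exported logs and captures are only useful later if you can show they were not altered after collection. The following is an added example (not from the original page) of a minimal evidence manifest: it hashes every artifact in an evidence directory, records size and modification time alongside who collected it, and can re-verify the directory afterwards. The directory layout, incident id and collector address are constructed placeholders.

```python
"""Evidence manifest with SHA-256 hashes (added example, constructed data)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large volume images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, incident_id, collector):
    """Hash every artifact under evidence_dir and write MANIFEST.json beside them."""
    root = Path(evidence_dir)
    artifacts = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            st = p.stat()
            artifacts.append({
                "path": str(p.relative_to(root)),
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    manifest = {
        "incident_id": incident_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": artifacts,
    }
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash artifacts against MANIFEST.json; return a list of problems (empty = intact)."""
    root = Path(evidence_dir)
    manifest = json.loads((root / MANIFEST_NAME).read_text())
    problems = []
    for a in manifest["artifacts"]:
        p = root / a["path"]
        if not p.exists():
            problems.append(f"missing: {a['path']}")
        elif sha256_file(p) != a["sha256"]:
            problems.append(f"hash mismatch: {a['path']}")
    return problems


def demo():
    """Build a manifest over constructed artifacts, then show tampering is detected."""
    d = Path(tempfile.mkdtemp())
    # Constructed artifacts standing in for an exported log and a packet capture.
    (d / "app.log").write_text("2024-05-01T10:00:01Z login result=fail ip=203.0.113.5\n")
    (d / "capture.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
    manifest = build_manifest(d, "INC-0000-example", "oncall@example.invalid")
    intact = verify_manifest(d)
    (d / "app.log").write_text("tampered\n")  # simulate post-collection change
    tampered = verify_manifest(d)
    return manifest, intact, tampered


if __name__ == "__main__":
    m, intact, tampered = demo()
    print(json.dumps(m, indent=2))
    print("intact:", intact)
    print("after tampering:", tampered)
```

Store the manifest (or at least its own hash) somewhere outside the evidence directory, otherwise anyone who can alter the artifacts can regenerate the manifest too.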
After the incident
Blameless PIR within 48 hours: Timeline, what went well, what to improve, action items with owners.
Track action items: Put in backlog, tag incident-followup, review in planning.
Tabletops
45-min walkthrough of hypothetical scenario. Run quarterly. Rotate: app attacks, infra compromise, supply chain, insider.
Common scenarios
Compromised dependency: Which services use it? Roll back or patch. Check build logs.
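"Which services use it?" is answerable in minutes only if you can query lockfiles across services. The following is an added example (not from the original page) that answers that question over a constructed inventory of lockfile contents, handling both pinned `requirements.txt` entries and `package-lock.json` (lockfileVersion 2/3 `packages` map); service names, package names and versions are invented for illustration.

```python
"""Find services that pin a compromised dependency (added example, constructed data)."""
import json
import re

# Constructed inventory: service name -> (lockfile kind, lockfile text).
# In practice this would be read from each repository; nothing here is real.
SERVICE_LOCKFILES = {
    "billing-api": ("requirements.txt",
                    "requests==2.31.0\nexamplepkg==1.4.2  # pinned\n"),
    "reporting-worker": ("requirements.txt",
                         "examplepkg==1.3.9\npandas==2.2.0\n"),
    "web-frontend": ("package-lock.json", json.dumps({
        "name": "web-frontend", "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"left-pad-ish": "^1.0.0"}},
            "node_modules/left-pad-ish": {"version": "1.0.3"},
            "node_modules/other-lib": {"version": "4.2.0"},
            "node_modules/other-lib/node_modules/left-pad-ish": {"version": "0.9.0"},
        },
    })),
    "auth-service": ("package-lock.json", json.dumps({
        "name": "auth-service", "lockfileVersion": 3,
        "packages": {"node_modules/other-lib": {"version": "4.2.0"}},
    })),
}

# Matches "name==version" pins; ignores comments and environment markers.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)", re.M)


def parse_requirements(text):
    """Return {package: version} for exact pins in a requirements.txt."""
    return {name.lower(): ver for name, ver in REQ_RE.findall(text)}


def parse_package_lock(text):
    """Return {package: [versions]} from a package-lock.json 'packages' map.

    Nested copies (node_modules/a/node_modules/b) are included, since a
    compromised version can hide under another dependency.
    """
    lock = json.loads(text)
    deps = {}
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" in path:
            name = path.rsplit("node_modules/", 1)[1]
            deps.setdefault(name, []).append(meta.get("version"))
    return deps


PARSERS = {"requirements.txt": parse_requirements,
           "package-lock.json": parse_package_lock}


def affected_services(inventory, package, bad_versions):
    """Return sorted (service, version) pairs that pin package at a bad version."""
    hits = []
    for service, (kind, text) in inventory.items():
        deps = PARSERS[kind](text)
        found = deps.get(package.lower())
        if found is None:
            continue
        versions = found if isinstance(found, list) else [found]
        for ver in versions:
            if ver in bad_versions:
                hits.append((service, ver))
    return sorted(hits)


if __name__ == "__main__":
    print(affected_services(SERVICE_LOCKFILES, "examplepkg", {"1.4.2"}))
    print(affected_services(SERVICE_LOCKFILES, "left-pad-ish", {"0.9.0", "1.0.3"}))
```

The output is the roll-back list for the Tech Lead; cross-check it against build logs, because a service may have pulled the package transitively without pinning it in its own lockfile.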
Leaked credential: Revoke immediately. Rotate. Audit usage. Find leak source.
Ransomware: Isolate. Don't pay. Restore from backups. Preserve forensics. Involve legal if customer data is affected.
The takeaway
Prepare before. During: contain first, investigate second, communicate continuously. After: blameless PIRs, track actions. Practice quarterly. Difference between 15-minute and 15-hour incident: preparation.
