Incident Response PlanΒΆ
Last Updated: 2026-06-22
ClassificationΒΆ
| Severity | Description | Response Time |
|---|---|---|
| Low | Minor bug, no data exposure | 72 hours |
| Medium | Service degradation or suspicious activity | 24 hours |
| High | Confirmed compromise of non-critical data | 4 hours |
| Critical | Active exploitation or sensitive data breach | 1 hour |
Response WorkflowΒΆ
- Detection β Alerts from monitoring, Semgrep findings, or customer reports.
- Triage β Security engineer assesses severity and assigns incident commander.
- Containment β Disable impacted services, revoke credentials, enable rate limits.
- Eradication β Patch vulnerabilities, rotate secrets, restore from known good artifacts.
- Recovery β Validate service health via
/readyprobe and smoke tests. - Post-Mortem β Document root cause, remediation tasks, and preventative controls.
Communication TemplatesΒΆ
- Internal:
#incident-responseSlack channel updates every 30 minutes for High/Critical incidents. - External: Status page updates and customer email within required disclosure windows.
Roles & ResponsibilitiesΒΆ
- Incident Commander β Coordinates response, owns timeline.
- Communications Lead β Handles stakeholder updates.
- Scribe β Maintains incident log and evidence.
- Subject Matter Experts β Provide technical remediation support.
Post-Incident ActionsΒΆ
- File follow-up issues in tracking system.
- Update documentation and runbooks to reflect fixes.
- Schedule tabletop exercises for major incident types.