Night Mode Labs Blue Book
Security Playbooks

Security Incident Response

Security incidents need fast containment, careful evidence handling, and clear communication. Prepare the process before a breach, token leak, or suspicious access event occurs.

Incident triggers

Treat these as potential security incidents:

  • Exposed secrets or credentials.
  • Suspicious privileged access.
  • Malware or unauthorized runtime behavior.
  • A vulnerability under active exploitation.
  • Data exfiltration or unauthorized disclosure.
  • Compromised dependency, CI/CD workflow, or artifact.

Response flow

Containment examples

  • Revoke or rotate exposed credentials.
  • Disable compromised identities.
  • Quarantine affected workloads.
  • Block malicious network paths.
  • Freeze suspicious deployment pipelines.
  • Disable exposed functionality with feature flags or routing controls.

Evidence handling

Record timestamps, affected systems, logs, identities, artifacts, commands run, and people involved. Preserve evidence before destroying resources when legal, compliance, or forensic needs may apply.
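As an added illustration of the evidence-handling step above (example code, not part of the Night Mode Labs playbook): a small Python evidence manifest that records the fields listed, pins each collected artifact with a SHA-256 digest, and hash-chains the entries so that a deleted, reordered, or edited record is detectable later. The incident id, hostnames, identities and log contents are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash anchor for the first manifest entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_record(prev_hash, *, incident_id, system, identity, collected_by,
                command, artifact_name, artifact: bytes, collected_at=""):
    """Manifest entry: the fields the playbook says to record, the artifact's
    digest (bytes are stored separately) and a link to the previous entry."""
    rec = {
        "incident_id": incident_id,
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "system": system, "identity": identity, "collected_by": collected_by,
        "command": command, "artifact_name": artifact_name,
        "artifact_sha256": sha256_hex(artifact), "prev_hash": prev_hash,
    }
    rec["entry_hash"] = sha256_hex(json.dumps(rec, sort_keys=True).encode())
    return rec

def verify_manifest(manifest, artifacts):
    """Return problems found; an empty list means chain and digests are intact."""
    problems, prev = [], GENESIS
    for i, rec in enumerate(manifest):
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if rec["prev_hash"] != prev:
            problems.append(f"record {i}: chain break (gap or reordering)")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["entry_hash"]:
            problems.append(f"record {i}: entry modified after collection")
        data = artifacts.get(rec["artifact_name"])
        if data is None:
            problems.append(f"record {i}: artifact {rec['artifact_name']} missing")
        elif sha256_hex(data) != rec["artifact_sha256"]:
            problems.append(f"record {i}: artifact {rec['artifact_name']} altered")
        prev = rec["entry_hash"]
    return problems

def demo():
    artifacts = {  # constructed sample logs for hypothetical incident INC-0001
        "auth.log": b"sshd: Accepted publickey for deploy from 203.0.113.7\n",
        "ci-run.json": b'{"workflow": "release", "actor": "bot-deploy"}'}
    manifest, prev = [], GENESIS
    for name, data in artifacts.items():
        rec = make_record(prev, incident_id="INC-0001", system="api-prod-3",
                          identity="deploy@svc", collected_by="oncall-a",
                          command=f"cat {name}", artifact_name=name, artifact=data,
                          collected_at="2024-05-01T10:30:00+00:00")
        manifest.append(rec)
        prev = rec["entry_hash"]
    return manifest, artifacts
```

Keep the manifest and the artifact bytes on separate, write-once storage; the manifest alone proves what was collected and when, not the content.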

Watchouts

  • Do not rotate only one secret if a broader identity may be compromised.
  • Do not delete evidence while trying to clean up quickly.
  • Do not communicate certainty before facts are known.
  • Know when legal, privacy, customer, or regulatory notification paths are required.
