
Incident Response Playbook

A structured framework for detecting, responding to, and recovering from security incidents. Speed and clarity matter most when things go wrong.

Incident Severity Levels

SEV-1

Critical: Active data breach, production system compromise, or customer data exposure. All-hands response, executive notification within 15 minutes.

SEV-2

High: Confirmed vulnerability under active exploitation, partial service outage, or confirmed unauthorized access that has not been shown to reach customer data. On-call response within 30 minutes.

SEV-3

Medium: Vulnerability identified but not exploited, suspicious activity detected, or non-critical service degradation. Response within 4 hours.

SEV-4

Low: Informational alerts, failed login attempts below threshold, or minor policy violations. Review during next business day.

Response Phases

Detection

Identify the incident through monitoring alerts, user reports, or third-party notifications. Record initial observations with UTC timestamps, assign a provisional severity level, and name an incident commander. Timestamp everything: the detection-to-containment timeline is reconstructed from these notes.

Containment

Isolate affected systems to prevent spread, preferably by network isolation rather than powering off, since a shutdown destroys volatile evidence (memory, active connections). Preserve evidence before any cleanup: capture memory and disk images, copy logs off the host, and record hashes of what was collected. Then revoke compromised credentials and block malicious IPs.

Eradication

Remove the root cause. Patch the exploited vulnerability, remove malware and persistence mechanisms, rotate every credential the attacker could have reached (not only the ones observed in use), and rebuild compromised systems from clean images rather than cleaning them in place.

Recovery

Restore services from backups that are verified to predate the compromise and to be free of the attacker's foothold. Monitor closely for recurrence. Gradually re-enable access with enhanced monitoring on the affected systems and accounts.
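The detection and containment phases above, worked through on a constructed auth log as an added example (this is not the playbook's own tooling). It parses sshd-style lines, applies the playbook's severity scale to each source IP, hashes the raw evidence before anything is touched, and emits the first containment actions (IPs to block, credentials to revoke). The log format, the five-failure threshold, and the rule that a successful login after brute force counts as SEV-2 are assumptions made for the illustration.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample auth log (sshd-style); not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd: Failed password for invalid user admin from 203.0.113.7
2024-05-01T10:00:02Z sshd: Failed password for invalid user admin from 203.0.113.7
2024-05-01T10:00:03Z sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:04Z sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:05Z sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:09Z sshd: Accepted password for deploy from 203.0.113.7
2024-05-01T10:02:11Z sshd: Failed password for alice from 198.51.100.4
2024-05-01T10:05:00Z sshd: Accepted publickey for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumed threshold: this many failures from one IP is the SEV-4 / SEV-3 boundary.
FAILED_THRESHOLD = 5
SEV_RANK = {"SEV-1": 1, "SEV-2": 2, "SEV-3": 3, "SEV-4": 4}


def parse(log_text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def triage(events):
    """Classify each source IP against the playbook's severity scale.

    SEV-4: failed logins below threshold (informational).
    SEV-3: failures at or above threshold with no success (suspicious activity).
    SEV-2: failures at or above threshold, then a success from the same IP
           (assumption: treated as confirmed unauthorized access).
    """
    failures = Counter()
    breached = defaultdict(list)  # ip -> users whose login succeeded after brute force
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= FAILED_THRESHOLD:
            breached[e["ip"]].append(e["user"])
    findings = []
    for ip, n in failures.items():
        if ip in breached:
            sev, why = "SEV-2", "successful login after brute force"
        elif n >= FAILED_THRESHOLD:
            sev, why = "SEV-3", "failed logins at or above threshold"
        else:
            sev, why = "SEV-4", "failed logins below threshold"
        findings.append({"ip": ip, "failed": n, "users": breached.get(ip, []),
                         "severity": sev, "reason": why})
    return findings


def evidence_hash(raw_log):
    """SHA-256 of the raw log, taken before any cleanup, so the copy handed to
    forensics can later be shown to be the same bytes that were collected."""
    return hashlib.sha256(raw_log.encode()).hexdigest()


def incident_record(raw_log, findings, detected_at=None):
    """Build the detection-phase record plus the first containment actions."""
    detected_at = detected_at or datetime.now(timezone.utc)
    # Only SEV-3 and worse get containment actions; SEV-4 is reviewed next business day.
    actionable = [f for f in findings if SEV_RANK[f["severity"]] <= SEV_RANK["SEV-3"]]
    overall = min((f["severity"] for f in findings), key=SEV_RANK.get, default="SEV-4")
    return {
        "detected_at": detected_at.isoformat(),  # UTC timestamp, as the playbook requires
        "severity": overall,
        "findings": findings,
        "evidence_sha256": evidence_hash(raw_log),
        "block_ips": sorted(f["ip"] for f in actionable),
        "revoke_credentials": sorted(u for f in actionable for u in f["users"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(incident_record(SAMPLE_LOG, triage(parse(SAMPLE_LOG))), indent=2))
```

On the sample, 203.0.113.7 produces five failures followed by a successful login as deploy, so the record comes out SEV-2 with that IP on the block list and the deploy credential queued for revocation; 198.51.100.4 has a single failure and stays SEV-4 with no action. The evidence hash is computed from the untouched log before either action is taken, matching the "preserve evidence before cleanup" rule.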

Post-Incident Review

  • Conduct blameless post-mortem within 48 hours of resolution
  • Document timeline: detection, containment, resolution, and total impact duration
  • Identify root cause and contributing factors (not who, but what and why)
  • Define specific action items with owners and deadlines
  • Share lessons learned with the broader team
  • Update monitoring and alerting based on gaps identified
  • Update this playbook with any new procedures discovered

Communication Templates

Internal

Slack channel #incident-response with severity level, affected systems, current status, and incident commander named.

Customer

Status page update within 30 minutes of confirming customer impact. Honest, jargon-free language about what happened, who is affected, and when the next update will be posted; never promise a resolution time you cannot meet.

Executive

Brief summary: what happened, customer impact, current status, estimated resolution, and any legal/compliance implications.

Need help building an incident response plan? Get in touch and we will help you prepare.