Incident Response Playbook
by @pitchinnate · 🔐 Security · 15d ago
Security incident response procedures. Detection, containment, eradication, recovery, and post-incident review.
# CLAUDE.md — Security Incident Response

## Incident Classification

| Category | Examples |
|----------|---------|
| Data Breach | Unauthorised access to user PII |
| Account Compromise | Admin credential theft |
| Infrastructure | Server intrusion, ransomware |
| Application | SQL injection exploitation |
| Supply Chain | Malicious dependency |

## Response Phases

### 1. Detection & Analysis (first 30 mins)

- Confirm the incident is real (not a false positive)
- Identify affected systems and data
- Preserve evidence: snapshot logs before any remediation
- Classify severity; page appropriate teams

### 2. Containment (first 2 hours)

- Short-term: isolate affected systems from network
- Long-term: patch or workaround to prevent recurrence
- Block attacker IPs and revoke compromised credentials immediately

### 3. Eradication

- Remove malware or unauthorised access paths
- Patch the vulnerability that was exploited
- Audit all systems for similar vulnerabilities

### 4. Recovery

- Restore from known-good backups
- Monitor closely for 72 hours post-recovery
- Verify integrity of restored data

### 5. Post-Incident Review

- Complete within 5 business days
- Blameless — focus on systems, not individuals
- Action items with owners and due dates
submitted March 19, 2026