Incident response runbook — solo-founder-friendly playbook
12-section IR playbook with severity matrix, roles, communication templates, customer notification (GDPR Article 33), and post-incident review. Adapt for your team; run a tabletop exercise quarterly.
How to use
Print + post in your war-room channel. Run a tabletop quarterly.
Template (markdown)
Copy-paste and replace the {{PLACEHOLDERS}}.
# Incident Response Runbook
**Version:** 1.0 · **Last updated:** {{DATE}} · **Owner:** {{CTO}}
## 1. Severity matrix
| Severity | Definition | Response time | Notification scope |
|---|---|---|---|
| SEV1 | Customer data breach OR production outage > 30 min | Page on-call within 5 min | Customers within 72h (GDPR Art 33) |
| SEV2 | Degraded availability OR potential data exposure (unconfirmed) | Page on-call within 15 min | Customers if confirmed |
| SEV3 | Internal-only impact OR low-risk vulnerability | Within 24h | Internal only |
## 2. Roles
- **Incident Commander** — runs the response; on-call engineer initially
- **Communications Lead** — drafts customer + internal comms (CTO or designated lead)
- **Scribe** — records timeline, decisions, evidence (rotates)
- **Subject-Matter Expert** — pulled in based on the affected system
## 3. Response sequence (first 60 minutes)
1. **0-5 min:** On-call acknowledges the page; opens war-room channel `#inc-{{TIMESTAMP}}`
2. **5-10 min:** IC declares severity + assigns roles in war-room
3. **10-30 min:** Triage — confirm the incident, scope the impact, identify affected customers
4. **30-60 min:** Containment — stop the bleeding; rotate keys, revoke sessions, take down affected service if necessary
## 4. Containment playbook (per scenario)
### Leaked credential
- Revoke at vendor dashboard immediately
- Rotate to new key
- Search audit log for unauthorized use
- See /leak/<vendor> for vendor-specific rotation steps
### Database compromise
- Revoke service-role key
- Rotate database credentials
- Review audit log for unauthorized queries
- Restore from last clean backup if necessary
- See /scenarios/my-supabase-database-is-public
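Both the "Leaked credential" and "Database compromise" playbooks above say to search the audit log for unauthorized use, and that search is the step most easily rushed under time pressure. The following is an added example, not part of the runbook and not any vendor's tooling: given the identifier of the compromised credential, the time it is believed to have leaked, and the source addresses that legitimately use it, it flags every event that used the credential after that moment from an unknown source and groups them by source so the IC can scope the impact. The log lines are constructed, and the field names (`ts`, `principal`, `source_ip`, `action`) are assumptions about the export format; map them to whatever your vendor's audit export actually emits.

```python
"""Audit-log triage after a credential leak (added example, not the runbook's own code)."""
import json
from datetime import datetime, timezone

# Constructed sample audit-log export (newline-delimited JSON). Not real data.
# key_abc123 is the leaked credential; 203.0.113.10 is the only host that should use it.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-03-01T09:58:12Z", "principal": "key_abc123", "source_ip": "203.0.113.10", "action": "bucket.list"}
{"ts": "2026-03-01T10:03:44Z", "principal": "key_abc123", "source_ip": "203.0.113.10", "action": "object.get"}
{"ts": "2026-03-01T10:41:05Z", "principal": "key_abc123", "source_ip": "198.51.100.77", "action": "object.get"}
{"ts": "2026-03-01T10:42:19Z", "principal": "key_abc123", "source_ip": "198.51.100.77", "action": "bucket.list"}
{"ts": "2026-03-01T10:45:00Z", "principal": "key_other9", "source_ip": "198.51.100.77", "action": "object.get"}
{"ts": "2026-03-01T11:02:37Z", "principal": "key_abc123", "source_ip": "203.0.113.10", "action": "object.put"}
"""


def parse_ts(value):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp format as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unauthorized_use(log_text, leaked_principal, leaked_at, known_sources):
    """Return events where the leaked credential was used after `leaked_at`
    (ISO-8601 string) from a source address not in `known_sources`."""
    cutoff = parse_ts(leaked_at)
    suspicious = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["principal"] != leaked_principal:
            continue  # other credentials are out of scope for this search
        if parse_ts(event["ts"]) < cutoff:
            continue  # activity before the leak is presumed legitimate
        if event["source_ip"] in known_sources:
            continue  # known-good source; still worth a second look, but not flagged
        suspicious.append(event)
    return suspicious


def summarize_by_source(events):
    """Group flagged actions by source address so the IC can scope impact quickly."""
    by_source = {}
    for event in events:
        by_source.setdefault(event["source_ip"], []).append(event["action"])
    return by_source


def triage_sample():
    """Run the search over the constructed sample log."""
    flagged = find_unauthorized_use(
        SAMPLE_AUDIT_LOG,
        leaked_principal="key_abc123",
        leaked_at="2026-03-01T10:00:00Z",
        known_sources={"203.0.113.10"},
    )
    return flagged, summarize_by_source(flagged)


if __name__ == "__main__":
    flagged, summary = triage_sample()
    print(f"{len(flagged)} suspicious event(s)")
    for source, actions in summary.items():
        print(f"  {source}: {', '.join(actions)}")
```

Treat the output as a starting point for scoping, not a verdict: an attacker can use a stolen key from a known-good address, so the known-source filter narrows the search rather than clearing the events it skips. Record the query parameters (credential, cutoff, allowlist) in the war-room channel so the scribe can reproduce the search later.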
### AI agent destroyed data
- Disable agent immediately (revoke its credentials)
- Restore from last clean backup
- Review what other agents have similar access
- See /scenarios/ai-agent-deleted-production-database
### Vendor breach (e.g. Vercel × Context.ai 2026)
- Audit OAuth-app permissions: revoke any "Allow All"
- Rotate every credential the affected vendor stored
- Review their incident report; pre-emptively rotate adjacent credentials
- See /incidents/vercel-context-ai-breach-2026
## 5. Customer notification (GDPR Article 33)
- **Within 72 hours of becoming aware** — personal-data breach notification to supervisory authority
- **Without undue delay** — affected data subjects (if breach is high-risk to their rights)
- **Template:** see attached customer-notification-template.md
## 6. Internal escalation
- CEO + co-founders + legal counsel (if external counsel) — within 1h of SEV1 declaration
- Board notification (if required by company policy) — within 24h
- Cyber-insurance carrier — within 48h (most policies require this)
## 7. Communication templates
[see /templates/breach-notification for the customer-facing letter]
## 8. Post-incident review (within 5 business days)
- Timeline reconstruction
- Root cause (5 Whys)
- Action items (owner + due date)
- Publish: internal write-up always; public write-up if customers affected (transparency builds trust)
## 9. Evidence preservation
- Logs: copy to immutable storage immediately (don't let normal log rotation destroy evidence)
- Screenshots: timestamped, signed
- Communications: war-room channel exported + archived
- Vendor coordination: maintain audit trail of every notification
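The evidence list above asks for copies that normal operations cannot silently alter, and for timestamped, signed artifacts. The following is an added example (not the runbook's own code) of the hashing and sealing half of that: it writes a SHA-256 manifest for every file in an evidence directory, seals the manifest with an HMAC under a key that should live outside the incident environment, and verifies the bundle later, reporting tampered or missing files. Copying the directory to write-once storage is vendor-specific and is not shown. The sample evidence files, the demo key and the collector name are constructed for the demonstration.

```python
"""Evidence bundle: per-file SHA-256 manifest sealed with HMAC (added example)."""
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path):
    """Stream the file through SHA-256 so large log archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collected_by):
    """Record name, size and digest of every evidence file plus the collection time."""
    entries = []
    for path in sorted(Path(evidence_dir).iterdir()):
        if path.is_file() and path.name != MANIFEST_NAME:
            entries.append({"name": path.name, "size": path.stat().st_size,
                            "sha256": sha256_file(path)})
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collected_by,
        "files": entries,
    }


def seal(manifest, key):
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def write_bundle(evidence_dir, key, collected_by):
    """Create and store the sealed manifest next to the evidence files."""
    manifest = build_manifest(evidence_dir, collected_by)
    sealed = {"manifest": manifest, "hmac_sha256": seal(manifest, key)}
    Path(evidence_dir, MANIFEST_NAME).write_text(json.dumps(sealed, indent=2))
    return sealed


def verify_bundle(evidence_dir, key):
    """Return (ok, problems): check the seal first, then every recorded file digest."""
    sealed = json.loads(Path(evidence_dir, MANIFEST_NAME).read_text())
    problems = []
    if not hmac.compare_digest(seal(sealed["manifest"], key), sealed["hmac_sha256"]):
        problems.append("manifest seal does not verify")
    for entry in sealed["manifest"]["files"]:
        path = Path(evidence_dir, entry["name"])
        if not path.exists():
            problems.append(f"missing: {entry['name']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['name']}")
    return (not problems, problems)


def demo():
    """Build a bundle from constructed evidence, then show what verification catches."""
    key = b"constructed-demo-key; a real sealing key lives outside the incident environment"
    with tempfile.TemporaryDirectory() as workdir:
        Path(workdir, "auth.log").write_text(
            "2026-03-01T10:41:05Z login ok user=alice src=198.51.100.77\n")
        Path(workdir, "warroom-export.txt").write_text("[10:44] IC: declaring SEV1\n")
        write_bundle(workdir, key, collected_by="on-call engineer")
        clean_ok, clean_problems = verify_bundle(workdir, key)
        wrong_key_ok, wrong_key_problems = verify_bundle(workdir, b"not-the-sealing-key")
        # Simulate an after-the-fact edit to one evidence file.
        Path(workdir, "auth.log").write_text(
            "2026-03-01T10:41:05Z login ok user=alice src=203.0.113.10\n")
        tampered_ok, tampered_problems = verify_bundle(workdir, key)
    return {
        "clean": (clean_ok, clean_problems),
        "wrong_key": (wrong_key_ok, wrong_key_problems),
        "tampered": (tampered_ok, tampered_problems),
    }


if __name__ == "__main__":
    for label, (ok, problems) in demo().items():
        print(f"{label}: {'OK' if ok else 'FAIL'} {problems}")
```

The HMAC only proves the manifest is the one sealed by whoever holds the key; it does not prove when the files were collected, which is why the `collected_at` stamp should be corroborated by the war-room timeline and, where the stakes justify it, by a third-party timestamp or the immutable storage's own object-lock metadata.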
## 10. Cyber-insurance coordination
- Notify carrier within 48h of SEV1
- Coordinate with carrier-provided breach coach
- Track all expenses: response, notification, credit monitoring, legal, forensics
## 11. Tabletop exercise (quarterly)
- Pick a scenario from above
- Walk through with the on-call team
- Capture gaps; update this runbook
## 12. References
- /guides/soc2-for-vibe-coders — SOC 2 incident-response control
- /scenarios/* — specific scenario playbooks
- /incidents/* — real-world cases to learn from