---
name: security-incident-response
description: Rapidly respond to and contain security-related customer reports including account compromise, unauthorized access, data breach suspicion, phishing attempts, and vulnerability discoveries with automated account lockdown and security team notification. Use when handling security reports, responding to account compromise, managing data breach reports, detecting phishing attempts, or coordinating security incidents. Triggers on phrases like "security incident", "account compromised", "unauthorized access", "data breach", "phishing report", "security vulnerability", "account lockdown", "breach response".
---

# Security Incident Response

Rapidly detect, contain, and resolve security-related customer reports while maintaining customer trust and regulatory compliance through automated response workflows and coordination with security teams.

## Workflow

### 1. Security Incident Detection and Classification

1. **Detection channels and triggers**:
   ```
   SECURITY INCIDENT DETECTION MATRIX
   ==================================
   
   CUSTOMER-REPORTED INCIDENTS:
     Support ticket with security keywords:
       • "hacked", "compromised", "unauthorized", "someone accessed my account"
       • "phishing", "suspicious email", "fake login"
       • "data breach", "leaked", "exposed"
       • "vulnerability", "security flaw", "bug bounty"
     Direct security email: security@company.com
     In-app security report button
     Phone call (detected by sentiment + keywords)
     
   SYSTEM-AUTOMATED DETECTION:
     Impossible login patterns (2 countries in 1 hour)
     Multiple failed login attempts (>10 in 5 minutes)
     API key used from new IP/geography
     Bulk data export by user (unusual volume)
     Account credentials found in public breach database
     Unusual admin actions (mass user deletion, permission changes)
     Payment method change + immediate large transaction
     
   THIRD-PARTY DETECTION:
     Bug bounty platform report (HackerOne, Bugcrowd)
     Security research notification
     Law enforcement request
     Industry security advisory
   ```

2. **Severity classification**:
   ```
   SECURITY INCIDENT SEVERITY LEVELS
   ==================================
   
   SEV-1 — CRITICAL (Immediate Response Required):
     Criteria:
       • Confirmed account compromise with data exfiltration
       • Active exploitation of product vulnerability
       • Customer data breach affecting multiple accounts
       • Ransomware or malicious code in product
     Response time: <5 minutes
     Escalation: Security team + CISO + VP Engineering + VP Support
     Communication: Customer notified within 24 hours (per regulation)
     
   SEV-2 — HIGH (Urgent Response Required):
     Criteria:
       • Suspected account compromise (no confirmed exfiltration)
       • Single-account data breach
       • Phishing attack impersonating company
       • Vulnerability discovery (potential exploit)
     Response time: <15 minutes
     Escalation: Security team + VP Support
     Communication: Customer acknowledged within 1 hour
     
   SEV-3 — MEDIUM (Same-Day Response):
     Criteria:
       • Suspicious activity reported (not confirmed)
       • Password reset request (potential social engineering)
       • Social engineering attempt reported
       • Minor policy violation
     Response time: <1 hour
     Escalation: Security team
     Communication: Customer acknowledged within 4 hours
     
   SEV-4 — LOW (Routine Handling):
     Criteria:
       • False positive security alert
       • General security question
       • Security feature request
       • Compliance inquiry
     Response time: <4 hours
     Escalation: Security team (no urgency)
     Communication: Standard support communication
   ```
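The two automated-detection rules above that carry concrete thresholds (impossible login patterns, failed-login bursts) and the severity mapping, implemented as an added example in Python over a constructed authentication log; this is not code from the skill file, the thresholds come from the detection matrix, and the mapping of each signal to a SEV level, the function names and the sample users are assumptions.

```python
from datetime import datetime, timedelta

# Thresholds taken from the detection matrix above
TRAVEL_WINDOW = timedelta(hours=1)                  # 2 countries in 1 hour
FAIL_LIMIT, FAIL_WINDOW = 10, timedelta(minutes=5)  # >10 failed logins in 5 minutes

# Constructed sample events, not real logs: (user, ISO timestamp, country, outcome)
SAMPLE_AUTH_LOG = [
    ("alice", "2026-01-14T09:00:00", "US", "success"),
    ("alice", "2026-01-14T09:40:00", "BR", "success"),  # second country 40 min later
    ("carol", "2026-01-14T08:00:00", "US", "success"),
    ("carol", "2026-01-14T11:30:00", "FR", "success"),  # 3.5 h apart: plausible travel
] + [("bob", "2026-01-14T10:00:%02d" % (5 * i), "DE", "failure") for i in range(11)]

def by_user(events, wanted):
    """Per user, the time-sorted (timestamp, country) pairs with the wanted outcome."""
    groups = {}
    for user, ts, country, outcome in events:
        if outcome == wanted:
            groups.setdefault(user, []).append((datetime.fromisoformat(ts), country))
    return {u: sorted(g) for u, g in groups.items()}

def impossible_travel(events):
    """Users with successful logins from two countries within TRAVEL_WINDOW."""
    # Adjacent logins suffice: any differing pair inside the window contains one.
    return {user for user, logins in by_user(events, "success").items()
            if any(c0 != c1 and t1 - t0 <= TRAVEL_WINDOW
                   for (t0, c0), (t1, c1) in zip(logins, logins[1:]))}

def failed_login_burst(events):
    """Users with more than FAIL_LIMIT failures inside FAIL_WINDOW: some failure and
    the FAIL_LIMIT-th one after it are at most FAIL_WINDOW apart."""
    return {user for user, fails in by_user(events, "failure").items()
            if any(fails[i + FAIL_LIMIT][0] - fails[i][0] <= FAIL_WINDOW
                   for i in range(len(fails) - FAIL_LIMIT))}

def classify(events):
    """Severity per flagged user; the signal-to-SEV mapping here is an assumption."""
    signals = {"impossible_travel": impossible_travel(events),
               "failed_login_burst": failed_login_burst(events)}
    findings = {}
    for name, users in signals.items():
        for user in users:
            # A login from a second country is a suspected compromise (SEV-2);
            # failures alone are suspicious activity, not yet confirmed (SEV-3).
            sev = "SEV-2" if user in signals["impossible_travel"] else "SEV-3"
            findings.setdefault(user, {"severity": sev, "signals": []})["signals"].append(name)
    return findings

if __name__ == "__main__":
    print(classify(SAMPLE_AUTH_LOG))
```

Carol's two logins sit 3.5 hours apart and so stay unflagged, which is the case a too-wide travel window would turn into a false-positive lockdown.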

### 2. Immediate Response and Containment

1. **Automated containment actions**:
   - **Account lockdown**: Immediately suspend account access
     - Force password reset
     - Revoke all active sessions
     - Disable API keys
     - Block all integrations (temporarily)
   - **Evidence preservation**: Capture and preserve logs before any changes
     - Authentication logs (last 30 days)
     - Action logs (what compromised account did)
     - IP addresses, user agents, timestamps
   - **Blast radius assessment**: Identify all affected accounts/data
     - Shared API keys, sub-accounts, team members
     - Data accessible through compromised account
     - Connected integrations that may be affected

2. **Security team notification**:
   - Immediate Slack alert to #security-incidents channel
   - PagerDuty alert for on-call security engineer (SEV-1/2)
   - Email to security team with full incident details
   - Ticket created in security incident tracking system
   - Customer support ticket tagged and linked to security incident

3. **Customer communication protocol**:
   ```
   SECURITY INCIDENT CUSTOMER COMMUNICATION TEMPLATES
   
   INITIAL ACKNOWLEDGMENT (Within 1 hour):
     "We've received your security concern and our security team is investigating. 
      We've taken immediate steps to secure your account. Here's what we've done so far:
      • [Actions taken — account locked, sessions revoked, etc.]
      • Our security team is conducting a full investigation
      • We'll provide an update within [timeframe]
      
      Your account is currently secured. To restore access, please [steps].
      
      If you believe any of your data was compromised, we recommend [actions].
      Contact: security@company.com | Incident ID: SEC-2026-0047"
   
   INVESTIGATION UPDATE (Within 24 hours):
     "Update on your security report (Incident ID: SEC-2026-0047):
      Investigation status: [In Progress / Identified / Resolved]
      Findings: [What we've found so far]
      Actions taken: [What we've done]
      What you should do: [Customer action items]
      Expected resolution: [Timeline]
      
      We take security seriously and appreciate you bringing this to our attention."
   
   RESOLUTION (Within 48-72 hours):
     "Security incident resolved (Incident ID: SEC-2026-0047):
      Root cause: [Explanation]
      Impact: [What was affected, if anything]
      Resolution: [What was fixed]
      Preventive measures: [What we've implemented to prevent recurrence]
      
      Your account is now fully restored and secured. We recommend:
      • Change your password
      • Enable two-factor authentication
      • Review active sessions
      • Review API keys and integrations
      
      If you have any concerns, contact security@company.com"
   ```

### 3. Investigation and Resolution

1. **Forensic investigation process**:
   - Security analyst reviews preserved logs
   - Identifies attack vector and timeline
   - Assesses data accessed/potentially exfiltrated
   - Determines if other accounts affected
   - Classifies incident for regulatory reporting

2. **Remediation actions**:
   - Patch vulnerability (if product issue)
   - Reset compromised credentials (customer and system)
   - Monitor account for 30 days post-resolution
   - Implement additional safeguards
   - Update security documentation

3. **Post-incident review**:
   - Root cause analysis documented
   - Timeline of detection, response, resolution
   - Lessons learned and process improvements
   - Customer feedback collection
   - Regulatory compliance verification

## Templates & Frameworks

### Security Incident Dashboard

```
SECURITY INCIDENT DASHBOARD — January 2026
============================================

INCIDENT SUMMARY:
  Total incidents this month: 12
  By severity:
    SEV-1 (Critical): 1 (resolved)
    SEV-2 (High): 3 (2 resolved, 1 in progress)
    SEV-3 (Medium): 5 (all resolved)
    SEV-4 (Low): 3 (all resolved)
    
  Active incidents: 1 (SEV-2 — phishing investigation)
  Mean time to detection: 8.2 minutes (automated), 45 minutes (customer-reported)
  Mean time to containment: 3.4 minutes (automated), 28 minutes (manual)
  Mean time to resolution: 12.4 hours

ACTIVE INCIDENT:
  Incident ID: SEC-2026-0047
  Severity: SEV-2 (High)
  Type: Phishing campaign impersonating company
  Status: INVESTIGATING
  Detected: Jan 14, 09:30 UTC (customer report)
  Contained: Jan 14, 10:00 UTC (phishing URLs reported to domain registrar)
  Team assigned: Security analyst — Dr. Chen
  
  Customer impact:
    Reports received: 23
    Accounts confirmed affected: 0 (pre-login phishing — no credential theft yet)
    Estimated reach: ~500 emails sent (based on reports)
    
  Actions taken:
    ✓ Customer accounts monitored for suspicious login attempts
    ✓ Phishing URLs reported to registrar (domains suspended)
    ✓ Email security rules updated (block sender domains)
    ✓ Customer alert sent to all users about phishing campaign
    ✓ DMCA takedown requests filed (3 domains)
    
  Next steps:
    ⏳ Coordinate with email provider (Google Workspace) for SPF/DKIM review
    ⏳ Monitor for new phishing variants (24-hour watch)
    ⏳ Customer communication update (by Jan 15, 12:00 UTC)

INCIDENT TREND:
  Monthly incidents:
    August: 8 | September: 6 | October: 9 | November: 11 | December: 10 | January: 12
    Trend: ↗ +17% from 6-month average (12 vs 10.3)
    
  Incident types breakdown:
    Account compromise: 3 (25%)
    Phishing reports: 4 (33%)
    Suspicious activity: 2 (17%)
    Vulnerability reports: 1 (8%)
    Compliance inquiries: 2 (17%)

AUTOMATED CONTAINMENT ACTIONS:
  Accounts locked this month: 5
  Sessions revoked: 23
  API keys disabled: 8
  Integrations temporarily blocked: 3
  
  False positive rate: 12% (6 of 50 automated locks were false positives)
  Mean time to unlock false positives: 2.1 hours

CUSTOMER COMMUNICATION:
  Initial acknowledgments sent: 12/12 (100%)
  Average acknowledgment time: 28 minutes (target: <60 min) ✓
  Updates sent: 10/10 (100%)
  Resolution communications: 11/12 (92% — 1 pending)
  
  Customer satisfaction with security response: 4.2/5.0
  Customer trust impact: Minimal (no confirmed data breaches this month)

REGULATORY COMPLIANCE:
  Breaches requiring notification: 0 ✓
  GDPR data protection impact assessments: 2 completed
  Audit logs maintained: 100% of incidents ✓
  Response time within regulatory requirements: 12/12 (100%) ✓

SECURITY TEAM PERFORMANCE:
  On-call response time: 3.2 minutes avg (target: <5 min) ✓
  Incident classification accuracy: 92% (1 misclassified, corrected within 30 min)
  Mean time to resolution:
    SEV-1: 4.2 hours
    SEV-2: 18.6 hours
    SEV-3: 6.3 hours
    SEV-4: 2.1 hours
```

### Security Incident Response Checklist

```
SECURITY INCIDENT RESPONSE CHECKLIST
======================================

IMMEDIATE ACTIONS (First 5 Minutes):
  ☐ Detect and classify severity (SEV-1/2/3/4)
  ☐ Trigger automated containment:
    ☐ Lock account
    ☐ Revoke active sessions
    ☐ Disable API keys
    ☐ Block integrations (if needed)
  ☐ Preserve evidence (logs, screenshots, timestamps)
  ☐ Notify security team (Slack + PagerDuty for SEV-1/2)
  ☐ Create security incident ticket
  ☐ Acknowledge customer (template communication)

INVESTIGATION (First 1 Hour):
  ☐ Review authentication logs (last 30 days)
  ☐ Review action logs (what compromised account did)
  ☐ Identify attack vector
  ☐ Assess blast radius (other affected accounts)
  ☐ Determine data accessed/potentially exfiltrated
  ☐ Update incident severity if needed

REMEDIATION (First 24 Hours):
  ☐ Force credential reset (customer)
  ☐ Patch vulnerability (if product issue)
  ☐ Implement additional safeguards
  ☐ Restore account access (controlled)
  ☐ Monitor for 30 days (automated alerts)
  ☐ Send resolution communication to customer

POST-INCIDENT (Within 72 Hours):
  ☐ Complete root cause analysis
  ☐ Document full timeline
  ☐ Identify process improvements
  ☐ Update security documentation/runbooks
  ☐ Brief support team on lessons learned
  ☐ Regulatory compliance verification
  ☐ Customer follow-up (satisfaction check)

ESCALATION TRIGGERS:
  → CISO: SEV-1 incidents, data breach confirmed, regulatory notification needed
  → VP Engineering: Product vulnerability, system-wide impact
  → VP Support: Customer communication issues, reputational risk
  → Legal: Law enforcement involvement, regulatory requirement
  → Executive team: Media attention, customer churn risk >5 accounts
```

## Integration Points

- **Help desk** (Zendesk, Intercom): Security ticket flagging, customer communication templates
- **Security platforms** (SIEM, CrowdStrike, Okta): Threat detection, log analysis, account lockdown
- **Communication** (Slack, PagerDuty): Security team alerts, incident coordination
- **Identity management** (Okta, Auth0): Session revocation, password reset, MFA enforcement
- **Email security** (Proofpoint, Google Safe Sending): Phishing detection, domain reputation
- **Bug bounty** (HackerOne, Bugcrowd): Vulnerability report intake
- **Legal/compliance** (OneTrust): Regulatory reporting, breach notification management
- **Monitoring** (Datadog, CloudWatch): Real-time security monitoring, anomaly detection

## Edge Cases

- **False positive security alert**: Legitimate user's behavior triggers security lockdown:
  - Rapid review: Security analyst reviews within 30 minutes for automated locks
  - Customer communication: "Your account was temporarily locked for security review — we're investigating"
  - Unblocking: If no threat found, unlock within 2 hours with explanation
  - Apology: "Sorry for the inconvenience — our security systems detected unusual activity"
  - Improvement: Tune detection thresholds to reduce false positives
- **Customer under active attack**: Account being compromised in real-time while customer is chatting with agent:
  - Immediate action: Lock account instantly during conversation
  - Customer guidance: "I'm locking your account right now to stop the unauthorized access"
  - Evidence gathering: Capture attacker's IP, actions in real-time
  - Recovery plan: Step-by-step account recovery with security hardening
  - Follow-up: Enhanced monitoring for 30 days, proactive check-ins
- **Competitor-triggered false report**: Competitor reports fake security vulnerability for PR:
  - Independent verification: Security team validates report before public acknowledgment
  - No public confirmation until verified: Avoid validating false claims
  - Professional response: "We take all security reports seriously and are investigating"
  - Legal coordination: If malicious intent confirmed, legal team involved
  - Documentation: Full audit trail for potential legal action
- **International regulatory requirements**: EU customer data breach requires GDPR notification within 72 hours:
  - Regional detection: Identify customer jurisdiction from account data
  - Regulatory escalation: Legal/compliance team notified of GDPR timeline
  - Notification preparation: Draft breach notification for supervisory authority
  - Customer notification: Direct customer notification if high risk
  - Documentation: Full GDPR breach record maintained
  - Coordination: Cross-functional team (security, legal, support, comms)
- **Bug bounty vs customer report**: Same vulnerability reported by both bug bounty hunter and angry customer:
  - Coordinate communication: Don't acknowledge bug bounty report to customer and vice versa
  - Reward coordination: Verify bug bounty report independently
  - Customer focus: Prioritize customer's resolution over bounty program
  - Information sharing: Link reports internally without exposing bounty details to customer
  - Timeline: Fix vulnerability ASAP, communicate resolution to both parties appropriately

## Output

### Monthly Security Report

```
SECURITY INCIDENT MONTHLY REPORT — January 2026
==================================================

INCIDENT SUMMARY:
  Total incidents: 12 (↑ 20% from December)
  SEV-1/2 (Critical/High): 4 (33%)
  All resolved: 11 of 12 (92%)
  1 active: SEV-2 phishing campaign investigation
  
RESPONSE PERFORMANCE:
  Mean time to detection: 8.2 min (automated), 45 min (reported)
  Mean time to containment: 3.4 min (automated) ✓
  Mean time to resolution: 12.4 hours ✓
  Customer acknowledgment: 28 min avg (target: <60 min) ✓
  
CUSTOMER IMPACT:
  Accounts affected: 0 confirmed data breaches ✓
  Customer satisfaction with response: 4.2/5.0
  Reputational impact: Minimal
  
RECOMMENDATIONS:
  1. Reduce false positive rate (12% → target: <5%) by tuning detection thresholds
  2. Implement automated phishing detection (reduce customer reports by 40%)
  3. Create security FAQ for common customer questions
  4. Conduct security tabletop exercise (quarterly requirement)
  5. Update incident response runbooks based on January learnings
```
