yaml 12 lines · 1 tab

Incident response severity matrix and first hour checklist

Kai Nakamura Apr 2026
1 tab
severities:
  sev1: customer-impacting active compromise or confirmed data exposure
  sev2: high risk suspicious activity with potential customer impact
  sev3: contained issue with low current impact

first_hour:
  - identify incident commander
  - capture volatile evidence
  - contain without destroying evidence
  - rotate potentially exposed credentials
  - notify stakeholders based on severity
  - start incident log with UTC timestamps
1 file · yaml Explain with highlit

The first hour of an incident should be structured enough that teams do not invent process under pressure. I keep severity definitions, communication paths, and containment priorities explicit. A good checklist reduces panic and preserves evidence at the same time.

Share this code

Here's the card — post it anywhere.

Incident response severity matrix and first hour checklist — share card
Link copied