yaml
12 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
severities:
sev1: customer-impacting active compromise or confirmed data exposure
sev2: high risk suspicious activity with potential customer impact
sev3: contained issue with low current impact
first_hour:
- identify incident commander
- capture volatile evidence
- contain without destroying evidence
- rotate potentially exposed credentials
- notify stakeholders based on severity
- start incident log with UTC timestamps
1 file · yaml
Explain with highlit
The first hour of an incident should be structured enough that teams do not invent process under pressure. I keep severity definitions, communication paths, and containment priorities explicit. A good checklist reduces panic and preserves evidence at the same time.
Share this code
Here's the card — post it anywhere.