Runbooks
Step-by-step guides for specific incident types. Use these during active incidents to reduce cognitive load and ensure consistent response.
These runbooks are examples and starting points. They contain generic guidance that must be adapted to your specific protocol, infrastructure, and team. Review each runbook carefully and customize the commands, contacts, and procedures before relying on them during an actual incident. Untested runbooks can be worse than no runbook at all.
Available Runbooks
Critical (P1)
- Smart-Contract-Exploit - Active exploit or critical vulnerability
- Key-Compromise - Private key or signer compromise
- Frontend-Compromise - Website/UI compromise (routes to specific runbooks below)
- DNS-Hijack - Domain/DNS compromise
- CDN-Hosting-Compromise - CDN or hosting provider compromise
- Dependency-Attack - npm/package supply chain attack
- Build-Pipeline-Compromise - CI/CD compromise
High/Moderate (P2-P3)
- DDoS-Attack - Denial of service attacks
- Third-Party-Outage - External provider issues
Creating New Runbooks
Use _Runbook-Template as your starting point.
Good runbooks:
- Are concise, because responders need quick answers
- Include actual commands and links
- Get tested in tabletop exercises
- Get updated after real incidents
Suggested Runbooks to Add
Consider creating runbooks for:
- Oracle manipulation
- Governance attack
- SSL certificate issues
- Deployment failure/rollback
- Data inconsistency
See Incident-Response-Policy for the overall response process.