You have an incident response plan. Congratulations. It’s probably sitting in a Google Drive somewhere, last updated 18 months ago, and no one on your team has actually tested it.
Here’s what happens in the first 30 minutes of a real incident:
Someone notices something weird. Maybe it’s an alert from your SIEM. Maybe it’s a system acting slow. They reach for the incident response plan. They start reading. And they realize — the contact list is outdated. Half the phone numbers are wrong. No one knows if this person should escalate to the VP of Engineering or straight to the CISO. Everyone’s guessing, and guessing costs time.
That’s when the real chaos starts.
I’ve been through this enough times now to know exactly where it falls apart. Not because teams are unprepared, but because plans sit on a shelf. They don’t get practiced. They don’t get tested when it actually matters.
Here’s what I see go wrong:
1. Decision paralysis on severity. Your plan says "page the on-call engineer for SEV-2 and above." But nobody agrees on what actually is a SEV-2. Is a misconfigured S3 bucket a SEV-2? Is a compromised developer account? By the time you've debated it for 20 minutes, 20 minutes have gone. Fix this: define severity clearly with examples. An S3 bucket exposed with customer data = SEV-1. An app server crashing but no data exposed = SEV-3. Write it down. Specific.
2. Communication breakdown. Your plan has an escalation path, but it doesn't say how to escalate. Does everyone text the incident commander? Do they use a Slack channel? Do they call? Fix this: pick one communication channel for incident status. Slack thread, or a war room call, not both. Make it clear in your plan.
3. Missing decision maker. Three minutes in, someone should own the incident. But if your plan doesn't explicitly say who that person is, you'll end up with five people trying to run it. Fix this: define primary and backup incident commanders. Name them. Actually tell them they're on the list.
4. Evidence destroyed in the chaos. Someone panics and starts fixing things — restarting services, deleting logs, resetting credentials. Your plan should say: Within the first 5 minutes, capture network traffic. Take a disk snapshot. Don't restart anything without telling the incident commander.One more thing: your incident response plan won't work until you've tested it when there's pressure. Do a tabletop exercise. Make it uncomfortable. Someone will find something broken in your plan, and that's the entire point. Better to find it now.
I've put together an Incident Response Plan template that addresses these gaps — it includes a severity matrix, escalation paths with backups, a 30-minute runbook, and a contact list template that I actually use. Grab it on my Gumroad if you want a head start instead of building this from scratch.
Quick Hits
AI-assisted attacks are scaling faster than defenses. Security teams are seeing attacks where adversaries use LLMs to automate reconnaissance, generate phishing emails, and adapt to defenses in real time. This doesn't mean panic — it means your security awareness training needs to evolve, and your email filtering needs to get smarter about context, not just signatures. Assume the next phishing email will be better written than the last one.
Cloud misconfiguration is still the number-one breach vector. Every report says the same thing, and every quarter it's still true. S3 buckets, GCS buckets, Azure blobs — something's exposed. Fix: make it impossible to deploy infrastructure without a security check. Terraform policy-as-code, pre-deployment scanning, infrastructure reviews. Treat it like a unit test.
Supply chain security regulations are hardening. NIST, NIS 2.0, and domestic frameworks are tightening requirements on vendors. This isn't a nice to have compliance thing anymore — it's a contract requirement. Audit your vendors and know your own security posture well enough to explain it.
Tool of the Week: Semgrep
Semgrep is an open-source static analysis engine that finds bugs and security issues in your code. It's fast, language-agnostic (Python, JavaScript, Go, Java, and more), and works on the command line or as part of your CI/CD pipeline.
Why it matters: Most teams have code that looks like security best practices but doesn't. Hardcoded credentials. Overly permissive database queries. Deserialization without validation. Semgrep catches these before they hit production, and it learns from rules you write for your own codebase.
One specific use case: If you have a pattern of mistakes you've made before, you can write a Semgrep rule to catch it automatically. It finds that bug every time from then on.
Where to get it: semgrep.dev — open-source, free to use, also has a paid managed version if you want cloud scanning.
One Thing to Do This Week
Pull out your incident response plan. Actually open it. Find the contact list.
Pick the first three names on it. Call them. Right now. Not email, not Slack — call.
If the number's wrong, or it goes to someone who's left the company, or it rings and nobody knows what you're talking about — you just found your first improvement. Update the contact list. Call back and confirm.
Do this, and you've just made your incident response plan measurably better. Not sexy, but it works.
Until Next Monday,
VJ
Principal Security Engineer
P.S. If this was useful, forward it to one colleague who'd benefit. That's how we grow.