Runbooks
Step-by-step guides for specific incident types. Use these during active incidents to reduce cognitive load and ensure consistent response.
These runbooks are examples and starting points. They contain generic guidance that must be adapted to your specific protocol, infrastructure, and team. Review each runbook carefully and customize the commands, contacts, and procedures before relying on them during an actual incident. Untested runbooks can be worse than no runbook at all.
Available Runbooks
Critical (P1)
- Smart Contract Exploit - Active exploit or critical vulnerability
- Key Compromise - Private key or signer compromise
- Frontend Compromise - Website/UI compromise (routes to specific runbooks below)
- DNS Hijack - Domain/DNS compromise
- CDN/Hosting Compromise - CDN or hosting provider compromise
- Dependency Attack - npm/package supply chain attack
- Build Pipeline Compromise - CI/CD compromise
High/Moderate (P2-P3)
- DDoS Attack - Denial of service attacks
- Third-Party Outage - External provider issues
Creating New Runbooks
Use Runbook Template as your starting point.
Good runbooks:
- Are concise, because responders need quick answers
- Include actual commands and links
- Get tested in tabletop exercises
- Get updated after real incidents
Suggested Runbooks to Add
Consider creating runbooks for:
- Oracle manipulation
- Governance attack
- SSL certificate issues
- Deployment failure/rollback
- Data inconsistency
See Incident Response Policy for the overall response process.